Threat Protection (Windows 10) PDF
Threat protection
Overview
What is Microsoft Defender Advanced Threat Protection?
Minimum requirements
What's new in Microsoft Defender ATP
Preview features
Data storage and privacy
Portal overview
Microsoft Defender ATP for US Government Community Cloud High customers
Evaluate capabilities
Plan deployment
Deployment guide
Deployment phases
Phase 1: Prepare
Phase 2: Set up
Phase 3: Onboard
Security administration
Threat & Vulnerability Management
Overview of Threat & Vulnerability Management
Supported operating systems and platforms
Dashboard insights
Exposure score
Configuration score
Security recommendations
Remediation and exception
Software inventory
Weaknesses
Scenarios
Attack surface reduction
Overview of attack surface reduction
Attack surface reduction evaluation
Attack surface reduction configuration settings
Attack surface reduction FAQ
Attack surface reduction controls
Attack surface reduction rules
Enable attack surface reduction rules
Customize attack surface reduction rules
Hardware-based isolation
Hardware-based isolation in Windows 10
Hardware-based isolation evaluation
Application isolation
Application guard overview
System requirements
Install Windows Defender Application Guard
Application control
Audit Application control policies
System isolation
System integrity
Device control
Control USB devices
Device Guard
Code integrity
Exploit protection
Protect devices from exploits
Exploit protection evaluation
Network protection
Protect your network
Network protection evaluation
Web protection
Web protection overview
Web threat protection
Web threat protection overview
Monitor web security
Respond to web threats
Web content filtering
Controlled folder access
Protect folders
Controlled folder access evaluation
Network firewall
Network firewall overview
Network firewall evaluation
Next-generation protection
Next-generation protection overview
Evaluate next-generation protection
Configure next-generation protection
Configure Windows Defender Antivirus features
Utilize Microsoft cloud-delivered protection
Enable cloud-delivered protection
Specify the cloud-delivered protection level
Configure and validate network connections
Prevent security settings changes with tamper protection
Enable Block at first sight
Configure the cloud block timeout period
Configure behavioral, heuristic, and real-time protection
Configuration overview
Detect and block Potentially Unwanted Applications
Enable and configure always-on protection and monitoring
Antivirus on Windows Server 2016
Antivirus compatibility
Compatibility charts
Use limited periodic antivirus scanning
Deploy, manage updates, and report on antivirus
Preparing to deploy
Deploy and enable antivirus
Report on antivirus protection
Manage updates and apply baselines
Customize, initiate, and review the results of scans and remediation
Configuration overview
Configure and validate exclusions in antivirus scans
Configure scanning antivirus options
Configure remediation for scans
Configure scheduled scans
Configure and run scans
Review scan results
Run and review the results of an offline scan
Restore quarantined files
Manage antivirus in your business
Management overview
Use Group Policy settings to configure and manage antivirus
Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus
Use PowerShell cmdlets to configure and manage antivirus
Use Windows Management Instrumentation (WMI) to configure and manage antivirus
Use the mpcmdrun.exe commandline tool to configure and manage antivirus
Manage scans and remediation
Management overview
Configure and validate exclusions in antivirus scans
Configure scanning options
Configure remediation for scans
Configure scheduled scans
Configure and run scans
Review scan results
Run and review the results of an offline scan
Restore quarantined files
Manage next-generation protection in your business
Handle false positives/negatives in Windows Defender Antivirus
Management overview
Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection
Use Group Policy settings to manage next generation protection
Use PowerShell cmdlets to manage next generation protection
Use Windows Management Instrumentation (WMI) to manage next generation protection
Use the mpcmdrun.exe command line tool to manage next generation protection
Better together: Windows Defender Antivirus and Microsoft Defender ATP
Better together: Windows Defender Antivirus and Office 365
Microsoft Defender Advanced Threat Protection for Mac
What's New
Deploy
Microsoft Intune-based deployment
JAMF-based deployment
Deployment with a different Mobile Device Management (MDM) system
Manual deployment
Update
Configure
Configure and validate exclusions
Set preferences
Detect and block Potentially Unwanted Applications
Troubleshoot
Troubleshoot installation issues
Troubleshoot performance issues
Troubleshoot kernel extension issues
Troubleshoot license issues
Privacy
Resources
Microsoft Defender Advanced Threat Protection for Linux
What's New
Deploy
Manual deployment
Puppet based deployment
Ansible based deployment
Update
Configure
Configure and validate exclusions
Static proxy configuration
Set preferences
Troubleshoot
Troubleshoot installation issues
Troubleshoot cloud connectivity issues
Troubleshoot performance issues
Resources
Configure and manage Microsoft Threat Experts capabilities
Security operations
Endpoint detection and response
Endpoint detection and response overview
Security operations dashboard
Incidents queue
View and organize the Incidents queue
Manage incidents
Investigate incidents
Alerts queue
View and organize the Alerts queue
Manage alerts
Investigate alerts
Investigate files
Investigate machines
Investigate an IP address
Investigate a domain
Investigate connection events that occur behind forward proxies
Investigate a user account
Machines list
View and organize the Machines list
Manage machine group and tags
Take response actions
Take response actions on a machine
Response actions on machines
Manage tags
Initiate an automated investigation
Initiate Live Response session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machines from the network
Consult a threat expert
Check activity details in Action center
Take response actions on a file
Response actions on files
Stop and quarantine files in your network
Restore file from quarantine
Add indicators to block or allow a file
Consult a threat expert
Check activity details in Action center
Download or collect file
Deep analysis
Submit files for analysis
View deep analysis reports
Troubleshoot deep analysis
View and approve remediation actions
View details and results of automated investigations
Investigate entities using Live response
Investigate entities on machines
Live response command examples
Shadow protection?
Use sensitivity labels to prioritize incident response
Reporting
Power BI - How to use API - Samples
Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)
Threat protection reports
Machine health and compliance reports
Custom detections
Understand custom detections
Create and manage detection rules
Automated investigation and response
Overview of AIR
Advanced hunting
Advanced hunting overview
Learn the query language
Work with query results
Use shared queries
Advanced hunting schema reference
Understand the schema
DeviceAlertEvents
DeviceFileEvents
DeviceImageLoadEvents
DeviceLogonEvents
DeviceInfo
DeviceNetworkInfo
DeviceEvents
DeviceFileCertificateInfoBeta
DeviceNetworkEvents
DeviceProcessEvents
DeviceRegistryEvents
DeviceTvmSoftwareInventoryVulnerabilities
DeviceTvmSoftwareVulnerabilitiesKB
DeviceTvmSecureConfigurationAssessment
DeviceTvmSecureConfigurationAssessmentKB
Apply query best practices
Microsoft Threat Experts
Threat analytics
How-to
Onboard devices to the service
Onboard machines to Microsoft Defender ATP
Onboard previous versions of Windows
Onboard Windows 10 machines
Onboarding tools and methods
Onboard machines using Group Policy
Onboard machines using Microsoft Endpoint Configuration Manager
Onboard machines using Mobile Device Management tools
Onboard machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Onboard servers
Onboard non-Windows machines
Onboard machines without Internet access
Run a detection test on a newly onboarded machine
Run simulated attacks on machines
Configure proxy and Internet connectivity settings
Create an onboarding or offboarding notification rule
Troubleshoot onboarding issues
Troubleshoot issues during onboarding
Troubleshoot subscription and portal access issues
Manage machine configuration
Ensure your machines are configured properly
Monitor and increase machine onboarding
Increase compliance to the security baseline
Optimize ASR rule deployment and detections
Configure portal settings
Set up preferences
General
Update data retention settings
Configure alert notifications
Enable and create Power BI reports using Windows Defender Security center data
Enable Secure score security controls
Configure advanced features
Permissions
Use basic permissions to access the portal
Manage portal access using RBAC
Create and manage roles
Create and manage machine groups
APIs
Enable SIEM integration
Rules
Manage suppression rules
Manage indicators
Manage automation file uploads
Manage automation folder exclusions
Machine management
Onboarding machines
Offboarding machines
Configure Microsoft Defender Security Center time zone settings
Configure integration with other Microsoft solutions
Configure conditional access
Configure Microsoft Cloud App Security integration
Reference
Management and APIs
Overview of management and APIs
Microsoft Defender ATP API
Get started
Microsoft Defender ATP API license and terms
Access the Microsoft Defender ATP APIs
Hello World
Get access with application context
Get access with user context
Get partner application access
Microsoft Defender ATP APIs Schema
Supported Microsoft Defender ATP APIs
Common REST API error codes
Advanced Hunting
Alert
Machine
Machine Action
Automated Investigation
Indicators
Domain
File
IP
User
Score
Software
Vulnerability
Recommendation
How to use APIs - Samples
Microsoft Flow
Power BI
Advanced Hunting using Python
Advanced Hunting using PowerShell
Using OData Queries
Raw data streaming API
Raw data streaming
Stream advanced hunting events to Azure Events hub
Stream advanced hunting events to your storage account
SIEM integration
Understand threat intelligence concepts
Learn about different ways to pull detections
Enable SIEM integration
Configure Splunk to pull detections
Configure Micro Focus ArcSight to pull detections
Microsoft Defender ATP detection fields
Pull detections using SIEM REST API
Troubleshoot SIEM tool integration issues
Partners & APIs
Partner applications
Connected applications
API explorer
Role-based access control
Manage portal access using RBAC
Create and manage roles
Create and manage machine groups
Using machine groups
Create and manage machine tags
Configure managed security service provider (MSSP) integration
Partner integration scenarios
Technical partner opportunities
Managed security service provider opportunity
Become a Microsoft Defender ATP partner
Integrations
Microsoft Defender ATP integrations
Protect users, data, and devices with conditional access
Microsoft Cloud App Security integration overview
Information protection in Windows overview
Windows integration
Access the Microsoft Defender ATP Community Center
Helpful resources
Troubleshoot Microsoft Defender ATP
Troubleshoot sensor state
Check sensor state
Fix unhealthy sensors
Inactive machines
Misconfigured machines
Review sensor events and errors on machines with Event Viewer
Troubleshoot Microsoft Defender ATP service issues
Troubleshoot service issues
Check service health
Troubleshoot live response issues
Troubleshoot attack surface reduction issues
Network protection
Attack surface reduction rules
Troubleshoot next-generation protection
Security intelligence
Understand malware & other threats
Prevent malware infection
Malware names
Coin miners
Exploits and exploit kits
Fileless threats
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms
How Microsoft identifies malware and PUA
Submit files for analysis
Safety Scanner download
Industry antivirus tests
Industry collaboration programs
Virus information alliance
Microsoft virus initiative
Coordinated malware eradication
Information for developers
Software developer FAQ
Software developer resources
Windows Certifications
FIPS 140 Validations
Common Criteria Certifications
More Windows 10 security
The Windows Security app
Customize the Windows Security app for your organization
Hide Windows Security app notifications
Manage Windows Security app in Windows 10 in S mode
Virus and threat protection
Account protection
Firewall and network protection
App and browser control
Device security
Device performance and health
Family options
Windows Defender SmartScreen
Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
Set up and use Windows Defender SmartScreen on individual devices
Windows Sandbox
Windows Sandbox architecture
Windows Sandbox configuration
Windows Defender Device Guard: virtualization-based security and WDAC
Control the health of Windows 10-based devices
Mitigate threats by using Windows 10 security features
Override Process Mitigation Options to help enforce app-related security policies
Use Windows Event Forwarding to help with intrusion detection
Block untrusted fonts in an enterprise
Security auditing
Basic security audit policies
Create a basic audit policy for an event category
Apply a basic audit policy on a file or folder
View the security event log
Basic security audit policy settings
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Advanced security audit policies
Planning and deploying advanced security audit policies
Advanced security auditing FAQ
Which editions of Windows support advanced audit policy configuration
How to list XML elements in <EventData>
Using advanced security auditing options to monitor dynamic access control objects
Advanced security audit policy settings
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Audit DPAPI Activity
Audit PNP Activity
Audit Process Creation
Audit Process Termination
Audit RPC Events
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Audit Account Lockout
Audit User/Device Claims
Audit Group Membership
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Central Access Policy Staging
Audit Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Audit Sensitive Privilege Use
Audit Non Sensitive Privilege Use
Audit Other Privilege Use Events
Audit IPsec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
Other Events
Appendix A: Security monitoring recommendations for many audit events
Registry (Global Object Access Auditing)
File System (Global Object Access Auditing)
Security policy settings
Administer security policy settings
Network List Manager policies
Configure security policy settings
Security policy settings reference
Account Policies
Password Policy
Account Lockout Policy
Kerberos Policy
Audit Policy
Security Options
Accounts: Administrator account status
Accounts: Block Microsoft accounts
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Display user information when the session is locked
Interactive logon: Don't display last signed-in
Interactive logon: Don't display username at sign-in
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Machine account lockout threshold
Interactive logon: Machine inactivity limit
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
SMBv1 Microsoft network client: Digitally sign communications (always)
SMBv1 Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Attempt S4U2Self to obtain claim information
Microsoft network server: Digitally sign communications (always)
SMBv1 Microsoft network server: Digitally sign communications (always)
SMBv1 Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft network server: Server SPN target name validation level
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of passwords and credentials for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and subpaths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Restrict clients allowed to make remote calls to SAM
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Allow Local System to use computer identity for NTLM
Network security: Allow LocalSystem NULL session fallback
Network security: Allow PKU2U authentication requests to this computer to use online identities
Network security: Configure encryption types allowed for Kerberos
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Network security: Restrict NTLM: Add server exceptions in this domain
Network security: Restrict NTLM: Audit incoming NTLM traffic
Network security: Restrict NTLM: Audit NTLM authentication in this domain
Network security: Restrict NTLM: Incoming NTLM traffic
Network security: Restrict NTLM: NTLM authentication in this domain
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
System settings: Optional subsystems
System settings: Use certificate rules on Windows executables for Software Restriction Policies
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure locations
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
Advanced security audit policy settings
User Rights Assignment
Access Credential Manager as a trusted caller
Access this computer from the network
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create a token object
Create global objects
Create permanent shared objects
Create symbolic links
Debug programs
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
Manage auditing and security log
Modify an object label
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Replace a process level token
Restore files and directories
Shut down the system
Synchronize directory service data
Take ownership of files or other objects
Windows security guidance for enterprises
Windows security baselines
Security Compliance Toolkit
Get support
MBSA removal and alternatives
Windows 10 Mobile security guide
Change history for Threat protection
Threat Protection
3/16/2020 • 2 minutes to read
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is a unified platform for preventative
protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects
endpoints from cyber threats, detects advanced attacks and data breaches, automates investigation and response to
security incidents, and improves security posture.
NOTE
Secure score is now part of Threat & Vulnerability Management as Configuration score.
Microsoft Defender ATP includes a configuration score to help you dynamically assess the security state of your
enterprise network, identify unprotected systems, and take recommended actions to improve the overall security
of your organization.
Configuration score
Threat analytics
Microsoft Threat Experts
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and
additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to
threats quickly and accurately.
Targeted attack notification
Experts-on-demand
Configure your Microsoft Threat Protection managed hunting service
Centralized configuration and administration, APIs
Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
Onboarding
API and SIEM integration
Exposed APIs
Role-based access control (RBAC)
Reporting and trends
Integration with Microsoft solutions
Microsoft Defender ATP directly integrates with various Microsoft solutions, including:
Intune
Office 365 ATP
Azure ATP
Azure Security Center
Skype for Business
Microsoft Cloud App Security
Microsoft Threat Protection
With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified
pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and
applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
Microsoft Defender Advanced Threat Protection
3/16/2020 • 3 minutes to read
Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent,
detect, investigate, and respond to advanced threats.
Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's
robust cloud service:
Endpoint behavioral sensors : Embedded in Windows 10, these sensors collect and process behavioral
signals from the operating system and send the resulting sensor data to your private, isolated cloud instance of
Microsoft Defender ATP.
Cloud security analytics : Leveraging big data, machine learning, and unique Microsoft optics across the
Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals
are translated into insights, detections, and recommended responses to advanced threats.
Threat intelligence : Generated by Microsoft hunters and security teams, and augmented by threat
intelligence provided by partners, threat intelligence enables Microsoft Defender ATP to identify attacker
tools, techniques, and procedures, and to generate alerts when these are observed in collected sensor data.
TIP
Learn about the latest enhancements in Microsoft Defender ATP: What's new in Microsoft Defender ATP.
Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.
NOTE
Secure score is now part of Threat & Vulnerability Management as Configuration score.
Microsoft Defender ATP includes a configuration score to help you dynamically assess the security state of your
enterprise network, identify unprotected systems, and take recommended actions to improve the overall security
of your organization.
Microsoft Threat Experts
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and
additional context and insights that further empower Security operation centers (SOCs) to identify and respond to
threats quickly and accurately.
IMPORTANT
Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get
proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on
service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts
managed threat hunting service.
If you are not enrolled yet and would like to experience its benefits, go to Settings > General > Advanced features >
Microsoft Threat Experts to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a
90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
Related topic
Microsoft Defender ATP helps detect sophisticated threats
Minimum requirements for Microsoft Defender ATP
3/13/2020 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
There are some minimum requirements for onboarding machines to the service. Learn about the licensing,
hardware and software requirements, and other configuration settings to onboard devices to the service.
TIP
Learn about the latest enhancements in Microsoft Defender ATP: Microsoft Defender Advanced Threat Protection Tech
Community.
Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.
Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
Windows 10 Enterprise E5
Windows 10 Education A5
Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
Microsoft 365 E5 Security
Microsoft 365 A5 (M365 A5)
For detailed licensing information, see the Product terms page and work with your account team to learn the
detailed terms and conditions for the product.
For more information on the array of features in Windows 10 editions, see Compare Windows 10 editions.
For a detailed comparison of Windows 10 commercial editions, see the comparison PDF.
For more information about licensing requirements for Microsoft Defender ATP platform on Windows Server, see
Protecting Windows Servers with Microsoft Defender ATP.
Browser requirements
Access to Microsoft Defender ATP is through a browser. The following browsers are supported:
Microsoft Edge
Internet Explorer version 11
Google Chrome
NOTE
While other browsers might work, the mentioned browsers are the ones supported.
Hardware and software requirements
Supported Windows versions
Windows 7 SP1 Enterprise
Windows 7 SP1 Pro
Windows 8.1 Enterprise
Windows 8.1 Pro
Windows 10, version 1607 or later
Windows 10 Enterprise
Windows 10 Education
Windows 10 Pro
Windows 10 Pro Education
Windows Server
Windows Server 2008 R2 SP1
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803 or later
Windows Server 2019
Machines on your network must be running one of these editions.
The hardware requirements for Microsoft Defender ATP on machines are the same as those for the supported editions.
NOTE
Machines that are running mobile versions of Windows are not supported.
NOTE
You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP
for the integration to work.
NOTE
You cannot change your data storage location after the first-time setup.
Review the Microsoft Defender ATP data storage and privacy for more information on where and how Microsoft stores
your data.
You must ensure that the diagnostic data service is enabled on all the machines in your organization. By default,
this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
Use the command line to check the Windows 10 diagnostic data service startup type:
1. Open an elevated command-line prompt on the machine:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:
sc qc diagtrack
If the service is enabled, the output contains a START_TYPE line reading 2 AUTO_START.
If the START_TYPE is not set to AUTO_START, then you'll need to set the service to automatically start.
Use the command line to set the Windows 10 diagnostic data service to automatically start:
1. Open an elevated command-line prompt on the endpoint:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter (sc.exe requires the space after start=):
sc config diagtrack start= auto
3. A success message is displayed. Verify the change by entering the following command, and press Enter:
sc qc diagtrack
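The following PowerShell script is an added example and is not part of the Microsoft documentation. It turns the supported-versions list above and the diagnostic data service procedure into a single pre-onboarding readiness check that can be run on a fleet before rolling out the onboarding package. It assumes that the diagnostic data service is the Windows service named DiagTrack (the service that sc qc diagtrack queries), that Windows 10 version 1607 corresponds to build 14393, and that it runs in an elevated session; the function names are the example's own.

```powershell
# Added example (not from the Microsoft documentation): pre-onboarding readiness check.
# Assumptions: the diagnostic data service is the service named DiagTrack ("Connected User
# Experiences and Telemetry"); Windows 10 version 1607 is build 14393; the session is elevated.

function Test-MdatpOsSupport {
    # Maps the supported-version list to version/build numbers. Takes the version as a
    # string so the logic can be exercised against any value, not only the local OS.
    param([string]$VersionString = (Get-CimInstance Win32_OperatingSystem).Version)
    $v = [version]$VersionString
    switch ("$($v.Major).$($v.Minor)") {
        '6.1'   { return ($v.Build -ge 7601) }   # Windows 7 SP1 / Server 2008 R2 SP1 (RTM 7600 is not supported)
        '6.3'   { return $true }                 # Windows 8.1 / Server 2012 R2
        '10.0'  { return ($v.Build -ge 14393) }  # Windows 10 1607+ / Server 2016, 1803+, 2019
        default { return $false }                # Windows 8 / Server 2012 and older are not in the list
    }
}

function Get-DiagTrackState {
    # Same information as "sc qc diagtrack" (start type) plus whether the service is running.
    $svc = Get-CimInstance Win32_Service -Filter "Name='DiagTrack'"
    if ($null -eq $svc) { return $null }
    [pscustomobject]@{ StartMode = $svc.StartMode; State = $svc.State }  # StartMode: Auto / Manual / Disabled
}

function Enable-DiagTrack {
    # Equivalent of "sc config diagtrack start= auto" followed by starting the service,
    # then re-reads the state so the caller gets a verified result rather than a guess.
    Set-Service -Name DiagTrack -StartupType Automatic
    Start-Service -Name DiagTrack -ErrorAction SilentlyContinue
    $after = Get-DiagTrackState
    return ($null -ne $after -and $after.StartMode -eq 'Auto' -and $after.State -eq 'Running')
}

# Main check: evaluate both requirements and report whether the machine is ready to onboard.
$ready = $true
$osVersion = (Get-CimInstance Win32_OperatingSystem).Version
if (Test-MdatpOsSupport -VersionString $osVersion) {
    Write-Host "OS version $osVersion is in the supported list."
} else {
    Write-Warning "OS version $osVersion is not in the supported list; onboarding will not work."
    $ready = $false
}

$dt = Get-DiagTrackState
if ($null -eq $dt) {
    Write-Warning "DiagTrack service not found (expected on Windows 10 / Server 2016 and later)."
    $ready = $false
} elseif ($dt.StartMode -eq 'Auto' -and $dt.State -eq 'Running') {
    Write-Host "Diagnostic data service is set to Auto and is running."
} else {
    Write-Host "Diagnostic data service is $($dt.StartMode)/$($dt.State); setting it to Automatic and starting it."
    if (-not (Enable-DiagTrack)) {
        Write-Warning "Could not enable DiagTrack; a policy or tamper setting on this machine may be overriding the change."
        $ready = $false
    }
}
Write-Host "Ready to onboard: $ready"
```

Run it once per machine (or through your management tool) before deploying the onboarding package; the Test-MdatpOsSupport function can also be called with an explicit version string, for example Test-MdatpOsSupport -VersionString '6.2.9200', to confirm that Windows 8 / Server 2012 is rejected.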
Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5 MB to communicate with the
Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and
investigation package collection are not included in this daily average bandwidth.
For more information on additional proxy configuration settings, see Configure machine proxy and Internet connectivity settings.
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in
Windows 10.
NOTE
Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be
ignored when Tamper Protection is on.
Related topic
Validate licensing and complete setup
Onboard machines
What's new in Microsoft Defender ATP
3/10/2020 • 7 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The following features are generally available (GA) in the latest release of Microsoft Defender ATP as well as
security features in Windows 10 and Windows Server.
For more information on preview features, see Preview features.
RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+Defender+ATP%22&locale=en-us
November-December 2019
Microsoft Defender ATP for Mac
Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of
the unified endpoint security platform will now be available for Mac devices, including endpoint detection
and response.
Threat & Vulnerability Management application and application version end-of-life information
Applications and application versions which have reached their end-of-life are tagged or labeled as such so
you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing
so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
Threat & Vulnerability Management Advanced Hunting Schemas
Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about
software inventory, vulnerability knowledgebase, security configuration assessment, and security
configuration knowledgebase.
Threat & Vulnerability Management role-based access controls
Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat &
Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific
data to do their task. You can also achieve even further granularity by specifying whether a Threat &
Vulnerability Management role can only view vulnerability-related data, or can create and manage
remediation and exceptions.
October 2019
Indicators for IP addresses, URLs/Domains
You can now allow or block URLs/domains using your own threat intelligence.
Microsoft Threat Experts - Experts on Demand
You now have the option to consult with Microsoft Threat Experts from several places in the portal to help
you in the context of your investigation.
Connected Azure AD applications
The Connected applications page provides information about the Azure AD applications connected to
Microsoft Defender ATP in your organization.
API Explorer
The API explorer makes it easy to construct and perform API queries, test and send requests for any
available Microsoft Defender ATP API endpoint.
September 2019
Tamper Protection settings using Intune
You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device
Management portal (Intune).
Live response
Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and
take immediate response actions to contain identified threats in real time.
Evaluation lab
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and
environment configuration so that you can focus on evaluating the capabilities of the platform, running
simulations, and seeing the prevention, detection, and remediation features in action.
Windows Server 2008 R2 SP1
You can now onboard Windows Server 2008 R2 SP1.
June 2019
Threat & Vulnerability Management
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of
endpoint vulnerabilities and misconfigurations.
Machine health and compliance report
The machine health and compliance report provides high-level information about the devices in your organization.
May 2019
Threat protection reports
The threat protection report provides high-level information about alerts generated in your organization.
Microsoft Threat Experts
Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender ATP that
provides proactive hunting, prioritization, and additional context and insights that further empower security
operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides an additional
layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities
as part of Microsoft 365.
Indicators
APIs for indicators are now generally available.
Interoperability
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and
threat intelligence capabilities of the platform.
April 2019
Microsoft Threat Experts Targeted Attack Notification capability
Microsoft Threat Experts' Targeted Attack Notification alerts are tailored to organizations to provide as much
information as can be quickly delivered thus bringing attention to critical threats in their network, including
the timeline, scope of breach, and the methods of intrusion.
Microsoft Defender ATP API
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those
APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities.
February 2019
Incidents
Incident is a new entity in Microsoft Defender ATP that brings together all relevant alerts and related entities
to narrate the broader attack story, giving analysts better perspective on the purview of complex threats.
Onboard previous versions of Windows
Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft
Defender ATP sensor.
October 2018
Attack surface reduction rules
All Attack surface reduction rules are now supported on Windows Server 2019.
Controlled folder access
Controlled folder access is now supported on Windows Server 2019.
Custom detection
With custom detections, you can create custom queries to monitor events for any kind of behavior such as
suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the
creation of custom detection rules.
Integration with Azure Security Center
Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection
solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to
provide improved threat detection for Windows Servers.
Managed security service provider (MSSP) support
Microsoft Defender ATP adds support for this scenario by providing MSSP integration. The integration will
allow MSSPs to take the following actions: Get access to MSSP customer's Microsoft Defender Security
Center portal, fetch email notifications, and fetch alerts through security information and event
management (SIEM) tools.
Removable device control
Microsoft Defender ATP provides multiple monitoring and control features to help prevent threats from
removable devices, including new settings to allow or block specific hardware IDs.
Support for iOS and Android devices
iOS and Android devices are now supported and can be onboarded to the service.
Threat analytics
Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as
soon as emerging threats and outbreaks are identified. The reports help security operations teams assess
impact on their environment and provides recommended actions to contain, increase organizational
resilience, and prevent specific threats.
New in Windows 10 version 1809, there are two new attack surface reduction rules:
Block Adobe Reader from creating child processes
Block Office communication application from creating child processes.
Windows Defender Antivirus
Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. Office VBA + AMSI:
Parting the veil on malicious macros.
Windows Defender Antivirus, new in Windows 10 version 1809, can now run within a sandbox (preview),
increasing its security.
Configure CPU priority settings for Windows Defender Antivirus scans.
March 2018
Advanced Hunting
Query data using advanced hunting in Microsoft Defender ATP.
Attack surface reduction rules
New attack surface reduction rules:
Use advanced protection against ransomware
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block process creations originating from PSExec and WMI commands
Block untrusted and unsigned processes that run from USB
Block executable content from email client and webmail
Automated investigation and remediation
Use Automated investigations to investigate and remediate threats.
NOTE
Available from Windows 10, version 1803 or later.
Conditional Access
Enable conditional access to better protect users, devices, and data.
Microsoft Defender ATP Community center
The Microsoft Defender ATP Community Center is a place where community members can learn,
collaborate, and share experiences about the product.
Controlled folder access
You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.
Onboard non-Windows machines
Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-
Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft
Defender Security Center and better protect your organization's network.
Role-based access control (RBAC)
Using role-based access control (RBAC), you can create roles and groups within your security operations
team to grant appropriate access to the portal.
Windows Defender Antivirus
Windows Defender Antivirus now shares detection status between M365 services and interoperates with
Microsoft Defender ATP. For more information, see Use next-gen technologies in Windows Defender
Antivirus through cloud-delivered protection.
Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as
executable files. For more information, see Enable block at first sight.
Microsoft Defender ATP preview features
3/23/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Microsoft Defender ATP service is constantly being updated to include new feature enhancements and
capabilities.
TIP
Want to experience Microsoft Defender ATP? Sign up for a free trial.
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming
features by turning on the preview experience.
For more information on new capabilities that are generally available, see What's new in Microsoft Defender ATP.
Preview features
The following features are included in the preview release:
Microsoft Defender ATP for Linux
Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use
Microsoft Defender ATP for Linux.
Threat & Vulnerability Management API support
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure
score or device secure score, software and machine vulnerability inventory, software version distribution,
machine vulnerability information, security recommendation information.
Threat & Vulnerability supported operating systems and platforms
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so
the activities in your devices are properly accounted for. Threat & Vulnerability Management supports
Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server
2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows
Server 2012R2, Windows Server 2016, and Windows Server 2019. See Secure Configuration Assessment
(SCA) for Windows Server now in public preview and Reducing risk with new Threat & Vulnerability
Management capabilities blogs for more information.
Threat & Vulnerability Management granular exploit details
You can now see a comprehensive set of details on the vulnerabilities found on your machines, so you can make an
informed decision on your next steps. The threat insights icon now shows more granular details, such as whether
the exploit is part of an exploit kit, whether it is connected to specific advanced persistent campaigns or activity
groups (with links to the relevant Threat Analytics reports), and whether it has associated zero-day exploitation
news, disclosures, or related security advisories.
Threat & Vulnerability Management Report inaccuracy
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated
security recommendation, software inventory, and discovered vulnerabilities.
Machine health and compliance report
The machine health and compliance report provides high-level information about the devices in your
organization.
Information protection
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection
to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender ATP is
seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss
prevention (DLP) solution for Windows devices.
NOTE
Partially available from Windows 10, version 1809.
NOTE
Available from Windows 10, version 1809 or later.
TIP
Want to experience Microsoft Defender ATP? Sign up for a free trial.
Microsoft Defender ATP data storage and privacy
9/20/2019 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This section covers some of the most frequently asked questions regarding privacy and data handling for Microsoft
Defender ATP.
NOTE
This document explains the data storage and privacy details related to Microsoft Defender ATP. For more information related
to Microsoft Defender ATP and other products and services like Windows Defender Antivirus and Windows 10, see Microsoft
Privacy Statement. See also Windows 10 privacy FAQ for more information.
Portal overview
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts
of potential advanced persistent threat (APT) activity or data breaches.
You can use Microsoft Defender Security Center to:
View, sort, and triage alerts from your endpoints
Search for more information on observed indicators such as files and IP Addresses
Change Microsoft Defender ATP settings, including time zone and review licensing information.
NOTE
Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time
protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table
for a description of each section.
(1) Navigation pane: Use the navigation pane to move between Dashboards, Incidents, Machines list, Alerts queue, Automated investigations, Advanced hunting, Reports, Interoperability, Threat & vulnerability management, Evaluation and tutorials, Service health, Configuration management, and Settings.
Machines list: Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and the corresponding number of alerts.
Reports: View graphs detailing alert trends over time, and alert summary charts categorizing threats by severity, status, and attack approach.
Threat & Vulnerability management: View your configuration score, exposure score, exposed machines, and vulnerable software, and take action on top security recommendations.
Evaluation and tutorials: Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walkthrough in a trial environment.
Service health: Provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service is healthy or see whether there are current issues.
Settings: Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard.
(2) Main portal: Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
(3) Community center, Localization, Help and support, Feedback:
Community center: Access the Community center to learn, collaborate, and share experiences about the product.
Time settings: Gives you access to the configuration settings where you can set time zones and view license information.
NOTE
For devices with high resolution DPI scaling issues, please see Windows scaling issues for high-DPI devices for possible
solutions.
Icon legend (the icons themselves are not reproduced in this text): Machine icon, Response action, Process events, Network events, File events, Registry events, Other events, File creation, Signer, File path, Command line, Unsigned file, Process tree, Memory allocation, Process injection, Community center, Notifications.
Related topics
Understand the Microsoft Defender Advanced Threat Protection portal
View the Security operations dashboard
View the Threat & Vulnerability Management dashboard
View the Threat analytics dashboard and take recommended mitigation actions
Microsoft Defender ATP for US Government GCC High customers
11/19/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for US Government Community Cloud
High (GCC High) customers, built in the US Azure Government environment, uses the same underlying
technologies as Microsoft Defender ATP in Azure Commercial.
This offering is currently available to US Office 365 GCC High customers and is based on the same prevention,
detection, investigation, and remediation as the commercial version. However, there are some key differences in the
availability of capabilities for this offering.
Endpoint versions
The following OS versions are supported:
Windows 10, version 1903
Windows 10, version 1809 (OS Build 17763.404 with KB4490481)
Windows 10, version 1803 (OS Build 17134.799 with KB4499183)
Windows 10, version 1709 (OS Build 16299.1182 with KB4499147)
Windows Server, 2019 (with KB4490481)
NOTE
A patch must be deployed before machine onboarding in order to configure Microsoft Defender ATP to the correct
environment.
Email notifications
Not currently available.
Integrations
Integrations with the following Microsoft products are not currently available:
Azure Security Center
Azure Advanced Threat Protection
Azure Information Protection
Office 365 Advanced Threat Protection
Microsoft Cloud App Security
Skype for Business
Microsoft Intune (sharing of device information and enhanced policy enforcement)
Service location / DNS record (table entries are not available in this text)
Microsoft Defender ATP evaluation lab
Applies to:
Microsoft Defender Advanced Threat Protection (Windows Defender ATP)
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome
environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to
the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during
the evaluation.
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment
configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing
the prevention, detection, and remediation features in action.
When you get started with the lab, you'll be guided through a simple set-up process where you can specify the type
of configuration that best suits your needs.
After the lab setup process is complete, you can add Windows 10 or Windows Server 2019 machines. These test
machines come pre-configured to have the latest and greatest OS versions with the right security components in
place and Office 2019 Standard installed.
With the simplified set-up experience, you can focus on running your own test scenarios and the pre-made
simulations to see how Microsoft Defender ATP performs.
You'll have full access to all the powerful capabilities of the platform such as automated investigations, advanced
hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP
offers.
When you access the evaluation lab for the first time, you'll find an introduction page with a link to the evaluation
guide. The guide contains tips and recommendations to keep in mind when evaluating an advanced threat
protection product.
It's a good idea to read the guide before starting the evaluation process so that you can conduct a thorough
assessment of the platform.
NOTE
Each environment is provisioned with a limited set of test machines.
Depending on the type of environment structure you select, machines will be available for the specified number of hours
from the day of activation.
When you've used up the provisioned machines, no new machines are provided. A deleted machine does not refresh the
available test machine count.
Given the limited resources, it’s advisable to use the machines carefully.
2. Depending on your evaluation needs, you can choose to set up an environment with fewer machines for a
longer period or more machines for a shorter period. Select your preferred lab configuration, then select
Create lab.
When the environment completes the setup process, you're ready to add machines.
Add machines
When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with
connection details. You can add Windows 10 or Windows Server 2019 machines.
The machine will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as
other apps such as Java, Python, and Sysinternals.
The machine will automatically be onboarded to your tenant with the recommended Windows security
components turned on and in audit mode - with no effort on your side.
The following security components are pre-configured in the test machines:
Attack Surface Reduction
Block at first sight
Controlled Folder Access
Exploit Protection
Network Protection
Potentially unwanted application detection
Cloud-delivered protection
Windows Defender SmartScreen
NOTE
Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your
simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see
Configure always-on protection.
Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated
by default. For more information, see Overview of Automated investigations.
NOTE
The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
2. Choose the type of machine to add. You can choose to add Windows 10 or Windows Server 2019.
NOTE
If something goes wrong with the machine creation process, you'll be notified and you'll need to submit a new
request. If the machine creation fails, it will not be counted against the overall allowed quota.
3. The connection details are displayed. Select Copy to save the password for the machine.
NOTE
The password is only displayed once. Be sure to save it for later use.
4. Machine set up begins. This can take up to approximately 30 minutes.
The environment will reflect your test machine status through the evaluation - including risk score, exposure score,
and alerts created through the simulation.
Simulate attack scenarios
Use the test machines to run attack simulations by connecting to them.
If you are looking for a pre-made simulation, you can use our "Do It Yourself" attack scenarios. These scripts are
safe, documented, and easy to use. These scenarios reflect Microsoft Defender ATP capabilities and walk you
through the investigation experience.
You can also use Advanced hunting to query data and Threat analytics to view reports about emerging threats.
NOTE
The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
NOTE
If you don't have a copy of the password saved during the initial setup, you can reset the password by selecting
Reset password from the menu:
The machine will change its state to "Executing password reset", then you'll be presented with your new password in
a few minutes.
3. Enter the password that was displayed during the machine creation step.
4. Run simulations on the machine.
After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft
Defender ATP features. See if your attacks triggered an automated investigation and remediation, check out the
evidence collected and analyzed by the feature.
Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check
out some world-wide threats documented in Threat analytics.
Simulation results
Get a full overview of the simulation results, all in one place, allowing you to drill down to the relevant pages with
every detail you need.
View the machine details page by selecting the machine from the table. You'll be able to drill down on relevant
alerts and investigations by exploring the rich context provided on the attack simulation.
Evaluation report
The lab reports summarize the results of the simulations conducted on the machines.
Provide feedback
Your feedback helps us get better in protecting your environment from advanced attacks. Share your experience
and impressions from product capabilities and evaluation results.
Let us know what you think, by selecting Provide feedback .
Plan your Microsoft Defender ATP deployment strategy
3/11/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Depending on the requirements of your environment, we've put together material to help guide you through the
various options you can adopt to deploy Microsoft Defender ATP.
You can deploy Microsoft Defender ATP using various management tools. In general the following management
tools are supported:
Group policy
Microsoft Endpoint Configuration Manager
Mobile Device Management tools
Local script
Item / Description: deployment strategy material, available as PDF | Visio (the table description is not available in this text)
Related topics
Deployment phases
Deployment phases
3/11/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
There are three phases in deploying Microsoft Defender ATP:
Phase / Description (table entries are not available in this text)
The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP.
There are several methods you can use to onboard to the service. For information on other ways to onboard, see
Onboard machines to Microsoft Defender ATP.
In Scope
The following is in scope for this deployment guide:
Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service
Enabling Microsoft Defender ATP endpoint protection platform (EPP) capabilities
Next Generation Protection
Attack Surface Reduction
Enabling Microsoft Defender ATP endpoint detection and response (EDR) capabilities including automatic
investigation and remediation
Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
Out of scope
The following are out of scope of this deployment guide:
Configuration of third-party solutions that might integrate with Microsoft Defender ATP
Penetration testing in production environment
Prepare Microsoft Defender ATP deployment
4/2/2020 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Deploying Microsoft Defender ATP is a three-phase process:
Name / Role / Action (stakeholder table entries are not available in this text)
Environment
This section is used to ensure your environment is deeply understood by the stakeholders, which helps identify
potential dependencies and/or changes required in technologies or processes.
What / Description (descriptions are not available in this text):
Endpoint count
Server count
Management engine
CDOC distribution
Personas / Roles / Azure AD role (if required) / Assign to (only the personas column is available in this text):
Security Administrator
Security Analyst
Endpoint Administrator
Infrastructure Administrator
Business Owner/Stakeholder
Microsoft recommends using Privileged Identity Management to manage your roles to provide additional auditing,
control, and access review for users with directory permissions.
Microsoft Defender ATP supports two ways to manage permissions:
Basic permissions management: Set permissions to either full access or read-only. In the case of basic
permissions management, users with the Global Administrator or Security Administrator role in Azure Active
Directory have full access, while the Security Reader role has read-only access.
Role-based access control (RBAC): Set granular permissions by defining roles, assigning Azure AD user
groups to the roles, and granting the user groups access to machine groups. For more information, see
Manage portal access using role-based access control.
Microsoft recommends leveraging RBAC to ensure that only users that have a business justification can access
Microsoft Defender ATP.
You can find details on permission guidelines here.
The following example table serves to identify the Cyber Defense Operations Center structure in your environment
that will help you determine the RBAC structure required for your environment.
Adoption Order
In many cases, organizations will have existing endpoint security products in place. The bare minimum every
organization should have is an antivirus solution, but in some cases an organization might also have implemented an
EDR solution already.
Historically, replacing any security solution used to be time intensive and difficult to achieve due to the tight hooks
into the application layer and infrastructure dependencies. However, because Microsoft Defender ATP is built into
the operating system, replacing third-party solutions is now easy to achieve.
Choose the component of Microsoft Defender ATP to be used and remove the ones that do not apply. The table
below indicates the order Microsoft recommends for how the endpoint security suite should be enabled.
| Component | Description | Adoption order |
|---|---|---|
| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The automated investigation feature leverages various inspection algorithms and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high-value initiatives. Learn more. | Not applicable |
| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert-level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. Learn more. | Not applicable |
Next step
Set up Microsoft Defender ATP deployment
Phase 2: Setup
Set up Microsoft Defender ATP deployment
4/2/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Deploying Microsoft Defender ATP is a three-phase process:
NOTE
For the purpose of guiding you through a typical deployment, this scenario only covers the use of Microsoft Endpoint
Configuration Manager. Microsoft Defender ATP supports other onboarding tools, but the deployment guide does not cover those
scenarios. For more information, see Onboard machines to Microsoft Defender ATP.
Tenant Configuration
When you access Microsoft Defender Security Center for the first time, a setup wizard guides you through some
initial steps. At the end of the wizard, a dedicated cloud instance of Microsoft Defender ATP is created. The easiest
method is to perform these steps from a Windows 10 client machine.
1. From a web browser, navigate to https://securitycenter.windows.com.
2. If going through a TRIAL license, go to the link (https://signup.microsoft.com/Signup?OfferId=6033e4b5-
c320-4008-a936-909c2825d83c&dl=WIN_DEF_ATP&pc=xxxxxxx-xxxxxx-xxx-x)
Once the authorization step is completed, the Welcome screen will be displayed.
3. Go through the authorization steps.
4. Set up preferences.
Data storage location - It's important to set this up correctly. Determine where the customer wants to be
primarily hosted: US, EU or UK. You cannot change the location after this setup, and Microsoft will not
transfer the data out of the specified geolocation.
Data retention - The default is 6 months.
Enable preview features - The default is on; this can be changed later.
5. Select Next .
6. Select Continue .
Network configuration
If the organization does not require the endpoints to use a Proxy to access the Internet, skip this section.
The Microsoft Defender ATP sensor requires Microsoft Windows HTTP Services (WinHTTP) to report sensor data and
communicate with the Microsoft Defender ATP cloud service. The embedded sensor runs in the system context using the
LocalSystem account, so the proxy settings of any logged-on user do not apply to it. The WinHTTP configuration setting is
independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy
server by using the following discovery methods:
Auto-discovery methods:
Transparent proxy
Web Proxy Auto-discovery Protocol (WPAD)
If a Transparent proxy or WPAD has been implemented in the network topology, there is no need for special
configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see the
Appendix section in this document for the URLs Whitelisting or on Microsoft Docs.
Manual static proxy configuration:
Registry based configuration
WinHTTP configured using the netsh command (suitable only for desktops in a stable topology, for example a
desktop in a corporate network that always sits behind the same proxy)
Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and
communicate with Microsoft Defender ATP services if a computer is not permitted to connect to the Internet. The
static proxy is configurable through Group Policy (GP). The group policy can be found under:
Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure
Authenticated Proxy usage for the Connected User Experience and Telemetry Service
Set it to Enabled and select Disable Authenticated Proxy usage
1. Open the Group Policy Management Console.
2. Create a policy or edit an existing policy based off the organizational practices.
3. Edit the Group Policy and navigate to Administrative Templates > Windows Components > Data
Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User
Experience and Telemetry Service .
4. Select Enabled .
5. Select Disable Authenticated Proxy usage .
6. Navigate to Administrative Templates > Windows Components > Data Collection and Preview
Builds > Configure connected user experiences and telemetry .
7. Select Enabled .
8. Enter the Proxy Server Name .
The policy sets two registry values, TelemetryProxyServer (REG_SZ) and DisableEnterpriseAuthProxy
(REG_DWORD), under the registry key HKLM\Software\Policies\Microsoft\Windows\DataCollection .
The registry value TelemetryProxyServer takes the following string format:
NOTE
The netsh setting affects all applications, including Windows services, that use WinHTTP with the default proxy.
Laptops that change topology (for example, moving from the office to home) will malfunction with the netsh setting. Use the
registry-based static proxy configuration for them instead.
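The registry-based static proxy described above, set and verified from an elevated PowerShell prompt. This is an added example and not code from the original page or from Microsoft; the proxy address proxy.corp.example:8080 is a placeholder for your own proxy in host:port form. Where Group Policy delivers the same values, the policy setting overwrites whatever is written locally, so on a domain-joined machine use this mainly to confirm what the policy applied.

```powershell
# Added example (not from the original page): write the two policy values that the Group
# Policy above sets, read them back, and check that the proxy is reachable from this host.
# The proxy address is a placeholder; replace it with your proxy in "<server name or ip>:<port>" form.
# Run elevated. A Group Policy that sets the same values overrides anything written here.

$ProxyServer = 'proxy.corp.example:8080'   # placeholder
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

# 1. Create the policy key if it does not exist yet.
if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

# 2. TelemetryProxyServer (REG_SZ): the static proxy the sensor uses through WinHTTP.
#    DisableEnterpriseAuthProxy (REG_DWORD) = 1: do not try an authenticated proxy in a user's
#    context, which the sensor running as LocalSystem cannot use anyway.
New-ItemProperty -Path $Key -Name 'TelemetryProxyServer'       -PropertyType String -Value $ProxyServer -Force | Out-Null
New-ItemProperty -Path $Key -Name 'DisableEnterpriseAuthProxy' -PropertyType DWord  -Value 1            -Force | Out-Null

# 3. Read back what is now in effect.
Get-ItemProperty -Path $Key | Select-Object TelemetryProxyServer, DisableEnterpriseAuthProxy

# 4. Reachability check of the proxy itself; sensor traffic to the service URLs goes through it,
#    so a closed port here means the sensor will never report.
$ProxyHost, $ProxyPort = $ProxyServer -split ':'
Test-NetConnection -ComputerName $ProxyHost -Port ([int]$ProxyPort) |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Alternative from the page, for desktops in a stable topology only: a machine-wide WinHTTP
# proxy via netsh. It applies to every service that uses WinHTTP with the default proxy.
#   netsh winhttp show proxy
#   netsh winhttp set proxy proxy-server="proxy.corp.example:8080" bypass-list="<local>"
#   netsh winhttp reset proxy      # revert
```

Test-NetConnection is available on Windows 8.1/Server 2012 R2 and later; on older hosts replace step 4 with a plain TCP connect using System.Net.Sockets.TcpClient.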
| Service location | microsoft.com DNS record |
|---|---|
If a proxy or firewall blocks anonymous traffic, make sure anonymous traffic is permitted to the URLs listed
above, because the Microsoft Defender ATP sensor connects from the system context and cannot present user credentials.
Microsoft Defender ATP service backend IP range
If your network devices don't support allow-listing by URL as described in the prior section, you can use the following
information instead.
Microsoft Defender ATP is built on the Azure cloud and deployed in the following regions (region names as they appear
in the Azure datacenter IP ranges file):
uswestcentral
useast2
useast
europenorth
europewest
uksouth
ukwest
You can find the Azure IP range on Microsoft Azure Datacenter IP Ranges.
NOTE
As a cloud-based solution, the IP range can change. It's recommended that you allow the service by DNS name rather than by fixed IP range.
Next step
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Deploying Microsoft Defender ATP is a three-phase process:
5. Click Next on the Direct Membership Wizard and click on Edit Query Statement .
After completing this task, you now have a device collection with all the Windows 10 endpoints in the
environment.
7. Enter the name and description, verify Onboarding is selected, then select Next .
8. Click Browse .
9. Navigate to the location of the downloaded file from step 4 above.
16. On the right panel, select the previously created collection and click OK .
Previous versions of Windows Client (Windows 7 and Windows 8.1)
Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, which are
required for the onboarding of previous versions of Windows.
1. From a Microsoft Defender Security Center Portal, select Settings > Onboarding .
2. Under operating system choose Windows 7 SP1 and 8.1 .
3. Copy the Workspace ID and Workspace Key and save them. They will be used later in the process.
Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain
the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the
deployment method, this step may have already been completed.
Edit the InstallMMA.cmd with a text editor, such as notepad and update the following lines and save the file:
![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png)
Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the
file:
![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png)
Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows
Operating Systems:
Server SKUs: Windows Server 2008 SP1 or Newer
Client SKUs: Windows 7 SP1 and later
The MMA agent will need to be installed on Windows devices. To install the agent, some systems will need to
download the Update for customer experience and diagnostic telemetry in order to collect the data with MMA.
These system versions include but may not be limited to:
Windows 8.1
Windows 7
Windows Server 2016
Windows Server 2012 R2
Windows Server 2008 R2
Specifically, for Windows 7 SP1, the following patches must be installed:
Install KB4074598
Install either .NET Framework 4.5 (or later) or KB3154518. Do not install both on the same system.
To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps below to use the provided
batch files to onboard the systems. When executed, the CMD file copies the files from a network share (running as
SYSTEM), installs MMA, installs the Dependency Agent, and configures MMA for enrollment into the workspace.
1. In Microsoft Endpoint Configuration Manager console, navigate to Software Library .
2. Expand Application Management .
3. Right-click Packages then select Create Package .
4. Provide a Name for the package, then click Next
6. Click Next .
7. Enter a program name.
8. Browse to the location of the InstallMMA.cmd.
9. Set Run to Hidden .
10. Set Program can run to Whether or not a user is logged on .
11. Click Next .
12. Set the Maximum allowed run time to 720.
13. Click Next .
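The same enrollment that InstallMMA.cmd and the VBS script perform, done directly in PowerShell on a downlevel host so you can check prerequisites and confirm the agent is talking to the right workspace. This is an added example, not code from the original page or from Microsoft's onboarding package; the Workspace ID and Key are placeholders for the values copied from Settings > Onboarding, and the AgentConfigManager.MgmtSvcCfg COM object is the documented MMA configuration interface.

```powershell
# Added example (not from the original page): on Windows 7 SP1 / 8.1 / Server 2008 R2-2016,
# check the prerequisites listed above, enroll an installed Microsoft Monitoring Agent (MMA)
# into the Microsoft Defender ATP workspace, and verify the enrollment. Run elevated.
# Workspace ID and Key below are placeholders; use the values from Settings > Onboarding.

$WorkspaceId  = '00000000-0000-0000-0000-000000000000'          # placeholder
$WorkspaceKey = '<workspace key copied from Settings > Onboarding>'  # placeholder

# Get-WmiObject rather than Get-CimInstance so this also runs on the PowerShell 2.0 that
# ships with Windows 7.
$os = Get-WmiObject Win32_OperatingSystem
Write-Host ("OS: {0} build {1}" -f $os.Caption, $os.BuildNumber)

# 1. Windows 7 SP1 prerequisites from the guide: KB4074598, plus .NET Framework 4.5+ OR KB3154518.
if ($os.Version -like '6.1.*') {
    $kb4074598  = Get-HotFix -Id KB4074598 -ErrorAction SilentlyContinue
    $kb3154518  = Get-HotFix -Id KB3154518 -ErrorAction SilentlyContinue
    $netRelease = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                       -ErrorAction SilentlyContinue).Release
    $hasNet45   = ($netRelease -ne $null) -and ($netRelease -ge 378389)   # 378389 = .NET 4.5 RTM
    if (-not $kb4074598)                 { Write-Warning 'KB4074598 is missing' }
    if (-not ($hasNet45 -or $kb3154518)) { Write-Warning 'Install .NET Framework 4.5+ or KB3154518' }
    if ($hasNet45 -and $kb3154518)       { Write-Warning 'Both .NET 4.5+ and KB3154518 are present; the guide says not to install both' }
}

# 2. MMA must already be installed (service name HealthService). For a silent install from the
#    package extracted with "MMASetup-AMD64.exe /c /t:C:\MMA", the documented command line is:
#    C:\MMA\setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0
#        OPINSIGHTS_WORKSPACE_ID="<id>" OPINSIGHTS_WORKSPACE_KEY="<key>" AcceptEndUserLicenseAgreement=1
if (-not (Get-Service HealthService -ErrorAction SilentlyContinue)) {
    throw 'Microsoft Monitoring Agent (HealthService) is not installed on this host'
}

# 3. Enroll the agent through its COM configuration object (the interface the VBS script drives).
$cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$existing = @($cfg.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId })
if ($existing.Count -eq 0) {
    $cfg.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
    $cfg.ReloadConfiguration()
    Write-Host 'Workspace added; the agent reloads its configuration and connects shortly.'
} else {
    Write-Host 'Workspace already configured on this agent.'
}

# 4. Verify: the workspace must be listed and, after a minute or two, report a connected status.
$cfg.GetCloudWorkspaces() | Format-List workspaceId, AgentId, ConnectionStatus, ConnectionStatusText
```

If the machine must reach the workspace through a proxy, configure the MMA proxy in the agent's Control Panel applet (or its SetProxyInfo method on the same COM object) before checking the connection status; a workspace that stays unconnected after several minutes is almost always a proxy or URL allow-list problem rather than a bad key.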
2. Select Scheduled scans , Scan settings , Default actions , Real-time protection , Exclusion settings ,
Advanced , Threat overrides , Cloud Protection Service and Security intelligence updates and
choose OK .
Certain industries and some enterprise customers might have specific needs for how antivirus is
configured.
Quick scan versus full scan and custom scan
For more details, see Windows Security configuration framework
3. Right-click on the newly created antimalware policy and select Deploy .
4. Target the new antimalware policy to your Windows 10 collection and click OK .
After completing this task, you now have successfully configured Windows Defender Antivirus.
Attack surface reduction
The attack surface reduction pillar of Microsoft Defender ATP includes the feature set available under Exploit
Guard: attack surface reduction (ASR) rules, Controlled folder access, Network protection and Exploit protection.
All these features provide an audit mode and a block mode. In audit mode there is no end-user impact; the feature only
collects additional telemetry and makes it available in the Microsoft Defender Security Center. The goal of a
deployment is to move the security controls into block mode step by step, once the audit telemetry shows what would be blocked.
To set ASR rules in Audit mode:
1. In the Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance >
Overview > Endpoint Protection > Windows Defender Exploit Guard and choose Create Exploit
Guard Policy .
After completing this task, you now have successfully configured ASR rules in audit mode.
Below are additional steps to verify whether ASR rules are correctly applied to endpoints. (This may take a few
minutes.)
1. From a web browser, navigate to https://securitycenter.windows.com.
2. Select Configuration management from the left side menu.
3. Click Go to attack surface management in the Attack surface management panel.
4. Click the Configuration tab in the Attack surface reduction rules report. It shows an overview of the ASR rules
configuration and the status of the ASR rules on each device.
5. Click a device to show the configuration details of its ASR rules.
See Optimize ASR rule deployment and detections for more details.
To set Network Protection rules in Audit mode:
1. In the Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance >
Overview > Endpoint Protection > Windows Defender Exploit Guard and choose Create Exploit
Guard Policy .
2. Select Network protection .
3. Set the setting to Audit and click Next .
7. Deploy the policy to the newly created Windows 10 collection and choose OK .
After completing this task, you now have successfully configured Network Protection in audit mode.
To set Controlled Folder Access rules in Audit mode:
1. In the Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance >
Overview > Endpoint Protection > Windows Defender Exploit Guard and choose Create Exploit
Guard Policy .
2. Select Controlled folder access .
3. Set the configuration to Audit and click Next .
4. Confirm the new Exploit Guard Policy by clicking on Next .
5. Once the policy is created click on Close .
After completing this task, you now have successfully configured Controlled folder access in audit mode.
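The three audit-mode procedures above (ASR rules, Network protection, Controlled folder access) done locally with the Defender PowerShell module, followed by the check a practitioner wants before moving anything to block mode: what is actually in effect on the endpoint, and what audit mode has already recorded. This is an added example, not code from the original page or from Microsoft; use it on a pilot machine or to confirm what the Configuration Manager policy applied, because on a managed endpoint the policy value overrides a local Set-MpPreference. The three rule GUIDs are taken from the ASR rules reference and should be checked against it before use.

```powershell
# Added example (not from the original page): put ASR rules, Network protection and Controlled
# folder access into audit mode locally, read back the effective configuration, and list the
# audit events already recorded. Run elevated. Settings delivered by Configuration Manager or
# Group Policy take precedence over what is set here.
# Rule GUIDs (from the ASR rules reference; verify there before use):
#   D4F940AB-401B-4EFC-AADC-AD5F3C50688A  Block all Office applications from creating child processes
#   BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550  Block executable content from email client and webmail
#   9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2  Block credential stealing from LSASS

$rules = @(
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A',
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550',
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
)

# 1. ASR rules in audit mode. Add-MpPreference appends to the configured rule set; Set-MpPreference
#    with the same parameters would replace the whole set and silently drop rules configured elsewhere.
Add-MpPreference -AttackSurfaceReductionRules_Ids $rules `
                 -AttackSurfaceReductionRules_Actions ($rules | ForEach-Object { 'AuditMode' })

# 2. Network protection and Controlled folder access in audit mode.
Set-MpPreference -EnableNetworkProtection    AuditMode
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Read back the effective configuration. Action codes: 0 = Disabled, 1 = Block, 2 = Audit.
$pref = Get-MpPreference
for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
'NetworkProtection={0}  ControlledFolderAccess={1}' -f $pref.EnableNetworkProtection, $pref.EnableControlledFolderAccess

# 4. Audit-mode telemetry is written to the local Defender operational log before it reaches the
#    portal. Event IDs: 1121/1122 ASR block/audit, 1123/1124 CFA block/audit, 1125/1126 NP block/audit.
#    Get-WinEvent throws when nothing matches, hence -ErrorAction SilentlyContinue.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 1123, 1124, 1125, 1126
} -MaxEvents 50 -ErrorAction SilentlyContinue

$events |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Leave the controls in audit mode long enough to cover normal business cycles (month-end jobs, installer rollouts); the audit events, and the same data in the Security Center reports, are what tell you which line-of-business processes would be blocked before you switch a rule to block mode.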
Threat & Vulnerability Management
3/31/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security
program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for
reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the
need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your
organization, sensitive information on vulnerable devices, and business context.
Watch this video for a quick overview of Threat & Vulnerability Management.
Next-generation capabilities
Threat & Vulnerability Management is built-in, real-time, cloud-powered, and fully integrated with the Microsoft
endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.
It is the first solution in the industry to bridge the gap between security administration and IT administration
during the remediation process. It does so by creating a security task or ticket through integration with Microsoft
Intune and Microsoft Endpoint Configuration Manager.
It provides the following solutions to frequently-cited gaps across security operations, security administration,
and IT administration workflows and communication.
Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
Linked machine vulnerability and security configuration assessment data in the context of exposure
discovery
Built-in remediation processes through Microsoft Intune and Configuration Manager
Real-time discovery
To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same
agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and
provides:
Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push
vulnerability and security configuration data to the dashboard.
Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software
changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with
actionable mitigation recommendations for 1st and 3rd party applications.
Application runtime context. Visibility on application usage patterns for better prioritization and decision-
making.
Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are
reported in the dashboard with actionable security recommendations.
Intelligence-driven prioritization
Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the
most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores,
Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that
need attention by fusing its security recommendations with dynamic threat and business context:
Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat
& Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus
on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest
risk.
Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR
insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an
active breach within the organization.
Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows
Threat & Vulnerability Management to identify the exposed machines with business-critical applications,
confidential data, or high-value users.
Seamless remediation
Microsoft Defender ATP's Threat & Vulnerability Management allows security administrators and IT
administrators to collaborate seamlessly to remediate issues.
Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and
Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in
Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT
security management platforms.
Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such
as configuration changes that can reduce risk associated with software vulnerabilities.
Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and
progress of remediation activities across the organization.
NOTE
Threat & Vulnerability Management can also assess machines that run the Windows 7 and Windows Server 2019 operating
systems and detects vulnerabilities addressed on Patch Tuesday.
Have the following mandatory updates installed and deployed in your network to boost your vulnerability
assessment detection rates:
Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using
Configuration Manager, update your console to the latest version.
Have at least one security recommendation that can be viewed in the machine page
Are tagged or marked as co-managed
Related topics
Supported operating systems and platforms
Threat & Vulnerability Management dashboard
Exposure score
Configuration score
Security recommendations
Remediation and exception
Software inventory
Weaknesses
Scenarios
APIs
Configure data access for Threat & Vulnerability Management roles
BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover,
prioritize, and remediate vulnerabilities in real time
Threat & Vulnerability Management supported
operating systems and platforms
4/9/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Before you begin, ensure that you meet the following operating system or platform requisites for Threat &
Vulnerability Management so the activities in your devices are properly accounted for.
Some of the above prerequisites might be different from the Minimum requirements for Microsoft Defender ATP
list.
Related topics
Threat & Vulnerability Management overview
Threat & Vulnerability Management dashboard
Exposure score
Configuration score
Security recommendations
Remediation and exception
Software inventory
Weaknesses
Scenarios
APIs
Configure data access for Threat & Vulnerability Management roles
Threat & Vulnerability Management dashboard
insights
4/9/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security
administrators and security operations teams with unique value, including:
Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
Invaluable machine vulnerability context during incident investigations
Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager
You can use the Threat & Vulnerability Management capability in Microsoft Defender Security Center to:
View exposure and configuration scores side-by-side with top security recommendations, software
vulnerability, remediation activities, and exposed machines
Correlate EDR insights with endpoint vulnerabilities and process them
Select remediation options, triage and track the remediation tasks
Select exception options and track active exceptions
NOTE
Machines that have not been active in the last 30 days are not factored into the data that reflects your organization's Threat &
Vulnerability Management exposure score and configuration score.
Watch this video for a quick overview of what is in the Threat & Vulnerability Management dashboard.
| Area | Description |
|---|---|
| Selected machine groups (#/#) | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by machine groups. What you select in the filter applies throughout the Threat & Vulnerability Management pages. |
| Exposure score | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. |
| Machine exposure distribution | See how many machines are exposed based on their exposure level. Select a section in the doughnut chart to go to the Machines list page and view the affected machine names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags. |
| Top security recommendations | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select Show more to see the rest of the security recommendations in the list or Show exceptions for the list of recommendations that have an exception. |
| Top vulnerable software | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or Show more to see the rest of the vulnerable software list in the Software inventory page. |
| Top remediation activities | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the Remediation page or select Show more to view the rest of the remediation activities, and active exceptions. |
| Top exposed machines | View exposed machine names and their exposure level. Select a machine name from the list to go to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machines. Select Show more to see the rest of the exposed machines list. |
From the machines list, you can manage tags, initiate automated investigations, initiate a live response session,
collect an investigation package, run an antivirus scan, restrict app execution, and isolate a machine.
See Microsoft Defender ATP icons for more information on the icons used throughout the portal.
Related topics
Threat & Vulnerability Management overview
Supported operating systems and platforms
Exposure score
Configuration score
Security recommendations
Remediation and exception
Software inventory
Weaknesses
Scenarios
APIs
Configure data access for Threat & Vulnerability Management roles
Exposure score
3/31/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Your Exposure score is visible in the Threat & Vulnerability Management dashboard of the Microsoft Defender
Security Center. It reflects how vulnerable your organization is to cybersecurity threats. A low exposure score
means your machines are less vulnerable to exploitation.
The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart give you a
visual indication of high cybersecurity threat exposure that you can investigate further.
How it works
Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how
exposed your machines are to imminent threats.
The exposure score is continuously calculated on each device in the organization and influenced by the following
factors:
Weaknesses, such as vulnerabilities discovered on the device
External and internal threats such as public exploit code and security alerts
Likelihood of the device to get breached given its current security posture
Value of the device to the organization given its role and content
The exposure score is broken down into the following levels:
0–29: low exposure score
30–69: medium exposure score
70–100: high exposure score
You can remediate the issues based on prioritized security recommendations to reduce the exposure score. Each
piece of software has weaknesses that are transformed into recommendations and prioritized based on risk to the
organization.
3. Select Installed machines and then the affected machine from the list. A flyout panel will open with the
relevant machine details, exposure and risk levels, alert and incident activities.
4. Click Open machine page to connect to the machine and apply the selected recommendation. See
Investigate machines in the Microsoft Defender ATP Machines list for details.
Related topics
Threat & Vulnerability Management overview
Supported operating systems and platforms
Threat & Vulnerability Management dashboard
Configuration score
Security recommendations
Remediation and exception
Software inventory
Weaknesses
Scenarios
APIs
Configure data access for Threat & Vulnerability Management roles
Configuration score
3/31/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
Secure score is now part of Threat & Vulnerability Management as Configuration score.
Your Configuration score is visible in the Threat & Vulnerability Management dashboard of the Microsoft
Defender Security Center. A higher configuration score means your endpoints are more resilient to
cybersecurity attacks. It reflects the collective security configuration state of your machines across the
following categories:
Application
Operating system
Network
Accounts
Security controls
Select a category to go to the Security recommendations page and view the relevant recommendations.
How it works
NOTE
Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support,
configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator
to verify the actual configuration status in case your organization is using Intune for secure configuration management.
The data in the configuration score card is the product of a meticulous and ongoing vulnerability discovery
process, aggregated with configuration discovery assessments that continuously:
Compare collected configurations to the collected benchmarks to discover misconfigured assets
Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction)
Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research
teams)
Collect and monitor changes of security control configuration state from all assets
3. Read the description to understand the context of the issue and what to do next. Select a due date, add
notes, and select Export all remediation activity data to CSV so you can attach it to an email for
follow-up.
4. Submit request . You will see a confirmation message that the remediation task has been created.
6. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the
remediation to propagate in the system.
7. Review the Configuration score card again on the dashboard. The number of security controls
recommendations will decrease. When you select Security controls to go back to the Security
recommendations page, the item that you have addressed will not be listed there anymore, and your
configuration score should increase.
IMPORTANT
To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy
them in your network:
19H1 customers | KB 4512941
RS5 customers | KB 4516077
RS4 customers | KB 4516045
RS3 customers | KB 4516071
To download the security updates:
1. Go to Microsoft Update Catalog.
2. Key-in the security update KB number that you need to download, then click Search .
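A check for the four mandatory updates listed above, selecting the right one from the machine's own OS build. This is an added example, not code from the original page or from Microsoft. The codename-to-build mapping (RS3 = version 1709, build 16299; RS4 = 1803, build 17134; RS5 = 1809, build 17763; 19H1 = 1903, build 18362) is not on the page and is stated here as the released build numbers. One caveat the page does not mention: Get-HotFix finds an update only by its own KB number, so a machine that already has a later cumulative update superseding the listed one reports "not found" even though it is covered; in that case compare the revision (UBR) shown with the KB's release notes before deploying anything.

```powershell
# Added example (not from the original page): pick the mandatory TVM update for this machine
# from its OS build and report whether it is installed.
# Build numbers: RS3 = 16299, RS4 = 17134, RS5 = 17763, 19H1 = 18362 (released builds, not from the page).

$script:RequiredKb = @{
    16299 = 'KB4516071'   # RS3 customers
    17134 = 'KB4516045'   # RS4 customers
    17763 = 'KB4516077'   # RS5 customers
    18362 = 'KB4512941'   # 19H1 customers
}

function Get-TvmMandatoryUpdateStatus {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = $cv.UBR                          # revision, e.g. 18362.329 -> UBR 329

    if (-not $script:RequiredKb.ContainsKey($build)) {
        return [pscustomobject]@{
            Build = "$build.$ubr"; RequiredKB = $null; Installed = $null
            Note  = 'Build is not one of RS3/RS4/RS5/19H1; no mandatory update listed for it'
        }
    }

    $kb  = $script:RequiredKb[$build]
    # Get-HotFix matches the KB ID only; a newer cumulative update that supersedes it is not
    # recognised here, so "Not found" needs a UBR comparison against the KB's release notes.
    $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    $installedOn = if ($hit) { $hit.InstalledOn } else { $null }
    $note = if ($hit) { 'Present' } else { 'Not found by ID; check whether a later cumulative update supersedes it' }

    [pscustomobject]@{
        Build       = "$build.$ubr"
        RequiredKB  = $kb
        Installed   = [bool]$hit
        InstalledOn = $installedOn
        Note        = $note
    }
}

Get-TvmMandatoryUpdateStatus
```

Run it through Invoke-Command against a collection of pilot machines to get a single table of which endpoints still need the update before you expect accurate vulnerability assessment data from them.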
Related topics
Threat & Vulnerability Management overview
Supported operating systems and platforms
Threat & Vulnerability Management dashboard
Exposure score
Security recommendations
Remediation and exception
Software inventory
Weaknesses
Scenarios
APIs
Configure data access for Threat & Vulnerability Management roles
Security recommendations
4/9/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations
and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate
vulnerabilities and drive compliance.
Each security recommendation includes an actionable remediation recommendation which can be pushed into
the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration
Manager. When the threat landscape changes, the recommendation also changes as it continuously collects
information from your environment.
How it works
Each machine in the organization is scored based on three important factors to help customers to focus on the
right things at the right time.
Threat - Characteristics of the vulnerabilities and exploits in your organization's devices and breach
history. Based on these factors, the security recommendations show the corresponding links to active
alerts, ongoing threat campaigns, and their corresponding threat analytics reports.
Breach likelihood - Your organization's security posture and resilience against threats
Business value - Your organization's assets, critical processes, and intellectual property
The top security recommendations list the improvement opportunities prioritized based on the important
factors mentioned above: threat, likelihood to be breached, and business value. Selecting a
recommendation takes you to the security recommendations page with more details about the
recommendation.
Investigate
Select the security recommendation that you want to investigate or process.
Request remediation
The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security
and IT administrators through the remediation request workflow. Security admins like you can ask the IT
Administrator to remediate a vulnerability directly from the Security recommendation pages; the request is sent to Intune.
Enable Microsoft Intune connection
To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center,
navigate to Settings > General > Advanced features. Scroll down and look for Microsoft Intune
connection. By default, the toggle is turned off. Turn your Microsoft Intune connection toggle On.
See Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP for details.
Remediation request steps
1. Select a security recommendation you would like to request remediation for, and then select
Remediation options.
2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes.
Select Submit request. Submitting a remediation request creates a remediation activity item within
Threat & Vulnerability Management, which can be used for monitoring the remediation progress for this
recommendation. This will not trigger a remediation or apply any changes to machines.
3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject
the request and start a package deployment.
4. Go to the Remediation page to view the status of your remediation request.
If you want to check how the ticket shows up in Intune, see Use Intune to remediate vulnerabilities identified by
Microsoft Defender ATP for details.
NOTE
If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to
Intune.
Report inaccuracy
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security
recommendation information.
1. Open the Security recommendation.
2. Select the three dots beside the security recommendation that you want to report, then select Report
inaccuracy.
3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email
address, and details regarding the inaccuracy.
4. Select Submit. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
Related topics
Threat & Vulnerability Management overview
Supported operating systems and platforms
Threat & Vulnerability Management dashboard
Exposure score
Configuration score
Remediation and exception
Software inventory
Weaknesses
Scenarios
APIs
Configure data access for Threat & Vulnerability Management roles
Remediation activities and exceptions
4/6/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
To use this capability, enable your Microsoft Intune connections. Navigate to Settings > General > Advanced
features. Scroll down and look for Microsoft Intune connection. By default, the toggle is turned off. Turn your
Microsoft Intune connection toggle on.
After your organization's cybersecurity weaknesses are identified and mapped to actionable security
recommendations, start creating security tasks through the integration with Microsoft Intune where remediation
tickets are created.
Lower your organization's exposure from vulnerabilities and increase your security configuration by
remediating the security recommendations.
Exceptions
When you file for an exception from the Security recommendations page, you create an exception for that
security recommendation. You can file exceptions to exclude certain recommendations from showing up in
reports and affecting your configuration score.
The exceptions you've filed will show up in the Remediation page, in the Exceptions tab. You can filter your
view based on exception justification, type, and status.
Related topics
Threat & Vulnerability Management overview
Supported operating systems and platforms
Threat & Vulnerability Management dashboard
Exposure score
Configuration score
Security recommendations
Software inventory
Weaknesses
Scenarios
APIs
Configure data access for Threat & Vulnerability Management roles
Software inventory
4/9/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
The discovery capability of Microsoft Defender ATP Threat & Vulnerability Management is shown on the Software
inventory page. The software inventory includes the name of the product or vendor, its latest version,
and the number of weaknesses and vulnerabilities detected with it.
How it works
Discovery uses the same set of signals that is responsible for detection and
vulnerability assessment in the Microsoft Defender ATP endpoint detection and response capabilities.
Because it is real-time, you will see vulnerability information within minutes of its discovery. The
engine automatically gathers information from multiple security feeds, so you will also see whether a particular
piece of software is connected to a live threat campaign. It also provides a link to a Threat Analytics report as soon as it's
available.
Software pages
Once you are in the Software inventory page and have opened the flyout panel by selecting a software to
investigate, select Open software page (see image in the previous section). A full page will appear with all the
details of a specific software and the following information:
Side panel with vendor information, prevalence of the software in the organization (including number of
machines it is installed on, and exposed machines that are not patched), whether an exploit is available, and
impact to your exposure score
Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also,
graphs of the number of exposed machines
Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities
identified, the named CVEs of discovered vulnerabilities, the names of the machines that the software is
installed on, and the specific versions of the software with the number of machines that have each version
installed and number of vulnerabilities.
Software evidence
We now show evidence of where a specific piece of software was detected on a machine: in the registry, on disk, or
both. You can find it on any machine in the Machines list, in a section called "Software Evidence."
From the Microsoft Defender Security Center navigation panel, go to Machines list > select the name of a
machine to open the machine page (like Computer1) > select the Software inventory tab > select the software
name to open the flyout and view software evidence.
Report inaccuracy
You can report a false positive when you see any vague, inaccurate (for example, a wrong version), incomplete, or already remediated
software inventory information.
1. Open the software flyout on the Software inventory page.
2. Select Report inaccuracy.
3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address,
and details regarding the inaccuracy.
4. Select Submit. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
Related topics
Threat & Vulnerability Management overview
Supported operating systems and platforms
Threat & Vulnerability Management dashboard
Exposure score
Configuration score
Security recommendations
Remediation and exception
Weaknesses
Scenarios
APIs
Configure data access for Threat & Vulnerability Management roles
Weaknesses
4/9/2020 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Threat & Vulnerability Management uses the same signals as Microsoft Defender ATP's endpoint protection
to scan for and detect vulnerabilities.
The Weaknesses page lists the vulnerabilities found in the vulnerable software running in your organization,
showing the Common Vulnerabilities and Exposures (CVE) ID, the severity, the Common Vulnerability Scoring
System (CVSS) rating, the prevalence in your organization, and the corresponding breach and threat insights.
IMPORTANT
To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and
deploy them in your network:
19H1 customers | KB 4512941
RS5 customers | KB 4516077
RS4 customers | KB 4516045
RS3 customers | KB 4516071
3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits
available, severity level, CVSS v3 rating, publishing and update dates.
To see the rest of the vulnerabilities in the Weaknesses page, type CVE, then click search.
Weaknesses overview
If the Exposed Machines column shows 0, that means you are not at risk. If exposed machines exist, the next
step is to remediate the vulnerabilities in those machines to reduce the risk to your assets and organization.
NOTE
Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the
threat insight icon and the breach insight icon.
The breach insights icon is highlighted if there is a vulnerability found in your organization.
The threat insights icon is highlighted if there are associated exploits for the vulnerability found in your
organization. It also shows whether the threat is part of an exploit kit or connected to specific advanced
persistent campaigns or activity groups. Links to Threat Analytics reports are provided, which you can read for zero-day
exploitation news, disclosures, or related security advisories.
View Common Vulnerabilities and Exposures (CVE) entries in other places
Top vulnerable software in the dashboard
1. Go to the Threat & Vulnerability Management dashboard and scroll down to the Top vulnerable software
widget. You will see the number of vulnerabilities found in each software along with threat information and a
high-level view of the device exposure trend over time.
2. Select the software that you want to investigate to go to a drill-down page.
3. Select the Discovered vulnerabilities tab.
4. Select the vulnerability that you want to investigate. A flyout panel will appear with the vulnerability details,
such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish and update dates.
5. Select the vulnerability that you want to investigate to open a flyout panel with the CVE details, such as:
vulnerability description, threat insights, and detection logic.
CVE Detection logic
Similar to the software evidence, we now show the detection logic we applied on a machine in order to state that
it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the machine page)
that shows the detection logic and source.
Report inaccuracy
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security
recommendation information.
1. Open the CVE on the Weaknesses page.
2. Select Report inaccuracy.
3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address,
and details regarding the inaccuracy.
4. Select Submit. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
Related topics
Threat & Vulnerability Management overview
Supported operating systems and platforms
Threat & Vulnerability Management dashboard
Exposure score
Configuration score
Security recommendations
Remediation and exception
Software inventory
Scenarios
APIs
Configure data access for Threat & Vulnerability Management roles
Threat & Vulnerability Management scenarios
4/9/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
APIs
Threat and Vulnerability Management supports multiple APIs. Microsoft Defender Advanced Threat Protection
(ATP) Threat & Vulnerability Management APIs are soon to be generally available. See the following topics for
related APIs:
Supported Microsoft Defender ATP APIs
Machine APIs
Recommendation APIs
Score APIs
Software APIs
Vulnerability APIs
Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit
1. Go to Advanced hunting from the left-hand navigation pane of the Microsoft Defender Security Center.
2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names.
3. Enter the following query:
// Search for machines with High active alerts or Critical CVE public exploit
DeviceTvmSoftwareInventoryVulnerabilities
| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
| where IsExploitAvailable == 1 and CvssScore >= 7
| summarize NumOfVulnerabilities=dcount(CveId),
DeviceName=any(DeviceName) by DeviceId
| join kind=inner(DeviceAlertEvents) on DeviceId
| summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
DeviceName=any(DeviceName) by DeviceId, AlertId
| project DeviceName, NumOfVulnerabilities, AlertId
| order by NumOfVulnerabilities desc
3. You will see a list of recommendations related to software that is end of support, software versions that are
end of support, or upcoming end of support versions. These tags are also visible in the software inventory
page.
3. Select one of the versions in the table to open. For example, version 3.5.2150.0. A flyout will appear with
the end of support date.
After you have identified which software and software versions are vulnerable due to their end-of-support status,
remediate them to lower your organization's exposure to vulnerabilities and advanced persistent threats. See
Remediation and exception for details.
Related topics
Threat & Vulnerability Management overview
Supported operating systems and platforms
Threat & Vulnerability Management dashboard
Exposure score
Configuration score
Security recommendations
Remediation and exception
Software inventory
Weaknesses
APIs
Configure data access for Threat & Vulnerability Management roles
Advanced hunting overview
All advanced hunting tables
Overview of attack surface reduction
3/24/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats
and attacks. Use the following resources to configure protection for the devices and applications in your
organization.
Article | Description
Hardware-based isolation | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
Application control | Use application control so that your applications must earn trust in order to run.
Exploit protection | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
Web protection | Secure your machines against web threats and help you regulate unwanted content.
Controlled folder access | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus)
Attack surface reduction FAQ | Frequently asked questions about Attack surface reduction rules, licensing, and more.
Evaluate attack surface reduction rules
3/24/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or
networks. Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows
Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your
organization.
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working
and see how it works.
TIP
If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management
tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main
Attack surface reduction rules topic.
Related topics
Reduce attack surfaces with attack surface reduction rules
Use audit mode to evaluate Windows Defender
Attack surface reduction FAQ
Configure attack surface reduction
2/7/2020 • 2 minutes to read
You can configure attack surface reduction with a number of tools, including:
Microsoft Intune
Microsoft Endpoint Configuration Manager
Group Policy
PowerShell cmdlets
The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the
applicable configuration tool (or tools).
In this section
Topic | Description
Enable hardware-based isolation for Microsoft Edge | How to prepare for and install Application Guard, including hardware and software requirements
Enable application control | How to control applications run by users and protect kernel mode processes
Network protection | How to prevent users from using any apps to access dangerous domains
Controlled folder access | How to protect valuable data from malicious apps
Attack surface reduction | How to prevent actions and apps that are typically used by exploit-seeking malware
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Is attack surface reduction (ASR) part of Windows?
ASR was originally a feature of the suite of exploit guard features introduced as a major update to Windows
Defender Antivirus, in Windows 10 version 1709. Windows Defender Antivirus is the native antimalware
component of Windows. However, please note that the full ASR feature-set is only available with a Windows
enterprise license. Also note that ASR rule exclusions are managed separately from Windows Defender Antivirus
exclusions.
Do I need to have an enterprise license to run ASR rules?
The full set of ASR rules and features are only supported if you have an enterprise license for Windows 10. A
limited number of rules may work without an enterprise license, if you have Microsoft 365 Business, set Windows
Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR
usage without an enterprise license is not officially supported and the full feature-set of ASR will not be available.
Is ASR supported if I have an E3 license?
Yes. ASR is supported for Windows Enterprise E3 and above. See Use attack surface reduction rules in Windows 10
Enterprise E3 for more details.
Which features are supported with an E5 license?
All of the rules supported with E3 are also supported with E5.
E5 also added greater integration with Microsoft Defender ATP. With E5, you can use Microsoft Defender ATP to
monitor and review analytics on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of
event reports.
What are the currently supported ASR rules?
ASR currently supports all of the rules below:
Block executable content from email client and webmail
Block all Office applications from creating child processes
Block Office applications from creating executable content
Block Office applications from injecting code into other processes
Block JavaScript or VBScript from launching downloaded executable content
Block execution of potentially obfuscated scripts
Block Win32 API calls from Office macro
Use advanced protection against ransomware
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block process creations originating from PSExec and WMI commands
Block untrusted and unsigned processes that run from USB
Block executable files from running unless they meet a prevalence, age, or trusted list criteria
Block Office communication applications from creating child processes
Block Adobe Reader from creating child processes
Block persistence through WMI event subscription
What are some good recommendations for getting started with ASR?
It is generally best to first test how ASR rules will impact your organization before enabling them, by running them
in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-
of-business applications that might get blocked erroneously, and exclude them from ASR.
Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in
increasingly-broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a
Group Policy management tool.
How long should I test an ASR rule in audit mode before enabling it?
You should keep the rule in audit mode for about 30 days. This amount of time gives you a good baseline for how
the rule will operate once it goes live throughout your organization. During the audit period, you can identify any
line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an
"easy" way to export rules from another security solution to ASR?
Rather than attempting to import sets of rules from another security solution, it is, in most cases, easier and safer
to start with the baseline recommendations suggested for your organization by Microsoft Defender ATP, then use
tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. The
default configuration for most ASR rules, combined with Defender's real-time protection, will protect against a
large number of exploits and vulnerabilities.
From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block
certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder
exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-
business applications that might get blocked.
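The audit-then-exclude workflow from the getting-started and audit-period answers above, as an added example that is not Microsoft's code or part of this page. It assumes the Defender Antivirus cmdlets Add-MpPreference and Get-MpPreference, a constructed placeholder path for the line-of-business app, and Defender's event ID 1122 for audit-mode ASR events; the rule GUIDs are the two listed on this page.

```powershell
# Added example (not from this Microsoft docs page): stage ASR rules in audit mode,
# exclude a line-of-business app found during the audit, then review what the rules
# would have blocked. Run in an elevated PowerShell session on Windows 10 with
# Windows Defender Antivirus active.

# Rule name -> GUID (both GUIDs appear on this page).
$AsrRules = @{
    'Block JavaScript or VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block execution of potentially obfuscated scripts'                          = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
}

# 1. Put each rule into audit mode for the baseline period (the FAQ suggests about 30 days).
#    Add-MpPreference merges with rules already configured rather than replacing them.
foreach ($rule in $AsrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Write-Host "Audit mode: $($rule.Key)"
}

# 2. Exclude a line-of-business app identified during the audit. The path is a constructed
#    placeholder. Per this page, file and folder exclusions do not apply to the js/vbs
#    downloaded-payload rule (D3E037E1...), so this exclusion only affects the other rule.
$LobApp = 'C:\Program Files\Contoso\LobApp\LobApp.exe'   # placeholder, not a real product path
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $LobApp

# 3. Show the resulting configuration. Ids and Actions are parallel arrays;
#    action codes: 0 = Disabled, 1 = Block, 2 = Audit.
$pref = Get-MpPreference
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        Action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { $code }
    }
}
'Exclusions: ' + ($pref.AttackSurfaceReductionOnlyExclusions -join '; ')

# 4. Summarize audit hits from the local Defender operational log so noisy
#    line-of-business apps stand out before the rules go to block mode.
#    Event ID 1122 is the ASR audit-mode event (1121 is block mode); parsing the
#    'ID:' and 'Path:' fields out of the message text is an assumption about its layout.
$audit = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1122
} -ErrorAction SilentlyContinue

$audit | ForEach-Object {
    $ruleId = if ($_.Message -match 'ID:\s*([0-9A-Fa-f-]{36})') { $matches[1] } else { 'unknown' }
    $path   = if ($_.Message -match 'Path:\s*([^\r\n]+)')       { $matches[1].Trim() } else { 'unknown' }
    [pscustomobject]@{ RuleId = $ruleId; Path = $path }
} |
    Group-Object RuleId, Path |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Paths that show up repeatedly in step 4 for a trusted application are the candidates for the exclusion in step 2; anything else that appears is worth investigating before the rule is switched from AuditMode to Enabled.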
Does ASR support file or folder exclusions that include system variables and wildcards in the path?
Yes. See Excluding files and folders from ASR rules for more details on excluding files or folders from ASR rules,
and Configure and validate exclusions based on file extension and folder location for more on using system
variables and wildcards in excluded file paths.
Do ASR rules cover all applications by default?
It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word,
Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as Block execution of potentially obfuscated
scripts, are more general in scope.
Does ASR support third-party security solutions?
ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another
security solution for blocking at this time.
I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it
possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?
Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft
Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search
box. You can also view ASR events by visiting Go to attack surface management , from the Configuration
management icon in the Security Center taskbar. The attack surface management page includes a tab for report
detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP.
I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft
Outlook, I get a message stating, 'Access denied'.
Try opening the indexing options directly from Windows 10.
1. Select the Search icon on the Windows taskbar.
2. Enter Indexing options into the search box.
Are the criteria used by the rule, Block executable files from running unless they meet a prevalence,
age, or trusted list criterion, configurable by an admin?
No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly
up-to-date with data gathered from around the world. Local admins do not have write access to alter this data. If
you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the
exclusions list to prevent the rule from being triggered.
I enabled the ASR rule, Block executable files from running unless they meet a prevalence, age, or
trusted list criterion. After some time, I updated a piece of software, and the rule is now blocking it,
even though it didn't before. Did something go wrong?
This rule relies upon each application having a known reputation, as measured by prevalence, age, or inclusion on a
list of trusted apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud
protection's assessment of these criteria.
Usually, cloud protection can determine that a new version of an application is similar enough to previous versions
that it does not need to be re-assessed at length. However, it might take some time for the app to build reputation
after switching versions, particularly after a major update. In the meantime, you can add the application to the
exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and
working with very new versions of applications, you may opt instead to run this rule in audit mode.
I recently enabled the ASR rule, Block credential stealing from the Windows local security authority
subsystem (lsass.exe), and I am getting a large number of notifications. What is going on?
A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful
for blocking malicious activity, since malware often targets lsass.exe to gain illicit access to accounts. The lsass.exe
process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate
users and apply local security policies.
Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can
be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of
notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively small number of
notifications in comparison to this one, since calling on lsass.exe is typical of many applications' normal
functioning.
Is it a good idea to enable the rule, Block credential stealing from the Windows local security
authority subsystem (lsass.exe), alongside LSA protection?
Enabling this rule will not provide additional protection if you have LSA protection enabled as well. Both the rule
and LSA protection work in much the same way, so having both running at the same time would be redundant.
However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to
provide equivalent protection against malware that targets lsass.exe.
Related topics
Attack surface reduction overview
Evaluate attack surface reduction rules
Customize attack surface reduction rules
Enable attack surface reduction rules
Compatibility of Microsoft Defender with other antivirus/antimalware
Reduce attack surfaces with attack surface reduction rules
4/3/2020 • 13 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Your attack surface is the total number of places where an attacker could compromise your organization's
devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks.
Attack surface reduction rules target software behaviors that are often abused by attackers, such as:
Launching executable files and scripts that attempt to download or run files
Running obfuscated or otherwise suspicious scripts
Performing behaviors that apps don't usually initiate during normal day-to-day work
These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they
are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors
and help keep your organization safe.
Use audit mode to evaluate how attack surface reduction rules would impact your organization if they were
enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business
applications. Many line-of-business applications are written with limited security concerns, and they may
perform tasks in ways that seem similar to malware. By monitoring audit data and adding exclusions for
necessary applications, you can deploy attack surface reduction rules without impacting productivity.
Whenever a rule is triggered, a notification will be displayed on the device. You can customize the notification
with your company details and contact information. The notification also displays within the Microsoft Defender
Security Center and the Microsoft 365 security center.
For more information about configuring attack surface reduction rules, see Enable attack surface reduction rules.
To review the events that attack surface reduction rules generate in the Microsoft Defender Security Center, use advanced hunting with a query such as:
DeviceEvents
| where ActionType startswith 'Asr'
The "engine version" listed for attack surface reduction events in the event log is generated by Microsoft
Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this
feature works on all devices with Windows 10 installed.
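Devices licensed for E3 rather than E5 do not get the portal reporting, and even with E5 it is useful to inspect audit-mode hits on a single device before promoting a rule to block. The following PowerShell is an added example, not code from the original article: it reads the Defender operational log, tallies rule hits per rule and mode using the rule GUIDs listed in this article, and lists the paths most often flagged in audit mode (the exclusion candidates). It assumes the 1121/1122 event messages carry the rule GUID in an "ID:" field and the process in a "Path:" field; run it in an elevated session.

```powershell
# Added example (not from the original article): summarise attack surface
# reduction events on the local device from the Defender operational log.
# Event IDs: 1121 = rule fired in block mode, 1122 = rule fired in audit mode
# (5007 records a Defender settings change, useful to spot rule changes).
# Run in an elevated PowerShell session; reading this log needs admin rights.

# Rule GUIDs and names as listed in this article. Unknown GUIDs are printed as-is.
$RuleNames = @{
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables that do not meet a prevalence, age, or trusted list criterion'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No ASR block or audit events in the last 7 days.'
    return
}

$guidPattern = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

$rows = foreach ($e in $events) {
    # Assumption: the 1121/1122 message text carries the rule GUID in its "ID:" line
    # and the offending process in its "Path:" line.
    $ruleId = if ($e.Message -match $guidPattern) { $Matches[0].ToLower() } else { 'unknown' }
    $path   = if ($e.Message -match '(?m)^\s*Path:\s*(.+?)\s*$') { $Matches[1] } else { '' }
    [pscustomobject]@{
        Time = $e.TimeCreated
        Mode = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        Rule = if ($RuleNames.ContainsKey($ruleId)) { $RuleNames[$ruleId] } else { $ruleId }
        Path = $path
    }
}

# Hits per rule and mode: the audit rows show what block mode would have stopped.
$rows | Group-Object Rule, Mode |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Rule / Mode'; e = { $_.Name } } |
    Format-Table -AutoSize

# Paths most often flagged in audit mode: review these before adding exclusions.
$rows | Where-Object { $_.Mode -eq 'Audit' -and $_.Path } |
    Group-Object Path | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize
```

A path that appears frequently in audit mode is not automatically safe to exclude; as the LSASS rule's note below points out, some legitimate software trips rules by design, so check the process against its publisher and expected behaviour before excluding it, and remember that an exclusion removes both the block and the event.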
IMPORTANT
File and folder exclusions don't apply to this attack surface reduction rule.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration
Manager CB 1710
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content
GUID: D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts
This rule detects suspicious properties within an obfuscated script.
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide
intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious
code harder to read, which prevents close scrutiny by humans and security software.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration
Manager CB 1710
Intune name: Obfuscated js/vbs/ps/macro code
Configuration Manager name: Block execution of potentially obfuscated scripts.
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macros
This rule prevents VBA macros from calling Win32 APIs.
Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as calling Win32
APIs to launch malicious shellcode without writing anything directly to disk. Most organizations don't rely on the
ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration
Manager CB 1710
Intune name: Win32 imports from Office macro code
Configuration Manager name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in
a trusted list or an exclusion list:
Executable files (such as .exe, .dll, or .scr)
Launching untrusted or unknown executable files can be risky, as it may not be initially clear whether the files are
malicious.
NOTE
You must enable cloud-delivered protection to use this rule.
IMPORTANT
The rule Block executable files from running unless they meet a prevalence, age, or trusted list criterion
with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses
cloud-delivered protection to update its trusted list regularly.
You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which
rules the exclusions apply to.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration
Manager CB 1802
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted
list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system
to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from
running, unless they're in a trusted list or an exclusion list.
NOTE
You must enable cloud-delivered protection to use this rule.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration
Manager CB 1802
Intune name: Advanced ransomware protection
Configuration Manager name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem
This rule helps prevent credential stealing by locking down the Local Security Authority Subsystem Service (LSASS).
LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows
10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable
Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or
other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like
Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
NOTE
In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This
rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of
noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log
entry doesn't necessarily indicate a malicious threat.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration
Manager CB 1802
Intune name: Flag credential stealing from the Windows local security authority subsystem
Configuration Manager name: Block credential stealing from the Windows local security authority subsystem
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands
This rule blocks processes created through PsExec and WMI from running. Both PsExec and WMI can remotely
execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to
spread an infection throughout an organization's network.
WARNING
Only use this rule if you're managing your devices with Intune or another MDM solution. This rule is incompatible with
management through Microsoft Endpoint Configuration Manager because this rule blocks WMI commands the
Configuration Manager client uses to function correctly.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019
Intune name: Process creation from PSExec and WMI commands
Configuration Manager name: Not applicable
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable
drives, including SD cards. Blocked file types include:
Executable files (such as .exe, .dll, or .scr)
Script files (such as a PowerShell .ps1, VBScript .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration
Manager CB 1802
Intune name: Untrusted and unsigned processes that run from USB
Configuration Manager name: Block untrusted and unsigned processes that run from USB
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication application from creating child processes
This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in
Outlook. It also protects against Outlook rules and forms exploits that attackers can use when a user's
credentials are compromised.
NOTE
This rule applies to Outlook and Outlook.com only.
This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
Intune name: Process creation from Office communication products (beta)
Configuration Manager name: Not yet available
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes
This rule prevents attacks by blocking Adobe Reader from creating additional processes.
Through social engineering or exploits, malware can download and launch additional payloads and break out of
Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it
as a vector is prevented from spreading.
This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
Intune name: Process creation from Adobe Reader (beta)
Configuration Manager name: Not yet available
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block persistence through WMI event subscription
This rule prevents malware from abusing WMI to attain persistence on a device.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic
execution control. Some threats can abuse the WMI repository and event model to stay hidden.
This rule was introduced in: Windows 10 1903, Windows Server 1903
Intune name: Block persistence through WMI event subscription
Configuration Manager name: Not yet available
GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
Related topics
Attack surface reduction FAQ
Enable attack surface reduction rules
Evaluate attack surface reduction rules
Compatibility of Microsoft Defender with other antivirus/antimalware
Enable attack surface reduction rules
3/24/2020
Attack surface reduction rules help prevent actions that malware often abuses to compromise devices and
networks. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803
or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
Each ASR rule contains three settings:
Not configured: Disable the ASR rule
Block: Enable the ASR rule
Audit: Evaluate how the ASR rule would impact your organization if enabled
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you
can take advantage of the advanced monitoring and reporting capabilities available in Microsoft Defender
Advanced Threat Protection (Microsoft Defender ATP). These advanced capabilities aren't available with an E3
license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
You can enable attack surface reduction rules by using any of these methods:
Microsoft Intune
Mobile Device Management (MDM)
Microsoft Endpoint Configuration Manager
Group Policy
PowerShell
Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended.
Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
WARNING
Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and
no report or event will be recorded.
If ASR rules are detecting files that you believe shouldn't be detected, you should use audit mode first to test the rule.
IMPORTANT
File and folder exclusions do not apply to the following ASR rules:
Block process creations originating from PSExec and WMI commands
Block JavaScript or VBScript from launching downloaded executable content
You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't
specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service
starts. For example, if you add an exclusion for an update service that is already running, the update service will
continue to trigger events until the service is stopped and restarted.
ASR rules support environment variables and wildcards. For information about using wildcards, see Use
wildcards in the file name and folder path or extension exclusion lists.
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
Intune
1. Select Device configuration > Profiles . Choose an existing endpoint protection profile or create a new
one. To create a new one, select Create profile and enter information for this profile. For Profile type ,
select Endpoint protection . If you've chosen an existing profile, select Properties and then select
Settings .
2. In the Endpoint protection pane, select Windows Defender Exploit Guard , then select Attack
Surface Reduction . Select the desired setting for each ASR rule.
3. Under Attack Surface Reduction exceptions , you can enter individual files and folders, or you can
select Import to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the
CSV file should be in the following format:
C:\folder, %ProgramFiles%\folder\file, C:\path
4. Select OK on the three configuration panes and then select Create if you're creating a new endpoint
protection file or Save if you're editing an existing one.
MDM
Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules configuration service provider
(CSP) to individually enable and set the mode for each rule.
The following is a sample for reference, using GUID values for ASR rules.
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
The values to enable, disable, or enable in audit mode are:
Disable = 0
Block (enable ASR rule) = 1
Audit = 2
Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions configuration service
provider (CSP) to add exclusions.
Example:
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
Value: c:\path|e:\path|c:\Whitelisted.exe
NOTE
Be sure to enter OMA-URI values without spaces.
Microsoft Endpoint Configuration Manager
1. In Microsoft Endpoint Configuration Manager, click Assets and Compliance > Endpoint Protection >
Windows Defender Exploit Guard .
2. Click Home > Create Exploit Guard Policy .
3. Enter a name and a description, click Attack Surface Reduction , and click Next .
4. Choose which rules will block or audit actions and click Next .
5. Review the settings and click Next to create the policy.
6. After the policy is created, click Close .
Group Policy
WARNING
If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management
platform, the management software will overwrite any conflicting Group Policy settings on startup.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Attack surface reduction .
4. Select Configure Attack surface reduction rules and select Enabled . You can then set the individual
state for each rule in the options section:
Click Show... and enter the rule ID in the Value name column and your desired state in the Value
column as follows:
Disable = 0
Block (enable ASR rule) = 1
Audit = 2
5. To exclude files and folders from ASR rules, select the Exclude files and paths from Attack surface
reduction rules setting and set the option to Enabled . Click Show and enter each file or folder in the
Value name column. Enter 0 in the Value column for each item.
PowerShell
WARNING
If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management
platform, the management software will overwrite any conflicting PowerShell settings on startup.
1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator .
2. Enter the following cmdlet:
You can also use the Add-MpPreference cmdlet to add new rules to the existing list.
WARNING
Set-MpPreference will always overwrite the existing set of rules. If you want to add to the existing set, you should
use Add-MpPreference instead. You can obtain a list of rules and their current state by using Get-MpPreference.
3. To exclude files and folders from ASR rules, use the following cmdlet:
IMPORTANT
Use Add-MpPreference to append or add apps to the list. Using the Set-MpPreference cmdlet will overwrite the
existing list.
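The following script is an added example, not code from the original article, that carries the PowerShell procedure above through end to end on one device: it puts three rules (GUIDs as listed in the previous article) into audit mode with Add-MpPreference so existing rules are kept, adds a single exclusion, reads the state back from Get-MpPreference, and finally promotes one rule to block mode. The excluded path is an assumed line-of-business application; substitute your own. Run it as administrator, and expect Intune or Configuration Manager to overwrite it on startup on managed devices.

```powershell
# Added example (not from the original article): audit-first ASR rollout on one device.
# Run as administrator. Enterprise management (Intune, Configuration Manager) overwrites
# these settings on startup, so use this on evaluation or unmanaged devices.

# Rules to evaluate, GUIDs as listed in the previous article.
$rules = @(
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'  # Block execution of potentially obfuscated scripts
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'  # Block Win32 API calls from Office macros
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'  # Block credential stealing from LSASS
)

# Add-MpPreference appends to the current list; Set-MpPreference would replace it.
# One action per rule, matched by position: Disabled, Enabled (block) or AuditMode.
$actions = $rules | ForEach-Object { 'AuditMode' }
Add-MpPreference -AttackSurfaceReductionRules_Ids $rules -AttackSurfaceReductionRules_Actions $actions

# Exclusion for an assumed line-of-business app (adjust the path to your environment).
# Exclusions apply to every rule that honours them, not to one rule, and take effect
# only when the excluded process next starts.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Contoso\LobApp.exe'

# Read the state back. Actions are reported numerically: 0 = Disabled, 1 = Block, 2 = Audit.
$pref = Get-MpPreference
$modeName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
'Rule state:'
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
    $mode = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    '  {0}  {1}' -f $id, $modeName[$mode]
}
'Exclusions:'
$pref.AttackSurfaceReductionOnlyExclusions | ForEach-Object { "  $_" }

# After reviewing the audit events, promote a rule to block mode by adding the same
# GUID again with the new action, then re-read Get-MpPreference to confirm.
Add-MpPreference -AttackSurfaceReductionRules_Ids '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' `
                 -AttackSurfaceReductionRules_Actions Enabled
(Get-MpPreference).AttackSurfaceReductionRules_Actions
```

Keep the GUID-to-name mapping you used for the rollout next to the script: Get-MpPreference reports only GUIDs and numeric actions, so without it a reviewer cannot tell which rule is still in audit mode.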
Related topics
Reduce attack surfaces with attack surface reduction rules
Evaluate attack surface reduction
Attack surface reduction FAQ
Enable cloud-delivered protection
Customize attack surface reduction rules
3/24/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Attack surface reduction rules help prevent software behaviors that are often abused to compromise your device
or network. For example, an attacker might try to run an unsigned script from a USB drive, or have a macro in an
Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of
risky behaviors and improve your organization's defensive posture.
Learn how to customize attack surface reduction rules by excluding files and folders or adding custom text to the
notification alert that appears on a user's computer.
Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server,
version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. You can use Group Policy, PowerShell,
and MDM CSPs to configure these settings.
WARNING
This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the
protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run,
and there will be no report or event recorded.
An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully
qualified domain name for a resource, but you cannot limit an exclusion to a specific rule.
An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion
for an update service that is already running, the update service will continue to trigger events until the service is
stopped and restarted.
Attack surface reduction supports environment variables and wildcards. For information about using wildcards,
see Use wildcards in the file name and folder path or extension exclusion lists. If you are encountering problems
with rules detecting files that you believe should not be detected, you should use audit mode to test the rule.
Rule: Block untrusted and unsigned processes that run from USB (GUID b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4)
See the attack surface reduction topic for details on each rule.
Use Group Policy to exclude files and folders
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Attack surface reduction .
4. Double-click the Exclude files and paths from Attack surface reduction Rules setting and set the
option to Enabled . Click Show and enter each file or folder in the Value name column. Enter 0 in the
Value column for each item.
Use PowerShell to exclude files and folders
1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator
2. Enter the following cmdlet:
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
IMPORTANT
Use Add-MpPreference to append or add apps to the list. Using the Set-MpPreference cmdlet will overwrite the existing
list.
Related topics
Reduce attack surfaces with attack surface reduction rules
Enable attack surface reduction rules
Evaluate attack surface reduction rules
Attack surface reduction FAQ
Hardware-based isolation in Windows 10
8/9/2019
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender
ATP.
Windows Defender Application Guard: Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard’s secure container, keeping the desktop PC protected and the attacker away from your enterprise data.
Windows Defender System Guard: System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation.
Application Guard testing scenarios
4/8/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
NOTE
Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However,
subsequent starts should occur without any perceivable delays.
4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge
window, making sure you see the Application Guard visual cues.
Application Guard in Enterprise-managed mode
How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode.
Install, set up, and turn on Application Guard
Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version
1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
1. Install Application Guard.
2. Restart the device and then start Microsoft Edge.
3. Set up the Network Isolation settings in Group Policy:
a. Click on the Windows icon, type Group Policy, and then click Edit Group Policy .
b. Go to the Administrative Templates\Network\Network Isolation\Enterprise resource domains
hosted in the cloud setting.
c. For the purposes of this scenario, type .microsoft.com into the Enterprise cloud resources box.
d. Go to the Administrative Templates\Network\Network Isolation\Domains categorized as both
work and personal setting.
e. For the purposes of this scenario, type bing.com into the Neutral resources box.
4. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode
setting.
5. Click Enabled , choose Option 1 , and click OK .
NOTE
Enabling this setting verifies that all the necessary settings are properly configured on your employee devices,
including the network isolation settings set earlier in this scenario.
3. Based on the list provided in the setting, choose the number that best represents what type of printing
should be available to your employees. You can allow any combination of local, network, PDF, and XPS
printing.
4. Click OK .
Data persistence options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow data persistence for Windows Defender Application Guard
setting.
2. Click Enabled and click OK .
3. Open Microsoft Edge and browse to an untrusted, but safe URL.
The website opens in the isolated session.
4. Add the site to your Favorites list and then close the isolated session.
5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
The previously added site should still appear in your Favorites list.
NOTE
If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container
triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the
data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across
container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host
PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-
provided utility to reset the container and to discard any personal data.
Applies to:
Windows 10 Enterprise edition, version 1803
Windows 10 Professional edition, version 1803
Download options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow files to download and save to the host operating system
from Windows Defender Application Guard setting.
2. Click Enabled and click OK .
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Download a file from Windows Defender Application Guard.
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
Hardware acceleration options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender
Application Guard setting.
2. Click Enabled and click OK .
3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with
video, 3D, or other graphics-intensive content. The website opens in an isolated session.
4. Assess the visual experience and battery performance.
Applies to:
Windows 10 Enterprise edition, version 1809
Windows 10 Professional edition, version 1809
File trust options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow users to trust files that open in Windows Defender
Application Guard setting.
2. Click Enabled , set Options to 2, and click OK .
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open a file in Edge, such as an Office 365 file.
5. Check to see that an antivirus scan completed before the file was opened.
Camera and microphone options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow camera and microphone access in Windows Defender
Application Guard setting.
2. Click Enabled and click OK .
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open an application with video or audio capability in Edge.
5. Check that the camera and microphone work as expected.
Root certificate sharing options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow Windows Defender Application Guard to use Root
Certificate Authorities from the user's device setting.
2. Click Enabled , copy the thumbprint of each certificate to share, separated by a comma, and click OK .
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
Windows Defender Application Guard overview
1/29/2020
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging
attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy
the playbook that attackers use by making current attack methods obsolete.
Related articles
Article: Description
System requirements for Windows Defender Application Guard: Specifies the prerequisites necessary to install and use Application Guard.
Prepare and install Windows Defender Application Guard: Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.
Configure the Group Policy settings for Windows Defender Application Guard: Provides info about the available Group Policy and MDM settings.
Testing scenarios using Windows Defender Application Guard: Provides a list of suggested testing scenarios that you can use to test Application Guard in your business or organization.
Frequently asked questions - Windows Defender Application Guard: Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.
System requirements for Windows Defender Application Guard
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach
enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure
employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old,
and newly emerging attacks, to help keep employees productive.
NOTE
Windows Defender Application Guard is not supported on VMs and VDI environments. For testing and automation on non-
production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
Hardware requirements
Your environment needs the following hardware to run Windows Defender Application Guard.
CPU virtualization extensions: Extended page tables, also called Second Level Address Translation (SLAT), and VT-x (Intel) or AMD-V.
Input/Output Memory Management Unit (IOMMU) support: Not required, but strongly recommended.
Software requirements
Your environment needs the following software to run Windows Defender Application Guard.
Software: Description
-OR-
Group Policy
-OR-
Windows Defender Exploit Protection settings: The following settings should be configured or verified in the Windows Security app under App & browser control > Exploit protection > Exploit protection settings > System Settings.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
Windows Defender Application Guard is not supported on VMs and VDI environments. For testing and automation on non-
production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
Enterprise-managed mode
Applies to:
Windows 10 Enterprise edition, version 1709 or higher
You and your security department can define your corporate boundaries by explicitly adding trusted domains and
by customizing the Application Guard experience to meet and enforce your needs on employee devices.
Enterprise-managed mode also automatically redirects any browser requests for non-enterprise domains into
the container.
The following diagram shows the flow between the host PC and the isolated container.
Install Application Guard
Application Guard functionality is turned off by default. However, you can quickly install it on your employee's
devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
To install by using the Control Panel
1. Open the Control Panel , click Programs, and then click Turn Windows features on or off .
2. Select the check box next to Windows Defender Application Guard and then click OK .
Application Guard and its underlying dependencies are all installed.
To install by using PowerShell
NOTE
Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking
system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is
recommended for enterprise managed scenarios only.
1. Click the Search or Cortana icon in the Windows 10 taskbar and type PowerShell.
2. Right-click Windows PowerShell, and then click Run as administrator.
Windows PowerShell opens with administrator credentials.
3. Type the following command:
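The command itself is not reproduced on this page. As an added example (not Microsoft's own snippet) that also covers the check the note above says PowerShell skips, the following script verifies the prerequisites before enabling the optional feature; the 64-bit and SLAT checks and the 1709 build threshold are assumptions drawn from the requirements above, and Windows-Defender-ApplicationGuard is the optional-feature name Windows uses.

```powershell
# Added example, not Microsoft's own snippet. Run from an elevated PowerShell session.
# Enable-WindowsOptionalFeature installs the feature without checking requirements,
# so the checks below run first. Thresholds are assumptions taken from the
# requirements listed above: 64-bit OS, VT-x/AMD-V (and SLAT) enabled in firmware,
# Windows 10 version 1709 (build 16299) or later.
$FeatureName = 'Windows-Defender-ApplicationGuard'
$MinBuild    = 16299   # Windows 10, version 1709

function Test-AppGuardPrerequisites {
    $info    = Get-ComputerInfo
    $results = [ordered]@{}

    $results['64-bit OS']                   = ($info.OsArchitecture -eq '64-bit')
    $results['Build 16299 (1709) or later'] = ([int]$info.OsBuildNumber -ge $MinBuild)

    # The HyperVRequirement* properties are $null once the Hyper-V platform is
    # installed; in that case the firmware requirements were already satisfied.
    if ($null -eq $info.HyperVRequirementVirtualizationFirmwareEnabled) {
        $results['VT-x/AMD-V enabled in firmware'] = $true
        $results['SLAT (extended page tables)']    = $true
    } else {
        $results['VT-x/AMD-V enabled in firmware'] =
            [bool]$info.HyperVRequirementVirtualizationFirmwareEnabled -and
            [bool]$info.HyperVRequirementVMMonitorModeExtensions
        $results['SLAT (extended page tables)'] =
            [bool]$info.HyperVRequirementSecondLevelAddressTranslation
    }
    return [pscustomobject]$results
}

$checks = Test-AppGuardPrerequisites
$checks | Format-List

$failed = $checks.PSObject.Properties | Where-Object { -not $_.Value } |
    Select-Object -ExpandProperty Name
if ($failed) {
    Write-Warning ("Not installing: unmet requirement(s): " + ($failed -join ', '))
} else {
    Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart
    # Confirm the resulting state; a restart completes the installation.
    Get-WindowsOptionalFeature -Online -FeatureName $FeatureName |
        Select-Object FeatureName, State
}
```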
IMPORTANT
Make sure your organization's devices meet requirements and are enrolled in Intune.
1. Go to https://endpoint.microsoft.com and sign in.
2. Choose Devices > Configuration profiles > + Create profile, and do the following:
a. In the Platform list, select Windows 10 and later.
b. In the Profile list, select Endpoint protection.
c. Choose Create.
3. Specify the following settings for the profile:
Name and Description
In the Select a category to configure settings section, choose Microsoft Defender
Application Guard.
In the Application Guard list, choose Enabled for Edge.
Choose your preferences for Clipboard behavior, External content, and the remaining settings.
4. Choose OK, and then choose OK again.
5. Review your settings, and then choose Create.
6. Choose Assignments, and then do the following:
a. On the Include tab, in the Assign to list, choose an option.
b. If you have any devices or users you want to exclude from this endpoint protection profile, specify those
on the Exclude tab.
c. Click Save.
After the profile is created, any devices to which the policy should apply will have Windows Defender Application
Guard enabled. Users might have to restart their devices in order for protection to be in place.
Application Control
3/11/2020 • 6 minutes to read • Edit Online
Applies to:
Windows 10
Windows Server 2016
Windows Server 2019
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—
signature-based detection to fight against malware—provides an inadequate defense against new attacks.
In most organizations, information is the most valuable asset, and ensuring that only approved users have access
to that information is imperative. However, when a user runs a process, that process has the same level of access to
data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the
organization if a user knowingly or unknowingly runs malicious software.
Application control can help mitigate these types of security threats by restricting the applications that users are
allowed to run and the code that runs in the System Core (kernel). Application control policies can also block
unsigned scripts and MSIs, and restrict Windows PowerShell to run in Constrained Language Mode.
Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has
an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an
application trust model where all applications are assumed trustworthy to one where applications must earn trust
in order to run. Many organizations, like the Australian Signals Directorate, understand this and frequently cite
application control as one of the most effective means for addressing the threat of executable file-based malware
(.exe, .dll, etc.).
NOTE
Although application control can significantly harden your computers against malicious code, we recommend that you
continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
Windows 10 includes two technologies that can be used for application control depending on your organization's
specific scenarios and requirements:
Windows Defender Application Control; and
AppLocker
NOTE
Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI)
policies.
WDAC policies apply to the managed computer as a whole and affect all users of the device. WDAC rules can be
defined based on:
Attributes of the codesigning certificate(s) used to sign an app and its binaries;
Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and
version, or the hash of the file;
The reputation of the app as determined by Microsoft's Intelligent Security Graph;
The identity of the process that initiated the installation of the app and its binaries (managed installer);
The path from which the app or file is launched (beginning with Windows 10 version 1903);
The process that launched the app or binary.
WDAC System Requirements
WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903
Windows 10 Enterprise, or Windows Server 2016 and above. WDAC policies can be applied to computers running
any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune,
a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used
to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy
policies to machines running non-Enterprise SKUs of Windows 10.
AppLocker
AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are
allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps
end users avoid running unapproved software on their computers.
AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be
defined based on:
Attributes of the codesigning certificate(s) used to sign an app and its binaries;
Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and
version, or the hash of the file;
The path from which the app or file is launched (beginning with Windows 10 version 1903).
AppLocker System Requirements
AppLocker policies can only be configured on and applied to computers that are running the supported
versions and editions of the Windows operating system. For more info, see Requirements to Use AppLocker.
AppLocker policies can be deployed using Group Policy or MDM.
SKU availability
  WDAC: Cmdlets are available on all SKUs on 1909+ builds. For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs.
  AppLocker: Policies deployed through GP are only effective on Enterprise devices. Policies deployed through MDM are effective on all SKUs.
Per-User and Per-User group rules
  WDAC: Not available (policies are device-wide)
  AppLocker: Available on Windows 8+
Path-based rules
  WDAC: Available on 1903+. Exclusions are not supported. Runtime user-writeability check enforced by default.
  AppLocker: Available on Windows 8+. Exclusions are supported. No runtime user-writeability check.
Enforceable file types
  WDAC: Driver files: .sys; Executable files: .exe and .com; DLLs: .dll and .ocx; Windows Installer files: .msi, .mst, and .msp; Scripts: .ps1, .vbs, and .js; Packaged apps and packaged app installers: .appx
  AppLocker: Executable files: .exe and .com; [Optional] DLLs: .dll and .ocx; Windows Installer files: .msi, .mst, and .msp; Scripts: .ps1, .bat, .cmd, .vbs, and .js; Packaged apps and packaged app installers: .appx
See also
WDAC design guide
WDAC deployment guide
AppLocker overview
Audit Windows Defender Application Control policies
1/15/2020 • 5 minutes to read • Edit Online
Applies to:
Windows 10
Windows Server 2016
Running Application Control in audit mode allows administrators to discover any applications that were missed
during an initial policy scan and to identify any new applications that have been installed and run since the original
policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been
denied had the policy been enforced is logged in the Applications and Services
Logs\Microsoft\Windows\CodeIntegrity\Operational event log. When these logged binaries have been
validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can
merge it with your existing WDAC policies.
Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see
Create an initial Windows Defender Application Control policy from a reference computer.
To audit a Windows Defender Application Control policy with local policy:
1. Before you begin, find the *.bin policy file, for example, the DeviceGuardPolicy.bin. Copy the file to
C:\Windows\System32\CodeIntegrity.
2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running
GPEdit.msc.
NOTE
The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process
that you follow after auditing the system, you might unintentionally merge in a policy that allows viruses or
malware to run.
An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into
C:\Windows\System32\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor.
NOTE
You can copy the WDAC policies to a file share to which all computer accounts have access rather than copy
them to every system.
You might have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of
the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped onto the
computers running Windows 10. We recommend that you make your WDAC policy names friendly and allow
the system to convert the policy names for you. This ensures that the policies are easily
distinguishable when viewed in a share or any other central repository.
Figure 1. Deploy your Windows Defender Application Control policy
4. Restart the reference system for the WDAC policy to take effect.
5. Use the system as you normally would, and monitor code integrity events in the event log. While in audit
mode, any exception to the deployed WDAC policy will be logged in the Applications and Services
Logs\Microsoft\Windows\CodeIntegrity\Operational event log, as shown in Figure 2.
Figure 2. Exceptions to the deployed WDAC policy
You will be reviewing the exceptions that appear in the event log, and making a list of any applications that
should be allowed to run in your environment.
6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your
WDAC policy, this is a good time to create it. For information, see Deploy catalog files to support Windows
Defender Application Control.
Now that you have a WDAC policy deployed in audit mode, you can capture any audit information that appears in
the event log. This is described in the next section.
# $CIPolicyPath is the desktop folder used by the earlier steps (the generated file lands on your desktop)
$CIPolicyPath=$env:userprofile+"\Desktop\"
$CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"
3. Use New-CIPolicy to generate a new WDAC policy from logged audit events. This example uses a file rule
level of Hash and includes 3> CIPolicylog.txt , which redirects warning messages to a text file,
CIPolicylog.txt .
New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy -UserPEs 3> CIPolicylog.txt
NOTE
When you create policies from audit events, you should carefully consider the file rule level that you select to trust.
The preceding example uses the Hash rule level, which is the most specific. Any change to the file (such as replacing
the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
4. Find and review the WDAC audit policy .xml file that you created. If you used the example variables as
shown, the filename will be DeviceGuardAuditPolicy.xml , and it will be on your desktop. Look for the
following:
Any applications that were caught as exceptions, but should be allowed to run in your environment.
These are applications that should be in the .xml file. Leave these as-is in the file.
Any applications that actually should not be allowed to run in your environment. Edit these out of the
.xml file. If they remain in the .xml file, and the information in the file is merged into your existing
WDAC policy, the policy will treat the applications as trusted, and allow them to run.
You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two
policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section,
Merge Windows Defender Application Control policies.
NOTE
You may have noticed that you did not generate a binary version of this policy as you did in Create a Windows Defender
Application Control policy from a reference computer. This is because WDAC policies created from an audit log are not
intended to run as stand-alone policies but rather to update existing WDAC policies.
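Putting the audit steps above together as an added example (not Microsoft's own script): it lists what audit mode would have blocked, grouped by file with the processes that loaded it, and only then generates the audit policy and merges it. The desktop path variables, the InitialScan.xml placeholder name for the policy you audited with, and the EventData field names are assumptions.

```powershell
# Added example, not Microsoft's own script. Run elevated on the audited machine.
# Assumptions: policy files live on the desktop (as in the steps above); the policy
# that was deployed in audit mode is named InitialScan.xml (placeholder name).
$CIPolicyPath   = $env:USERPROFILE + "\Desktop\"
$ExistingPolicy = $CIPolicyPath + "InitialScan.xml"
$CIAuditPolicy  = $CIPolicyPath + "DeviceGuardAuditPolicy.xml"
$MergedPolicy   = $CIPolicyPath + "MergedPolicy.xml"

function Get-CIAuditSummary {
    # Event ID 3076 in Microsoft-Windows-CodeIntegrity/Operational is the audit-mode
    # "would have been blocked" event; 3077 is the enforced block.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
    } -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $events | ForEach-Object {
        # EventData field names as they appear in the event XML (assumption; compare
        # with one event's Details > XML View in Event Viewer).
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            File    = ($data | Where-Object Name -eq 'FileNameBuffer').'#text'
            Process = ($data | Where-Object Name -eq 'ProcessNameBuffer').'#text'
        }
    } | Group-Object File | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Count    = $_.Count
            File     = $_.Name
            LoadedBy = ($_.Group.Process | Sort-Object -Unique) -join '; '
        }
    }
}

# 1. Review: every file listed would be blocked once the policy is enforced.
Get-CIAuditSummary | Format-Table -AutoSize -Wrap

# 2. Generate an allow policy from the audit events (the page's command). Hash rules
#    are the most specific and must be regenerated whenever a file changes.
New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy -UserPEs 3> CIPolicylog.txt

# 3. Remove rules for anything that must NOT run before merging; otherwise the merged
#    policy will trust it.
Read-Host "Edit $CIAuditPolicy now, then press Enter to merge" | Out-Null
Merge-CIPolicy -PolicyPaths $ExistingPolicy, $CIAuditPolicy -OutputFilePath $MergedPolicy
```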
System Guard Secure Launch and SMM protection
3/4/2020 • 4 minutes to read • Edit Online
This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM)
protection to improve the startup security of Windows 10 devices. The information below is presented from a client
perspective.
Registry
1. Open Registry editor.
2. Click HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > DeviceGuard >
Scenarios.
3. Right-click Scenarios > New > Key and name the new key SystemGuard.
4. Right-click SystemGuard > New > DWORD (32-bit) Value and name the new DWORD Enabled.
5. Double-click Enabled, change the value to 1, and click OK.
IMPORTANT
If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor.
Trusted Platform Module (TPM) 2.0: Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported.
Windows DMA Protection: Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).
TPM AUX Index: Platform must set up an AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256)
TPM PS (Platform Supplier) Index: Platforms must set up a PS index with:
  - Exactly the "TXT PS2" style Attributes on creation as follows: AuthWrite, PolicyDelete, WriteLocked, WriteDefine, AuthRead, WriteDefine, NoDa, Written, PlatformCreate
  - A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)
  - Size of exactly 70 bytes
  - NameAlg = SHA256
  In addition, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at time of OS launch.
PS index data: DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00
TPM NV Index: Platform firmware must set up a TPM NV index for use by the OS with:
  - Handle: 0x01C101C0
  - Attributes: TPMA_NV_POLICYWRITE, TPMA_NV_PPREAD, TPMA_NV_OWNERREAD, TPMA_NV_AUTHREAD, TPMA_NV_POLICYREAD, TPMA_NV_NO_DA, TPMA_NV_PLATFORMCREATE, TPMA_NV_POLICY_DELETE
  - A policy of:
      A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)
      B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial)
      authPolicy = {A} OR {{A} AND {B}}
  - Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1
Platform firmware: Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
  - Intel® SINIT ACM must be carried in the OEM BIOS
  - Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform
FOR QUALCOMM® PROCESSORS WITH SD850 OR LATER CHIPSETS: DESCRIPTION
Monitor Mode Page Tables: All Monitor Mode page tables must:
  - NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory)
  - NOT have execute and write permissions for the same page
  - Platforms must only allow Monitor Mode pages marked as executable
  - The memory map must report Monitor Mode as EfiReservedMemoryType
  - Platforms must provide a mechanism to protect the Monitor Mode page tables from modification
Platform firmware: Platform firmware must carry all code required to perform a launch.
In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows
Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be
trustworthy.
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof
and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
Protect and maintain the integrity of the system as it starts up
Validate that system integrity has truly been maintained through local and remote attestation
After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM.
Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them
for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management
system can take a series of actions, such as denying the device access to resources.
How to control USB devices and other removable
media using Microsoft Defender ATP
10/29/2019 • 15 minutes to read • Edit Online
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft recommends a layered approach to securing removable media, and Microsoft Defender ATP provides
multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising
your devices:
1. Discover plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting.
Identify or investigate suspicious usage activity.
2. Configure to allow or block only certain removable devices and prevent threats.
a. Allow or block removable devices based on granular configuration to deny write access to removable
disks and approve or deny devices by USB vendor IDs, product IDs, device IDs, or a combination.
Flexible policy assignment of device installation settings based on an individual or group of Azure
Active Directory (Azure AD) users and devices.
b. Prevent threats introduced by removable storage devices by enabling:
- Windows Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
- The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run
from USB.
- Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA
Protection for Thunderbolt and blocking DMA until a user signs in.
3. Create customized alerts and response actions to monitor usage of removable devices based on these plug
and play events or any other Microsoft Defender ATP events with custom detection rules.
4. Respond to threats from peripherals in real-time based on properties reported by each peripheral.
NOTE
These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from
leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you
can configure BitLocker and Windows Information Protection, which will encrypt company data even if it is stored on a
personal device, or use the Storage/RemovableDiskDenyWriteAccess CSP to deny write access to removable disks.
Additionally, you can classify and protect files on Windows devices (including their mounted USB devices) by using Microsoft
Defender ATP and Azure Information Protection.
CONTROL: DESCRIPTION
Restrict USB drives and other peripherals: You can allow/prevent users to install only the USB drives and other peripherals included on a list of authorized/unauthorized devices or device types.
Block installation and usage of removable storage: You can't install or use removable storage.
Allow installation and usage of specifically approved peripherals: You can only install and use approved peripherals that report specific properties in their firmware.
Prevent installation of specifically prohibited peripherals: You can't install or use prohibited peripherals that report specific properties in their firmware.
Allow installation and usage of specifically approved peripherals with matching device instance IDs: You can only install and use approved peripherals that match any of these device instance IDs.
Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs: You can't install or use prohibited peripherals that match any of these device instance IDs.
Limit services that use Bluetooth: You can limit the services that can use Bluetooth.
Use Microsoft Defender ATP baseline settings: You can set the recommended configuration for ATP by using the Microsoft Defender ATP security baseline.
CONTROL: DESCRIPTION
Allow installation and usage of USB drives and other peripherals: Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types
Prevent installation and usage of USB drives and other peripherals: Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types
All of the above controls can be set through the Intune Administrative Templates. The relevant policies are located
here in the Intune Administrator Templates:
NOTE
Using Intune, you can apply device configuration policies to Azure AD user and/or device groups. The above policies can also
be set through the Device Installation CSP settings and the Device Installation GPOs.
NOTE
Always test and refine these settings with a pilot group of users and devices first before applying them in production. For
more information about controlling USB devices, see the Microsoft Defender ATP blog.
NOTE
Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing
specifically approved USB peripherals and limiting the users who can access them.
1. Enable Prevent installation of devices not described by other policy settings to all users.
2. Enable Allow installation of devices using drivers that match these device setup classes for all device
setup classes.
To enforce the policy for already installed devices, apply the prevent policies that have this setting.
When configuring the allow device installation policy, you must allow all parent attributes as well. You can view the
parents of a device by opening Device Manager and view by connection.
In this example, the following classes needed to be added: HID, Keyboard, and {36fc9e60-c465-11cf-8056-
444553540000}. See Microsoft-provided USB drivers for more information.
If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then
add the device ID that you want to add. To find the vendor or product IDs, see Look up device vendor ID or product
ID.
For example:
1. Remove class USBDevice from Allow installation of devices using drivers that match these device
setup classes.
2. Add the vendor ID or product ID to allow in Allow installation of devices that match any of these
device IDs.
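To build that allow list, the following added example (not Microsoft's own script) enumerates the USB devices present on a reference machine, prints each one's hardware IDs (which carry the vendor and product IDs) and instance ID, and walks its parent chain so that every setup class that must also be allowed is collected; the USB\VID_* filter and the depth guard are assumptions.

```powershell
# Added example, not Microsoft's own script. Attach the approved peripherals to a
# reference machine, then run this to collect the IDs and setup classes to allow.
function Get-UsbAllowListInfo {
    param(
        [string]$InstanceIdPattern = 'USB\VID_*',  # assumption: every USB device present
        [int]$MaxDepth = 16                        # guard against an unexpected parent loop
    )
    $devices = Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like $InstanceIdPattern }
    foreach ($dev in $devices) {
        # Walk up through hubs and controllers: each ancestor's setup class must be
        # allowed too, or the leaf device never gets installed.
        $chain = @()
        $cur   = $dev
        for ($depth = 0; $cur -and $depth -lt $MaxDepth; $depth++) {
            $chain += [pscustomobject]@{
                Name      = $cur.FriendlyName
                Class     = $cur.Class
                ClassGuid = $cur.ClassGuid
            }
            $parentId = (Get-PnpDeviceProperty -InstanceId $cur.InstanceId `
                            -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue).Data
            $cur = if ($parentId) { Get-PnpDevice -InstanceId $parentId -ErrorAction SilentlyContinue } else { $null }
        }
        [pscustomobject]@{
            Device      = $dev.FriendlyName
            InstanceId  = $dev.InstanceId   # for the "matching device instance IDs" policies
            HardwareIds = $dev.HardwareID   # includes USB\VID_xxxx&PID_yyyy forms for the device ID policies
            ParentChain = $chain
        }
    }
}

$inventory = Get-UsbAllowListInfo
foreach ($item in $inventory) {
    "{0}`n  Instance ID : {1}`n  Hardware IDs: {2}" -f $item.Device, $item.InstanceId, ($item.HardwareIds -join ', ')
    "  Parent chain: " + (($item.ParentChain | ForEach-Object { "$($_.Class) $($_.ClassGuid)" }) -join ' <- ')
}

# The distinct setup classes across all chains are the set to add under
# "Allow installation of devices using drivers that match these device setup classes".
$inventory | ForEach-Object { $_.ParentChain } |
    Where-Object ClassGuid | Select-Object -ExpandProperty ClassGuid | Sort-Object -Unique
```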
Prevent installation and usage of USB drives and other peripherals
If you want to prevent the installation of a device class or certain devices, you can use the prevent device
installation policies:
1. Enable Prevent installation of devices that match any of these device IDs.
2. Enable Prevent installation of devices that match these device setup classes.
NOTE
The prevent device installation policies take precedence over the allow device installation policies.
The Prevent installation of devices that match any of these device IDs policy allows you to specify a list of
vendor or product IDs for devices that Windows is prevented from installing.
To prevent installation of devices that match any of these device IDs:
1. Look up device vendor ID or product ID for devices that you want Windows to prevent from installing.
2. Enable Prevent installation of devices that match any of these device IDs and add the vendor or
product IDs to the list.
NOTE
Always test and refine these settings with a pilot group of users and devices first before widely distributing to your
organization.
The following table describes the ways Microsoft Defender ATP can help prevent threats from removable storage.
For more information about controlling USB devices, see the Microsoft Defender ATP blog.
CONTROL: DESCRIPTION
Enable Windows Defender Antivirus Scanning: Enable Windows Defender Antivirus scanning for real-time protection or scheduled scans.
Block untrusted and unsigned processes on USB peripherals: Block USB files that are unsigned or untrusted.
Protect against Direct Memory Access (DMA) attacks: Configure settings to protect against DMA attacks.
NOTE
Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing
specifically approved USB peripherals and limiting the users who can access them.
NOTE
We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10
in Device Restrictions > Configure > Windows Defender Antivirus > Real-time monitoring.
4. Click Configure > Windows Defender Exploit Guard > Attack Surface Reduction.
5. For Unsigned and untrusted processes that run from USB, choose Block.
6. Click OK to close Attack Surface Reduction, Windows Defender Exploit Guard, and Endpoint
protection.
7. Click Create to save the profile.
Protect against Direct Memory Access (DMA) attacks
DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that
allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA
attacks:
1. Beginning with Windows 10 version 1803, Microsoft introduced Kernel DMA Protection for Thunderbolt to
provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for
Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users.
Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring
the DMA Guard CSP. This is an additional control for peripherals that don't support device memory isolation
(also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory
Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral
(memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the
peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked,
allowed, or allowed only after the user signs in (default).
2. On Windows 10 systems that do not support Kernel DMA Protection, you can:
Block DMA until a user signs in
Block all connections via the Thunderbolt ports (including USB devices)
Respond to threats
You can create custom alerts and automatic response actions with the Microsoft Defender ATP Custom Detection
Rules. Response actions within the custom detection cover both machine and file level actions. You can also create
alerts and automatic response actions using PowerApps and Flow with the Microsoft Defender ATP connector. The
connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over
200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See
Connectors to learn more about connectors.
For example, using either approach, you can automatically have Microsoft Defender Antivirus scan a USB
device when it is mounted on a machine.
Related topics
Configure real-time protection for Windows Defender Antivirus
Defender/AllowFullScanRemovableDriveScanning
Policy/DeviceInstallation CSP
Perform a custom scan of a removable device
Device Control PowerBI Template for custom reporting
BitLocker
Windows Information Protection
Windows Defender Application Control and
virtualization-based protection of code integrity
12/3/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows Server 2016
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to
"lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this
configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature
called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through
the use of virtualization-based protection of code integrity (more specifically, HVCI).
Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However,
when these two technologies are configured to work together, they present a very strong protection capability for
Windows 10 devices.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other
solutions:
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early
in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in user
mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
3. Customers can protect the configurable code integrity policy even from local administrator tampering by
digitally signing the policy. This would mean that changing the policy would require both administrative
privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker
with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the
application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a
vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is
significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would
otherwise have enough privilege to disable most system defenses and override the application control policies
enforced by configurable code integrity or any other application control solution.
Related articles
Windows Defender Application Control
Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender
Driver compatibility with Windows Defender in Windows 10
Code integrity
Protect devices from exploits
2/12/2020 • 4 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes
and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version
1803.
TIP
You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and see
how it works.
Exploit protection works best with Microsoft Defender Advanced Threat Protection - which gives you detailed
reporting into exploit protection events and blocks as part of the usual alert investigation scenarios.
You can enable exploit protection on an individual machine, and then use Group Policy to distribute the XML file to
multiple devices at once.
When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can
customize the notification with your company details and contact information. You can also enable the rules
individually to customize what techniques the feature monitors.
You can also use audit mode to evaluate how exploit protection would impact your organization if it were enabled.
Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) have been included in Exploit
protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See
Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection for more information on how
Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on
Windows 10.
IMPORTANT
If you are currently using EMET you should be aware that EMET reached end of support on July 31, 2018. You should
consider replacing EMET with exploit protection in Windows 10. You can convert an existing EMET configuration file into
exploit protection to make the migration easier and keep your existing settings.
WARNING
Some security mitigation technologies may have compatibility issues with some applications. You should test exploit
protection in all target use scenarios by using audit mode before deploying the configuration across a production
environment or the rest of your network.
DeviceEvents
| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
Mitigation comparison
The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows
Server (starting with version 1803), under Exploit protection.
The table in this section indicates the availability and support of native mitigations between EMET and exploit
protection.
NOTE
The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10; the other EMET
advanced settings are enabled by default as part of enabling the anti-ROP mitigations for a process.
See Mitigate threats by using Windows 10 security features for more information on how Windows 10 employs
existing EMET technology.
Related articles
Protect devices from exploits
Evaluate exploit protection
Enable exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations
Troubleshoot exploit protection
Evaluate exploit protection
10/22/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Exploit protection helps protect devices from malware that uses exploits to spread and infect other devices.
Mitigation can be applied to either the operating system or to an individual app. Many of the features that were
part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can
enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit
protection, you can see what would have happened if you had enabled exploit protection in your production
environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps,
and you can see which suspicious or malicious events occur.
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to see how exploit protection works.
Where:
<Scope>:
-Name to indicate the mitigations should be applied to a specific app. Specify the app's executable after
this flag.
<Action>:
-Enable to enable the mitigation
-Disable to disable the mitigation
<Mitigation>:
The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
MITIGATION | AUDIT MODE CMDLET
For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named testing.exe, run the following
command:
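As an added example (not the command the page refers to, and not Microsoft's own code), the following PowerShell script puts ACG into audit mode for one app, exports the resulting settings as the XML file that Group Policy can distribute, and then collects the audit events from the Security-Mitigations logs so the impact can be reviewed before enforcing. The app name testing.exe is the page's placeholder; the export path and the one-day lookback are assumptions.

```powershell
# Added example, not from the Microsoft docs. Run as Administrator on
# Windows 10 1709+ / Windows Server 1803+.
param(
    [string]$AppName    = 'testing.exe',                    # placeholder from the page
    [string]$ExportPath = "$env:TEMP\exploit-protection.xml"  # assumed path
)

# 1. Apply the audit counterpart of ACG (BlockDynamicCode) to the app.
#    Other audit switches follow the same naming pattern, for example
#    AuditChildProcess, AuditFont, AuditRemoteImageLoads, AuditEnableRopStackPivot.
Set-ProcessMitigation -Name $AppName -Enable AuditDynamicCode

# 2. Confirm what is now configured for the app (DynamicCode shows the
#    BlockDynamicCode / AllowThreadsToOptOut / Audit switches).
(Get-ProcessMitigation -Name $AppName).DynamicCode

# 3. Export the full per-app configuration so it can be distributed with
#    Group Policy, Intune or Configuration Manager.
Get-ProcessMitigation -RegistryConfigFilePath $ExportPath
Write-Host "Exported exploit protection settings to $ExportPath"

# 4. Collect audit events for the app from both Security-Mitigations logs.
function Get-ExploitProtectionAuditEvents {
    param(
        [datetime]$Since         = (Get-Date).AddDays(-1),
        [string]  $ProcessFilter = $AppName
    )
    $logs = 'Microsoft-Windows-Security-Mitigations/KernelMode',
            'Microsoft-Windows-Security-Mitigations/UserMode'
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$ProcessFilter*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Log     = $log
                    EventId = $_.Id
                    Summary = ($_.Message -split "`n")[0]
                }
            }
    }
}

# Repeated audit hits for a legitimate app mean the mitigation would break it
# if enforced; no hits over a full test cycle means it is safe to switch to
# Set-ProcessMitigation -Name $AppName -Enable BlockDynamicCode.
Get-ExploitProtectionAuditEvents | Sort-Object Time | Format-Table -AutoSize
```

To roll the test back, run Set-ProcessMitigation -Name testing.exe -Disable AuditDynamicCode.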
Related topics
Comparison with Enhanced Mitigation Experience Toolkit
Enable exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations
Troubleshoot exploit protection
Enable network protection
Enable controlled folder access
Enable attack surface reduction
Protect your network
2/13/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents
employees from using any application to access dangerous domains that may host phishing scams, exploits, and
other malicious content on the Internet.
Network protection expands the scope of Windows Defender SmartScreen to block all outbound HTTP(S) traffic
that attempts to connect to low-reputation sources (based on the domain or hostname).
Network protection is supported beginning with Windows 10, version 1709.
For more details about how to enable network protection, see Enable network protection. Use Group Policy,
PowerShell, or MDM CSPs to enable and manage network protection in your network.
TIP
You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and
see how it works.
Network protection works best with Microsoft Defender Advanced Threat Protection, which gives you detailed
reporting into Windows Defender EG events and blocks as part of the usual alert investigation scenarios.
When network protection blocks a connection, a notification will be displayed from the Action Center. You can
customize the notification with your company details and contact information. You can also enable the rules
individually to customize what techniques the feature monitors.
You can also use audit mode to evaluate how Network protection would impact your organization if it were
enabled.
Requirements
Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection.
Windows 10 version 1709 or later | Windows Defender AV real-time protection and cloud-delivered protection must be enabled
DeviceEvents
| where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
Related articles
Evaluate network protection | Undertake a quick scenario that demonstrates how the feature works, and
what events would typically be created.
Enable network protection | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network
protection in your network.
Evaluate network protection
8/27/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Network protection helps prevent employees from using any application to access dangerous domains that may
host phishing scams, exploits, and other malicious content on the Internet.
This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The
sites in this evaluation topic are not malicious; they are specially created websites that pretend to be malicious.
They replicate the behavior that would occur if a user visited a malicious site or domain.
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to see how other protection features
work.
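The enabling step this topic refers to, as an added example that is not Microsoft's code: the script below switches network protection to audit mode and then reads the Windows Defender operational log for the audited (event ID 1125) and blocked (event ID 1126) connection events, which are the local counterparts of the ExploitGuardNetworkProtectionAudited/Blocked ActionType values in advanced hunting. The 24-hour lookback is an assumption.

```powershell
# Added example, not from the Microsoft docs. Run as Administrator on
# Windows 10 1709+ with Windows Defender AV real-time and cloud-delivered
# protection enabled (the requirements listed in the previous topic).

# Audit mode logs what would have been blocked without blocking it.
# Use 'Enabled' to enforce blocking and 'Disabled' to turn the feature off.
Set-MpPreference -EnableNetworkProtection AuditMode

# Verify the effective setting: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
$mode = (Get-MpPreference).EnableNetworkProtection
Write-Host "EnableNetworkProtection is now $mode"

function Get-NetworkProtectionEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))   # assumed lookback
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Result = if ($_.Id -eq 1125) { 'Audited' } else { 'Blocked' }
            # First line of the message names the connection that was evaluated;
            # the exact layout of the event data is not relied on here.
            Detail = ($_.Message -split "`n")[0]
        }
    }
}

# After visiting the testing site, the attempt should appear here as 'Audited'.
# A run with no events usually means cloud-delivered protection is not reachable
# or real-time protection is off, both of which the feature depends on.
$events = Get-NetworkProtectionEvents
$events | Sort-Object Time -Descending | Format-Table -AutoSize
$events | Group-Object Result | Select-Object Name, Count
```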
Related topics
Network protection
Enable network protection
Troubleshoot network protection
Web protection
2/7/2020 • 2 minutes to read
Web protection in Microsoft Defender ATP is a capability made up of Web threat protection and Web content
filtering. Web protection lets you secure your machines against web threats and helps you regulate unwanted
content. You can find Web protection reports in the Microsoft Defender Security Center by going to Reports >
Web protection.
In this section
TOPIC | DESCRIPTION
Web threat protection | Stop access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked.
Web content filtering | Track and regulate access to websites based on their content categories.
Protect your organization against web threats
1/27/2020 • 2 minutes to read
Web threat protection is part of Web protection in Microsoft Defender ATP. It uses network protection to secure
your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like
Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect machines while
they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites,
untrusted or low-reputation sites, as well as sites that you have blocked in your custom indicator list.
NOTE
It can take up to an hour for machines to receive new customer indicators.
Prerequisites
Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web
browsers.
To turn on network protection on your machines:
Edit the Microsoft Defender ATP security baseline under Web & Network Protection to enable network
protection before deploying or redeploying it. Learn about reviewing and assigning the Microsoft Defender ATP
security baseline
Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. Read
more about enabling network protection
NOTE
If you set network protection to Audit only, blocking will be unavailable. Also, you will be able to detect and log attempts
to access malicious and unwanted websites on Microsoft Edge only.
Related topics
Web protection overview
Web threat protection
Monitor web security
Respond to web threats
Network protection
Monitor web browsing security
1/27/2020 • 2 minutes to read
Web protection lets you monitor your organization’s web browsing security through reports under Reports >
Web protection in the Microsoft Defender Security Center. The report contains cards that provide web threat
detection statistics.
Web threat protection detections over time — this trending card displays the number of web threats
detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months)
Web threat protection summary — this card displays the total web threat detections in the past 30
days, showing distribution across the different types of web threats. Selecting a slice opens the list of the
domains that were found with malicious or unwanted websites.
NOTE
It can take up to 12 hours before a block is reflected in the cards or the domain list.
Related topics
Web protection overview
Web content filtering
Web threat protection
Respond to web threats
Respond to web threats
1/27/2020 • 2 minutes to read
Web protection in Microsoft Defender ATP lets you efficiently investigate and respond to alerts related to malicious
websites and websites in your custom indicator list.
NOTE
To reduce the volume of alerts, Microsoft Defender ATP consolidates web threat detections for the same domain on the
same machine each day to a single alert. Only one alert is generated and counted into the web protection report.
Inspect website details
You can dive deeper by selecting the URL or domain of the website in the alert. This opens a page about that
particular URL or domain with various information, including:
Machines that attempted to access the website
Incidents and alerts related to the website
How frequently the website was seen in events in your organization
Related topics
Web protection overview
Web content filtering
Web threat protection
Monitor web security
Web content filtering
2/27/2020 • 7 minutes to read
IMPORTANT
Some information relates to prerelease product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Web content filtering is part of Web protection in Microsoft Defender ATP. It enables your organization to track
and regulate access to websites based on their content categories. Many of these websites, while not malicious,
might be problematic due to compliance regulations, bandwidth usage, or other concerns.
You can configure policies across your machine groups to block certain categories, effectively preventing users
within specified machine groups from accessing URLs within that category. If a category is not blocked, all your
users will be able to access the URLs without disruption. However, web content filtering will continue to gather
access statistics that you can use to understand web usage and inform future policy decisions. If an element on the
page you’re viewing is making calls to a resource which is blocked, you will see a block notification.
Web content filtering is available on most major web browsers, with blocks performed by SmartScreen (Edge) and
Network Protection (Internet Explorer, Chrome, Firefox, and all other browsers). See the prerequisites section for
more information about browser support.
To summarize the benefits:
Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or
away
You can conveniently deploy varied policies to various sets of users using the machine groups defined in the
Microsoft Defender ATP role-based access control settings
You can access web reports in the same central location, with visibility over actual blocks and web usage
User experience
The standard blocking experience is provided by Network Protection, which provides a system-level toast
notifying the user of a blocked connection. For a more user-friendly experience, consider using SmartScreen on
Edge.
Prerequisites
Before trying out this feature, make sure you have the following:
Windows 10 Enterprise E5 license
Access to Microsoft Defender Security Center portal
Machines running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update
(for Network Protection on Internet Explorer, Edge, Chrome, or Firefox)
Machines running Windows 10 May 2019 Update (version 1903) or later (for a better user experience from
SmartScreen on Edge). Note that if SmartScreen is not turned on, Network Protection will take over the
blocking
A valid license with a partner data provider
Data handling
For this feature, we will follow whichever region you have elected to use as part of your Microsoft Defender ATP
data handling settings. Your data will not leave the data center in that region. In addition, your data will not be
shared with any third-parties, including our data providers. However, we may send them aggregate data (across
users and organizations) to help them improve their feeds.
Partner licensing
In order to give customers access to various sources of web content categorization data, we are very excited to
partner with data providers for this feature. We’ve chosen Cyren as our first partner, who we’ve worked with
closely to build an integrated solution.
About Cyren and Threat Intelligence Service for Microsoft Defender ATP
Cyren’s URL filtering includes 70 categories, providing partners with the ability to build powerful and advanced
web security applications. Cyren’s comprehensive categories provide the necessary flexibility for any
implementation requirement.
The broad range of categories enables numerous applications:
Protecting users browsing the web from threats such as malware and phishing sites
Ensuring employee productivity
Consumer services such as parental control
Cyren's web content classification technology is integrated by design into Microsoft Defender ATP to enable web
filtering and auditing capabilities.
Learn more at https://www.cyren.com/products/url-filtering.
Cyren Permissions
"Sign in and read user profile" allows Cyren to read your tenant info from your Microsoft Defender ATP account,
such as your tenant ID, which will be tied to your Cyren license.
"Read and Write Integration settings" exists under the WindowsDefenderATP scope within permissions. This line
allows Cyren to add/modify/revoke Cyren license status on the Microsoft Defender ATP portal.
Signing up for a Cyren License
Cyren is offering a 60-day free trial for all Microsoft Defender ATP customers. To sign up, please follow the steps
below from the portal.
NOTE
Make sure to add the URL you get redirected to by the signup process to the list of approved domains.
NOTE
A user with AAD app admin/global admin permissions is required to complete these steps.
NOTE
If you are removing a policy or changing machine groups at the same time, this might cause a delay in policy deployment.
Related topics
Web protection overview
Web threat protection
Monitor web security
Respond to web threats
Protect important folders with controlled folder access
1/30/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It
protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on
Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from
the Microsoft Endpoint Configuration Manager and Intune, for managed devices. Controlled folder access works
best with Microsoft Defender Advanced Threat Protection, which gives you detailed reporting into controlled
folder access events and blocks as part of the usual alert investigation scenarios.
Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of
trusted software. If an app isn't on the list, Controlled folder access will block it from making changes to files inside
protected folders.
Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent
throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and
automatically added to the list.
Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such
as adding a file indicator for the app, can be performed from the Security Center Console.
Controlled folder access is especially useful in helping to protect your documents and information from
ransomware that can attempt to encrypt your files and hold them hostage.
With Controlled folder access in place, a notification will appear on the computer where the app attempted to
make changes to a protected folder. You can customize the notification with your company details and contact
information. You can also enable the rules individually to customize what techniques the feature monitors.
The protected folders include common system folders, and you can add additional folders. You can also allow or
whitelist apps to give them access to the protected folders.
You can use audit mode to evaluate how controlled folder access would impact your organization if it were
enabled. You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the
feature is working and see how it works.
Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019.
Requirements
Controlled folder access requires enabling Windows Defender Antivirus real-time protection.
DeviceEvents
| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
In this section
TOPIC | DESCRIPTION
Evaluate controlled folder access | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
Enable controlled folder access | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network.
Customize controlled folder access | Add additional protected folders, and allow specified apps to access protected folders.
Evaluate controlled folder access
1/30/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Controlled folder access is a feature that helps protect your documents and files from modification by suspicious or
malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
It is especially useful in helping to protect your documents and information from ransomware that can attempt to
encrypt your files and hold them hostage.
This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the
feature directly in your organization.
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and
see how it works.
TIP
If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to
deploy this setting to machines in your network(s). You can also use Group Policy, Intune, MDM, or Microsoft Endpoint
Configuration Manager to configure and deploy the setting, as described in the main controlled folder access topic.
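The audit-mode evaluation this topic describes, and the protected-folder and trusted-app customisation described in the previous topic, as one added PowerShell example that is not Microsoft's code: it enables audit mode, adds an extra protected folder and an allowed app, shows the resulting configuration, and counts the audited (event ID 1124) and blocked (event ID 1123) access attempts from the Windows Defender operational log. The folder and application paths and the seven-day lookback are placeholders.

```powershell
# Added example, not from the Microsoft docs. Run as Administrator on
# Windows 10 1709+ or Windows Server 2019 with Windows Defender AV
# real-time protection enabled (the stated requirement for this feature).
param(
    [string]$ExtraProtectedFolder = 'C:\Data\Finance',              # placeholder
    [string]$TrustedApp           = 'C:\Program Files\LOB\lob.exe'  # placeholder
)

# Audit mode records what would have been blocked without blocking anything.
# Other values: Enabled (block), Disabled, BlockDiskModificationOnly,
# AuditDiskModificationOnly.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect a folder beyond the default set (Documents, Pictures, Desktop, ...).
# Add-MpPreference appends; Set-MpPreference with the same parameter replaces.
Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraProtectedFolder

# Allow a line-of-business app that Microsoft's reputation data has not (yet)
# placed on the automatic trusted list.
Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp

# Review the effective configuration.
$pref = Get-MpPreference
[pscustomobject]@{
    Mode             = $pref.EnableControlledFolderAccess   # 0 Disabled, 1 Enabled, 2 AuditMode
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List

# Count audited (1124) and blocked (1123) attempts to change protected files.
# Apps that show up repeatedly in audit events are candidates either for the
# allowed list (if legitimate) or for investigation (if not) before you switch
# the setting from AuditMode to Enabled.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)                       # assumed lookback
} -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

To undo the test customisation, use Remove-MpPreference with the same -ControlledFolderAccessProtectedFolders and -ControlledFolderAccessAllowedApplications parameters.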
Related topics
Protect important folders with controlled folder access
Evaluate Microsoft Defender ATP
Use audit mode
Applies to
Windows 10
Windows Server 2016
This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol
security (IPsec) features.
Feature description
Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing
host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network
traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so
that it can apply security settings appropriate to the types of networks to which the device is connected. Windows
Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single
Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also
an important part of your network’s isolation strategy.
Practical applications
To help address your organizational network security challenges, Windows Defender Firewall offers the following
benefits:
Reduces the risk of network security threats. Windows Defender Firewall reduces the attack surface
of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a
device increases manageability and decreases the likelihood of a successful attack.
Safeguards sensitive data and intellectual property. With its integration with IPsec, Windows
Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It
provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and
optionally helping to protect the confidentiality of the data.
Extends the value of existing investments. Because Windows Defender Firewall is a host-based
firewall that is included with the operating system, there is no additional hardware or software required.
Windows Defender Firewall is also designed to complement existing non-Microsoft network security
solutions through a documented application programming interface (API).
In this section
TOPIC | DESCRIPTION
Isolating Microsoft Store Apps on Your Network | You can customize your Windows Defender Firewall configuration to isolate the network access of Microsoft Store apps that run on devices.
Securing End-to-End IPsec Connections by Using IKEv2 | You can use IKEv2 to help secure your end-to-end IPsec connections.
Windows Defender Firewall with Advanced Security Administration with Windows PowerShell | Learn more about using Windows PowerShell to manage the Windows Defender Firewall.
Windows Defender Firewall with Advanced Security Design Guide | Learn how to create a design for deploying Windows Defender Firewall with Advanced Security.
Windows Defender Firewall with Advanced Security Deployment Guide | Learn how to deploy Windows Defender Firewall with Advanced Security.
Applies to
Windows 10
Windows Server 2016
The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use
Windows Defender Firewall to improve the security of the devices connected to the network. You can use these
topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall
designs and to determine which design or combination of designs best suits the goals of your organization.
Firewall Policy with Advanced Security Design Example
Domain Isolation Policy Design Example
Server Isolation Policy Design Example
Certificate-based Isolation Policy Design Example
Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
2/26/2020 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Try a demo!
Visit the Microsoft Defender ATP demo website to confirm the following protection features are working and
explore them using demo scenarios:
Cloud-delivered protection
Block at first sight (BAFS) protection
Potentially unwanted applications (PUA) protection
Related articles
Windows Defender Antivirus management and configuration
Evaluate Windows Defender Antivirus protection
Evaluate Windows Defender Antivirus
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and
potentially unwanted applications.
TIP
You can also visit the Microsoft Defender ATP demo website at demo.wd.microsoft.com to confirm the following features are
working and see how they work:
Cloud-delivered protection
Fast learning (including Block at first sight)
Potentially unwanted application blocking
It explains the important next generation protection features of Windows Defender Antivirus available for both
small and large enterprises, and how they increase malware detection and protection across your network.
You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar
settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the
settings.
The guide is available in PDF format for offline viewing:
Download the guide in PDF format
You can also download a PowerShell script that will enable all the settings described in the guide automatically. You
can obtain the script alongside the PDF download above, or individually from the PowerShell Gallery:
Download the PowerShell script to automatically configure the settings
IMPORTANT
The guide is currently intended for single-machine evaluation of Windows Defender Antivirus. Enabling all of the settings in
this guide may not be suitable for real-world deployment.
For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network,
see Deploy Windows Defender Antivirus.
Related topics
Windows Defender Antivirus in Windows 10
Deploy Windows Defender Antivirus
Configure Windows Defender Antivirus features
2/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can configure Windows Defender Antivirus with a number of tools, including:
Microsoft Intune
Microsoft Endpoint Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
The following broad categories of features can be configured:
Cloud-delivered protection
Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
How end-users interact with the client on individual endpoints
The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each
topic includes instructions for the applicable configuration tool (or tools).
You can also review the Reference topics for management and configuration tools topic for an overview of each
tool and links to further help.
In this section
TOPIC | DESCRIPTION
Utilize Microsoft cloud-provided Windows Defender Antivirus protection | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
Configure behavioral, heuristic, and real-time protection | Enable behavior-based, heuristic, and real-time antivirus protection
Configure end-user interaction with Windows Defender Antivirus | Configure how end-users interact with Windows Defender Antivirus, what notifications they see, and whether they can override settings
Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
1/30/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft next-generation technologies in Windows Defender Antivirus provide near-instant, automated
protection against new and emerging threats. To dynamically identify new threats, these technologies work with
large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI)
systems driven by advanced machine learning models.
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time,
and intelligent protection. Get to know the advanced technologies at the core of Microsoft Defender ATP next
generation protection.
To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works
seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced
Protection Service (MAPS), enhance standard real-time protection, providing arguably the best antivirus defense.
NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than
traditional Security intelligence updates.
With cloud-delivered protection, next-gen technologies provide rapid identification of new threats, sometimes
even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender
Antivirus in action:
https://www.microsoft.com/videoplayer/embed/RE1Yu4B
To understand how next-gen technologies shorten protection delivery time through the cloud, watch the
following video:
https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc62c59
Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI:
Why Windows Defender Antivirus is the most deployed in the enterprise
Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign
How artificial intelligence stopped an Emotet outbreak
Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses
Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen
malware
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working
and see how it works.
The following table describes the differences in cloud-delivered protection between recent versions of Windows
and Configuration Manager.
[Table: cloud-delivered protection feature availability. Columns: Feature; Windows 8.1 (Group Policy); Windows 10, version 1607 (Group Policy); Windows 10, version 1703 (Group Policy); System Center 2012 Configuration Manager; Microsoft Endpoint Configuration Manager (Current Branch); Microsoft Intune. The table rows are not present in this extract.]
You can also configure Windows Defender AV to automatically receive new protection updates based on reports
from our cloud service.
In this section
Enable cloud-delivered protection: You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
Specify the cloud-delivered protection level: You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
Configure and validate network connections for Windows Defender Antivirus: There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
Configure the block at first sight feature: The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy.
Configure the cloud block timeout period: Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy.
Enable cloud-delivered protection
1/30/2020 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than
traditional Security intelligence updates.
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time,
and intelligent protection. Get to know the advanced technologies at the core of Microsoft Defender ATP next
generation protection.
You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune,
Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the
Windows Security app.
See Use Microsoft cloud-delivered protection for an overview of Windows Defender Antivirus cloud-delivered
protection.
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-
delivered protection service. See Configure and validate network connections for more details.
NOTE
In Windows 10, there is no difference between the Basic and Advanced options described in this topic. This is a legacy
distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in
the type or amount of information that is shared. See the Microsoft Privacy Statement for more information on what we
collect.
NOTE
The Send safe samples automatically option means that most samples will be sent automatically. Files that
are likely to contain personal information will still prompt and require additional confirmation.
WARNING
Setting to Always Prompt will lower the protection state of the device. Setting to Never send means the
Block at First Sight feature will not function.
8. Click OK to exit the Windows Defender Antivirus settings pane, click OK to exit the Device
restrictions pane, and then click Save to save the changes to your Device restrictions profile.
For more information about Intune device profiles, including how to create and configure their settings, see What
are Microsoft Intune device profiles?
Use Configuration Manager to enable cloud-delivered protection:
See How to create and deploy antimalware policies: Cloud-protection service for details on configuring Microsoft
Endpoint Configuration Manager (current branch).
Use Group Policy to enable cloud-delivered protection:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > MAPS
5. Double-click Join Microsoft MAPS and ensure the option is enabled and set to Basic MAPS or
Advanced MAPS. Click OK.
6. Double-click Send file samples when further analysis is required and ensure the option is set to
Enabled and the additional options are either of the following:
a. Send safe samples (1)
b. Send all samples (3)
NOTE
The Send safe samples automatically option means that most samples will be sent automatically. Files that
are likely to contain personal information will still prompt and require additional confirmation.
WARNING
Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means
the Block at First Sight feature will not function.
7. Click OK.
Use PowerShell cmdlets to enable cloud-delivered protection:
Use the following cmdlets to enable cloud-delivered protection:
NOTE
You can also set -SubmitSamplesConsent to None . Setting it to Never will lower the protection state of the device, and
setting it to 2 means the Block at First Sight feature will not function.
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to enable cloud-delivered protection:
Use the Set method of the MSFT_MpPreference class for the following properties:
MAPSReporting
SubmitSamplesConsent
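The cmdlet and WMI steps above, as an added example that is not from the Microsoft page: the function names are this example's own, the cmdlets and the MSFT_MpPreference class are the real ones the page names, and the assumption that the Set method takes the property names as uint8 arguments is labelled in the code. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the Microsoft page): enable cloud-delivered protection
# with the Defender PowerShell module, and the equivalent call to the Set method
# of the MSFT_MpPreference WMI class. Run from an elevated PowerShell session.
#
# Codes for the two settings, as documented for Group Policy above:
#   MAPSReporting        0 = Disabled, 1 = Basic MAPS, 2 = Advanced MAPS
#   SubmitSamplesConsent 0 = Always prompt, 1 = Send safe samples,
#                        2 = Never send,    3 = Send all samples

function Enable-CloudDeliveredProtection {
    [CmdletBinding()]
    param(
        # Only these two values keep block at first sight working.
        [ValidateSet('SendSafeSamples', 'SendAllSamples')]
        [string]$SampleConsent = 'SendSafeSamples'
    )
    # On Windows 10, Basic and Advanced MAPS give the same protection (see the note above).
    # On a device with tamper protection turned on, changes to protected settings are ignored.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent $SampleConsent -ErrorAction Stop

    # Read the effective values back; Get-MpPreference returns the numeric codes above.
    $pref = Get-MpPreference
    [pscustomobject]@{
        MAPSReporting          = $pref.MAPSReporting
        SubmitSamplesConsent   = $pref.SubmitSamplesConsent
        CloudProtectionEnabled = ($pref.MAPSReporting -ne 0)
        BlockAtFirstSightReady = ($pref.MAPSReporting -ne 0) -and ($pref.SubmitSamplesConsent -in @(1, 3))
    }
}

function Enable-CloudDeliveredProtectionWmi {
    # Assumption made by this example: the static Set method of MSFT_MpPreference
    # accepts the property names as arguments, carrying the uint8 codes listed above.
    $cim = @{
        Namespace  = 'root/Microsoft/Windows/Defender'
        ClassName  = 'MSFT_MpPreference'
        MethodName = 'Set'
        Arguments  = @{ MAPSReporting = [byte]2; SubmitSamplesConsent = [byte]1 }
    }
    $result = Invoke-CimMethod @cim -ErrorAction Stop
    # ReturnValue 0 means the Defender WMI provider accepted the change.
    return ($result.ReturnValue -eq 0)
}

# Enable with the cmdlet path and show the effective settings.
Enable-CloudDeliveredProtection -SampleConsent SendSafeSamples
```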
Use the Windows Security app to enable cloud-delivered protection on individual clients:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus &
threat protection settings label:
3. Confirm that Cloud-based Protection and Automatic sample submission are switched to On.
NOTE
If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
Related topics
Configure the cloud block timeout period
Configure block at first sight
Use PowerShell cmdlets to manage Windows Defender Antivirus
Help secure Windows PCs with Endpoint Protection for Microsoft Intune
Defender cmdlets
Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus
How to create and deploy antimalware policies: Cloud-protection service
Windows Defender Antivirus in Windows 10
Specify the cloud-delivered protection level
1/30/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and
Microsoft Endpoint Configuration Manager.
NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional
Security intelligence updates.
WARNING
While unlikely, setting this switch to High or High + may cause some legitimate files to be detected (although you
will have the option to unblock or dispute that detection).
7. Click OK.
Related articles
Windows Defender Antivirus in Windows 10
Enable cloud-delivered protection
How to create and deploy antimalware policies: Cloud-protection service
Configure and validate Windows Defender Antivirus
network connections
2/7/2020 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your
network to allow connections between your endpoints and certain Microsoft servers.
This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for
validating your connection. Configuring your protection properly helps ensure that you receive the best value from
your cloud-delivered protection services.
See the blog post Important changes to Microsoft Active Protection Services endpoint for some details about
network connectivity.
TIP
You can also visit the Microsoft Defender ATP demo website at demo.wd.microsoft.com to confirm the following features are
working:
Cloud-delivered protection
Fast learning (including block at first sight)
Potentially unwanted application blocking
NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed
resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security
intelligence updates.
See Enable cloud-delivered protection for details on enabling the service with Intune, Microsoft Endpoint
Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
After you've enabled the service, you may need to configure your network or firewall to allow connections between it
and your endpoints.
Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine
learning services. Do not exclude the URL *.blob.core.windows.net from any kind of network inspection. The table
below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules
denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL
*.blob.core.windows.net). The URLs listed below use port 443 for communication.
Service: Security intelligence updates Alternate Download Location (ADL)
Description: Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)
URL: *.download.microsoft.com
Service: Certificate Revocation List (CRL)
Description: Used by Windows when creating the SSL connection to MAPS for updating the CRL
URLs: https://www.microsoft.com/pkiops/crl/ ; https://www.microsoft.com/pkiops/certs ; https://crl.microsoft.com/pki/crl/products ; https://www.microsoft.com/pki/certs
Service: Universal Telemetry Client
Description: Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes
URL: This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: vortex-win.data.microsoft.com ; settings-win.data.microsoft.com
For more information, see Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool.
Attempt to download a fake malware file from Microsoft:
You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected
to the cloud.
Download the file by visiting the following link:
https://aka.ms/ioavtest
NOTE
This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
If you are properly connected, you will see a warning Windows Defender Antivirus notification:
If you are using Microsoft Edge, you'll also see a notification message:
You will also see a detection under Quarantined threats in the Scan history section in the Windows Security app:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Scan history
label:
3. Under the Quarantined threats section, click the See full history label to see the detected fake malware:
NOTE
Versions of Windows 10 before version 1703 have a different user interface. See Windows Defender Antivirus in the Windows
Security app.
The Windows event log will also show Windows Defender client event ID 2050.
IMPORTANT
You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your
proxy servers and any network filtering tools manually to ensure connectivity.
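The connectivity checks this article describes, as an added example that is not from the Microsoft page: it tests the concrete hosts from the table above on TCP 443, runs the MpCmdRun.exe -ValidateMapsConnection check, and queries the event log for the event ID 2050 mentioned above. The function names are this example's own; it assumes Windows 10 with Test-NetConnection available.

```powershell
# Added example (not from the Microsoft page): check that this endpoint can reach
# the cloud-protection hosts from the table above on TCP 443, run the MpCmdRun
# MAPS connectivity check, and look for the event ID 2050 the page mentions.
# Assumes Windows 10 with the NetTCPIP module (Test-NetConnection) available.

# Hosts taken from the table above. Wildcard entries such as
# *.download.microsoft.com cannot be tested by name and are left out.
$CloudProtectionHosts = @(
    'www.microsoft.com',               # CRL and certificate endpoints
    'crl.microsoft.com',               # CRL
    'vortex-win.data.microsoft.com',   # Universal Telemetry Client
    'settings-win.data.microsoft.com'  # Universal Telemetry Client
)

function Test-CloudProtectionEndpoints {
    param(
        [string[]]$Hosts = $CloudProtectionHosts,
        [int]$Port = 443
    )
    foreach ($h in $Hosts) {
        # Direct TCP connect from this machine. It does not go through a proxy or
        # .pac file, so on proxied networks it shows direct reachability only; the
        # proxy path still has to be verified separately (see the IMPORTANT note).
        $r = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host          = $h
            Port          = $Port
            TcpConnected  = [bool]$r.TcpTestSucceeded
            RemoteAddress = $r.RemoteAddress
        }
    }
}

function Test-MapsConnection {
    # MpCmdRun.exe -ValidateMapsConnection performs the end-to-end check
    # against the cloud-protection (MAPS) service and reports the result.
    $mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $output = & $mpCmdRun -ValidateMapsConnection 2>&1
    [pscustomobject]@{
        ExitCode = $LASTEXITCODE
        Output   = ($output -join [Environment]::NewLine)
    }
}

function Get-CloudProtectionTestEvents {
    # After the test download from https://aka.ms/ioavtest, the page says the
    # Windows Defender client logs event ID 2050; read it from the operational log.
    param([int]$LookBackHours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2050
        StartTime = (Get-Date).AddHours(-$LookBackHours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Test-CloudProtectionEndpoints | Format-Table -AutoSize
Test-MapsConnection
Get-CloudProtectionTestEvents
```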
Related articles
Windows Defender Antivirus in Windows 10
Enable cloud-delivered protection
Run a Windows Defender Antivirus scan from the command line and Command line arguments
Important changes to Microsoft Active Protection Services endpoint
Protect security settings with tamper protection
2/26/2020 • 7 minutes to read
Applies to:
Windows 10
Overview
During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on
your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data,
identity, and devices. Tamper protection helps prevent this from occurring.
With tamper protection, malicious apps are prevented from taking actions like these:
Disabling virus and threat protection
Disabling real-time protection
Turning off behavior monitoring
Disabling antivirus (such as IOfficeAntivirus (IOAV))
Disabling cloud-delivered protection
Removing security intelligence updates
How it works
Tamper protection essentially locks Windows Defender Antivirus and prevents your security settings from being
changed through apps and methods like these:
Configuring settings in Registry Editor on your Windows machine
Changing settings through PowerShell cmdlets
Editing or removing security settings through group policies
and so on.
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect
how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10
Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team.
What do you want to do?
1. Turn tamper protection on
For an individual machine, use Windows Security.
For your organization, use Intune.
2. View information about tampering attempts.
3. Review your security recommendations.
4. Browse the frequently asked questions.
If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows
Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to
do this.
1. Click Start, and start typing Defender. In the search results, select Windows Security.
2. Select Virus & threat protection > Virus & threat protection settings.
3. Set Tamper Protection to On or Off.
Here's what you see in the Windows Security app:
Turn tamper protection on (or off) for your organization using Intune
If you are part of your organization's security team, and your subscription includes Intune, you can turn tamper
protection on (or off) for your organization in the Microsoft 365 Device Management portal
(https://aka.ms/intuneportal).
NOTE
The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming
your organization has Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) and that you meet the
prerequisites listed below.
You must have appropriate permissions, such as global admin, security admin, or security operations, to perform
the following task.
1. Make sure your organization meets all of the following requirements to manage tamper protection using
Intune:
Your organization must have Microsoft Defender ATP E5 (this is included in Microsoft 365 E5).
Your organization uses Intune to manage devices. (Intune licenses are required; this is included in
Microsoft 365 E5.)
Your Windows machines must be running Windows 10 OS 1709, 1803, 1809 or later. (See Windows 10
release information for more details about releases.)
You must be using Windows security with security intelligence updated to version 1.287.60.0 (or above).
Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware
engine version 1.1.15500.X (or above). (Manage Windows Defender Antivirus updates and apply
baselines.)
2. Go to the Microsoft 365 Device Management portal (https://devicemanagement.microsoft.com) and sign in
with your work or school account.
3. Select Device configuration > Profiles.
4. Create a profile as follows:
Platform: Windows 10 and later
Profile type: Endpoint protection
Category: Microsoft Defender Security Center
Tamper Protection: Enabled
5. Assign the profile to one or more groups.
Here's what you see in the Windows Security app:
Using endpoint detection and response and advanced hunting capabilities in Microsoft Defender ATP, your security
operations team can investigate and address such attempts.
In the results, you can select Turn on Tamper Protection to learn more and turn it on.
To learn more about Threat & Vulnerability Management, see Threat & Vulnerability Management in Microsoft
Defender Security Center.
For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization
only?
Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices
and user groups.
Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?
Currently we do not have support to manage Tamper Protection through Microsoft Endpoint Configuration
Manager.
I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?
Currently, configuring tamper protection in Intune is only available for customers who have Microsoft Defender
Advanced Threat Protection E5.
What happens if I try to change Microsoft Defender ATP settings in Intune, Microsoft Endpoint Configuration
Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
You won’t be able to change the features that are protected by tamper protection; such change requests are
ignored.
I’m an enterprise customer. Can local admins change tamper protection on their devices?
No. Local admins cannot change or modify tamper protection settings.
What happens if my device is onboarded with Microsoft Defender ATP and then goes into an off-boarded state?
In this case, tamper protection status changes, and this feature is no longer applied.
Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
Yes. The alert is shown in https://securitycenter.microsoft.com under Alerts.
In addition, your security operations team can use hunting queries, such as the following:
DeviceAlertEvents | where Title == "Tamper Protection bypass"
Related articles
Help secure Windows PCs with Endpoint Protection for Microsoft Intune
Get an overview of Microsoft Defender ATP E5
Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection
Enable block at first sight
2/13/2020 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Block at first sight is a feature of next-generation protection that provides a way to detect and block new malware
within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most
cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
You can specify how long the file should be prevented from running while the cloud-based protection service
analyzes the file. And, you can customize the message displayed on users' desktops when a file is blocked. You
can change the company name, contact information, and message URL.
TIP
Visit the Microsoft Defender ATP demo website at demo.wd.microsoft.com to confirm the features are working and see
how they work.
How it works
When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection
backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine
whether the files are malicious or clean.
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time,
and intelligent protection. Get to know the advanced technologies at the core of Microsoft Defender ATP next
generation protection.
In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or
macros) as well as executable files.
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files
that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is
checked via the cloud backend to determine if this is a previously undetected file.
If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a
copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file
to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
In many cases, this process can reduce the response time for new malware from hours to seconds.
NOTE
The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
WARNING
Setting the file blocking level to High will apply a strong level of detection. In the unlikely event that it causes a
false positive detection of legitimate files, use the option to restore the quarantined files.
For more information about configuring Windows Defender Antivirus device restrictions in Intune, see Configure
device restriction settings in Microsoft Intune.
For a list of Windows Defender Antivirus device restrictions in Intune, see Device restriction for Windows 10 (and
newer) settings in Intune.
Enable block at first sight with Microsoft Endpoint Configuration Manager
1. In Microsoft Endpoint Configuration Manager, click Assets and Compliance > Endpoint Protection >
AntiMalware Policies.
2. Click Home > Create Antimalware Policy.
3. Enter a name and a description, and add these settings:
Real time protection
Advanced
Cloud Protection Service
4. In the left column, click Real time protection, set Enable real-time protection to Yes, and set Scan
system files to Scan incoming and outgoing files.
5. Click Advanced, set Enable real-time protection to Yes, and set Scan system files to Scan
incoming and outgoing files.
6. Click Cloud Protection Service, set Cloud Protection Service membership type to Advanced
membership, set Level for blocking malicious files to High, and set Allow extended cloud check
to block and scan suspicious files for up to (seconds) to 50 seconds.
7. Click OK to create the policy.
Confirm block at first sight is enabled with Group Policy
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > MAPS, configure the
following Group Policies, and then click OK:
Double-click Join Microsoft MAPS and ensure the option is set to Enabled. Click OK.
Double-click Send file samples when further analysis is required and ensure the option is set
to Enabled and the additional options are either Send safe samples (1) or Send all samples
(3).
WARNING
Setting to Always prompt (0) will lower the protection state of the device. Setting to Never send (2) means
block at first sight will not function.
4. In the Group Policy Management Editor, expand the tree to Windows components > Windows
Defender Antivirus > Real-time Protection:
a. Double-click Scan all downloaded files and attachments and ensure the option is set to
Enabled, and then click OK.
b. Double-click Turn off real-time protection and ensure the option is set to Disabled, and then
click OK.
If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to
ensure all endpoints are covered.
Confirm block at first sight is enabled with the Windows Security app
You can confirm that block at first sight is enabled in your Windows security settings.
Block at first sight is automatically enabled as long as Cloud-delivered protection and Automatic sample
submission are both turned on.
Confirm Block at First Sight is enabled on individual clients
1. Open the Windows Security app.
2. Select Virus & threat protection, and then, under Virus & threat protection settings, select
Manage Settings.
3. Confirm that Cloud-delivered protection and Automatic sample submission are both turned on.
NOTE
If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be
greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be
deployed to individual endpoints before the setting will be updated in Windows Settings.
You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at
first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the
feature's impact on your network.
Disable block at first sight with Group Policy
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure, and then click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree through Windows components > Windows Defender Antivirus > MAPS.
4. Double-click Configure the 'Block at First Sight' feature and set the option to Disabled.
NOTE
Disabling block at first sight will not disable or alter the prerequisite group policies.
Related topics
Windows Defender Antivirus in Windows 10
Enable cloud-delivered protection
Configure the cloud block timeout period
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the
Windows Defender Antivirus cloud service.
The default period that the file will be blocked is 10 seconds. You can specify an additional period of time to wait
before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from
the Windows Defender Antivirus cloud service.
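An added example, not from the Microsoft page, that audits the block at first sight prerequisites listed in the previous article (MAPS membership, sample submission, real-time protection, scanning of downloaded files) together with the cloud block timeout described here, reading them with the real Get-MpPreference and Get-MpComputerStatus cmdlets. The function names are this example's own; the 10-second default plus the extended timeout is taken from the text above.

```powershell
# Added example (not from the Microsoft page): audit the block at first sight
# prerequisites and the cloud block timeout on the local machine with the
# Defender PowerShell module (Get-MpPreference / Get-MpComputerStatus).
# Numeric codes match the Group Policy values documented above.

function Get-BlockAtFirstSightStatus {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Prerequisites listed on the page: joined to MAPS, samples submitted
    # (1 = safe samples, 3 = all samples), real-time protection on, downloaded
    # files and attachments scanned (IOAV), and the feature itself not disabled.
    $mapsJoined     = $pref.MAPSReporting -ne 0
    $samplesShared  = $pref.SubmitSamplesConsent -in @(1, 3)
    $realtimeOn     = (-not $pref.DisableRealtimeMonitoring) -and $status.RealTimeProtectionEnabled
    $ioavOn         = -not $pref.DisableIOAVProtection
    $featureEnabled = -not $pref.DisableBlockAtFirstSeen

    # Cloud block timeout: a suspicious file is held for 10 seconds by default,
    # plus the configured extended timeout (CloudExtendedTimeout, in seconds).
    $effectiveTimeout = 10 + [int]$pref.CloudExtendedTimeout

    [pscustomobject]@{
        BlockAtFirstSightActive       = $mapsJoined -and $samplesShared -and $realtimeOn -and $ioavOn -and $featureEnabled
        MAPSReporting                 = $pref.MAPSReporting
        SubmitSamplesConsent          = $pref.SubmitSamplesConsent
        RealTimeProtection            = $realtimeOn
        ScanDownloadsAndAttachments   = $ioavOn
        DisableBlockAtFirstSeen       = $pref.DisableBlockAtFirstSeen
        CloudBlockLevel               = $pref.CloudBlockLevel
        CloudExtendedTimeoutSeconds   = $pref.CloudExtendedTimeout
        EffectiveCloudBlockTimeoutSec = $effectiveTimeout
        TamperProtected               = $status.IsTamperProtected
        AMProductVersion              = $status.AMProductVersion
        AMEngineVersion               = $status.AMEngineVersion
    }
}

function Get-BlockAtFirstSightFindings {
    # Returns one line per unmet prerequisite (plus one informational line about
    # the timeout), or an empty array when everything is in place.
    $s = Get-BlockAtFirstSightStatus
    $findings = @()
    if ($s.MAPSReporting -eq 0) {
        $findings += 'Join Microsoft MAPS is disabled (MAPSReporting = 0).'
    }
    if ($s.SubmitSamplesConsent -notin @(1, 3)) {
        $findings += "Sample submission is $($s.SubmitSamplesConsent); block at first sight needs 1 (safe samples) or 3 (all samples)."
    }
    if (-not $s.RealTimeProtection) {
        $findings += 'Real-time protection is turned off.'
    }
    if (-not $s.ScanDownloadsAndAttachments) {
        $findings += 'Scan all downloaded files and attachments (IOAV) is disabled.'
    }
    if ($s.DisableBlockAtFirstSeen) {
        $findings += "The 'Block at First Sight' policy is set to Disabled."
    }
    if ($s.CloudExtendedTimeoutSeconds -eq 0) {
        $findings += 'Info: no extended cloud check configured; files are held for the 10-second default only.'
    }
    return ,$findings
}

Get-BlockAtFirstSightStatus | Format-List
Get-BlockAtFirstSightFindings
```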
Related topics
Windows Defender Antivirus in Windows 10
Use next-generation antivirus technologies through cloud-delivered protection
Configure block at first sight
Enable cloud-delivered protection
Configure behavioral, heuristic, and real-time
protection
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus uses several methods to provide threat protection:
Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time
protection")
Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-
depth threat resistance research
You can configure how Windows Defender Antivirus uses these methods with Group Policy, System Center
Configuration Manager, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed
unsafe, but may not be detected as malware.
See Use next-gen Windows Defender Antivirus technologies through cloud-delivered protection for how to enable
and configure Windows Defender Antivirus cloud-delivered protection.
In this section
Detect and block potentially unwanted applications: Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
Enable and configure Windows Defender Antivirus protection capabilities: Enable and configure real-time protection, heuristics, and other always-on Windows Defender Antivirus monitoring features
Detect and block potentially unwanted applications
2/12/2020 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Edge
Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they
might perform actions on endpoints which adversely affect endpoint performance or use. PUA can also refer to an
application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable
behavior.
For example:
Advertising software: Software that displays advertisements or promotions, including software that inserts
advertisements into webpages.
Bundling software: Software that offers to install other software that is not digitally signed by the same entity.
Also, software that offers to install other software that qualifies as PUA.
Evasion software: Software that actively tries to evade detection by security products, including software that
behaves differently in the presence of security products.
For more examples and a discussion of the criteria we use to label applications for special attention from security
features, see How Microsoft identifies malware and potentially unwanted applications.
Potentially unwanted applications can increase the risk of your network being infected with actual malware, make
malware infections harder to identify, or waste IT resources in cleaning them up.
How it works
Microsoft Edge
The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application
downloads and associated resource URLs. This feature is provided via Windows Defender SmartScreen.
Enable PUA protection in Chromium-based Microsoft Edge
Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is
turned off by default, it can easily be turned on from within the browser.
1. Select the ellipses, and then choose Settings.
2. Select Privacy and services.
3. Under the Services section, turn on Block potentially unwanted apps.
TIP
If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by
testing it out on one of our Windows Defender SmartScreen demo pages.
NOTE
This feature is only available in Windows 10.
Windows Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them.
Blocked PUA files are then moved to quarantine.
When a PUA file is detected on an endpoint, Windows Defender Antivirus sends a notification to the user (unless
notifications have been disabled) in the same format as other threat detections. The notification will be prefaced
with PUA: to indicate its content.
The notification appears in the usual quarantine list within the Windows Security app.
Configure PUA protection in Windows Defender Antivirus
You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or
via PowerShell cmdlets.
You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the
Windows event log.
TIP
You can visit the Microsoft Defender ATP demo website at demo.wd.microsoft.com to confirm that the feature is working,
and see it in action.
PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd
like to avoid any false positives.
Use Intune to configure PUA protection
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction
settings for Windows 10 in Intune for more details.
Use Configuration Manager to configure PUA protection
PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch).
See How to create and deploy antimalware policies: Scheduled scans settings for details on configuring Microsoft
Endpoint Configuration Manager (Current Branch).
For System Center 2012 Configuration Manager, see How to Deploy Potentially Unwanted Application Protection
Policy for Endpoint Protection in Configuration Manager.
NOTE
PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft
Endpoint Configuration Manager.
Use Group Policy to configure PUA protection
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure, and select Edit.
2. In the Group Policy Management Editor, go to Computer configuration and select Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus.
4. Double-click Configure protection for potentially unwanted applications.
5. Select Enabled to enable PUA protection.
6. In Options, select Block to block potentially unwanted applications, or select Audit Mode to test how the
setting will work in your environment. Select OK.
Use PowerShell cmdlets to configure PUA protection
To enable PUA protection
Setting the value for this cmdlet to Enabled will turn the feature on if it has been disabled.
To set PUA protection to audit mode
We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:
Setting the value for this cmdlet to Disabled will turn the feature off if it has been enabled.
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
View PUA events
PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in
Intune.
You can turn on email notifications to receive mail about PUA detections.
See Troubleshoot event IDs for details on viewing Windows Defender Antivirus events. PUA events are recorded
under event ID 1160 .
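The PowerShell route described in the two sections above (setting the PUA protection mode, then reading audit-mode detections out of the event log), as an added example that is not part of the Microsoft documentation. It assumes the Defender PowerShell module (Set-MpPreference and Get-MpPreference) on a Windows 10 endpoint with Windows Defender Antivirus active, and an elevated console; the event log name and event ID 1160 are the ones this page cites. The function names are the example's own.

```powershell
# Added example, not from the Microsoft documentation.
# Assumes: the Defender module (Set-MpPreference / Get-MpPreference), Windows 10
# with Windows Defender Antivirus active, run from an elevated console.

function Set-PuaProtectionMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$Mode
    )
    # -PUAProtection accepts Disabled, Enabled or AuditMode.
    Set-MpPreference -PUAProtection $Mode

    # Read the effective value back. Get-MpPreference reports it numerically
    # (0 = Disabled, 1 = Enabled, 2 = AuditMode); map it to the name we set.
    $names = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $raw = (Get-MpPreference).PUAProtection
    $effective = if ($names.ContainsKey([int]$raw)) { $names[[int]$raw] } else { [string]$raw }
    if ($effective -ne $Mode) {
        # A Group Policy, Intune or Configuration Manager setting wins over the
        # local preference, which is the usual reason the read-back differs.
        throw "PUA protection is '$effective', expected '$Mode'; check for a managed policy overriding the local preference"
    }
    return $effective
}

function Get-PuaDetections {
    param([int]$Days = 7)
    # Event ID 1160 in the Windows Defender operational log is where PUA
    # detections (audit mode and block mode alike) are recorded; the page notes
    # they are not forwarded to Configuration Manager or Intune.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1160
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # -ErrorAction SilentlyContinue: no matching events is not an error here.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Summary = ($_.Message -split "`r?`n")[0]   # first line of the event text
            }
        }
}

# Usage: audit first, review what would have been blocked, then enforce.
# Set-PuaProtectionMode -Mode AuditMode
# Get-PuaDetections -Days 30 | Format-Table -AutoSize
# Set-PuaProtectionMode -Mode Enabled
```

The read-back after Set-MpPreference is the useful part: on a managed endpoint the cmdlet succeeds even when a policy overrides the value, so comparing the effective setting to the requested one is how you notice that the change did not take.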
Allow-listing apps
Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In
these cases, a file can be allow-listed. See How to Configure Endpoint Protection in Configuration Manager for
information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus.
Related articles
Next-generation protection
Configure behavioral, heuristic, and real-time protection
Enable and configure Windows Defender Antivirus always-on protection in Group Policy
12/16/2019 • 6 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware
based on known suspicious and malicious activities.
These activities include events, such as processes making unusual changes to existing files, modifying or
creating automatic startup registry keys and startup locations (also known as auto-start extensibility points,
or ASEPs), and other changes to the file system or file structure.
Setting: Allow antimalware service to startup with normal priority
Description: You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint.
Default setting: Enabled
b. In the Real-time Protection details pane on right, double-click the policy setting as specified in the
following table:
Setting: Scan all downloaded files and attachments
Description: Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading.
Default setting: Enabled
Setting: Monitor file and program activity on your computer
Description: The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run).
Default setting: Enabled
Setting: Turn on process scanning whenever real-time protection is enabled
Description: You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled.
Default setting: Enabled
Setting: Define the maximum size of downloaded files and attachments to be scanned
Description: You can define the size in kilobytes.
Default setting: Enabled
Setting: Configure local setting override for turn on behavior monitoring
Description: Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
Default setting: Enabled
Setting: Configure local setting override for scanning all downloaded files and attachments
Description: Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
Default setting: Enabled
Setting: Configure local setting override for monitoring file and program activity on your computer
Description: Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
Default setting: Enabled
Setting: Configure local setting override to turn on real-time protection
Description: Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
Default setting: Enabled
Setting: Configure local setting override for monitoring for incoming and outgoing file activity
Description: Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
Default setting: Enabled
Setting: Configure monitoring for incoming and outgoing file and program activity
Description: Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes.
Default setting: Enabled (both directions)
The main real-time protection capability is enabled by default, but you can disable it by using Local Group
Policy Editor .
To disable real-time protection in Group policy:
1. Open Local Group Policy Editor.
a. In your Windows 10 taskbar search box, type gpedit.
b. Under Best match, click Edit group policy to launch Local Group Policy Editor.
2. In the left pane of Local Group Policy Editor, expand the tree to Computer Configuration >
Administrative Templates > Windows Components > Windows Defender Antivirus > Real-time Protection.
3. In the Real-time Protection details pane on right, double-click Turn off real-time protection.
4. In the Turn off real-time protection setting window, set the option to Enabled.
5. Click OK.
6. Close Local Group Policy Editor.
Related articles
Configure behavioral, heuristic, and real-time protection
Windows Defender Antivirus in Windows 10
Windows Defender Antivirus on Windows Server 2016 and 2019
2/26/2020 • 7 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances,
Windows Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
While the functionality, configuration, and management are largely the same for Windows Defender Antivirus on
Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019:
In Windows Server, automatic exclusions are applied based on your defined Server Role.
In Windows Server, Windows Defender Antivirus does not automatically disable itself if you are running
another antivirus product.
Event messages for the antimalware engine included with Windows Defender Antivirus can be found in Windows
Defender AV Events.
To verify that firewall protection is turned on, run the following PowerShell cmdlet:
As an alternative to PowerShell, you can use Command Prompt to verify that Windows Defender Antivirus is
running. To do that, run the following command from a command prompt:
sc query Windefend
The sc query command returns information about the Windows Defender Antivirus service. When Windows
Defender Antivirus is running, the STATE value displays RUNNING .
Method: Windows Update in Control Panel
Description:
- Install updates automatically results in all updates being automatically installed, including Windows Defender Security intelligence updates.
- Download updates but let me choose whether to install them allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed.
Method: Group Policy
Description: You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates
Method: The AUOptions registry key
Description: The following two values allow Windows Update to automatically download and install Security intelligence updates:
- 4 Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
- 3 Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed.
To ensure that protection from malware is maintained, we recommend that you enable the following services:
Windows Error Reporting service
Windows Update service
The following table lists the services for Windows Defender Antivirus and the dependent services.
Service: Windows Defender Service (WinDefend)
Location: C:\Program Files\Windows Defender\MsMpEng.exe
Description: This is the main Windows Defender Antivirus service that needs to be running at all times.
Service: Windows Error Reporting Service (Wersvc)
Location: C:\WINDOWS\System32\svchost.exe -k WerSvcGroup
Description: This service sends error reports back to Microsoft.
Submit samples
Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide
continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and
produce updated antimalware Security intelligence. We collect program executable files, such as .exe files and .dll
files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files.
Submit a file
1. Review the submission guide.
2. Visit the sample submission portal, and submit your file.
Enable automatic sample submission
To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the
SubmitSamplesConsent value data according to one of the following settings:
Value 1, Send safe samples automatically: The Windows Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files.
Value 2, Never send: The Windows Defender Antivirus service does not prompt and does not send any files.
Value 3, Send all samples automatically: The Windows Defender Antivirus service sends all files without a prompt for confirmation.
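Two of the checks this article describes for Windows Server (confirming that the WinDefend service is running, and setting the SubmitSamplesConsent value from an elevated PowerShell console), as an added example that is not part of the Microsoft documentation. It assumes the Defender PowerShell module (Set-MpPreference and Get-MpPreference) on Windows Server 2016 or 2019; the function names and the names given to the three values are the example's own, taken from the descriptions in the table above.

```powershell
# Added example, not from the Microsoft documentation. Assumes the Defender
# module on Windows Server 2016/2019 and an elevated console.

function Test-DefenderServiceRunning {
    # Same check as 'sc query Windefend' above, via the service controller.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $false }      # feature not installed or removed
    return ($svc.Status -eq 'Running')
}

# The SubmitSamplesConsent values listed on the page, keyed by a readable name
# (names are this example's own).
$SubmitSamplesConsentValues = @{
    SendSafeSamples = 1   # send files marked safe, prompt for the rest
    NeverSend       = 2   # never prompt, never send
    SendAllSamples  = 3   # send everything without prompting
}

function Set-SampleSubmission {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SendSafeSamples', 'NeverSend', 'SendAllSamples')]
        [string]$Setting
    )
    if (-not (Test-DefenderServiceRunning)) {
        throw 'WinDefend is not running; Set-MpPreference needs the antimalware service.'
    }
    $value = $SubmitSamplesConsentValues[$Setting]
    Set-MpPreference -SubmitSamplesConsent $value

    # Read the value back. Group Policy or Configuration Manager settings take
    # precedence over the local preference, and this comparison exposes that.
    $effective = [int](Get-MpPreference).SubmitSamplesConsent
    if ($effective -ne $value) {
        throw "SubmitSamplesConsent is $effective, expected $value; a managed policy may be overriding it"
    }
    return $effective
}

# Usage:
# Test-DefenderServiceRunning            # $true when WinDefend is Running
# Set-SampleSubmission -Setting SendSafeSamples
```

The page notes that only executable content such as .exe and .dll files is collected and that documents are not; the value chosen here decides whether that collection happens silently, with a prompt, or not at all.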
NOTE
You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016 or 2019:
Uninstall-WindowsFeature -Name Windows-Defender
Related topics
Windows Defender Antivirus in Windows 10
Configure exclusions in Windows Defender AV on Windows Server
Windows Defender Antivirus compatibility
4/2/2020 • 5 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Overview
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running
Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether
you're using Microsoft Defender ATP together with your antivirus protection.
When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and
Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode.
If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus
automatically goes into passive mode. (Real time protection and threats are not remediated by Windows
Defender Antivirus.)
If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware
solution, and you have shadow protection (currently in private preview), then Windows Defender Antivirus
runs in the background and blocks/remediates malicious items that are detected, such as during a post-
breach attack.
Table columns: Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state (the table rows did not survive in this copy)
(1) On Windows Server 2016 or 2019, Windows Defender Antivirus will not enter passive or disabled mode if
you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should
consider uninstalling Windows Defender Antivirus on Windows Server 2016 or 2019 to prevent problems
caused by having multiple antivirus products installed on a machine.
If you are using Windows Server, version 1803 or Windows Server 2019, you can enable passive mode by setting
this registry key:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Value: 1
See Windows Defender Antivirus on Windows Server 2016 and 2019 for key differences and management
options for Windows Server installations.
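Writing the registry value above from PowerShell and then comparing what was requested with what the engine reports, as an added example that is not part of the Microsoft documentation. It assumes an elevated console on Windows Server, version 1803 or Windows Server 2019 that is onboarded to Microsoft Defender ATP (the value applies in that case, per the text above), and it assumes that Get-MpComputerStatus exposes an AMRunningMode property on recent builds; the code reads that property only if it is present. The function names are the example's own.

```powershell
# Added example, not from the Microsoft documentation. Assumes an elevated
# console on Windows Server, version 1803 / Windows Server 2019 with Microsoft
# Defender ATP onboarding in place.

$PassiveModeKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$PassiveModeName = 'ForceDefenderPassiveMode'

function Set-DefenderPassiveMode {
    param([switch]$Revert)   # -Revert writes 0 (normal mode) instead of 1
    $value = if ($Revert) { 0 } else { 1 }
    if (-not (Test-Path -LiteralPath $PassiveModeKey)) {
        New-Item -Path $PassiveModeKey -Force | Out-Null
    }
    New-ItemProperty -Path $PassiveModeKey -Name $PassiveModeName `
        -PropertyType DWord -Value $value -Force | Out-Null
    return (Get-ItemProperty -Path $PassiveModeKey -Name $PassiveModeName).$PassiveModeName
}

function Get-DefenderRunningMode {
    # The registry says what was asked for; the engine says what happened.
    # Reporting both side by side is how you see a value that was written but
    # not honoured (for example on a server that is not onboarded).
    $requested = (Get-ItemProperty -Path $PassiveModeKey -Name $PassiveModeName `
                      -ErrorAction SilentlyContinue).$PassiveModeName
    $status = Get-MpComputerStatus
    # AMRunningMode is assumed to exist on recent builds; fall back gracefully.
    $mode = if ($status.PSObject.Properties['AMRunningMode']) {
        $status.AMRunningMode
    } else {
        'unknown (AMRunningMode not reported on this build)'
    }
    [pscustomobject]@{
        ForceDefenderPassiveMode  = if ($null -eq $requested) { 'not set' } else { $requested }
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        AMRunningMode             = $mode
    }
}

# Usage:
# Set-DefenderPassiveMode          # returns 1
# Get-DefenderRunningMode          # compare requested vs. reported mode
# Set-DefenderPassiveMode -Revert  # returns 0
```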
IMPORTANT
Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows
Server 2019.
In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as System Center
Endpoint Protection, which is managed through Microsoft Endpoint Configuration Manager.
Windows Defender is also offered for consumer devices on Windows 8.1 and Windows Server 2012, although it does not
provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
State | Real-time protection and cloud-delivered protection | Limited periodic scanning availability | File scanning and detection information | Threat remediation | Security intelligence updates
Automatic disabled mode | No | Yes | No | No | No
In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration
made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are
scanned and threats remediated, and detection information is reported in your configuration tool (such as
Configuration Manager or the Windows Defender Antivirus app on the machine itself).
In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not
remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat
detections which are shared with the Microsoft Defender ATP service.
When shadow protection (currently in private preview) is turned on, Windows Defender Antivirus is not
used as the primary antivirus solution, but can still detect and remediate malicious items.
In Automatic disabled mode, Windows Defender Antivirus is not used as the antivirus app. Files are not
scanned and threats are not remediated.
WARNING
You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus,
Microsoft Defender ATP, or the Windows Security app. This includes the wscsvc, SecurityHealthService, MsSense, Sense,
WinDefend, or MsMpEng services and process. Manually modifying these services can cause severe instability on your
endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus
apps and how their information is displayed in the Windows Security app.
Related topics
Windows Defender Antivirus in Windows 10
Windows Defender Antivirus on Windows Server 2016 and 2019
Shadow protection in next-generation protection
Use limited periodic scanning in Windows Defender Antivirus
11/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have
installed another antivirus product on a Windows 10 device.
It can only be enabled in certain situations. For more information about limited periodic scanning and how
Microsoft Defender Antivirus works with other antivirus products, see Windows Defender Antivirus compatibility.
Microsoft does not recommend using this feature in enterprise environments. This is a feature
primarily intended for consumers. This feature only uses a limited subset of the Windows Defender Antivirus
capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software.
Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their
primary antivirus solution and use it exclusively.
Sliding the switch to On will show the standard Windows Defender AV options underneath the third-party AV
product. The limited periodic scanning option will appear at the bottom of the page.
Related articles
Configure behavioral, heuristic, and real-time protection
Windows Defender Antivirus in Windows 10
Deploy, manage, and report on Windows Defender Antivirus
2/7/2020 • 4 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can deploy, manage, and report on Windows Defender Antivirus in a number of ways.
Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional deployment
of a client to your endpoints does not apply.
However, in most cases you will still need to enable the protection service on your endpoints with Microsoft
Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is
described in the following table.
You'll also see additional links for:
Managing Windows Defender Antivirus protection, including managing product and protection updates
Reporting on Windows Defender Antivirus protection
IMPORTANT
In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product that is running
and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will
function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Windows
Defender Antivirus.
Tool: Microsoft Intune
Deployment options (2): Add endpoint protection settings in Intune
Management options (network-wide configuration and policy or baseline deployment) (3): Configure device restriction settings in Intune
Reporting options: Use the Intune console to manage devices
Tool: Microsoft Endpoint Configuration Manager (1)
Deployment options (2): Use the Endpoint Protection point site system role and enable Endpoint Protection with custom client settings
Management options (network-wide configuration and policy or baseline deployment) (3): With default and customized antimalware policies and client management
Reporting options: With the default Configuration Manager Monitoring workspace and email alerts
Tool: Group Policy and Active Directory (domain-joined)
Deployment options (2): Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.
Management options (network-wide configuration and policy or baseline deployment) (3): Use Group Policy Objects (GPOs) to Configure update options for Windows Defender Antivirus and Configure Windows Defender features
Reporting options: Endpoint reporting is not available with Group Policy. You can generate a list of Group Policies to determine if any settings or policies are not applied
Tool: PowerShell
Deployment options (2): Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.
Management options (network-wide configuration and policy or baseline deployment) (3): Use the Set-MpPreference and Update-MpSignature cmdlets available in the Defender module.
Reporting options: Use the appropriate Get- cmdlets available in the Defender module
Tool: Windows Management Instrumentation
Deployment options (2): Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.
Management options (network-wide configuration and policy or baseline deployment) (3): Use the Set method of the MSFT_MpPreference class and the Update method of the MSFT_MpSignature class
Reporting options: Use the MSFT_MpComputerStatus class and the get method of associated classes in the Windows Defender WMIv2 Provider
1. The availability of some functions and features, especially related to cloud-delivered protection, differs
between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012
Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and
Microsoft Endpoint Configuration Manager (Current Branch). See Use Microsoft cloud-provided
protection in Windows Defender Antivirus for a table that describes the major differences. (Return to
table)
2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment
of an additional client or service. It will automatically be enabled when third-party antivirus products are
either uninstalled or out of date (except on Windows Server 2016). Traditional deployment therefore is
not required. Deployment here refers to ensuring the Windows Defender Antivirus component is
available and enabled on endpoints or servers. (Return to table)
3. Configuration of features and protection, including configuring product and protection updates, are
further described in the Configure Windows Defender Antivirus features section in this library. (Return to
table)
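The reporting row of the table above for Windows Management Instrumentation, done through the MSFT_MpComputerStatus class in the Windows Defender WMIv2 provider, as an added example that is not part of the Microsoft documentation. It assumes the root/Microsoft/Windows/Defender namespace on a Windows 10 or Windows Server 2016 endpoint; the property names used are those of MSFT_MpComputerStatus, the signature-age threshold is a value constructed for this example, and the function name is the example's own.

```powershell
# Added example, not from the Microsoft documentation. Assumes the Windows
# Defender WMIv2 provider (namespace root/Microsoft/Windows/Defender).

function Get-DefenderHealthReport {
    param([int]$MaxSignatureAgeDays = 2)   # threshold constructed for this example
    $status = Get-CimInstance -Namespace 'root/Microsoft/Windows/Defender' `
                              -ClassName 'MSFT_MpComputerStatus'

    # Collect everything that would make this endpoint non-compliant.
    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $status.AMServiceEnabled)          { $findings.Add('antimalware service (WinDefend) not enabled') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('antivirus not enabled (passive or disabled mode?)') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('real-time protection off') }
    if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('behavior monitoring off') }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("security intelligence is $($status.AntivirusSignatureAge) days old")
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        EngineVersion        = $status.AMEngineVersion
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        QuickScanAgeDays     = $status.QuickScanAge
        Healthy              = ($findings.Count -eq 0)
        Findings             = $findings.ToArray()
    }
}

# Usage on one machine:
# Get-DefenderHealthReport | Format-List
# Across a fleet (assumed list of hostnames, needs WinRM); the objects can then
# be exported for a SIEM or compared with Get-MpComputerStatus output:
# Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-DefenderHealthReport}
```

Querying the CIM class directly is what a third-party inventory or SIEM agent does when the Defender module is not available to it; the cmdlet Get-MpComputerStatus in the PowerShell row of the table returns the same properties.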
In this section
Topic: Deploy and enable Windows Defender Antivirus protection
Description: While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects.
Topic: Manage Windows Defender Antivirus updates and apply baselines
Description: There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI.
Topic: Monitor and report on Windows Defender Antivirus protection
Description: You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.
Deploy and enable Windows Defender Antivirus
2/7/2020 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Depending on the management tool you are using, you may need to specifically enable or configure Windows
Defender Antivirus protection.
See the table in Deploy, manage, and report on Windows Defender Antivirus for instructions on how to enable
protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory,
Microsoft Azure, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender
Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
The remaining topic in this section provides end-to-end advice and best practices for setting up Windows Defender
Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment.
Related topics
Windows Defender Antivirus in Windows 10
Deploy, manage updates, and report on Windows Defender Antivirus
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
2/3/2020 • 9 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in
a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
See Windows Virtual Desktop Documentation for more details on Microsoft Remote Desktop Services and VDI
support.
For Azure-based virtual machines, you can also review the Install Endpoint Protection in Azure Security Center
topic.
With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you
can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a
periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly
to the VM when it's turned on.
This guide describes how to configure your VMs for optimal protection and performance, including how to:
Set up a dedicated VDI file share for security intelligence updates
Randomize scheduled scans
Use quick scans
Prevent notifications
Disable scans from occurring after every update
Scan out-of-date machines or machines that have been offline for a while
Apply exclusions
You can also download the whitepaper Windows Defender Antivirus on Virtual Desktop Infrastructure, which looks
at the new shared security intelligence update feature, alongside performance testing and guidance on how you
can test antivirus performance on your own VDI.
IMPORTANT
Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be
running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in
earlier versions of Windows.
There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines
in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview
build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
Open the Intune Management Portal either by searching for Intune on https://portal.azure.com or going to
https://devicemanagement.microsoft.com and logging in.
To create a group with only the devices or users you specify
1. Go to Groups > New group .
2. Specify the following values:
Group type: Security
Group name: VDI test VMs
Group description: Optional
Membership type: Assigned
3. Add the devices or users you want to be a part of this test and then click Create to save the group.
It’s a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the
shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or
earlier versions. This will help when you create dashboards to test the performance changes.
To create a group that will include any machine in your tenant that is a VM, even when they are newly created
1. Go to Groups > New group .
2. Specify the following values:
Group type: Security
Group name: VDI test VMs
Group description: Optional
Membership type: Dynamic Device
3. Click Simple rule, and select deviceModel, Equals, and enter Virtual Machine.
4. Click Add query and then Create to save the group.
5. Go to Device configuration , then Profiles . You can modify an existing custom profile or create a new one.
Create a new device configuration profile
In this example, we create a new device configuration profile by clicking Create profile .
1. Name it, choose Windows 10 and later as the Platform and – most importantly – select Custom as the
profile type.
2. The Custom OMA-URI Settings blade is opened automatically. Click Add then enter the following values:
Name: VDI shared sig location
Description: Optional
OMA-URI: ./Vendor/MSFT/Defender/SharedSignatureRoot
Data type: String
\\<sharedlocation\>\wdav-update\ (see the Download and unpackage section for what this will be)
3. Click Ok to close the details blade, then OK again to close the Custom OMA-URI Settings blade.
4. Click Create to save the new profile. The profile details page now appears.
5. Click Assignments . The Include tab is automatically selected. In the drop-down menu, select Selected
Groups , then click Select groups to include . Click the VDI test VMs group and then Select .
6. Click Evaluate to see how many users/devices will be impacted. If the number makes sense, click Save . If
the number doesn’t make sense, go back to the groups blade and confirm the group contains the right
users or devices.
The profile will now be deployed to the impacted devices. This may take some time.
Use Group Policy to enable the shared security intelligence feature:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure, and then click Edit .
2. In the Group Policy Management Editor go to Computer configuration .
3. Click Administrative templates .
4. Expand the tree to Windows components > Windows Defender Antivirus > Security Intelligence
Updates .
5. Double-click Define security intelligence location for VDI clients , and then set the option to Enabled .
A field automatically appears.
6. Enter \\<sharedlocation>\wdav-update (see the Download and unpackage section for what this will be).
7. Click OK .
8. Deploy the GPO to the VMs you want to test.
Use PowerShell to enable the shared security intelligence feature
Use the following cmdlet to enable the feature. You then need to push this the same way you would normally push
PowerShell-based configuration policies onto the VMs:
See the Download and unpackage section for what the <shared location> will be.
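As an added example (not part of the original guide), the following script points a VDI client at the shared security intelligence folder with Set-MpPreference, reads the value back, and checks that the share is reachable. The -SharedSignaturesPath parameter is the cmdlet counterpart of the "Define security intelligence location for VDI clients" Group Policy setting; \\<sharedlocation>\wdav-update is the placeholder the guide uses for your own file server and folder.

```powershell
# Added example, not code from the original guide.
# <sharedlocation> is a placeholder for your file server; wdav-update is the folder
# name the guide uses for the unpacked security intelligence package.
$SharedPath = '\\<sharedlocation>\wdav-update'

# -SharedSignaturesPath backs the "Define security intelligence location for VDI
# clients" policy; setting it here is what you would push to the VMs.
Set-MpPreference -SharedSignaturesPath $SharedPath

# Verify by reading the effective preference back instead of trusting the call.
$current = (Get-MpPreference).SharedSignaturesPath
if ($current -eq $SharedPath) {
    Write-Output "Shared signature path is set to $current"
} else {
    Write-Warning "Expected '$SharedPath' but the effective value is '$current' (a policy may have overridden it)"
}

# The VM reads the share as its computer account, so both share and NTFS
# permissions must allow that account; Test-Path run on the VM exposes a gap early.
if (-not (Test-Path -Path $SharedPath)) {
    Write-Warning "Cannot reach $SharedPath from this VM; check share and NTFS permissions for the computer account"
}
```

Run it on one test VM before pushing the setting to the group; a VM that cannot read the share simply falls back to its other update sources, so the warning is the only sign the shared location is misconfigured.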
Download and unpackage the latest updates
Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script
for you below. This script is the easiest way to download new updates and get them ready for your VMs. You
should then set the script to run at a certain time on the management machine by using a scheduled task (or, if
you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those).
$vdmpathbase = 'c:\wdav-update\{00000000-0000-0000-0000-'
$vdmpathtime = Get-Date -Format "yMMddHHmmss"
$vdmpath = $vdmpathbase + $vdmpathtime + '}'
$vdmpackage = $vdmpath + '\mpam-fe.exe'
$extractArgs = @("/x")   # mpam-fe.exe /x extracts the package into the current folder
# Create the GUID-named folder, download the x64 security intelligence package into it, then extract it in place
New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null
Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage
Start-Process -FilePath $vdmpackage -ArgumentList $extractArgs -WorkingDirectory $vdmpath -Wait
You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then
the VMs will receive the new update. We suggest starting with once a day – but you should experiment with
increasing or decreasing the frequency to understand the impact.
Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter
than four hours isn’t advised because it will increase the network overhead on your management machine for no
benefit.
Set a scheduled task to run the PowerShell script
1. On the management machine, open the Start menu and type Task Scheduler . Open it and select Create
task … on the side panel.
2. Enter the name as Security intelligence unpacker . Go to the Trigger tab. Click New… Select Daily and
click OK .
3. Go to the Actions tab. Click New… Enter PowerShell in the Program/Script field. Enter
-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1 in the Add arguments field. Click OK .
Note: In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was
downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the
same folder each time.
3. Download a security intelligence package from https://www.microsoft.com/wdsi/definitions into the GUID
folder. The file should be named mpam-fe.exe .
4. Open a cmd prompt window and navigate to the GUID folder you created. Use the /X extraction command
to extract the files, for example mpam-fe.exe /X .
Note: The VMs will pick up the updated package whenever a new GUID folder is created with an extracted
update package or whenever an existing folder is updated with a new extracted package.
Randomize scheduled scans
Scheduled scans run in addition to real-time protection and scanning.
The start time of the scan itself is still based on the scheduled scan policy (ScheduleDay, ScheduleTime,
ScheduleQuickScanTime). Randomization causes Windows Defender AV to start a scan on each machine within
a 4-hour window from the time set for the scheduled scan.
See Schedule scans for other configuration options available for scheduled scans.
Use quick scans
You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred
approach as they are designed to look in all places where malware needs to reside to be active.
1. Expand the tree to Windows components > Windows Defender > Scan .
2. Double-click Specify the scan type to use for a scheduled scan and set the option to Enabled and
Quick scan .
3. Click OK .
Prevent notifications
Sometimes, Windows Defender Antivirus notifications may be sent to or persist across multiple sessions. To
minimize this problem, you can lock down the Windows Defender Antivirus user interface.
1. Expand the tree to Windows components > Windows Defender > Client Interface .
2. Double-click Suppress all notifications and set the option to Enabled .
3. Click OK .
This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans
or remediation is performed.
Disable scans after an update
This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base
image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as
you've already scanned it when you created the base image).
IMPORTANT
Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates.
Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying
the base image.
1. Expand the tree to Windows components > Windows Defender > Signature Updates .
2. Double-click Turn on scan after signature update and set the option to Disabled .
3. Click OK .
This prevents a scan from running immediately after an update.
Scan VMs that have been offline
1. Expand the tree to Windows components > Windows Defender > Scan .
2. Double-click the Turn on catch-up quick scan setting and set the option to Enabled .
3. Click OK .
This forces a scan if the VM has missed two or more consecutive scheduled scans.
Enable headless UI mode
1. Double-click Enable headless UI mode and set the option to Enabled .
2. Click OK .
This hides the entire Windows Defender AV user interface from users.
Exclusions
On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers
running a VDI environment. However, if you are running an older Windows server version, see Configure Windows
Defender Antivirus exclusions on Windows Server.
Additional resources
Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manager 2012
manages VDI and integrates with App-V
TechNet forums on Remote Desktop Services and VDI
SignatureDownloadCustomTask PowerShell script
Report on Windows Defender Antivirus
1/30/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use
Microsoft Endpoint Configuration Manager to monitor Windows Defender Antivirus or create email alerts. Or, you
can monitor protection using Microsoft Intune.
Microsoft Operations Management Suite has an Update Compliance add-in that reports on key Windows Defender
Antivirus issues, including protection updates and real-time protection settings.
If you have a third-party security information and event management (SIEM) server, you can also consume
Windows Defender client events.
Windows events comprise several security event sources, including Security Account Manager (SAM) events
(enhanced for Windows 10, also see the Security auditing topic) and Windows Defender events.
These events can be centrally aggregated using the Windows event collector. Often, SIEM servers have connectors
for Windows events, allowing you to correlate all security events in your SIEM server.
You can also monitor malware events using the Malware Assessment solution in Log Analytics.
For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the Deployment,
management, and reporting options table.
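The Windows Defender events mentioned above are what a SIEM connector or the Windows event collector forwards. As an added example (not from the original article), this function reads the detection events from the local Defender Operational log and flattens them into the fields an analyst correlates on. The channel name Microsoft-Windows-Windows Defender/Operational, event IDs 1116 (malware detected) and 1117 (action taken), and the EventData field names are the ones from the Defender event schema; the function and parameter names are my own.

```powershell
# Added example, not code from the original article.
# Returns Defender detection events (1116 = detected, 1117 = action taken) from
# the last N hours as flat objects, the shape a SIEM connector would forward.
function Get-DefenderDetectionEvents {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData carries named fields; pull what matters for correlation:
            # when, on which host, what threat, where it was, and what Defender did.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                EventId     = $_.Id
                ThreatName  = $data['Threat Name']
                Path        = $data['Path']
                Action      = $data['Action Name']
                User        = $data['Detection User']
            }
        }
}

# Usage: detections on this machine in the last 24 hours, newest first.
Get-DefenderDetectionEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

A 1116 event without a matching 1117 for the same path within a short window is the case worth alerting on: the threat was seen but no remediation action was recorded.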
Related articles
Windows Defender Antivirus in Windows 10
Deploy Windows Defender Antivirus
Troubleshoot Windows Defender Antivirus reporting
in Update Compliance
3/23/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can
continue to define and review security compliance policies using Microsoft Endpoint Manager, which allows finer control over
security features and updates.
You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro
licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal. To learn more about licensing
options, see Windows 10 product licensing options.
When you use Windows Analytics Update Compliance to obtain reporting into the protection status of devices or
endpoints in your network that are using Windows Defender Antivirus, you might encounter problems or issues.
Typically, the most common indicators of a problem are:
You only see a small number or subset of all the devices you were expecting to see
You do not see any devices at all
The reports and information you do see is outdated (older than a few days)
For common error codes and event IDs related to the Windows Defender Antivirus service that are not related to
Update Compliance, see Windows Defender Antivirus events.
There are three steps to troubleshooting these problems:
1. Confirm that you have met all prerequisites
2. Check your connectivity to the Windows Defender cloud-based service
3. Submit support logs
IMPORTANT
It typically takes 3 days for devices to start appearing in Update Compliance.
Confirm prerequisites
In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the
Update Compliance service and for Windows Defender Antivirus:
Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other antivirus
app will cause Windows Defender AV to disable itself and the endpoint will not be reported in Update
Compliance.
Cloud-delivered protection is enabled.
Endpoints can connect to the Windows Defender AV cloud
If the endpoint is running Windows 10 version 1607 or earlier, Windows 10 diagnostic data must be set to the
Enhanced level.
It has been 3 days since all requirements have been met
If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic
information and send it to us.
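The prerequisites above can be checked on one endpoint before opening a support case. As an added example (not from the original article), this function tests each of them locally: Defender active as the only antivirus, cloud-delivered protection on, cloud reachability, and the diagnostic data level for builds at or below 1607 (build 14393). MpCmdRun.exe -ValidateMapsConnection is the built-in connectivity test; the AllowTelemetry policy value (2 = Enhanced) and the MAPSReporting preference are the registry and cmdlet values I assume for those checks.

```powershell
# Added example, not code from the original article.
# Checks the Update Compliance prerequisites on the local endpoint and returns
# one object with a pass/fail per requirement.
function Test-UpdateCompliancePrereqs {
    $status  = Get-MpComputerStatus
    $pref    = Get-MpPreference
    $results = [ordered]@{}

    # Defender must be the active AV. When a third-party AV is installed Defender
    # drops into passive mode and real-time protection reports as disabled.
    $results['DefenderIsActiveAV'] = [bool]($status.AntivirusEnabled -and $status.RealTimeProtectionEnabled)

    # Cloud-delivered protection: MAPSReporting 0 = Disabled, 1 = Basic, 2 = Advanced.
    $results['CloudProtectionEnabled'] = ($pref.MAPSReporting -ne 0)

    # Built-in cloud connectivity test; non-zero exit code means the endpoint
    # cannot reach the Windows Defender AV cloud (proxy/firewall is the usual cause).
    $mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $null  = & $mpcmd -ValidateMapsConnection 2>&1
    $results['CloudReachable'] = ($LASTEXITCODE -eq 0)

    # Diagnostic data level only matters on version 1607 (build 14393) or earlier,
    # where it must be Enhanced (AllowTelemetry = 2) or higher.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $tel   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' -ErrorAction SilentlyContinue
    $results['DiagnosticLevelOk'] = ($build -gt 14393) -or ($tel.AllowTelemetry -ge 2)

    # The remaining requirement (3 days elapsed since all others were met) is a
    # waiting period, so it is reported as the date after which to expect data.
    $results['ExpectDataAfter'] = (Get-Date).AddDays(3).ToShortDateString()

    [pscustomobject]$results
}

Test-UpdateCompliancePrereqs
```

Any False in the output points at the prerequisite to fix first; only when all are True and the waiting period has passed does collecting diagnostic data for support make sense.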
Collect diagnostic data for Update Compliance troubleshooting
Related topics
Windows Defender Antivirus in Windows 10
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and
apply baselines
3/26/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
There are two types of updates related to keeping Windows Defender Antivirus up to date:
1. Protection updates
2. Product updates
You can also apply Windows security baselines to quickly bring your endpoints up to a uniform level of
protection.
Protection updates
Windows Defender Antivirus uses both cloud-delivered protection (also called the Microsoft Advanced
Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These
protection updates are also known as Security intelligence updates.
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while
the protection updates generally occur once a day (although this can be configured). See the Utilize Microsoft
cloud-provided protection in Windows Defender Antivirus topic for more details about enabling and configuring
cloud-provided protection.
Engine updates are included with the Security intelligence updates and are released on a monthly cadence.
Product updates
Windows Defender Antivirus requires monthly updates (known as "platform updates"), and will receive major
feature updates alongside Windows 10 releases.
You can manage the distribution of updates through Windows Server Update Service (WSUS), with Microsoft
Endpoint Configuration Manager, or in the normal manner that you deploy Microsoft and Windows updates to
endpoints in your network.
Month      Platform/Client   Engine
Feb-2020   -                 1.1.16800.x
Dec-2019   -                 -
In this section
Article | Description
Manage how protection updates are downloaded and applied | Protection updates can be delivered through a number of sources.
Manage when protection updates should be downloaded and applied | You can schedule when protection updates should be downloaded.
Manage updates for endpoints that are out of date | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
Manage event-based forced updates | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
Manage updates for mobile devices and virtual machines (VMs) | You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
Manage the sources for Windows Defender Antivirus
protection updates
3/26/2020
Applies to:
Microsoft Defender Advanced Threat Protection
Keeping your antivirus protection up to date is critical. There are two components to managing protection updates
for Windows Defender Antivirus:
Where the updates are downloaded from; and
When updates are downloaded and applied.
This article describes how to specify from where updates should be downloaded (this is also known as the fallback
order). See Manage Windows Defender Antivirus updates and apply baselines topic for an overview on how
updates work, and how to configure other aspects of updates (such as scheduling updates).
IMPORTANT
Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday,
October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to
support SHA-2 in order to update your security intelligence. To learn more, see 2019 SHA-2 Code Signing Support
requirement for Windows and WSUS.
Fallback order
Typically, you configure endpoints to individually download updates from a primary source followed by other
sources in order of priority, based on your network configuration. Updates are obtained from sources in the order
you specify. If a source is not available, the next source in the list is used immediately.
When updates are published, some logic is applied to minimize the size of the update. In most cases, only the
differences between the latest update and the update that is currently installed (this is referred to as the delta) on
the device is downloaded and applied. However, the size of the delta depends on two main factors:
The age of the last update on the device; and
The source used to download and apply updates.
The older the updates on an endpoint, the larger the download will be. However, you must also consider download
frequency as well. A more frequent update schedule can result in more network usage, whereas a less-frequent
schedule can result in larger file sizes per download.
There are five locations where you can specify where an endpoint should obtain updates:
Microsoft Update
Windows Server Update Service
Microsoft Endpoint Configuration Manager
Network file share
Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (Your policy
and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its
former name.)
To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads
on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and
Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger,
resulting in larger downloads.
IMPORTANT
If you have set Microsoft Malware Protection Center Security intelligence page (MMPC) updates as a fallback source after
Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when
the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates
from the Windows Server Update Service or Microsoft Update services). You can, however, set the number of days before
protection is reported as out-of-date.
Starting Monday, October 21, 2019, security intelligence updates will be SHA-2 signed exclusively. Devices must be updated
to support SHA-2 in order to get the latest security intelligence updates. To learn more, see 2019 SHA-2 Code Signing
Support requirement for Windows and WSUS.
Each source has typical scenarios that depend on how your network is configured, in addition to how often they
publish updates, as described in the following table:
Location | Sample scenario
Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.
Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.
Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) | Make sure your devices are updated to support SHA-2. Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. Download the latest protection updates because of a recent infection or to help provision a strong, base image for VDI deployment. This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for a specified number of days.
You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration
Manager, PowerShell cmdlets, and WMI.
IMPORTANT
If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the
management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update
Service, which might be useful as updates arrive at least once a day. To learn more, see synchronize endpoint protection
updates in standalone Windows Server Update Service.
The procedures in this article first describe how to set the order, and then how to set up the File share option if
you have enabled it.
NOTE
For Windows 10, versions 1703 up to and including 1809, the policy path is Windows Components > Windows
Defender Antivirus > Signature Updates. For Windows 10, version 1903, the policy path is Windows Components
> Windows Defender Antivirus > Security Intelligence Updates.
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSource
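As an added example (not from the original article), the following function sets the fallback order and an optional file-share source with PowerShell and reads both back. The source keywords are the values I know Set-MpPreference accepts for -SignatureFallbackOrder (InternalDefinitionUpdateServer for WSUS, MicrosoftUpdateServer, MMPC, FileShares), joined with "|"; \\<fileserver>\wdav-update is a placeholder for your own share, and the function name is my own. It enforces the article's guidance that the MMPC source should be the last resort.

```powershell
# Added example, not code from the original article.
# Sets the protection update fallback order (and file-share sources, if any),
# then returns the effective values so a deployment can verify them.
function Set-DefenderUpdateSources {
    param(
        [string[]]$Order = @('InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'MMPC'),
        [string[]]$FileShares = @()   # UNC paths; only used when 'FileShares' is in $Order
    )
    $valid = 'InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'MMPC', 'FileShares'
    foreach ($s in $Order) {
        if ($s -notin $valid) { throw "Unknown source '$s'; valid sources: $($valid -join ', ')" }
    }
    # MMPC (direct download) is meant as a final fallback, not a primary source.
    if ($Order -contains 'MMPC' -and $Order[-1] -ne 'MMPC') {
        Write-Warning "MMPC is not the last source; the article recommends it only as a final fallback"
    }
    if ($FileShares.Count -gt 0 -and $Order -notcontains 'FileShares') {
        throw "File shares were given but 'FileShares' is not in the fallback order, so they would never be used"
    }

    # Both settings take a single '|'-separated string.
    Set-MpPreference -SignatureFallbackOrder ($Order -join '|')
    if ($FileShares.Count -gt 0) {
        Set-MpPreference -SignatureDefinitionUpdateFileSharesSources ($FileShares -join '|')
    }

    $p = Get-MpPreference
    [pscustomobject]@{
        FallbackOrder = $p.SignatureFallbackOrder
        FileShares    = $p.SignatureDefinitionUpdateFileSharesSources
    }
}

# WSUS first, then Microsoft Update, then an internal share, with MMPC as the last resort.
Set-DefenderUpdateSources -Order 'InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'FileShares', 'MMPC' `
                          -FileShares '\\<fileserver>\wdav-update'
```

If a Group Policy sets the same values, the returned FallbackOrder will show the policy's order rather than the one just set, which is the quickest way to discover that a local change is being overridden.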
NOTE
Microsoft does not test third-party solutions for managing Windows Defender Antivirus.
Related articles
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and VMs
Windows Defender Antivirus in Windows 10
Manage the schedule for when protection updates
should be downloaded and applied
1/30/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus lets you determine when it should look for and download updates.
You can schedule updates for your endpoints by:
Specifying the day of the week to check for protection updates
Specifying the interval to check for protection updates
Specifying the time to check for protection updates
You can also randomize the times when each endpoint checks and downloads protection updates. See the
Schedule scans topic for more information.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration .
3. Click Policies then Administrative templates .
4. Expand the tree to Windows components > Windows Defender Antivirus > Signature Updates
and configure the following settings:
a. Double-click the Specify the interval to check for security intelligence updates setting and set
the option to Enabled . Enter the number of hours between updates. Click OK .
b. Double-click the Specify the day of the week to check for security intelligence updates setting
and set the option to Enabled . Enter the day of the week to check for updates. Click OK .
c. Double-click the Specify the time to check for security intelligence updates setting and set the
option to Enabled . Enter the time when updates should be checked. The time is based on the local time
of the endpoint. Click OK .
Set-MpPreference -SignatureScheduleDay
Set-MpPreference -SignatureScheduleTime
Set-MpPreference -SignatureUpdateInterval
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
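As an added example (not from the original article), this function applies the three schedule parameters listed above in one call and verifies the result. Get-MpPreference reports SignatureScheduleDay as a number (0 = Everyday, 1 = Sunday through 7 = Saturday, 8 = Never) while Set-MpPreference also accepts the day name, so the function maps names to numbers for the comparison; the chosen values (every day, 02:00 local time, every 4 hours) and the function name are my own.

```powershell
# Added example, not code from the original article.
# Sets the protection update schedule and returns the effective values plus an
# Applied flag that is false when something (typically Group Policy) overrode them.
function Set-DefenderUpdateSchedule {
    param(
        [ValidateSet('Everyday','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Never')]
        [string]$Day = 'Everyday',
        [timespan]$Time = '02:00:00',   # local time on the endpoint
        [ValidateRange(0, 24)]
        [int]$IntervalHours = 4         # 0 disables interval-based checks
    )
    # Numeric encoding Get-MpPreference uses for SignatureScheduleDay.
    $dayMap = @{ Everyday = 0; Sunday = 1; Monday = 2; Tuesday = 3; Wednesday = 4
                 Thursday = 5; Friday = 6; Saturday = 7; Never = 8 }

    Set-MpPreference -SignatureScheduleDay $Day `
                     -SignatureScheduleTime $Time `
                     -SignatureUpdateInterval $IntervalHours

    # Read the effective values back; policy-delivered settings win on conflict.
    $p = Get-MpPreference
    [pscustomobject]@{
        ScheduleDay    = [int]$p.SignatureScheduleDay
        ScheduleTime   = $p.SignatureScheduleTime
        UpdateInterval = [int]$p.SignatureUpdateInterval
        Applied        = ([int]$p.SignatureScheduleDay -eq $dayMap[$Day] -and
                          $p.SignatureScheduleTime -eq $Time -and
                          [int]$p.SignatureUpdateInterval -eq $IntervalHours)
    }
}

Set-DefenderUpdateSchedule -Day Everyday -Time '02:00:00' -IntervalHours 4
```

Combining a daily check time with a 4-hour interval matches the cadence noted elsewhere on the page (packages are published roughly every three to four hours), without polling more often than new content appears.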
SignatureScheduleDay
SignatureScheduleTime
SignatureUpdateInterval
Related articles
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and virtual machines (VMs)
Windows Defender Antivirus in Windows 10
Manage Windows Defender Antivirus updates and
scans for endpoints that are out of date
1/30/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it
can miss before it is required to update and scan itself. This is especially useful in environments where devices
are not often connected to a corporate or external network, or devices that are not used on a daily basis.
For example, an employee that uses a particular PC is on break for three days and does not log on to their PC
during that time.
When the user returns to work and logs on to their PC, Windows Defender Antivirus will immediately check and
download the latest protection updates, and run a scan.
Set-MpPreference -SignatureUpdateCatchupInterval
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to configure catch-up protection updates
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureUpdateCatchupInterval
Set up catch-up scans for endpoints that have not been scanned for a
while
You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus
will force a scan.
The process for enabling this feature is:
1. Set up at least one scheduled scan (see the Schedule scans topic).
2. Enable the catch-up scan feature.
3. Define the number of scans that can be skipped before a catch-up scan occurs.
This feature can be enabled for both full and quick scans.
Use Group Policy to enable and configure the catch-up scan feature
1. Ensure you have set up at least one scheduled scan.
2. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
3. In the Group Policy Management Editor go to Computer configuration .
4. Click Policies then Administrative templates .
5. Expand the tree to Windows components > Windows Defender Antivirus > Scan and configure
the following settings:
a. If you have set up scheduled quick scans, double-click the Turn on catch-up quick scan setting and
set the option to Enabled .
b. If you have set up scheduled full scans, double-click the Turn on catch-up full scan setting and set
the option to Enabled . Click OK .
c. Double-click the Define the number of days after which a catch-up scan is forced setting and
set the option to Enabled .
d. Enter the number of scans that can be missed before a scan will be automatically run when the user
next logs on to the PC. The type of scan that is run is determined by the Specify the scan type to
use for a scheduled scan (see the Schedule scans topic). Click OK .
NOTE
The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not
days) before the catch-up scan will be run.
Set-MpPreference -DisableCatchupFullScan
Set-MpPreference -DisableCatchupQuickScan
See Use PowerShell cmdlets to manage Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to configure catch-up scans
Use the Set method of the MSFT_MpPreference class for the following properties:
DisableCatchupFullScan
DisableCatchupQuickScan
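The WMI route described above is the one management tools use when the Defender cmdlets are not available to them. As an added example (not from the original article), this function enables catch-up quick scans (and optionally full scans) and sets the catch-up update interval through the MSFT_MpPreference class and its Set method, using the property names listed on this page; the root\Microsoft\Windows\Defender namespace is where that class lives, and the function name and default values are my own.

```powershell
# Added example, not code from the original article.
# Turns on catch-up scans and sets the catch-up protection update interval via
# WMI/CIM, then reads the effective values back from the same class.
function Enable-DefenderCatchup {
    param(
        [int]$UpdateCatchupDays = 1,   # SignatureUpdateCatchupInterval: days without an update before one is forced
        [switch]$FullScan               # also enable catch-up full scans; quick scans are always enabled here
    )
    $ns  = 'root\Microsoft\Windows\Defender'
    $cls = Get-CimClass -Namespace $ns -ClassName MSFT_MpPreference

    # Set is a static method; only the properties passed in are changed.
    # The Disable* properties are inverted: $false means catch-up is ON.
    $arguments = @{
        DisableCatchupQuickScan        = $false
        DisableCatchupFullScan         = -not $FullScan.IsPresent
        SignatureUpdateCatchupInterval = [uint32]$UpdateCatchupDays
    }
    $null = Invoke-CimMethod -CimClass $cls -MethodName Set -Arguments $arguments

    # Verify: the class exposes a single instance holding the effective preferences.
    $pref = Get-CimInstance -Namespace $ns -ClassName MSFT_MpPreference
    [pscustomobject]@{
        CatchupQuickScanEnabled = -not $pref.DisableCatchupQuickScan
        CatchupFullScanEnabled  = -not $pref.DisableCatchupFullScan
        UpdateCatchupDays       = $pref.SignatureUpdateCatchupInterval
    }
}

Enable-DefenderCatchup -UpdateCatchupDays 1 -FullScan
```

A catch-up scan is only meaningful if at least one scheduled scan exists, as step 1 of the procedure says; enabling the flags on an endpoint with no scheduled scan changes nothing.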
Related articles
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Manage event-based forced updates
Manage updates for mobile devices and virtual machines (VMs)
Windows Defender Antivirus in Windows 10
Manage event-based forced updates
1/30/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain
events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
Set-MpPreference -CheckForSignaturesBeforeRunningScan
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and
Defender cmdlets.
Use Windows Management Instrumentation (WMI) to check for protection updates before running a scan
Use the Set method of the MSFT_MpPreference class for the following properties:
CheckForSignaturesBeforeRunningScan
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
For more information, see Use PowerShell cmdlets to manage Windows Defender Antivirus and Defender
cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to download updates when Windows Defender Antivirus is not
present
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureDisableUpdateOnStartupWithoutEngine
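As an added example (not from the original article), this function applies the two event-based settings named above and then checks how old the current security intelligence is, forcing an update when it exceeds a threshold so that no scan runs against stale signatures. Update-MpSignature and the AntivirusSignatureAge, AntivirusSignatureVersion and AntivirusSignatureLastUpdated properties of Get-MpComputerStatus are the standard Defender cmdlets and fields; the one-day threshold and the function name are my own.

```powershell
# Added example, not code from the original article.
# Enables the event-based update settings and forces an update if the signatures
# on this endpoint are older than the given number of days.
function Set-DefenderEventBasedUpdates {
    param([int]$MaxSignatureAgeDays = 1)

    # Check for new security intelligence immediately before a scheduled scan runs.
    Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
    # Keep the startup update even when the antimalware engine is missing; this is a
    # Disable* setting, so $false keeps the behaviour enabled.
    Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $false

    $status = Get-MpComputerStatus
    $age    = $status.AntivirusSignatureAge   # days since the installed signatures were published
    if ($age -gt $MaxSignatureAgeDays) {
        Write-Warning "Signatures are $age day(s) old; forcing an update before any scan"
        Update-MpSignature
        $status = Get-MpComputerStatus
    }
    [pscustomobject]@{
        CheckBeforeScan  = (Get-MpPreference).CheckForSignaturesBeforeRunningScan
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge
        LastUpdated      = $status.AntivirusSignatureLastUpdated
    }
}

Set-DefenderEventBasedUpdates -MaxSignatureAgeDays 1
```

The age check is the part worth keeping in any health script: an endpoint whose signature age keeps growing despite these settings has an update-source or connectivity problem that the settings alone will not fix.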
NOTE
"Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to
cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
Related articles
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Manage updates for endpoints that are out of date
Manage updates for mobile devices and virtual machines (VMs)
Windows Defender Antivirus in Windows 10
Manage updates for mobile devices and virtual
machines (VMs)
11/20/2019
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates.
There are two settings that are particularly useful for these devices:
Opt-in to Microsoft Update on mobile computers without a WSUS connection
Prevent Security intelligence updates when running on battery power
The following topics may also be useful in these situations:
Configuring scheduled and catch-up scans
Manage updates for endpoints that are out of date
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
Related articles
Manage Windows Defender Antivirus updates and apply baselines
Update and manage Windows Defender Antivirus in Windows 10
Customize, initiate, and review the results of Windows
Defender Antivirus scans and remediation
2/7/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows
Defender Antivirus scans.
In this section
Topic | Description
Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
Configure Windows Defender Antivirus scanning options | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
Configure remediation for scans | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
Configure scheduled scans | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
Configure and run scans | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
Review scan results | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
Configure and validate exclusions for Windows
Defender Antivirus scans
3/13/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans.
Such exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring.
Exclusions for process-opened files only apply to real-time protection.
WARNING
Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks that
are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
Configure and validate exclusions based on file name, extension, and folder location. This enables you to
exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location.
Configure and validate exclusions for files opened by processes. This enables you to exclude files from scans
that have been opened by a specific process.
Related articles
Windows Defender Antivirus exclusions on Windows Server 2016
Configure and validate exclusions based on file
extension and folder location
3/31/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including endpoint detection
and response (EDR), attack surface reduction (ASR) rules, and controlled folder access. Files that you exclude using the
methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the
Microsoft Defender ATP custom indicators.
Exclusion lists
You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. Generally, you
shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions
based on known operating system behaviors and typical management files, such as those used in enterprise
management, database management, and other enterprise scenarios and situations.
NOTE
Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft
doesn't set any exclusions by default.
This article describes how to configure exclusion lists for the files and folders.
Exclusion | Examples | Exclusion list
Any file with a specific extension | All files with the specified extension, anywhere on the machine. Valid syntax: .test and test | Extension exclusions
Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
To exclude files opened by a specific process, see Configure and validate exclusions for files opened by processes.
The exclusions apply to scheduled scans, on-demand scans, and real-time protection.
IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.
By default, local changes made to the lists (by users with administrator privileges, including changes made with
PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration
Manager, or Intune. The Group Policy lists will take precedence when there are conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override
managed deployment settings.
NOTE
If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files
and subdirectories under that folder are excluded.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click the Path Exclusions setting and add the exclusions.
Set the option to Enabled.
Under the Options section, click Show....
Specify each folder on its own line under the Value name column.
If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter,
folder path, filename, and extension. Enter 0 in the Value column.
5. Click OK.
Configuration action | PowerShell cmdlet
IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet again
will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the
.test file extension:
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender
cmdlets.
Use Windows Management Instrumentation (WMI) to configure file name, folder, or file extension exclusions
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:
ExclusionExtension
ExclusionPath
The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference,
Add-MpPreference, and Remove-MpPreference.
Use wildcards in the file name and folder path or extension exclusion lists
You can use the asterisk (*), question mark (?), or environment variables (such as %ALLUSERSPROFILE%) as wildcards
when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted
differs from their usual usage in other apps and languages. Make sure to read this section to understand their
specific limitations.
IMPORTANT
There are key limitations and usage scenarios for these wildcards:
Environment variable usage is limited to machine variables and those applicable to processes running as an NT
AUTHORITY\SYSTEM account.
You cannot use a wildcard in place of a drive letter.
An asterisk (*) in a folder exclusion will stand in place for a single folder. Use multiple instances of \*\ to indicate
multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
Wildcard: * (asterisk)
In file name and file extension exclusions, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.
In folder exclusions, the asterisk replaces a single folder. Use multiple * with folder slashes \ to indicate multiple, nested folders. After matching the number of wildcarded and named folders, all subfolders are also included.
Examples: C:\somepath\*\Data would include any file in C:\somepath\Archives\Data and its subfolders and C:\somepath\Authorized\Data and its subfolders. C:\Serv\*\*\Backup would include any file in C:\Serv\Primary\Denied\Backup and its subfolders and C:\Serv\Secondary\Allowed\Backup and its subfolders.
Wildcard: ? (question mark)
In file name and file extension exclusions, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.
In folder exclusions, the question mark replaces a single character in a folder name. After matching the number of wildcarded and named folders, all subfolders are also included.
Examples: C:\somepath\?\Data would include any file in C:\somepath\P\Data and its subfolders. C:\somepath\test0?\Data would include any file in C:\somepath\test01\Data and its subfolders.
IMPORTANT
If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the
matched folder, and will not look for file matches in any subfolders.
For example, you can exclude all files that start with "date" in the folders c:\data\final\marked and
c:\data\review\marked by using the rule argument c:\data\*\marked\date*.
This argument, however, will not match any files in subfolders under c:\data\final\marked or c:\data\review\marked.
IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.
If you use PowerShell, you can retrieve the list in two ways:
Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate
lines, but the items within each list will be combined into the same line.
Write the status of all preferences to a variable, and use that variable to only call the specific list you are
interested in. Each use of Add-MpPreference is written to a new line.
Validate the exclusion list by using MpCmdRun
To check exclusions with the dedicated command-line tool mpcmdrun.exe, use the following command:
NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December
2018) or later.
Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
Get-MpPreference
In the following example, the items contained in the ExclusionExtension list are highlighted:
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender
cmdlets.
Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label
you want to name the variable:
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath
In the following example, the list is split into new lines for each use of the Add-MpPreference cmdlet:
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender
cmdlets.
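The cmdlet, wildcard and MpCmdRun sections above, pulled together as an added example (not code from the original article): it adds the article's c:\data\*\marked\date* rule and a test extension with Add-MpPreference, reads the lists back, asks MpCmdRun.exe -CheckExclusion how concrete paths are evaluated, and then removes the demo rules. The MpCmdRun location and the test paths are assumptions for this example.

```powershell
# Added example (not from the original article): add path and extension
# exclusions with Add-MpPreference, read them back, and confirm how each
# candidate path is evaluated with MpCmdRun.exe -CheckExclusion.
# Folder names are constructed for illustration; adjust to your environment.
#Requires -RunAsAdministrator

# Assumed location of the command-line tool.
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# Add-MpPreference appends to the existing list. Set-MpPreference with the same
# parameter would REPLACE the whole list, so keep a copy before using it.
$before = Get-MpPreference
$backup = [pscustomobject]@{
    ExclusionPath      = @($before.ExclusionPath)
    ExclusionExtension = @($before.ExclusionExtension)
}

# Wildcard in a folder position: one * stands for exactly one folder level, and
# the trailing file pattern date* only matches inside the matched folder (the
# rule stops there and does not descend into subfolders).
Add-MpPreference -ExclusionPath 'c:\data\*\marked\date*'
# Extension exclusion: both ".test" and "test" are valid syntax.
Add-MpPreference -ExclusionExtension 'test'

# Read the specific lists back; each item is shown on its own line.
$after = Get-MpPreference
$after.ExclusionPath
$after.ExclusionExtension

function Test-MpExclusion {
    # Ask the engine itself whether a concrete path would be excluded.
    # MpCmdRun.exe -CheckExclusion -path needs platform 4.18.1812.3 or later.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $out = & $MpCmdRun -CheckExclusion -path $p 2>&1
        [pscustomobject]@{ Path = $p; Result = ($out -join ' ').Trim() }
    }
}

# Constructed test paths. By the article's wildcard rules the first two fall
# under the rule; the third does not, because date* does not cover subfolders.
Test-MpExclusion -Path @(
    'c:\data\final\marked\date_2020.csv',
    'c:\data\review\marked\dateline.txt',
    'c:\data\final\marked\archive\date_2019.csv'
) | Format-Table -AutoSize

# Roll back the two demo rules so they do not stay behind on the endpoint.
Remove-MpPreference -ExclusionPath 'c:\data\*\marked\date*'
Remove-MpPreference -ExclusionExtension 'test'
```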
If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and
the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same
as what is described on the EICAR test file website.
You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as
with the Invoke-WebRequest cmdlet; replace c:\test.txt with a file that conforms to the rule you are validating:
If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text
file with the following PowerShell command:
[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are
attempting to exclude.
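An offline, end-to-end check of a folder exclusion with the EICAR string from the paragraph above, as an added example (not code from the original article). The two folder names are constructed for the demo; the script adds the exclusion itself and removes it again at the end.

```powershell
# Added example (not from the original article): functional check of a folder
# exclusion using the EICAR test string, with no Internet access needed.
# The string is written once into the excluded folder and once into a control
# folder that is not excluded; real-time protection should leave the first
# copy alone and detect the second. Folder names are constructed for the demo.
#Requires -RunAsAdministrator

$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$ExcludedDir = 'C:\ExclusionTest\excluded'   # constructed: excluded below
$ControlDir  = 'C:\ExclusionTest\control'    # constructed: deliberately not excluded

function Test-ExclusionWithEicar {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [int]$WaitSeconds = 10
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # Always pass a full path: [System.IO.File] resolves a relative name against
    # the process working directory, which is not necessarily $PWD.
    $file = Join-Path $Folder 'eicar-check.txt'
    $started = Get-Date
    $writeBlocked = $false
    try {
        [System.IO.File]::WriteAllText($file, $Eicar)
    } catch {
        # On-access scanning may refuse the write itself; count that as detected.
        $writeBlocked = $true
    }
    Start-Sleep -Seconds $WaitSeconds
    $survived = (-not $writeBlocked) -and (Test-Path -LiteralPath $file)
    # A detection record that names this file and is newer than our write.
    $detected = [bool](Get-MpThreatDetection |
        Where-Object { ($_.Resources -like "*$file*") -and $_.InitialDetectionTime -ge $started })
    [pscustomobject]@{
        Folder       = $Folder
        FileSurvived = $survived
        Detected     = ($detected -or $writeBlocked)
        Verdict      = if ($survived -and -not $detected) { 'exclusion effective' }
                       else { 'scanned and remediated' }
    }
}

# Exclude only the test folder, run both checks, then remove the rule and the
# files so nothing from the demo remains on the endpoint.
Add-MpPreference -ExclusionPath $ExcludedDir
try {
    $results = foreach ($dir in $ExcludedDir, $ControlDir) { Test-ExclusionWithEicar -Folder $dir }
    $results | Format-Table -AutoSize
    if (($results | Where-Object Folder -eq $ExcludedDir).Verdict -ne 'exclusion effective') {
        Write-Warning 'The exclusion did not take effect; re-check the configured path and the merge policy.'
    }
    if (($results | Where-Object Folder -eq $ControlDir).Verdict -ne 'scanned and remediated') {
        Write-Warning 'The control file was not detected; check that real-time protection is on.'
    }
} finally {
    Remove-MpPreference -ExclusionPath $ExcludedDir
    Remove-Item -LiteralPath 'C:\ExclusionTest' -Recurse -Force -ErrorAction SilentlyContinue
}
```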
Related topics
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Configure exclusions for files opened by processes
3/13/2020 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans.
This topic describes how to configure exclusion lists for the following:
Exclusion | Example
Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by: c:\sample\test.exe and d:\internal\files\test.exe
Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\*" would exclude files opened by: c:\test\sample\test.exe, c:\test\sample\test2.exe, and c:\test\sample\utility.exe
Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that
process, no matter where the files are located. The process itself, however, will be scanned unless it has also been
added to the file exclusion list.
The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or on-demand scans.
Changes made with Group Policy to the exclusion lists will show in the lists in the Windows Security app. However,
changes made in the Windows Security app will not show in the Group Policy lists.
You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager,
Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.
You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with
PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration
Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override
managed deployment settings.
Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a
combination of three cmdlets with the -ExclusionProcess parameter. The cmdlets are all in the Defender module.
The format for the cmdlets is:
Configuration action | PowerShell cmdlet
IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet again
will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened
by the specified process:
ExclusionProcess
The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference,
Add-MpPreference, and Remove-MpPreference.
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | %ALLUSERSPROFILE%\CustomLogFiles\file.exe | Any file opened by C:\ProgramData\CustomLogFiles\file.exe
NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December
2018) or later.
Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
Get-MpPreference
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label
you want to name the variable:
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
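A review pass over all three exclusion lists (path, extension, process) from the sections above, as an added example that is not code from the original article. The risk flags are this example's own heuristics for the warning that exclusions lower protection, not a Microsoft list; the audit only reads preferences and changes nothing.

```powershell
# Added example (not from the original article): audit the effective exclusion
# lists and flag the entries that widen the unscanned surface the most.
# The flag rules below are this example's own heuristics, not a Microsoft list.
function Get-MpExclusionReview {
    $prefs = Get-MpPreference
    $rows = @()
    foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
        foreach ($item in @($prefs.$kind)) {
            if ([string]::IsNullOrWhiteSpace($item)) { continue }
            $flags = @()
            switch ($kind) {
                'ExclusionPath' {
                    # A bare drive letter or a trailing \* excludes far more than one folder.
                    if ($item -match '^[A-Za-z]:\\?$')      { $flags += 'entire drive' }
                    if ($item -match '\\\*\\?$' -or $item -match '^\*') { $flags += 'broad wildcard' }
                    # Anything a standard user can write to is a place unscanned content can land.
                    if ($item -match '(?i)\\(Users|Temp|AppData|Downloads|Public)\\') { $flags += 'user-writable location' }
                    if ($item -match '^\\\\')               { $flags += 'network path' }
                }
                'ExclusionExtension' {
                    if ($item.TrimStart('.') -match '^(?i)(exe|dll|ps1|vbs|js|bat|cmd|scr|hta|msi)$') {
                        $flags += 'executable type excluded'
                    }
                }
                'ExclusionProcess' {
                    # A name without a path or environment variable applies to any binary
                    # with that file name, wherever it runs from (see the table above).
                    if ($item -notmatch '^[A-Za-z]:\\|^%')   { $flags += 'name-only process match' }
                    if ($item -match '(?i)\\(Users|Temp|AppData)\\') { $flags += 'user-writable location' }
                }
            }
            $rows += [pscustomobject]@{ List = $kind; Entry = $item; Flags = ($flags -join '; ') }
        }
    }
    # Automatic server-role exclusions are not in these lists; report the switch separately.
    $rows += [pscustomobject]@{
        List  = 'DisableAutoExclusions'
        Entry = "$($prefs.DisableAutoExclusions)"
        Flags = if ($prefs.DisableAutoExclusions) { 'automatic role exclusions are off' } else { '' }
    }
    $rows
}

Get-MpExclusionReview | Sort-Object List, Entry | Format-Table -AutoSize -Wrap
```

Entries with a non-empty Flags column are the ones to justify or remove first; an empty column means none of the heuristics fired, not that the entry is safe.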
Related articles
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder location
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus exclusions on Windows Server
3/4/2020 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as
defined by your specified server role. See the list of automatic exclusions (in this article). These exclusions do not
appear in the standard exclusion lists that are shown in the Windows Security app.
NOTE
Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a
Full/Quick or On-demand scan.
In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer
to these articles:
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
WARNING
Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are
delivered automatically are optimized for Windows Server 2016 and 2019 roles.
Because predefined exclusions only exclude default paths, if you move NTDS and SYSVOL to another drive or
path that is different from the original path, you must add exclusions manually using the information here.
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019
1. On your Group Policy management computer, open the Group Policy Management Console. Right-click the
Group Policy Object you want to configure, and then click Edit.
2. In the Group Policy Management Editor go to Computer configuration, and then click
Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click Turn off Auto Exclusions, and set the option to Enabled. Then click OK.
Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019
Use the following cmdlets:
DisableAutoExclusions
%windir%\Ntfrs\*\Edb*.log
The FRS staging folder. The staging folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage
%systemroot%\Sysvol\*\Nntfrs_cmp*\
The FRS preinstall folder. This folder is specified by the folder
Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\
The Distributed File System Replication (DFSR) database and working folders. These folders are specified by
the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set
Configuration File
NOTE
For custom locations, see Opt out of automatic exclusions.
%windir%\Ntds\ntds.dit
%windir%\Ntds\ntds.pat
The AD DS transaction log files
The transaction log files are specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
%windir%\Ntds\EDB*.log
%windir%\Ntds\Res*.log
%windir%\Ntds\Edb*.jrs
%windir%\Ntds\Ntds*.pat
%windir%\Ntds\EDB*.log
%windir%\Ntds\TEMP.edb
The NTDS working folder
This folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
%windir%\Ntds\Temp.edb
%windir%\Ntds\Edb.chk
Process exclusions for AD DS and AD DS-related support files
%systemroot%\System32\ntfrs.exe
%systemroot%\System32\lsass.exe
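The article notes that the predefined AD DS exclusions only cover the default %windir%\Ntds path. The following added example (not code from the original article) reads the actual NTDS locations from the registry key named above and adds exclusions that follow the same file patterns as the automatic list. The "DSA Database file" value name is an assumption not listed on the page.

```powershell
# Added example (not from the original article): when the NTDS database or log
# files have been moved off %windir%\Ntds, the automatic AD DS exclusions no
# longer cover them. This reads the real locations from the registry key named
# above and adds path exclusions that follow the same file patterns.
#Requires -RunAsAdministrator

$ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# "DSA Working Directory" and "Database log files path" are the values named in
# the article; "DSA Database file" (full path of ntds.dit) is assumed to live in
# the same key and is not listed on the page.
$workingDir = $ntds.'DSA Working Directory'
$logDir     = $ntds.'Database log files path'
$dbFile     = $ntds.'DSA Database file'
$defaultDir = Join-Path $env:windir 'Ntds'

function Get-RelocatedNtdsExclusions {
    # Returns the exclusion paths that the automatic list would not cover.
    $wanted = @()
    if ($logDir -and $logDir -ne $defaultDir) {
        # Same patterns as the "AD DS transaction log files" entries above.
        $wanted += 'EDB*.log', 'Res*.log', 'Edb*.jrs', 'Ntds*.pat', 'Temp.edb' |
            ForEach-Object { Join-Path $logDir $_ }
    }
    if ($workingDir -and $workingDir -ne $defaultDir) {
        # Same patterns as the "NTDS working folder" entries above.
        $wanted += 'Temp.edb', 'Edb.chk' | ForEach-Object { Join-Path $workingDir $_ }
    }
    if ($dbFile -and (Split-Path $dbFile -Parent) -ne $defaultDir) {
        $dbDir = Split-Path $dbFile -Parent
        $wanted += $dbFile, (Join-Path $dbDir 'ntds.pat')
    }
    $wanted | Select-Object -Unique
}

$wanted = @(Get-RelocatedNtdsExclusions)
if ($wanted.Count -eq 0) {
    'NTDS is in the default location; the automatic exclusions already apply.'
} else {
    # Add-MpPreference appends, so already-present entries are skipped rather than duplicated.
    $existing = @((Get-MpPreference).ExclusionPath)
    $missing  = @($wanted | Where-Object { $existing -notcontains $_ })
    if ($missing.Count -gt 0) {
        Add-MpPreference -ExclusionPath $missing
        "Added {0} NTDS exclusion(s):`n{1}" -f $missing.Count, ($missing -join "`n")
    } else {
        'All relocated NTDS paths are already excluded.'
    }
}
```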
DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP
Server file locations are specified by the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters in
the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
%systemroot%\System32\DHCP\*\*.mdb
%systemroot%\System32\DHCP\*\*.pat
%systemroot%\System32\DHCP\*\*.log
%systemroot%\System32\DHCP\*\*.chk
%systemroot%\System32\DHCP\*\*.edb
DNS Server exclusions
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you
install the DNS Server role.
File and folder exclusions for the DNS Server role
%systemroot%\System32\Dns\*\*.log
%systemroot%\System32\Dns\*\*.dns
%systemroot%\System32\Dns\*\*.scc
%systemroot%\System32\Dns\*\BOOT
Process exclusions for the DNS Server role
%systemroot%\System32\dns.exe
File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage
Services role. The exclusions listed below do not include exclusions for the Clustering role.
%SystemDrive%\ClusterStorage
%clusterserviceaccount%\Local Settings\Temp
%SystemDrive%\mscs
Print Server exclusions
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered
automatically when you install the Print Server role.
File type exclusions
*.shd
*.spl
Folder exclusions
This folder is specified in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory
%system32%\spool\printers\*
Process exclusions
spoolsv.exe
Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you install
the Web Server role.
Folder exclusions
%SystemRoot%\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\ASP Compiled Templates
%systemDrive%\inetpub\logs
%systemDrive%\inetpub\wwwroot
Process exclusions
%SystemRoot%\system32\inetsrv\w3wp.exe
%SystemRoot%\SysWOW64\inetsrv\w3wp.exe
%SystemDrive%\PHP5433\php-cgi.exe
Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update
Services (WSUS) role. The WSUS folder is specified in the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup
%systemroot%\WSUS\WSUSContent
%systemroot%\WSUS\UpdateServicesDBFiles
%systemroot%\SoftwareDistribution\Datastore
%systemroot%\SoftwareDistribution\Download
Related articles
Configure and validate exclusions for Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus scanning options
2/1/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Use Microsoft Intune to configure scanning options
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction settings for
Windows 10 in Intune for more details.
Description | Location and setting | Default setting (if not configured) | PowerShell Set-MpPreference parameter or WMI property for MSFT_MpPreference class
Scan email (see Email scanning limitations below) | Scan > Turn on e-mail scanning | Disabled | -DisableEmailScanning
Scan reparse points | Scan > Turn on reparse point scanning | Disabled | Not available
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | -DisableScanningMappedNetworkDrivesForFullScan
Scan archive files (such as .zip or .rar files). The extensions exclusion list will take precedence over this setting. | Scan > Scan archive files | Enabled | -DisableArchiveScanning
Scan files on the network | Scan > Scan network files | Disabled | -DisableScanningNetworkFiles
Scan packed executables | Scan > Scan packed executables | Enabled | Not available
Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | -DisableRemovableDriveScanning
Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | -ScanAvgCPULoadFactor
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, 0, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
NOTE
If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including
those on mounted removable devices such as USB drives.
Related topics
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Configure and run on-demand Windows Defender Antivirus scans
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Configure remediation for Windows Defender
Antivirus scans
2/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can
configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point
before remediating, and when it should remove remediated threats.
This topic describes how to configure these settings with Group Policy, but you can also use Microsoft Endpoint
Configuration Manager and Microsoft Intune.
You can also use the Set-MpPreference PowerShell cmdlet or MSFT_MpPreference WMI class to configure these
settings.
Location | Setting | Description | Default setting (if not configured)
Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
IMPORTANT
Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation
requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all
additional remediation steps have been completed.
If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from
quarantine after the device reboots. See Restore quarantined files in Windows Defender Antivirus.
To avoid this problem in the future, you can exclude files from the scans. See Configure and validate exclusions for Windows
Defender Antivirus scans.
Also see Configure remediation-required scheduled full Windows Defender Antivirus scans for more remediation-
related settings.
Related topics
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Configure and run on-demand Windows Defender Antivirus scans
Configure the notifications that appear on endpoints
Configure end-user Windows Defender Antivirus interaction
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure scheduled quick or full Windows Defender
Antivirus scans
1/30/2020 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can
Manage the schedule for when protection updates should be downloaded and applied to override this default.
In addition to always-on real-time protection and on-demand scans, you can set up regular, scheduled scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a protection
update or if the endpoint is being used. You can also specify when special scans to complete remediation should
occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can
also configure scheduled scans with Microsoft Endpoint Configuration Manager or Microsoft Intune.
To configure the Group Policy settings described in this topic:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus and then the Location
specified in the table below.
5. Double-click the policy Setting as specified in the table below, and set the option to your desired
configuration. Click OK, and repeat for any other settings.
Also see the Manage when protection updates should be downloaded and applied and Prevent or allow users to
locally modify policy settings topics.
NOTE
By default, quick scans run on mounted removable devices, such as USB drives.
NOTE
If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event
1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next
scheduled time.
Location | Setting | Description | Default setting (if not configured)
Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
Set-MpPreference -ScanParameters
Set-MpPreference -ScanScheduleDay
Set-MpPreference -ScanScheduleTime
Set-MpPreference -RandomizeScheduleTaskTimes
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule scans:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSouce
Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled
Set-MpPreference -ScanOnlyIfIdleEnabled
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSouce
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
Set-MpPreference -RemediationScheduleDay
Set-MpPreference -RemediationScheduleTime
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSouce
Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter 2; for once a day, enter 24. Enter 0 to never run a daily quick scan. | Never
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule daily scans:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSouce
Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
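The scheduling cmdlets listed in this topic, applied and verified end to end, as an added example that is not code from the original article. The schedule values are constructed for illustration; the check for event 1002 follows the note above about full scans stopped on battery.

```powershell
# Added example (not from the original article): apply a weekly full-scan
# schedule with the Set-MpPreference parameters listed above, verify what the
# engine reports back, and list scans that stopped early (event 1002).
# The schedule values are constructed for illustration.
#Requires -RunAsAdministrator

# Enum values accepted by the Defender module:
#   ScanParameters: 1 = QuickScan, 2 = FullScan
#   *ScheduleDay:   0 = Everyday, 1 = Sunday ... 7 = Saturday, 8 = Never
$desired = @{
    ScanParameters                      = 2            # full scan
    ScanScheduleDay                     = 7            # Saturday
    ScanScheduleTime                    = '02:00:00'   # local time on the endpoint
    RandomizeScheduleTaskTimes          = $true        # stagger start times across the fleet
    ScanOnlyIfIdleEnabled               = $false       # run even while the machine is in use
    CheckForSignaturesBeforeRunningScan = $true        # refresh protection updates first
    RemediationScheduleDay              = 0            # remediation-required full scan daily
    RemediationScheduleTime             = '03:00:00'
}
Set-MpPreference @desired

function Test-MpScanSchedule {
    # Compare each requested value with what Get-MpPreference now reports, so a
    # Group Policy value that overrides the local change shows up as a mismatch.
    param([Parameter(Mandatory)][hashtable]$Expected)
    $prefs = Get-MpPreference
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = $prefs.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = "$($Expected[$name])"
            Actual   = "$actual"
            Match    = ("$actual" -eq "$($Expected[$name])")
        }
    }
}
Test-MpScanSchedule -Expected $desired | Format-Table -AutoSize

function Get-MpInterruptedScans {
    # Event 1002 in the Defender operational log: a scan stopped before
    # completion (for example a full scan on a laptop that went to battery).
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1002
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}
Get-MpInterruptedScans -Days 7 | Format-Table -AutoSize
```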
Related topics
Prevent or allow users to locally modify policy settings
Configure and run on-demand Windows Defender Antivirus scans
Configure Windows Defender Antivirus scanning options
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Windows Defender Antivirus in Windows 10
Configure and run on-demand Windows Defender
Antivirus scans
1/30/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define
parameters for the scan, such as the location or type.
NOTE
By default, quick scans run on mounted removable devices, such as USB drives.
See Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus for more
information on how to use the tool and additional parameters, including starting a full scan or defining paths.
Start-MpScan
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Related articles
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Review Windows Defender Antivirus scan results
2/5/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
After a Windows Defender Antivirus scan completes, whether it is an on-demand or scheduled scan, the results are
recorded and you can view them.
Get-MpThreatDetection
You can specify -ThreatID to limit the output to only show the detections for a specific threat.
If you want to list threat detections, but combine detections of the same threat into a single item, you can use the
following cmdlet:
Get-MpThreat
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
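The two cmdlets above can be combined into one review report. This is an added example, not code from the article: it joins the per-threat summary from Get-MpThreat with the individual detections from Get-MpThreatDetection so that an analyst sees, per ThreatID, the name, severity, detection count and whether remediation succeeded. Property names used are those exposed by the MSFT_MpThreat and MSFT_MpThreatDetection classes.

```powershell
# Added example (not the article's own code): summarise Windows Defender Antivirus
# scan results per threat. Run in an elevated PowerShell session on the endpoint.

function Get-MpThreatReport {
    # One row per known threat (name, severity, whether it is still active).
    $threats = Get-MpThreat
    # One row per detection event; several can share the same ThreatID.
    $detections = Get-MpThreatDetection

    foreach ($t in $threats) {
        $hits = @($detections | Where-Object { $_.ThreatID -eq $t.ThreatID })

        # ActionSuccess is $true when the configured remediation action completed.
        $failed = @($hits | Where-Object { -not $_.ActionSuccess }).Count

        [pscustomobject]@{
            ThreatID          = $t.ThreatID
            ThreatName        = $t.ThreatName
            SeverityID        = $t.SeverityID          # higher value = more severe
            IsActive          = $t.IsActive
            Detections        = $hits.Count
            FirstSeen         = ($hits | Sort-Object InitialDetectionTime | Select-Object -First 1).InitialDetectionTime
            LastStatusChange  = ($hits | Sort-Object LastThreatStatusChangeTime -Descending | Select-Object -First 1).LastThreatStatusChangeTime
            RemediationFailed = $failed
            # Resources lists the affected files/registry keys/processes for each detection.
            Resources         = ($hits | ForEach-Object { $_.Resources }) -join '; '
        }
    }
}

# Show the most severe threats first; rows with RemediationFailed > 0 need follow-up.
Get-MpThreatReport | Sort-Object SeverityID -Descending | Format-Table -AutoSize
```

To drill into a single threat, pass its ID to Get-MpThreatDetection -ThreatID, as the text above describes.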
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted
environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to
bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean
of the endpoint after a malware outbreak.
In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Security app. In
previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the
endpoint, and load the bootable media.
NOTE
Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
NOTE
Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an
update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install
the latest protection updates from the Microsoft Malware Protection Center.
See the Manage Windows Defender Antivirus Security intelligence updates topic for more information.
Usage scenarios
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender
determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint.
The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're
using it to manage your endpoints.
The prompt can occur via a notification, similar to the following:
The user will also be notified within the Windows Defender client:
In Configuration Manager, you can identify the status of endpoints by navigating to Monitoring > Overview >
Security > Endpoint Protection Status > System Center Endpoint Protection Status.
Windows Defender Offline scans are indicated under Malware remediation status as Offline scan required.
Configure notifications
Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV
notifications.
For more information about notifications in Windows Defender, see the Configure the notifications that appear on
endpoints topic.
Run a scan
IMPORTANT
Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows
Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is
performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan
performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
You can run a Windows Defender Offline scan with the following:
PowerShell
Windows Management Instrumentation (WMI)
The Windows Security app
Use PowerShell cmdlets to run an offline scan
Use the following cmdlets:
Start-MpWDOScan
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to run an offline scan
Use the MSFT_MpWDOScan class to run an offline scan.
The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the
endpoint to restart, run the offline scan, and then restart and boot into Windows.
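The WMI call described above, written as an added example (not the article's own snippet) using the CIM cmdlets. It assumes an elevated session on a supported (non-ARM, non-Server) Windows 10 endpoint, and it refreshes security intelligence first, as the note earlier in this article recommends, because the endpoint restarts as soon as the Start method returns.

```powershell
# Added example: start a Windows Defender Offline scan through the
# MSFT_MpWDOScan WMI class (namespace root/Microsoft/Windows/Defender).
# The endpoint restarts immediately after the call succeeds, so save work first.

$defenderNamespace = 'root/Microsoft/Windows/Defender'

function Test-WdoPrerequisites {
    # The article requires administrator privileges; fail early if not elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Windows Defender Offline must be started from an elevated session.'
    }

    # Update protection before going offline. AntivirusSignatureAge (days) comes
    # from Get-MpComputerStatus; anything older than a day gets refreshed here.
    $status = Get-MpComputerStatus
    if ($status.AntivirusSignatureAge -gt 1) {
        Write-Warning "Security intelligence is $($status.AntivirusSignatureAge) day(s) old; updating first."
        Update-MpSignature
    }
}

function Start-OfflineScanViaWmi {
    Test-WdoPrerequisites

    # Static Start method of MSFT_MpWDOScan: the WMI equivalent of Start-MpWDOScan.
    $result = Invoke-CimMethod -Namespace $defenderNamespace `
                               -ClassName 'MSFT_MpWDOScan' `
                               -MethodName 'Start'

    # A ReturnValue of 0 means the scan was scheduled and the restart is under way.
    if ($result.ReturnValue -ne 0) {
        throw "MSFT_MpWDOScan.Start failed with return value $($result.ReturnValue)"
    }
    Write-Host 'Offline scan scheduled; the endpoint is restarting into the offline environment.'
}

Start-OfflineScanViaWmi
```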
Related articles
Customize, initiate, and review the results of scans and remediation
Windows Defender Antivirus in Windows 10
Restore quarantined files in Windows Defender AV
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender
Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
1. Open Windows Security.
2. Click Virus & threat protection and then click Threat History.
3. Under Quarantined threats, click See full history.
4. Click an item you want to keep, then click Restore. (If you prefer to remove the item, you can click Remove.)
NOTE
You can also use the dedicated command-line tool mpcmdrun.exe to restore quarantined files in Windows Defender AV.
Related articles
Configure remediation for scans
Review scan results
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Manage Windows Defender Antivirus in your business
1/30/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can manage and configure Windows Defender Antivirus with the following tools:
Microsoft Intune
Microsoft Endpoint Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
The mpcmdrun.exe utility
The articles in this section provide further information, links, and resources for using these tools to manage and
configure Windows Defender Antivirus.
In this section
ARTICLE | DESCRIPTION
Manage Windows Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager | Information about using Intune and Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus
Manage Windows Defender Antivirus with Group Policy settings | List of all Group Policy settings located in ADMX templates
Manage Windows Defender Antivirus with PowerShell cmdlets | Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI) | Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool | Instructions on using the dedicated command-line tool to manage and use Windows Defender Antivirus
Use Group Policy settings to configure and manage
Windows Defender Antivirus
11/20/2019 • 9 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use Group Policy to configure and manage Windows Defender Antivirus on your endpoints.
In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy
settings:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object (GPO) you want to configure and click Edit.
2. Using the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus.
5. Expand the section (referred to as Location in the table in this topic) that contains the setting you want to
configure, double-click the setting to open it, and make configuration changes.
6. Deploy the updated GPO as you normally do.
The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides
links to the appropriate topic in this documentation library (where applicable).
LOCATION | SETTING | ARTICLE
Client interface | Enable headless UI mode | Prevent users from seeing or interacting with the Windows Defender Antivirus user interface
Client interface | Display additional text to clients when they need to perform an action | Configure the notifications that appear on endpoints
Client interface | Suppress all notifications | Configure the notifications that appear on endpoints
Client interface | Suppresses reboot notifications | Configure the notifications that appear on endpoints
MAPS | Configure the 'Block at First Sight' feature | Enable block at first sight
MAPS | Send file samples when further analysis is required | Enable cloud-delivered protection
MAPS | Configure local setting override for reporting to Microsoft MAPS | Prevent or allow users to locally modify policy settings
MpEngine | Configure extended cloud check | Configure the cloud block timeout period
Network inspection system | Specify additional definition sets for network traffic inspection | Not used
Quarantine | Configure local setting override for the removal of items from Quarantine folder | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for turn on behavior monitoring | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override to turn on real-time protection | Prevent or allow users to locally modify policy settings
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Monitor file and program activity on your computer | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Scan all downloaded files and attachments | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn off real-time protection | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on process scanning whenever real-time protection is enabled | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on raw volume write notifications | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Prevent or allow users to locally modify policy settings
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans
Reporting | Turn off enhanced notifications | Configure the notifications that appear on endpoints
Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to Not configured to ensure any installed third-party antivirus apps work correctly)
Root | Configure local administrator merge behavior for lists | Prevent or allow users to locally modify policy settings
Root | Randomize scheduled task times | Configure scheduled scans for Windows Defender Antivirus
Scan | Allow users to pause scan | Prevent users from seeing or interacting with the Windows Defender Antivirus user interface
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | Manage event-based forced updates
Scan | Define the number of days after which a catch-up scan is forced | Manage updates for endpoints that are out of date
Scan | Turn on catch up full scan | Manage updates for endpoints that are out of date
Scan | Turn on catch up quick scan | Manage updates for endpoints that are out of date
Scan | Configure local setting override for maximum percentage of CPU utilization | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for schedule scan day | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled quick scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for the scan type to use for a scheduled scan | Prevent or allow users to locally modify policy settings
Scan | Turn on removal of items from scan history folder | Configure remediation for Windows Defender Antivirus scans
Scan | Run full scan on mapped network drives | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum depth to scan archive files | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum size of archive files to be scanned | Configure scanning options in Windows Defender Antivirus
Scan | Specify the day of the week to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the interval to run quick scans per day | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the scan type to use for a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time for a daily quick scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time of day to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Start the scheduled scan only when computer is on but not in use | Configure scheduled scans for Windows Defender Antivirus
Security intelligence updates | Allow security intelligence updates from Microsoft Update | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow security intelligence updates when running on battery power | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Check for the latest virus and spyware definitions on startup | Manage event-based forced updates
Security intelligence updates | Define file shares for downloading security intelligence updates | Manage Windows Defender Antivirus protection and security intelligence updates
Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before spyware definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before virus definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the order of sources for downloading security intelligence updates | Manage Windows Defender Antivirus protection and security intelligence updates
Security intelligence updates | Initiate security intelligence update on startup | Manage event-based forced updates
Security intelligence updates | Specify the day of the week to check for security intelligence updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the interval to check for security intelligence updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the time to check for security intelligence updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Turn on scan after Security intelligence update | Configure scheduled scans for Windows Defender Antivirus
Threats | Specify threat alert levels at which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans
Threats | Specify threats upon which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans
Related articles
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use Microsoft Endpoint Configuration Manager and
Microsoft Intune to configure and manage Windows
Defender Antivirus
1/30/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your
network, you can also use them to manage Windows Defender Antivirus scans.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by
Windows Defender Antivirus.
See the Endpoint Protection library on docs.microsoft.com for information on using Configuration Manager.
For Microsoft Intune, consult the Microsoft Intune library and Configure device restriction settings in Intune.
Related articles
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use PowerShell cmdlets to configure and manage
Windows Defender Antivirus
2/24/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or
command line, PowerShell is a task-based command-line shell and scripting language designed especially for
system administration. You can read more about it at the PowerShell hub on MSDN.
For a list of the cmdlets and their functions and available parameters, see the Defender cmdlets topic.
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface
(GUI) to configure software.
NOTE
PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as
Microsoft Endpoint Configuration Manager, Group Policy Management Console, or Windows Defender Antivirus Group Policy
ADMX templates.
Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made.
This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft
Intune can overwrite changes made with PowerShell.
You can configure which settings can be overridden locally with local policy overrides.
PowerShell is typically installed under the folder %SystemRoot%\system32\WindowsPowerShell.
NOTE
You may need to open PowerShell in administrator mode. Right-click the item in the Start menu, click Run as administrator
and click Yes at the permissions prompt.
To open online help for any of the cmdlets type the following:
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use Windows Management Instrumentation (WMI) to
configure and manage Windows Defender Antivirus
1/29/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and
update settings.
Read more about WMI at the Microsoft Developer Network System Administration library.
Windows Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same
functions as Group Policy and other management tools. Many of the classes are analogous to Defender PowerShell
cmdlets.
The MSDN Windows Defender WMIv2 Provider reference library lists the available WMI classes for Windows
Defender Antivirus, and includes example scripts.
Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This
means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft
Intune can overwrite changes made with WMI.
You can configure which settings can be overridden locally with local policy overrides.
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Configure and manage Windows Defender Antivirus
with the mpcmdrun.exe command-line tool
3/6/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can perform various Windows Defender Antivirus functions with the dedicated command-line tool
mpcmdrun.exe. This utility is useful when you want to automate Windows Defender Antivirus use. You can find the
utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. You must run it from a command prompt.
NOTE
You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click
Run as administrator and click Yes at the permissions prompt.
If you're running an updated Windows Defender Platform version, please run MpCmdRun from the following location:
C:\ProgramData\Microsoft\Windows Defender\Platform\<version>.
Here's an example:
MpCmdRun.exe -scan -2
COMMAND | DESCRIPTION
-Scan [-ScanType [0|1|2|3]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel] | Scans for malicious software. Values for ScanType are: 0 Default, according to your configuration; 1 Quick scan; 2 Full scan; 3 File and directory custom scan.
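Because the tool may live in either of the two locations named above, automation should resolve the path before calling it. The following is an added example (not the article's own code) that picks the newest Platform\<version> copy of MpCmdRun.exe, falls back to the default install folder, and runs a custom (ScanType 3) scan of one folder with a timeout; $TargetPath and the exit-code interpretation are assumptions, not documented behaviour from this page.

```powershell
# Added example: locate MpCmdRun.exe and run a custom scan of one directory.
# Run from an elevated PowerShell session.

function Get-MpCmdRunPath {
    # Updated platform builds install under ProgramData\...\Platform\<version>.
    # Choose the highest version folder that actually contains MpCmdRun.exe.
    $platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    if (Test-Path $platformRoot) {
        $candidate = Get-ChildItem -Path $platformRoot -Directory |
            Where-Object { Test-Path (Join-Path $_.FullName 'MpCmdRun.exe') } |
            Sort-Object { [version]($_.Name.Split('-')[0]) } -Descending |   # folder names look like 4.18.x.y-0
            Select-Object -First 1
        if ($candidate) { return (Join-Path $candidate.FullName 'MpCmdRun.exe') }
    }

    # Fall back to the default location from the article.
    $default = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    if (Test-Path $default) { return $default }
    throw 'MpCmdRun.exe was not found in either expected location.'
}

function Invoke-MpCustomScan {
    param(
        [Parameter(Mandatory)] [string]$TargetPath,   # assumption: folder chosen by the caller
        [int]$TimeoutDays = 1
    )
    if (-not (Test-Path $TargetPath)) { throw "Path not found: $TargetPath" }

    $exe = Get-MpCmdRunPath

    # -ScanType 3 = file and directory custom scan (see the table above);
    # -Timeout caps the scan length in days.
    $mpArgs = @('-Scan', '-ScanType', '3', '-File', $TargetPath, '-Timeout', $TimeoutDays)
    & $exe @mpArgs

    # Assumption: treat any non-zero exit code as "needs attention" (threat found
    # or scan did not complete) and hand it back to the caller for logging.
    return $LASTEXITCODE
}

# Constructed usage: scan the current user's Downloads folder with a one-day timeout.
$exitCode = Invoke-MpCustomScan -TargetPath (Join-Path $env:USERPROFILE 'Downloads')
Write-Host "MpCmdRun exit code: $exitCode"
```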
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Customize, initiate, and review the results of
Windows Defender Antivirus scans and remediation
2/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows
Defender Antivirus scans.
In this section
TOPIC | DESCRIPTION
Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
Configure Windows Defender Antivirus scanning options | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
Configure remediation for scans | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
Configure scheduled scans | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
Configure and run scans | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
Review scan results | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
Configure and validate exclusions for Windows
Defender Antivirus scans
3/13/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus
scans. Such exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and
monitoring. Exclusions for process-opened files only apply to real-time protection.
WARNING
Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks
that are associated with implementing exclusions, and you should only exclude files that you are confident are not
malicious.
Configure and validate exclusions based on file name, extension, and folder location. This enables you to
exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location.
Configure and validate exclusions for files opened by processes. This enables you to exclude files from
scans that have been opened by a specific process.
Related articles
Windows Defender Antivirus exclusions on Windows Server 2016
Configure and validate exclusions based on file
extension and folder location
3/31/2020 • 10 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including endpoint
detection and response (EDR), attack surface reduction (ASR) rules, and controlled folder access. Files that you exclude
using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add
them to the Microsoft Defender ATP custom indicators.
Exclusion lists
You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. Generally,
you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic
exclusions based on known operating system behaviors and typical management files, such as those used in
enterprise management, database management, and other enterprise scenarios and situations.
NOTE
Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at
Microsoft doesn't set any exclusions by default.
This article describes how to configure exclusion lists for the files and folders.
EXCLUSION | EXAMPLES | EXCLUSION LIST
Any file with a specific extension | All files with the specified extension, anywhere on the machine. Valid syntax: .test and test | Extension exclusions
Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
To exclude files opened by a specific process, see Configure and validate exclusions for files opened by
processes.
The exclusions apply to scheduled scans, on-demand scans, and real-time protection.
IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.
By default, local changes made to the lists (by users with administrator privileges, including changes made with
PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration
Manager, or Intune. The Group Policy lists will take precedence when there are conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override
managed deployment settings.
NOTE
If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files
and subdirectories under that folder are excluded.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click the Path Exclusions setting and add the exclusions.
Set the option to Enabled.
Under the Options section, click Show....
Specify each folder on its own line under the Value name column.
If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter,
folder path, filename, and extension. Enter 0 in the Value column.
5. Click OK.
CONFIGURATION ACTION | POWERSHELL CMDLET
IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet
again will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the
.test file extension:
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and
Defender cmdlets.
Use Windows Management Instrumentation (WMI) to configure file name, folder, or file extension exclusions
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:
ExclusionExtension
ExclusionPath
The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference,
Add-MpPreference, and Remove-MpPreference.
Use wildcards in the file name and folder path or extension exclusion
lists
You can use the asterisk *, question mark ?, or environment variables (such as %ALLUSERSPROFILE%) as
wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are
interpreted differs from their usual usage in other apps and languages. Make sure to read this section to
understand their specific limitations.
IMPORTANT
There are key limitations and usage scenarios for these wildcards:
Environment variable usage is limited to machine variables and those applicable to processes running as an NT
AUTHORITY\SYSTEM account.
You cannot use a wildcard in place of a drive letter.
An asterisk * in a folder exclusion will stand in place for a single folder. Use multiple instances of \*\ to indicate
multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
WILDCARD | EXAMPLES
In file name and file extension exclusions, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. | C:\somepath\*\Data would include any file in C:\somepath\Archives\Data and its subfolders and C:\somepath\Authorized\Data and its subfolders
In folder exclusions, the asterisk replaces a single folder. Use multiple * with folder slashes \ to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | C:\Serv\*\*\Backup would include any file in C:\Serv\Primary\Denied\Backup and its subfolders and C:\Serv\Secondary\Allowed\Backup and its subfolders
In file name and file extension exclusions, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. | C:\somepath\?\Data would include any file in C:\somepath\P\Data and its subfolders
In folder exclusions, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. | C:\somepath\test0?\Data would include any file in C:\somepath\test01\Data and its subfolders
IMPORTANT
If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the
matched folder, and will not look for file matches in any subfolders.
For example, you can exclude all files that start with "date" in the folders c:\data\final\marked and
c:\data\review\marked by using the rule argument c:\data\*\marked\date* .
This argument, however, will not match any files in subfolders under c:\data\final\marked or
c:\data\review\marked .
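To reason about a pattern before deploying it, the following PowerShell function (an added example, not code from the Microsoft documentation) models the wildcard rules described above: a bare asterisk stands for one folder, a question mark for one character, and a file-name argument only covers files directly in the last matched folder. The function name is mine; the antivirus engine is authoritative, so confirm results with MpCmdRun.exe on a test host.

```powershell
# Added example, not code from the Microsoft documentation: a model of the documented
# wildcard rules, used to predict whether a path would be covered by a file/folder
# exclusion pattern. It implements only the rules stated in the table above.

function Test-ExclusionPatternMatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Pattern,   # e.g. 'c:\data\*\marked\date*'
        [Parameter(Mandatory)][string]$Path       # full path of the file to test
    )

    # Defender expands environment variables in the SYSTEM context (machine variables
    # only); expanding them in the current session is an approximation of that.
    $expanded = [System.Environment]::ExpandEnvironmentVariables($Pattern)

    # Split both into components. A trailing backslash on the pattern is dropped,
    # so 'C:\Logs\' and 'C:\Logs' both name the folder and everything beneath it.
    $patParts  = @($expanded.TrimEnd('\') -split '\\' | Where-Object { $_ -ne '' })
    $pathParts = @($Path -split '\\'                 | Where-Object { $_ -ne '' })

    # A pattern cannot match a shorter path, and a wildcard cannot replace the drive.
    if ($patParts.Count -eq 0 -or $patParts.Count -gt $pathParts.Count) { return $false }
    if ($patParts[0] -match '[*?]') { return $false }

    for ($i = 0; $i -lt $patParts.Count; $i++) {
        # Anchored regex for one component: * = any run of characters within that
        # component (so a bare * stands for exactly one folder), ? = one character.
        $regex = '^' + ([regex]::Escape($patParts[$i]) -replace '\\\*', '.*' -replace '\\\?', '.') + '$'
        if ($pathParts[$i] -notmatch $regex) { return $false }   # -notmatch ignores case
    }

    # Every pattern component matched. A last component containing a wildcard is a
    # file-name argument and covers only files directly in the matched folder. A
    # literal last component names a folder (or a single file) and covers everything
    # beneath it, which is the "all subfolders are also included" rule.
    $isFileArgument = $patParts[-1] -match '[*?]'
    $remaining      = $pathParts.Count - $patParts.Count
    return ($remaining -eq 0) -or (-not $isFileArgument)
}

# The mixed file/folder case from the documentation, on constructed paths.
# Covered: the file sits directly in a matched ...\marked folder.
Test-ExclusionPatternMatch -Pattern 'c:\data\*\marked\date*' -Path 'c:\data\final\marked\date2020.csv'
# Not covered: the file is in a subfolder of the matched folder.
Test-ExclusionPatternMatch -Pattern 'c:\data\*\marked\date*' -Path 'c:\data\final\marked\old\date2019.csv'
# Covered: two wildcarded folders, then Backup and all of its subfolders.
Test-ExclusionPatternMatch -Pattern 'C:\Serv\*\*\Backup' -Path 'C:\Serv\Primary\Denied\Backup\db\full.bak'
```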
IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.
If you use PowerShell, you can retrieve the list in two ways:
Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on
separate lines, but the items within each list will be combined into the same line.
Write the status of all preferences to a variable, and use that variable to only call the specific list you are
interested in. Each use of Add-MpPreference is written to a new line.
Validate the exclusion list by using MpCmdRun
To check exclusions with the dedicated command-line tool mpcmdrun.exe, use the following command:
NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in
December 2018) or later.
Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
Get-MpPreference
In the following example, the items contained in the ExclusionExtension list are highlighted:
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and
Defender cmdlets.
Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever
label you want to name the variable:
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath
In the following example, the list is split into new lines for each use of the Add-MpPreference cmdlet:
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and
Defender cmdlets.
If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware,
and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are
the same as what is described on the EICAR test file website.
You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file -
as with the Invoke-WebRequest cmdlet; replace c:\test.txt with a file that conforms to the rule you are validating:
If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new
text file with the following PowerShell command:
[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are
attempting to exclude.
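The validation procedure above (write the EICAR string into the excluded location, then check for a detection and whether the file survived) can be scripted so it returns a verdict rather than relying on a manual check; this is an added example with a function name of my choosing, not code from the Microsoft documentation, and it assumes the Defender PowerShell module (Get-MpComputerStatus, Get-MpThreatDetection) is available in an elevated session on the endpoint.

```powershell
# Added example, not from the Microsoft documentation: validate a file or folder
# exclusion with the EICAR test string and report a verdict.

function Test-DefenderExclusion {
    [CmdletBinding()]
    param(
        # Full path of the test file. Choose it so that it matches the exclusion under
        # test (inside an excluded folder, or with an excluded extension).
        [Parameter(Mandatory)][string]$Path,
        # Time to give real-time protection to react before checking the outcome.
        [int]$WaitSeconds = 10
    )

    # The standard EICAR test string, the same one the documentation uses.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

    # With real-time protection off nothing is ever detected, so a surviving file
    # would say nothing about the exclusion; record this to refuse a verdict.
    $rtpEnabled = (Get-MpComputerStatus).RealTimeProtectionEnabled

    $started    = (Get-Date).AddMinutes(-1)   # small margin for clock granularity
    $writeError = $null
    try {
        # WriteAllText throws if real-time protection blocks the write outright.
        [System.IO.File]::WriteAllText($Path, $eicar)
    }
    catch {
        $writeError = $_.Exception.Message
    }

    Start-Sleep -Seconds $WaitSeconds

    # Real-time protection removes a detected file; it survives only when excluded.
    $fileExists = Test-Path -LiteralPath $Path -PathType Leaf

    # Detection records list the affected files in Resources as "file:_<full path>".
    $detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object {
            $_.InitialDetectionTime -ge $started -and
            (($_.Resources -join ';') -match [regex]::Escape($Path))
        })

    $verdict = if (-not $rtpEnabled) {
        'Inconclusive: real-time protection is disabled'
    } elseif ($detections.Count -gt 0) {
        'Exclusion NOT working: Windows Defender Antivirus reported the test file'
    } elseif ($fileExists) {
        'Exclusion working: no detection and the test file still exists'
    } else {
        'Inconclusive: no detection recorded but the file is gone (see WriteError)'
    }

    # Do not leave the test file behind in an excluded location.
    if ($fileExists) { Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue }

    [pscustomobject]@{
        Path       = $Path
        WriteError = $writeError
        FileExists = $fileExists
        Detections = $detections.Count
        Verdict    = $verdict
    }
}

# C:\test\data is a constructed path assumed to be in the ExclusionPath list:
Test-DefenderExclusion -Path 'C:\test\data\eicar-check.txt' | Format-List
```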
Related topics
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Configure exclusions for files opened by processes
3/13/2020 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans.
This topic describes how to configure exclusion lists for the following:
Any file on the machine that is opened by any process with a specific file name
  Example: specifying "test.exe" would exclude files opened by c:\sample\test.exe and d:\internal\files\test.exe.
Any file on the machine that is opened by any process under a specific folder
  Example: specifying "c:\test\sample\*" would exclude files opened by c:\test\sample\test.exe, c:\test\sample\test2.exe, and c:\test\sample\utility.exe.
Any file on the machine that is opened by a specific process in a specific folder
  Example: specifying "c:\test\process.exe" would exclude files opened only by c:\test\process.exe.
When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by
that process, no matter where the files are located. The process itself, however, will be scanned unless it has also
been added to the file exclusion list.
The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or
on-demand scans.
Changes made with Group Policy to the exclusion lists will show in the lists in the Windows Security app.
However, changes made in the Windows Security app will not show in the Group Policy lists.
You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration
Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize
the lists.
You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made
with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration
Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override
managed deployment settings.
Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the -ExclusionProcess parameter. The cmdlets are all in the Defender module.
The format for the cmdlets is:
Configuration action | PowerShell cmdlet
IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet again will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process:
Use Windows Management Instrumentation (WMI) to exclude files that have been opened by specified processes from scans
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following property:
ExclusionProcess
The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference, Add-MpPreference, and Remove-MpPreference.
Environment variables: The defined variable will be populated as a path when the exclusion is evaluated. Example: %ALLUSERSPROFILE%\CustomLogFiles\file.exe would exclude any file opened by C:\ProgramData\CustomLogFiles\file.exe.
NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in
December 2018) or later.
Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
Get-MpPreference
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever
label you want to name the variable:
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
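Because a bare file name in the process exclusion list exempts files opened by any process with that name anywhere on the machine, it is worth classifying each entry by the three shapes in the table earlier in this topic before trusting the list. The following added example (my own function, not code from the Microsoft documentation) does that against the live ExclusionProcess list or against a list you pass in.

```powershell
# Added example, not from the Microsoft documentation: classify each process
# exclusion by how broadly it applies, so the widest entries get reviewed first.

function Get-ProcessExclusionScope {
    [CmdletBinding()]
    param(
        # Defaults to the live list; pass your own entries to review a proposed
        # policy without touching the endpoint.
        [string[]]$Exclusion = (Get-MpPreference).ExclusionProcess
    )

    foreach ($entry in @($Exclusion | Where-Object { $_ })) {
        $scope = if ($entry -notmatch '\\') {
            'Name only: any process with this file name, in any folder'
        } elseif ($entry -match '\\\*$') {
            'Folder: every process in this folder'
        } elseif ($entry -match '[*?]') {
            'Wildcard path: processes whose full path matches the pattern'
        } else {
            'Full path: only this one executable'
        }

        # Environment variables are expanded in the SYSTEM context when Defender
        # evaluates the exclusion; expanding here shows the effective path.
        $effective = [System.Environment]::ExpandEnvironmentVariables($entry)

        # Only a full path can be checked for the binary's presence; a missing
        # executable usually means a stale exclusion that can be removed.
        $exists = if ($scope -like 'Full path*') {
            Test-Path -LiteralPath $effective -PathType Leaf
        } else {
            $null
        }

        [pscustomobject]@{
            Exclusion     = $entry
            EffectivePath = $effective
            Scope         = $scope
            FileExists    = $exists
            # Name-only and whole-folder entries exempt the most activity.
            ReviewFirst   = ($scope -like 'Name only*') -or ($scope -like 'Folder*')
        }
    }
}

# Review a constructed list (the three shapes from the table) without changing anything:
Get-ProcessExclusionScope -Exclusion 'test.exe', 'c:\test\sample\*', 'c:\test\process.exe' |
    Format-Table -AutoSize
```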
Related articles
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder location
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus exclusions on Windows Server
3/4/2020 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions,
as defined by your specified server role. See the list of automatic exclusions (in this article). These exclusions do
not appear in the standard exclusion lists that are shown in the Windows Security app.
NOTE
Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a
Full/Quick or On-demand scan.
In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that,
refer to these articles:
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
WARNING
Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
Because predefined exclusions only exclude default paths, if you move NTDS and SYSVOL to another drive or path that is different from the original path, you must add exclusions manually using the information here.
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019
1. On your Group Policy management computer, open the Group Policy Management Console. Right-click the Group Policy Object you want to configure, and then click Edit.
2. In the Group Policy Management Editor go to Computer configuration, and then click Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click Turn off Auto Exclusions, and set the option to Enabled. Then click OK.
Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019
Use the following cmdlets:
Use Windows Management Instrumentation (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019
Use the Set method of the MSFT_MpPreference class for the following property:
DisableAutoExclusions
%windir%\Ntfrs\*\Edb*.log
The FRS staging folder. The staging folder is specified in the registry key HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage
  %systemroot%\Sysvol\*\Nntfrs_cmp*\
The FRS preinstall folder. This folder is specified by the folder Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
  %systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\
The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File
NOTE
For custom locations, see Opt out of automatic exclusions.
%windir%\Ntds\ntds.dit
%windir%\Ntds\ntds.pat
The AD DS transaction log files. The transaction log files are specified in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
  %windir%\Ntds\EDB*.log
  %windir%\Ntds\Res*.log
  %windir%\Ntds\Edb*.jrs
  %windir%\Ntds\Ntds*.pat
  %windir%\Ntds\TEMP.edb
The NTDS working folder. This folder is specified in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
  %windir%\Ntds\Temp.edb
  %windir%\Ntds\Edb.chk
Process exclusions for AD DS and AD DS-related support files
  %systemroot%\System32\ntfrs.exe
  %systemroot%\System32\lsass.exe
DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The
DHCP Server file locations are specified by the DatabasePath, DhcpLogFilePath, and BackupDatabasePath
parameters in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
%systemroot%\System32\DHCP\*\*.mdb
%systemroot%\System32\DHCP\*\*.pat
%systemroot%\System32\DHCP\*\*.log
%systemroot%\System32\DHCP\*\*.chk
%systemroot%\System32\DHCP\*\*.edb
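Since the automatic exclusions cover only the default locations, a server whose AD DS or DHCP database has been moved needs a manual exclusion. The following added example (my own function, not code from the Microsoft documentation) reads the registry values named in the sections above, compares each against the default folder the automatic exclusions assume, and reports any path that is neither in its default location nor covered by a custom ExclusionPath entry; run it in an elevated session on the server.

```powershell
# Added example, not from the Microsoft documentation: find role database paths that
# have been moved away from the folders the automatic exclusions cover.

function Get-MovedRoleDatabasePath {
    [CmdletBinding()]
    param(
        # Custom exclusions to check against; pass your own list to evaluate a
        # planned policy without touching the live configuration.
        [string[]]$ExclusionPath = (Get-MpPreference).ExclusionPath
    )

    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dhcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

    # Registry value to read, and the default folder the automatic exclusions assume.
    $checks = @(
        @{ Role = 'AD DS';       Key = $ntdsKey; Value = 'DSA Working Directory';   Default = "$env:windir\Ntds" }
        @{ Role = 'AD DS';       Key = $ntdsKey; Value = 'Database Log Files Path'; Default = "$env:windir\Ntds" }
        @{ Role = 'DHCP Server'; Key = $dhcpKey; Value = 'DatabasePath';            Default = "$env:windir\System32\DHCP" }
        @{ Role = 'DHCP Server'; Key = $dhcpKey; Value = 'DhcpLogFilePath';         Default = "$env:windir\System32\DHCP" }
        @{ Role = 'DHCP Server'; Key = $dhcpKey; Value = 'BackupDatabasePath';      Default = "$env:windir\System32\DHCP" }
    )

    foreach ($c in $checks) {
        # A role that is not installed has no such value; skip it silently.
        $item = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
        if (-not $item) { continue }

        $actual    = [System.Environment]::ExpandEnvironmentVariables($item.($c.Value)).TrimEnd('\')
        $isDefault = ($actual -eq $c.Default) -or ($actual -like "$($c.Default)\*")

        # A custom exclusion covers the path when it names that folder or a parent.
        $covered = $false
        foreach ($ex in @($ExclusionPath | Where-Object { $_ })) {
            $exFull = [System.Environment]::ExpandEnvironmentVariables($ex).TrimEnd('\')
            if (($actual -eq $exFull) -or ($actual -like "$exFull\*")) { $covered = $true; break }
        }

        [pscustomobject]@{
            Role          = $c.Role
            Setting       = $c.Value
            Path          = $actual
            DefaultPath   = $isDefault
            CustomCovered = $covered
            ActionNeeded  = (-not $isDefault) -and (-not $covered)   # add an exclusion
        }
    }
}

Get-MovedRoleDatabasePath | Format-Table -AutoSize
```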
DNS Server exclusions
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when
you install the DNS Server role.
File and folder exclusions for the DNS Server role
%systemroot%\System32\Dns\*\*.log
%systemroot%\System32\Dns\*\*.dns
%systemroot%\System32\Dns\*\*.scc
%systemroot%\System32\Dns\*\BOOT
Process exclusions for the DNS Server role
%systemroot%\System32\dns.exe
File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and
Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
%SystemDrive%\ClusterStorage
%clusterserviceaccount%\Local Settings\Temp
%SystemDrive%\mscs
Print Server exclusions
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered
automatically when you install the Print Server role.
File type exclusions
*.shd
*.spl
Folder exclusions
This folder is specified in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory
%system32%\spool\printers\*
Process exclusions
spoolsv.exe
Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you
install the Web Server role.
Folder exclusions
%SystemRoot%\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\ASP Compiled Templates
%systemDrive%\inetpub\logs
%systemDrive%\inetpub\wwwroot
Process exclusions
%SystemRoot%\system32\inetsrv\w3wp.exe
%SystemRoot%\SysWOW64\inetsrv\w3wp.exe
%SystemDrive%\PHP5433\php-cgi.exe
Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server
Update Services (WSUS) role. The WSUS folder is specified in the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup
%systemroot%\WSUS\WSUSContent
%systemroot%\WSUS\UpdateServicesDBFiles
%systemroot%\SoftwareDistribution\Datastore
%systemroot%\SoftwareDistribution\Download
Related articles
Configure and validate exclusions for Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus scanning options
2/1/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Use Microsoft Intune to configure scanning options
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction settings for
Windows 10 in Intune for more details.
Scan e-mail (see Email scanning limitations below)
  Location and setting: Scan > Turn on e-mail scanning
  Default setting (if not configured): Disabled
  Set-MpPreference parameter / MSFT_MpPreference property: -DisableEmailScanning
Scan reparse points
  Location and setting: Scan > Turn on reparse point scanning
  Default setting (if not configured): Disabled
  Set-MpPreference parameter / MSFT_MpPreference property: Not available
Scan mapped network drives
  Location and setting: Scan > Run full scan on mapped network drives
  Default setting (if not configured): Disabled
  Set-MpPreference parameter / MSFT_MpPreference property: -DisableScanningMappedNetworkDrivesForFullS
Scan archive files (such as .zip or .rar files). The extensions exclusion list will take precedence over this setting.
  Location and setting: Scan > Scan archive files
  Default setting (if not configured): Enabled
  Set-MpPreference parameter / MSFT_MpPreference property: -DisableArchiveScanning
Scan files on the network
  Location and setting: Scan > Scan network files
  Default setting (if not configured): Disabled
  Set-MpPreference parameter / MSFT_MpPreference property: -DisableScanningNetworkFiles
Scan packed executables
  Location and setting: Scan > Scan packed executables
  Default setting (if not configured): Enabled
  Set-MpPreference parameter / MSFT_MpPreference property: Not available
Scan removable drives during full scans only
  Location and setting: Scan > Scan removable drives
  Default setting (if not configured): Disabled
  Set-MpPreference parameter / MSFT_MpPreference property: -DisableRemovableDriveScanning
Specify the level of subfolders within an archive folder to scan
  Location and setting: Scan > Specify the maximum depth to scan archive files
  Default setting (if not configured): 0
  Set-MpPreference parameter / MSFT_MpPreference property: Not available
Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average.
  Location and setting: Scan > Specify the maximum percentage of CPU utilization during a scan
  Default setting (if not configured): 50
  Set-MpPreference parameter / MSFT_MpPreference property: -ScanAvgCPULoadFactor
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, 0, applies no limit.
  Location and setting: Scan > Specify the maximum size of archive files to be scanned
  Default setting (if not configured): No limit
  Set-MpPreference parameter / MSFT_MpPreference property: Not available
Configure low CPU priority for scheduled scans
  Location and setting: Scan > Configure low CPU priority for scheduled scans
  Default setting (if not configured): Disabled
  Set-MpPreference parameter / MSFT_MpPreference property: Not available
NOTE
If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files,
including those on mounted removable devices such as USB drives.
Related topics
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Configure and run on-demand Windows Defender Antivirus scans
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Configure remediation for Windows Defender Antivirus scans
2/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can
configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point
before remediating, and when it should remove remediated threats.
This topic describes how to configure these settings with Group Policy, but you can also use Microsoft Endpoint
Configuration Manager and Microsoft Intune.
You can also use the Set-MpPreference PowerShell cmdlet or MSFT_MpPreference WMI class to configure these
settings.
Location: Root
  Setting: Turn off routine remediation
  Description: You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do.
  Default setting (if not configured): Disabled (threats are remediated automatically)
Location: Quarantine
  Setting: Configure removal of items from Quarantine folder
  Description: Specify how many days items should be kept in quarantine before being removed.
  Default setting (if not configured): Never removed
Location: Threats
  Setting: Specify threat alert levels at which default action should not be taken when detected
  Description: Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored).
  Default setting (if not configured): Not applicable
Location: Threats
  Setting: Specify threats upon which default action should not be taken when detected
  Description: Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored.
  Default setting (if not configured): Not applicable
IMPORTANT
Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-windows-defender-antivirus.md).
To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md).
Also see Configure remediation-required scheduled full Windows Defender Antivirus scans for more remediation-
related settings.
Related topics
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Configure and run on-demand Windows Defender Antivirus scans
Configure the notifications that appear on endpoints
Configure end-user Windows Defender Antivirus interaction
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure scheduled quick or full Windows Defender Antivirus scans
1/30/2020 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans.
You can Manage the schedule for when protection updates should be downloaded and applied to override this
default.
In addition to always-on real-time protection and on-demand scans, you can set up regular, scheduled
scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a
protection update or if the endpoint is being used. You can also specify when special scans to complete
remediation should occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure scheduled scans with Microsoft Endpoint Configuration Manager or Microsoft Intune.
To configure the Group Policy settings described in this topic:
1. On your Group Policy management machine, open the Group Policy Management Console, right-
click the Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration .
3. Click Administrative templates .
4. Expand the tree to Windows components > Windows Defender Antivirus and then the
Location specified in the table below.
5. Double-click the policy Setting as specified in the table below, and set the option to your desired
configuration. Click OK , and repeat for any other settings.
Also see the Manage when protection updates should be downloaded and applied and Prevent or allow
users to locally modify policy settings topics.
NOTE
By default, quick scans run on mounted removable devices, such as USB drives.
NOTE
If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with
event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan
at the next scheduled time.
Location: Scan
  Setting: Specify the day of the week to run a scheduled scan
  Description: Specify the day (or never) to run a scan.
  Default setting (if not configured): Never
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule scans:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
Location: Scan
  Setting: Start the scheduled scan only when computer is on but not in use
  Description: Scheduled scans will not run, unless the computer is on but not in use.
  Default setting (if not configured): Enabled
Set-MpPreference -ScanOnlyIfIdleEnabled
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
Location: Remediation
  Setting: Specify the day of the week to run a scheduled full scan to complete remediation
  Description: Specify the day (or never) to run a scan.
  Default setting (if not configured): Never
Set-MpPreference -RemediationScheduleDay
Set-MpPreference -RemediationScheduleTime
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
Location: Scan
  Setting: Specify the interval to run quick scans per day
  Description: Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter 2; for once a day, enter 24. Enter 0 to never run a daily quick scan.
  Default setting (if not configured): Never
Set-MpPreference -ScanScheduleQuickTime
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule daily scans:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
Location: Signature updates
  Setting: Turn on scan after Security intelligence update
  Description: A scan will occur immediately after a new protection update is downloaded.
  Default setting (if not configured): Enabled
Related topics
Prevent or allow users to locally modify policy settings
Configure and run on-demand Windows Defender Antivirus scans
Configure Windows Defender Antivirus scanning options
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Windows Defender Antivirus in Windows 10
Configure and run on-demand Windows Defender Antivirus scans
1/30/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can
define parameters for the scan, such as the location or type.
NOTE
By default, quick scans run on mounted removable devices, such as USB drives.
See Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
Start-MpScan
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Related articles
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Review Windows Defender Antivirus scan results
2/5/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
After a Windows Defender Antivirus scan completes, whether it is an on-demand or scheduled scan, the results are recorded and you can view them.
Get-MpThreatDetection
You can specify -ThreatID to limit the output to only show the detections for a specific threat.
If you want to list threat detections, but combine detections of the same threat into a single item, you can use the
following cmdlet:
Get-MpThreat
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
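Get-MpThreatDetection gives one record per detection event while Get-MpThreat gives one record per threat; for triage it helps to combine them. The following added example (my own function, not code from the Microsoft documentation) groups the detection events by ThreatID, looks up the threat name and severity from Get-MpThreat, and reports when each threat was first and last seen, by which process and user, and whether the last remediation action succeeded; it relies on the standard properties those two cmdlets return.

```powershell
# Added example, not from the Microsoft documentation: one triage row per threat,
# built from the per-event output of Get-MpThreatDetection.

function Get-ThreatTriageReport {
    [CmdletBinding()]
    param(
        # Only include detections from the last N days; 0 means all recorded ones.
        [int]$Days = 0
    )

    $since = if ($Days -gt 0) { (Get-Date).AddDays(-$Days) } else { [datetime]::MinValue }

    # Get-MpThreat already merges detections of the same threat; index it by ThreatID
    # as a string, which is also what Group-Object exposes as the group Name.
    $threatById = @{}
    foreach ($t in @(Get-MpThreat -ErrorAction SilentlyContinue)) {
        $threatById["$($t.ThreatID)"] = $t
    }

    Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Group-Object -Property ThreatID |
        ForEach-Object {
            $events = @($_.Group | Sort-Object -Property InitialDetectionTime)
            $last   = $events[-1]
            $meta   = $threatById[$_.Name]
            $name   = if ($meta) { $meta.ThreatName } else { '(not listed by Get-MpThreat)' }
            $sev    = if ($meta) { $meta.SeverityID } else { $null }

            # Resources entries name the affected files ("file:_<path>") and processes.
            $resources = @($events | ForEach-Object { $_.Resources }) | Sort-Object -Unique

            [pscustomobject]@{
                ThreatID     = $_.Name
                ThreatName   = $name
                SeverityID   = $sev
                Detections   = $events.Count
                FirstSeen    = $events[0].InitialDetectionTime
                LastSeen     = $last.InitialDetectionTime
                LastProcess  = $last.ProcessName
                LastUser     = $last.DomainUser
                LastActionOK = $last.ActionSuccess
                Resources    = ($resources -join '; ')
            }
        } |
        Sort-Object -Property SeverityID -Descending
}

# Threats seen in the last 7 days, most severe first; a failed last action or a
# ThreatID missing from Get-MpThreat is what to look at first.
Get-ThreatTriageReport -Days 7 | Format-Table ThreatName, Detections, LastSeen, LastActionOK -AutoSize
```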
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted
environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to
bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean
of the endpoint after a malware outbreak.
In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Security app. In
previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the
endpoint, and load the bootable media.
NOTE
Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
NOTE
Before running an offline scan, update Windows Defender AV protection first: an offline scan only knows about threats covered
by the security intelligence present at the time of the reboot. You can force an update with Group Policy or with whatever
mechanism you normally use to deploy updates to endpoints, or you can manually download and install the latest protection
updates from the Microsoft Malware Protection Center.
See the Manage Windows Defender Antivirus Security intelligence updates topic for more information.
Usage scenarios
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender
determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint.
The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're
using it to manage your endpoints.
The prompt appears as a notification on the endpoint, and the user is also notified within the Windows Defender client.
In Configuration Manager, you can identify the status of endpoints by navigating to Monitoring > Overview >
Security > Endpoint Protection Status > System Center Endpoint Protection Status.
Windows Defender Offline scans are indicated under Malware remediation status as Offline scan required.
Configure notifications
Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV
notifications.
For more information about notifications in Windows Defender, see the Configure the notifications that appear on
endpoints topic.
Run a scan
IMPORTANT
Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows
Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is
performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan
performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
You can run a Windows Defender Offline scan with the following:
PowerShell
Windows Management Instrumentation (WMI)
The Windows Security app
Use PowerShell cmdlets to run an offline scan
Use the following cmdlet:
Start-MpWDOScan
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to run an offline scan
Use the MSFT_MpWDOScan class to run an offline scan.
Calling the Start method of the MSFT_MpWDOScan class immediately runs a Windows Defender Offline scan, which
causes the endpoint to restart, run the offline scan, and then restart and boot into Windows.
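The following script is an added example, not code from the original article: it ties the two preceding sections together by refreshing security intelligence, refusing to continue if the signatures are still stale, and only then requesting the offline scan, either with the Start-MpWDOScan cmdlet or through the MSFT_MpWDOScan WMI class. Because the scan reboots the endpoint, the script requires an explicit -Force switch. The one-day signature-age threshold and the root/Microsoft/Windows/Defender namespace used for the CIM call are this example's assumptions.

```powershell
# Added example (not from the original article): update signatures, confirm they are
# current, then start a Windows Defender Offline scan. The scan reboots the endpoint,
# so the script refuses to continue unless -Force is given.
# Assumptions: x86/x64 Windows 10 (offline scan is not supported on ARM or on
# Windows Server), an elevated shell, and the Defender PowerShell module.

[CmdletBinding()]
param(
    # Signatures older than this many days block the offline scan (assumed threshold)
    [int]$MaxSignatureAgeDays = 1,
    # Use the WMI class MSFT_MpWDOScan instead of the Start-MpWDOScan cmdlet
    [switch]$UseWmi,
    # Required to actually reboot into the offline scan
    [switch]$Force
)

# Refresh security intelligence first; an offline scan with stale signatures
# misses anything newer than the last update.
Update-MpSignature -ErrorAction Stop

$status = Get-MpComputerStatus
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    throw ("Antivirus signatures are {0} day(s) old (last updated {1}); update before scanning offline." -f
        $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated)
}

if (-not $Force) {
    Write-Warning ("Signatures are current (version {0}). Re-run with -Force to reboot into the offline scan." -f
        $status.AntivirusSignatureVersion)
    return
}

if ($UseWmi) {
    # WMI route: invoke the static Start method on MSFT_MpWDOScan.
    # Namespace is an assumption of this example (root/Microsoft/Windows/Defender).
    Invoke-CimMethod -Namespace 'root/Microsoft/Windows/Defender' `
                     -ClassName 'MSFT_MpWDOScan' -MethodName 'Start' -ErrorAction Stop | Out-Null
} else {
    # Cmdlet route, equivalent to the WMI call above.
    Start-MpWDOScan -ErrorAction Stop
}
Write-Host "Offline scan requested; the endpoint will restart shortly."
```

Run it once without -Force to confirm the signature state and then with -Force from a session where the user has already saved their work, since the restart happens within moments of the call.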
Related articles
Customize, initiate, and review the results of scans and remediation
Windows Defender Antivirus in Windows 10
Restore quarantined files in Windows Defender AV
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender
Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
1. Open Windows Security .
2. Click Virus & threat protection and then click Threat History.
3. Under Quarantined threats, click See full history.
4. Click an item you want to keep, then click Restore. (If you prefer to remove the item, you can click Remove.)
NOTE
You can also use the dedicated command-line tool mpcmdrun.exe to restore quarantined files in Windows Defender AV.
Related articles
Configure remediation for scans
Review scan results
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
What to do with false positives/negatives in Windows
Defender Antivirus
3/11/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With
Windows Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats
like viruses, malware and spyware across email, apps, the cloud, and the web.
But what if something gets detected wrongly as malware, or something is missed? We call these false positives and
false negatives. Fortunately, there are some steps you can take to deal with these things. You can:
Submit a file to Microsoft for analysis;
Create an "Allow" indicator to prevent a false positive from recurring; or
Define an exclusion on an individual Windows device to prevent an item from being scanned by Windows
Defender Antivirus.
TIP
We recommend signing in at the submission portal so you can track the results of your submissions.
File type (defined by file extension, for example .test): all files with the specified extension anywhere on your device are
skipped by Windows Defender Antivirus.
Process (defined by executable file path, for example c:\test\process.exe): the specified process and any files that are
opened by that process are skipped by Windows Defender Antivirus.
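Exclusions are the part of a false-positive workaround that attackers also love, because a process exclusion hides every file that process opens and an extension exclusion applies to the whole disk. The following function is an added example, not code from the original article: it reads the local exclusions with Get-MpPreference and flags the ones a reviewer should question. It goes slightly beyond the two exclusion types described above by also listing path exclusions. The lists of "risky" extensions and processes and the path heuristics are this example's own choices, not Microsoft guidance.

```powershell
# Added example (not from the original article): report local Windows Defender AV
# exclusions and flag the ones that widen the attack surface.
# Assumes an elevated shell with the Defender module; the risk lists are this
# example's own choices.

function Get-DefenderExclusionReport {
    [CmdletBinding()]
    param(
        # Accepts a Get-MpPreference object so the report can be run against a
        # captured object from another host; defaults to the local machine.
        $Preference = (Get-MpPreference)
    )

    # Executable and script types that should almost never be excluded wholesale.
    $riskyExtensions = 'exe','dll','ps1','vbs','js','bat','cmd','scr','com','msi','hta','lnk'
    # Interpreters and commonly abused binaries: excluding them hides whatever they run or open.
    $riskyProcesses  = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe',
                       'mshta.exe','rundll32.exe','regsvr32.exe','msbuild.exe','explorer.exe'

    foreach ($ext in @($Preference.ExclusionExtension)) {
        if (-not $ext) { continue }
        $clean = $ext.TrimStart('.').ToLowerInvariant()
        $risk  = if ($clean -in $riskyExtensions) { 'High' } else { 'Review' }
        [pscustomobject]@{
            Type   = 'Extension'
            Value  = $ext
            Risk   = $risk
            Reason = 'Every file with this extension, anywhere on the device, is skipped'
        }
    }

    foreach ($proc in @($Preference.ExclusionProcess)) {
        if (-not $proc) { continue }
        $leaf = [System.IO.Path]::GetFileName($proc).ToLowerInvariant()
        $risk = 'Review'
        if ($leaf -in $riskyProcesses)                          { $risk = 'High' } # scripting host / abused binary
        elseif ($proc -notmatch '^[A-Za-z]:\\')                 { $risk = 'High' } # bare name matches any path
        elseif ($proc -match '\\Users\\|\\Temp\\|\\AppData\\')  { $risk = 'High' } # user-writable location
        [pscustomobject]@{
            Type   = 'Process'
            Value  = $proc
            Risk   = $risk
            Reason = 'Files opened by this process are not scanned, wherever they are'
        }
    }

    foreach ($path in @($Preference.ExclusionPath)) {
        if (-not $path) { continue }
        $risk = if ($path -match '^[A-Za-z]:\\?$|\\Users\\|\\Temp\\|\\AppData\\') { 'High' } else { 'Review' }
        [pscustomobject]@{
            Type   = 'Path'
            Value  = $path
            Risk   = $risk
            Reason = 'Nothing under this path is scanned'
        }
    }
}

# Usage: riskiest entries first.
Get-DefenderExclusionReport | Sort-Object Risk, Type | Format-Table -AutoSize
```

An empty report is the goal on a general-purpose workstation; anything marked High should be traceable to a ticket and, where possible, replaced with a file submission or an "Allow" indicator rather than a standing exclusion.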
Related articles
What is Microsoft Defender Advanced Threat Protection?
Microsoft Threat Protection
Manage Windows Defender Antivirus in your
business
1/30/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can manage and configure Windows Defender Antivirus with the following tools:
Microsoft Intune
Microsoft Endpoint Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
The mpcmdrun.exe utility
The articles in this section provide further information, links, and resources for using these tools to manage and
configure Windows Defender Antivirus.
In this section
Article | Description
Manage Windows Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager | Information about using Intune and Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus
Manage Windows Defender Antivirus with Group Policy settings | List of all Group Policy settings located in ADMX templates
Manage Windows Defender Antivirus with PowerShell cmdlets | Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI) | Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool | Instructions on using the dedicated command-line tool to manage and use Windows Defender Antivirus
Use Microsoft Endpoint Configuration Manager and
Microsoft Intune to configure and manage Windows
Defender Antivirus
1/30/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your
network, you can also use them to manage Windows Defender Antivirus scans.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used
by Windows Defender Antivirus.
See the Endpoint Protection library on docs.microsoft.com for information on using Configuration Manager.
For Microsoft Intune, consult the Microsoft Intune library and Configure device restriction settings in Intune.
Related articles
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use Group Policy settings to configure and manage
Windows Defender Antivirus
11/20/2019 • 9 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use Group Policy to configure and manage Windows Defender Antivirus on your endpoints.
In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy
settings:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object (GPO) you want to configure and click Edit .
2. Using the Group Policy Management Editor go to Computer configuration .
3. Click Administrative templates .
4. Expand the tree to Windows components > Windows Defender Antivirus .
5. Expand the section (referred to as Location in the table in this topic) that contains the setting you want to
configure, double-click the setting to open it, and make configuration changes.
6. Deploy the updated GPO as you normally do.
The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides
links to the appropriate topic in this documentation library (where applicable).
Location | Setting | Article
Client interface | Display additional text to clients when they need to perform an action | Configure the notifications that appear on endpoints
Client interface | Suppress all notifications | Configure the notifications that appear on endpoints
Client interface | Suppresses reboot notifications | Configure the notifications that appear on endpoints
MAPS | Configure the 'Block at First Sight' feature | Enable block at first sight
MAPS | Send file samples when further analysis is required | Enable cloud-delivered protection
MAPS | Configure local setting override for reporting to Microsoft MAPS | Prevent or allow users to locally modify policy settings
MpEngine | Configure extended cloud check | Configure the cloud block timeout period
Network inspection system | Specify additional definition sets for network traffic inspection | Not used
Quarantine | Configure local setting override for the removal of items from Quarantine folder | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for turn on behavior monitoring | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override to turn on real-time protection | Prevent or allow users to locally modify policy settings
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Monitor file and program activity on your computer | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Scan all downloaded files and attachments | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn off real-time protection | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on process scanning whenever real-time protection is enabled | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on raw volume write notifications | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Prevent or allow users to locally modify policy settings
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans
Reporting | Turn off enhanced notifications | Configure the notifications that appear on endpoints
Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to Not configured to ensure any installed third-party antivirus apps work correctly)
Root | Configure local administrator merge behavior for lists | Prevent or allow users to locally modify policy settings
Root | Randomize scheduled task times | Configure scheduled scans for Windows Defender Antivirus
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | Manage event-based forced updates
Scan | Define the number of days after which a catch-up scan is forced | Manage updates for endpoints that are out of date
Scan | Turn on catch up full scan | Manage updates for endpoints that are out of date
Scan | Turn on catch up quick scan | Manage updates for endpoints that are out of date
Scan | Configure local setting override for maximum percentage of CPU utilization | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for schedule scan day | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled quick scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for the scan type to use for a scheduled scan | Prevent or allow users to locally modify policy settings
Scan | Turn on removal of items from scan history folder | Configure remediation for Windows Defender Antivirus scans
Scan | Run full scan on mapped network drives | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum depth to scan archive files | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum size of archive files to be scanned | Configure scanning options in Windows Defender Antivirus
Scan | Specify the day of the week to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the interval to run quick scans per day | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the scan type to use for a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time for a daily quick scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time of day to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Start the scheduled scan only when computer is on but not in use | Configure scheduled scans for Windows Defender Antivirus
Security intelligence updates | Allow security intelligence updates from Microsoft Update | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow security intelligence updates when running on battery power | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Check for the latest virus and spyware definitions on startup | Manage event-based forced updates
Security intelligence updates | Define file shares for downloading security intelligence updates | Manage Windows Defender Antivirus protection and security intelligence updates
Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before spyware definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before virus definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the order of sources for downloading security intelligence updates | Manage Windows Defender Antivirus protection and security intelligence updates
Security intelligence updates | Initiate security intelligence update on startup | Manage event-based forced updates
Security intelligence updates | Specify the day of the week to check for security intelligence updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the interval to check for security intelligence updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the time to check for security intelligence updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Turn on scan after Security intelligence update | Configure scheduled scans for Windows Defender Antivirus
Threats | Specify threat alert levels at which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans
Threats | Specify threats upon which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans
Related articles
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use PowerShell cmdlets to configure and
manage Windows Defender Antivirus
2/24/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use PowerShell to perform various functions in Windows Defender. Similar to the command
prompt or command line, PowerShell is a task-based command-line shell and scripting language
designed especially for system administration. You can read more about it at the PowerShell hub on
MSDN.
For a list of the cmdlets and their functions and available parameters, see the Defender cmdlets topic.
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user
interface (GUI) to configure software.
NOTE
PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure,
such as Microsoft Endpoint Configuration Manager, Group Policy Management Console, or Windows Defender
Antivirus Group Policy ADMX templates.
Changes made with PowerShell will affect local settings on the endpoint where the changes are
deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint
Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
You can configure which settings can be overridden locally with local policy overrides.
PowerShell is typically installed under the folder %SystemRoot%\system32\WindowsPowerShell.
NOTE
You may need to open PowerShell in administrator mode. Right-click the item in the Start menu, click Run as
administrator and click Yes at the permissions prompt.
To open online help for any of the cmdlets, run Get-Help <cmdlet name> -Online.
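Because policy delivered through Group Policy, Configuration Manager or Intune overwrites local PowerShell changes, the first question when a Get-MpPreference value looks wrong is whether it is locally set or policy-enforced. The following function is an added example, not code from the original article: for a handful of security-critical settings it compares the effective preference with the corresponding value under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, where policy-delivered values are written, and reports which source wins. The mapping table between preference properties and policy value names is this example's own.

```powershell
# Added example (not from the original article): for selected settings, report whether
# the effective value comes from delivered policy (which overwrites local PowerShell
# changes) or from local preferences.
# Assumptions: policy values live under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender,
# and the property-to-value-name mapping below is this example's own.

function Get-DefenderSettingSource {
    [CmdletBinding()]
    param(
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
        $Preference = (Get-MpPreference)
    )

    # Get-MpPreference property -> policy subkey and value name (example mapping)
    $map = @(
        @{ Pref = 'DisableRealtimeMonitoring'; Key = 'Real-Time Protection'; Value = 'DisableRealtimeMonitoring' }
        @{ Pref = 'DisableBehaviorMonitoring'; Key = 'Real-Time Protection'; Value = 'DisableBehaviorMonitoring' }
        @{ Pref = 'DisableIOAVProtection';     Key = 'Real-Time Protection'; Value = 'DisableIOAVProtection' }
        @{ Pref = 'MAPSReporting';             Key = 'Spynet';               Value = 'SpynetReporting' }
        @{ Pref = 'SubmitSamplesConsent';      Key = 'Spynet';               Value = 'SubmitSamplesConsent' }
        @{ Pref = 'PUAProtection';             Key = '';                     Value = 'PUAProtection' }
    )

    foreach ($m in $map) {
        $keyPath = if ($m.Key) { Join-Path $PolicyRoot $m.Key } else { $PolicyRoot }
        $policyValue = $null
        if (Test-Path $keyPath) {
            # A present value means the setting is enforced by policy on next refresh.
            $policyValue = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).($m.Value)
        }
        [pscustomobject]@{
            Setting     = $m.Pref
            Effective   = $Preference.($m.Pref)
            PolicyValue = $policyValue
            Source      = if ($null -ne $policyValue) { 'Policy (overrides local changes)' } else { 'Local preference' }
        }
    }

    # The master kill switch has no Get-MpPreference counterpart; if it is set by
    # policy, none of the local settings matter. An unexpected value here is a
    # tampering indicator worth alerting on.
    $das = (Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue).DisableAntiSpyware
    [pscustomobject]@{
        Setting     = 'DisableAntiSpyware (policy only)'
        Effective   = $das
        PolicyValue = $das
        Source      = if ($null -ne $das) { 'Policy' } else { 'Not configured' }
    }
}

Get-DefenderSettingSource | Format-Table -AutoSize
```

A setting reported as "Local preference" is the one that a Set-MpPreference call will actually change; anything reported as policy-sourced has to be fixed in the GPO, Configuration Manager policy or Intune profile, or it will revert at the next policy refresh.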
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and
update settings.
Read more about WMI at the Microsoft Developer Network System Administration library.
Windows Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same
functions as Group Policy and other management tools. Many of the classes are analogous to Defender PowerShell
cmdlets.
The MSDN Windows Defender WMIv2 Provider reference library lists the available WMI classes for Windows
Defender Antivirus, and includes example scripts.
Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This
means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft
Intune can overwrite changes made with WMI.
You can configure which settings can be overridden locally with local policy overrides.
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Configure and manage Windows Defender Antivirus
with the mpcmdrun.exe command-line tool
3/6/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can perform various Windows Defender Antivirus functions with the dedicated command-line tool
mpcmdrun.exe. This utility is useful when you want to automate Windows Defender Antivirus use. You can find
the utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. You must run it from a command prompt.
NOTE
You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu,
click Run as administrator and click Yes at the permissions prompt.
If you're running an updated Windows Defender Platform version, run MpCmdRun from the following location instead:
C:\ProgramData\Microsoft\Windows Defender\Platform\<version>.
Here's an example:
MpCmdRun.exe -scan -2
Command | Description
-Scan [-ScanType [0|1|2|3]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel] | Scans for malicious software. Values for ScanType are: 0 Default, according to your configuration; 1 Quick scan; 2 Full scan; 3 File and directory custom scan.
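The following functions are an added example, not code from the original article, and serve both the mpcmdrun.exe note in the quarantine article above and this section: they resolve the binary from the Platform\<version> directory mentioned above (falling back to the inbox copy under Program Files), run a custom scan of a single directory with remediation disabled so evidence is preserved, and list or restore quarantined items with -Restore. The version-folder sort and the exit-code interpretation (0 for clean, 2 for threats found) are this example's assumptions; the threat name in the usage line is hypothetical.

```powershell
# Added example (not from the original article): locate the current MpCmdRun.exe,
# run a custom scan of one directory without remediation, list the quarantine, and
# restore one item by threat name.
# Assumptions: platform folders under ProgramData are named by version, and MpCmdRun
# exits 0 when nothing is found and 2 when threats are found.

function Get-MpCmdRunPath {
    # Platform updates install a newer copy under ProgramData; prefer the highest version.
    $platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    if (Test-Path $platformRoot) {
        $latest = Get-ChildItem -Path $platformRoot -Directory |
                  Sort-Object { [version]($_.Name -replace '-.*$') } -Descending |
                  Select-Object -First 1
        if ($latest) {
            $candidate = Join-Path $latest.FullName 'MpCmdRun.exe'
            if (Test-Path $candidate) { return $candidate }
        }
    }
    # Fall back to the inbox copy.
    return (Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe')
}

function Invoke-MpCustomScan {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Detect but do not clean: keeps the sample in place for forensics
        [switch]$DisableRemediation
    )
    $scanArgs = @('-Scan', '-ScanType', '3', '-File', $Path)
    if ($DisableRemediation) { $scanArgs += '-DisableRemediation' }
    $proc = Start-Process -FilePath (Get-MpCmdRunPath) -ArgumentList $scanArgs `
                          -Wait -PassThru -NoNewWindow
    # Exit-code meaning is an assumption of this example; verify on your platform version.
    switch ($proc.ExitCode) {
        0       { [pscustomobject]@{ Path = $Path; Result = 'Clean';        ExitCode = 0 } }
        2       { [pscustomobject]@{ Path = $Path; Result = 'ThreatsFound'; ExitCode = 2 } }
        default { [pscustomobject]@{ Path = $Path; Result = 'Error';        ExitCode = $proc.ExitCode } }
    }
}

function Get-MpQuarantineItems {
    # -Restore -ListAll prints the quarantined items as plain text.
    & (Get-MpCmdRunPath) -Restore -ListAll
}

function Restore-MpQuarantineItem {
    param([Parameter(Mandatory)][string]$ThreatName)
    # Restores every file quarantined under that threat name to its original location.
    # Only do this after the detection has been confirmed as a false positive.
    & (Get-MpCmdRunPath) -Restore -Name $ThreatName
}

# Usage (the threat name below is hypothetical):
# Invoke-MpCustomScan -Path 'C:\Shares\Incoming' -DisableRemediation
# Get-MpQuarantineItems
# Restore-MpQuarantineItem -ThreatName 'Trojan:Win32/Example'
```

Run the restore only after the file has been submitted to Microsoft or an "Allow" indicator is in place; otherwise the next real-time scan will quarantine it again.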
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Better together: Windows Defender Antivirus and
Microsoft Defender Advanced Threat Protection
3/4/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat
Protection (Microsoft Defender ATP).
Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to
using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is Windows Defender Antivirus
an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such
as endpoint detection and response and automated investigation and remediation, you get better protection that's
coordinated across products and services.
Advantage | Why it matters
4. Details about blocked malware | More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. Understand malware & other threats.
Learn more
Microsoft Defender Advanced Threat Protection
Threat & Vulnerability Management
Better together: Windows Defender Antivirus and
Office 365
3/4/2020 • 2 minutes to read
Applies to:
Windows Defender Antivirus
Office 365
You might already know that:
Windows Defender Antivirus protects your Windows 10 device from software threats, such as
viruses, malware, and spyware . Windows Defender Antivirus is your complete, ongoing protection, built
into Windows 10 and ready to go. Windows Defender Antivirus is your next-generation protection.
Office 365 includes antiphishing, antispam, and antimalware protection . With your Office 365
subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and
advanced security across all your devices. This is true for home and business users. And if you're a business
user, and your organization is using Office 365 E5, you get even more protection through Office 365
Advanced Threat Protection. Protect against threats with Office 365.
OneDrive, included in Office 365, enables you to store your files and folders online, and share
them as you see fit . You can work together with people (for work or fun), and coauthor files that are
stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet).
Manage sharing in OneDrive.
But did you know there are good security reasons to use Windows Defender Antivirus together with
Office 365 ? Here are two:
1. You get ransomware protection and recovery.
2. Integration means better protection.
Read the following sections to learn more.
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac.
CAUTION
Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to
lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an
absolute requirement in your environment, you can still safely take advantage of MDATP for Mac EDR
functionality after configuring MDATP for Mac antivirus functionality to run in Passive mode.
TIP
If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your
device and navigating to Help > Send feedback .
To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac
machines), configure your macOS machine running Microsoft Defender ATP to be an "Insider" machine. See
Enable Microsoft Defender ATP Insider Machine.
Service location | DNS record
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
Proxy auto-config (PAC)
Web Proxy Auto-discovery Protocol (WPAD)
Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted to the
previously listed URLs.
WARNING
Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used.
SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL
inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Mac to the relevant URLs
without interception. Adding your interception certificate to the global store will not allow for interception.
OK https://cdn.x.cp.wd.microsoft.com/ping
CAUTION
We recommend that you keep System Integrity Protection (SIP) enabled on client machines. SIP is a built-in
macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in
Terminal:
$ mdatp --connectivity-test
Resources
For more information about logging, uninstalling, or other topics, see the Resources page.
Privacy for Microsoft Defender ATP for Mac
What's new in Microsoft Defender Advanced Threat
Protection for Mac
4/2/2020 • 2 minutes to read
NOTE
In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system
extensions instead of kernel extensions.
In the meantime, starting with macOS Catalina update 10.15.4, Apple introduced a user-facing Legacy System Extension
warning that flags applications that rely on kernel extensions.
If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be
presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be
presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel
extension. Refer to the instructions in the JAMF-based deployment and Microsoft Intune-based deployment topics.
100.90.27
You can now set an update channel for Microsoft Defender ATP for Mac that is different from the system-wide
update channel
New product icon
Other user experience improvements
Bug fixes
100.86.92
Improvements around compatibility with Time Machine
Addressed an issue where the product was sometimes not cleaning all files under
/Library/Application Support/Microsoft/Defender during uninstallation
Reduced the CPU utilization of the product when Microsoft products are updated through Microsoft
AutoUpdate
Other performance improvements & bug fixes
100.86.91
CAUTION
To ensure the most complete protection for your macOS devices and in alignment with Apple stopping delivery of
macOS native security updates to OS versions older than [current – 2], MDATP for Mac deployment and updates
will no longer be supported on macOS Sierra [10.12]. MDATP for Mac updates and enhancements will be delivered
to devices running versions Catalina [10.15], Mojave [10.14], and High Sierra [10.13].
If you already have MDATP for Mac deployed to your Sierra [10.12] devices, please upgrade to the latest macOS
version to eliminate risks of losing protection.
Performance improvements & bug fixes
100.83.73
Added more controls for IT administrators around management of exclusions, management of threat type
settings, and disallowed threat actions
When Full Disk Access is not enabled on the device, a warning is now displayed in the status menu
Performance improvements & bug fixes
100.82.60
Addressed an issue where the product fails to start following a definition update.
100.80.42
Bug fixes
100.79.42
Fixed an issue where Microsoft Defender ATP for Mac was sometimes interfering with Time Machine
Added a new switch to the command-line utility for testing the connectivity with the backend service
$ mdatp --connectivity-test
Added ability to view the full threat history in the user interface (can be accessed from the Protection history
view)
Performance improvements & bug fixes
100.72.15
Bug fixes
100.70.99
Addressed an issue that impacts the ability of some users to upgrade to macOS Catalina when real-time
protection is enabled. This sporadic issue was caused by Microsoft Defender ATP locking files within Catalina
upgrade package while scanning them for threats, which led to failures in the upgrade sequence.
100.68.99
Added the ability to configure the antivirus functionality to run in passive mode
Performance improvements & bug fixes
100.65.28
Added support for macOS Catalina
CAUTION
macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by
default, applications are not able to access certain locations on disk (such as Documents, Downloads,
Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to
fully protect your device.
The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP:
For manual deployments, see the updated instructions in the Manual deployment topic.
For managed deployments, see the updated instructions in the JAMF-based deployment and Microsoft
Intune-based deployment topics.
Performance improvements & bug fixes
Intune-based deployment for Microsoft Defender
ATP for Mac
2/7/2020 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment
requires the completion of all of the following steps:
Download installation and onboarding packages
Client device setup
Create System Configuration profiles
Publish application
$ ls -l
total 721688
-rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist
$ chmod +x IntuneAppUtil
Select Open System Preferences, locate Management Profile in the list, and select Approve.... Your
Management Profile is then displayed as Verified:
5. Select Manage > Assignments. In the Include tab, select Assign to All Users & All devices.
6. Repeat steps 1 through 5 for more profiles.
7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
8. Create a tcc.xml file with the content below. Create another profile, give it any name, and upload this file to it.
Caution
macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by
default, applications are not able to access certain locations on disk (such as Documents, Downloads,
Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to
fully protect your device.
The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously
configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this
configuration profile.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadDescription</key>
<string>Allows Microsoft Defender to access all files on Catalina+</string>
<key>PayloadDisplayName</key>
<string>TCC - Microsoft Defender</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav.tcc</string>
<key>PayloadOrganization</key>
<string>Microsoft Corp.</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>system</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>C234DF2E-DFF6-11E9-B279-001C4299FB44</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Allows Microsoft Defender to access all files on Catalina+</string>
<key>PayloadDisplayName</key>
<string>TCC - Microsoft Defender</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
<key>PayloadOrganization</key>
<string>Microsoft Corp.</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.microsoft.wdav" and anchor apple generic and certificate
1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /*
exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
<key>Comment</key>
<string>Allow SystemPolicyAllFiles control for Microsoft Defender ATP</string>
<key>Identifier</key>
<string>com.microsoft.wdav</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
</dict>
</dict>
</array>
</dict>
</plist>
9. To allow Defender and AutoUpdate to display notifications in the UI on macOS 10.15 (Catalina), import
the following .mobileconfig as a custom payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>AlertType</key>
<integer>2</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.autoupdate2</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
<dict>
<key>AlertType</key>
<integer>2</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.wdavtray</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string/>
<key>PayloadDisplayName</key>
<string>notifications</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string/>
<key>PayloadDisplayName</key>
<string>mdatp - allow notifications</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
10. Select Manage > Assignments. In the Include tab, select Assign to All Users & All devices.
Once the Intune changes are propagated to the enrolled devices, you can see them listed under Monitor >
Device status:
Publish application
1. In Intune, open the Manage > Client apps blade. Select Apps > Add.
2. Select App type=Other/Line-of-business app.
3. Select file=wdav.pkg.intunemac. Select OK to upload.
4. Select Configure and add the required information.
5. Use macOS High Sierra 10.13 as the minimum OS.
6. Set Ignore app version to Yes. Other settings can be any arbitrary value.
Caution
Setting Ignore app version to No impacts the ability of the application to receive updates through Microsoft
AutoUpdate. If the version uploaded by Intune is lower than the version on the device, then the lower
version will be installed, effectively downgrading Defender. This could result in a non-functioning
application. See Deploy updates for Microsoft Defender ATP for Mac for additional information about how
the product is updated. If you deployed Defender with Ignore app version set to No, please change it to Yes.
If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy.
7. Select OK and Add.
8. It may take a few moments to upload the package. After it's done, select the package from the list and go to
Assignments and Add group.
in Intune:
3. You should also see the Microsoft Defender icon in the top-right corner:
Troubleshooting
Issue: No license found
Solution: Follow the steps above to create a device profile using WindowsDefenderATPOnboarding.xml
Uninstallation
See Uninstalling for details on how to remove Microsoft Defender ATP for Mac from client devices.
JAMF-based deployment for Microsoft Defender ATP for Mac
4/6/2020 • 6 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment
requires the completion of all of the following steps:
Download installation and onboarding packages
Create JAMF policies
Client device setup
Deployment
Check onboarding status
NOTE
Jamf falls under Mobile Device Management.
4. In Section 2 of the page, select Download installation package. Save it as wdav.pkg to a local directory.
5. In Section 2 of the page, select Download onboarding package. Save it as
WindowsDefenderATPOnboardingPackage.zip to the same directory.
6. From the command prompt, verify that you have the two files. Extract the contents of the .zip file like so:
$ ls -l
total 721160
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist
macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default,
applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without
explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
If you previously configured Microsoft Defender ATP through JAMF, we recommend applying the following
configuration.
Add the following JAMF policy to grant Full Disk Access to Microsoft Defender ATP.
1. Select Options > Privacy Preferences Policy Control.
2. Use any identifier and identifier type = Bundle.
3. Set Code Requirement to:
identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
4. Set app or service to SystemPolicyAllFiles and access to Allow.
Package
1. Create a package in Settings > Computer Management > Packages.
NOTE
After a computer is enrolled, it will show up in the Computers inventory (All Computers).
Open Device Profiles, from the General tab, and make sure that User Approved MDM is set to Yes. If
it's currently set to No, the user needs to open System Preferences > Profiles and select Approve on
the MDM Profile.
After a moment, the device's User Approved MDM status will change to Yes.
You may now enroll additional devices. You may also enroll them later, after you have finished provisioning
system configuration and application packages.
Deployment
Enrolled client devices periodically poll the JAMF Server, and install new configuration profiles and policies as soon
as they are detected.
Status on the server
You can monitor deployment status in the Logs tab:
Pending means that the deployment is scheduled but has not yet happened
Completed means that the deployment succeeded and is no longer scheduled
Once the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right
corner.
You can monitor policy installation on a device by following the JAMF log file:
$ tail -f /var/log/jamf.log
Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for
user "testuser"...
Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender...
Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender.
Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches...
Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found.
$ mdatp --health
...
licensed : true
orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
...
The above command prints "1" if the product is onboarded and functioning as expected.
If the product is not healthy, the exit code (which can be checked through echo $? ) indicates the problem:
0 if the device is not yet onboarded
3 if the connection to the daemon cannot be established—for example, if the daemon is not running
Uninstallation
This method is based on the script described in Uninstalling.
Script
Create a script in Settings > Computer Management > Scripts .
This script removes Microsoft Defender ATP from the /Applications directory:
#!/bin/bash
echo "Done!"
Policy
Your policy should contain a single script:
Configure the appropriate scope in the Scope tab to specify the machines that will receive this policy.
Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender ATP for Mac
11/6/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
Approach
Caution
Currently, Microsoft officially supports only Intune and JAMF for the deployment and management of Microsoft
Defender ATP for Mac. Microsoft makes no warranties, express or implied, with respect to the information provided
below.
If your organization uses a Mobile Device Management (MDM) solution that is not officially supported, this does
not mean you are unable to deploy or run Microsoft Defender ATP for Mac.
Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM
solution that supports the following features:
Deploy a macOS .pkg to managed machines.
Deploy macOS system configuration profiles to managed machines.
Run an arbitrary admin-configured tool/script on managed machines.
Most modern MDM solutions include these features, although they may call them differently.
You can deploy Defender without the last requirement from the preceding list; however:
You will not be able to collect status in a centralized way
If you decide to uninstall Defender, you will need to log on to the client machine locally as an administrator
Deployment
Most MDM solutions use the same model for managing macOS machines, with similar terminology. Use JAMF-
based deployment as a template.
Package
Configure deployment of a required application package, with the installation package (wdav.pkg) downloaded
from Microsoft Defender Security Center.
In order to deploy the package to your enterprise, use the instructions associated with your MDM solution.
License settings
Set up a system configuration profile. Your MDM solution may call it something like "Custom Settings Profile", as
Microsoft Defender ATP for Mac is not part of macOS.
Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding
package downloaded from Microsoft Defender Security Center. Your system may support an arbitrary property list
in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case. Alternatively,
it may require you to convert the property list to a different format first.
Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp"
for this value. MDM uses it to deploy the settings file to /Library/Managed Preferences/com.microsoft.wdav.atp.plist
on a client machine, and Defender uses this file for loading the onboarding information.
Kernel extension policy
Set up a KEXT or kernel extension policy. Use team identifier UBF8T346G9 to whitelist kernel extensions provided
by Microsoft.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires
the completion of all of the following steps:
Download installation and onboarding packages
Application installation
Client configuration
$ ls -l
total 721152
-rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: WindowsDefenderATPOnboarding.py
Application installation
To complete this process, you must have admin privileges on the machine.
1. Navigate to the downloaded wdav.pkg in Finder and open it.
2. Select Continue , agree with the License terms, and enter the password when prompted.
IMPORTANT
You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or
"Installation is on hold", or both). The driver must be allowed to install.
3. Select Open Security Preferences or Open System Preferences > Security & Privacy. Select Allow:
The installation proceeds.
Caution
If you don't select Allow, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some
features, such as real-time protection, will be disabled. See Troubleshoot kernel extension issues for information on
how to resolve this.
NOTE
macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-time protection will not be
available until the machine is rebooted.
Client configuration
1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft
Defender ATP for Mac.
The client machine is not associated with orgId. Note that the orgId attribute is blank.
3. Verify that the machine is now associated with your organization and reports a valid orgId:
After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
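The onboarding check in the JAMF section (the `mdatp --health` excerpt showing `licensed` and `orgId`) and the orgId verification in the manual client configuration above both come down to reading that command's output. As an added example that is not Microsoft's tooling, the following Python script parses the `key : value` lines `mdatp --health` prints, classifies the device (a blank orgId means it is not onboarded), and emits a one-line JSON record that an MDM able to run an admin-configured script can collect centrally. The sample outputs are constructed, and the report fields, status names and `hostname` argument are this example's own choices.

```python
"""Report Microsoft Defender ATP for Mac onboarding status as a JSON record.

Added example, not Microsoft's tooling. Parses the "key : value" lines that
`mdatp --health` prints (the article's excerpt shows `licensed` and `orgId`)
and classifies the device. The sample outputs below are constructed.
"""
import json
import socket
import subprocess

# Constructed sample: an onboarded device. The orgId is a placeholder, not a real tenant.
SAMPLE_ONBOARDED = """\
...
licensed : true
orgId : "00000000-0000-0000-0000-000000000000"
...
"""

# Constructed sample: onboarding profile missing, so no license and a blank orgId.
SAMPLE_NOT_ONBOARDED = """\
...
licensed : false
orgId : ""
...
"""


def parse_health(output):
    """Turn `key : value` lines into a dict; surrounding quotes on values are removed."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            continue  # skips blank lines and the "..." filler in the excerpt
        fields[key.strip()] = value.strip().strip('"')
    return fields


def classify(fields):
    """Map parsed health fields to one of three status names chosen for this example."""
    if fields.get("licensed") != "true":
        # Matches the "No license found" troubleshooting entry: onboarding profile missing.
        return "not_licensed"
    if not fields.get("orgId"):
        return "not_onboarded"  # licensed, but orgId is still blank
    return "onboarded"


def build_report(output, hostname):
    """Build the JSON-serialisable status record for one device."""
    fields = parse_health(output)
    return {
        "hostname": hostname,
        "licensed": fields.get("licensed") == "true",
        "orgId": fields.get("orgId", ""),
        "status": classify(fields),
    }


def collect(hostname=None):
    """Run the real `mdatp --health` on this device and return its report."""
    proc = subprocess.run(["mdatp", "--health"], capture_output=True, text=True, check=False)
    return build_report(proc.stdout, hostname or socket.gethostname())


if __name__ == "__main__":
    try:
        print(json.dumps(collect()))
    except FileNotFoundError:
        # mdatp is not on PATH: the package has not been installed on this device.
        print(json.dumps({"hostname": socket.gethostname(), "status": "mdatp_not_installed"}))
```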
macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default,
applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without
explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
To grant consent, open System Preferences -> Security & Privacy -> Privacy -> Full Disk Access. Click the lock icon
to make changes (bottom of the dialog box). Select Microsoft Defender ATP.
Uninstallation
See Uninstalling for details on how to remove Microsoft Defender ATP for Mac from client devices.
Deploy updates for Microsoft Defender ATP for Mac
3/24/2020 • 3 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features.
To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default,
MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually.
If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually
check for software updates. You can deploy preferences to configure how and when MAU checks for updates for
the Macs in your organization.
Use msupdate
MAU includes a command-line tool, called msupdate, that is designed for IT administrators so that they have more
precise control over when updates are applied. Instructions for how to use this tool can be found in Update Office
for Mac by using msupdate.
In MAU, the application identifier for Microsoft Defender ATP for Mac is WDAV00. To download and install the
latest updates for Microsoft Defender ATP for Mac, execute the following command from a Terminal window:
./msupdate --install --apps wdav00
TIP
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your
enterprise to InsiderFast or External.
Domain com.microsoft.autoupdate2
Key ChannelName
WARNING
This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel
only for Microsoft Defender ATP for Mac, execute the following command after replacing [channel-name] with the desired
channel:
Domain com.microsoft.autoupdate2
Key UpdateCheckFrequency
Domain com.microsoft.autoupdate2
Key HowToCheck
Domain com.microsoft.autoupdate2
Key EnableCheckForUpdatesButton
Domain com.microsoft.autoupdate2
Key DisableInsiderCheckbox
Key SendAllTelemetryEnabled
Intune
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>B762FF60-6ACB-4A72-9E72-459D00C936F3</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.autoupdate2</string>
<key>PayloadDisplayName</key>
<string>Microsoft AutoUpdate settings</string>
<key>PayloadDescription</key>
<string>Microsoft AutoUpdate configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>5A6F350A-CC2C-440B-A074-68E3F34EBAE9</string>
<key>PayloadType</key>
<string>com.microsoft.autoupdate2</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.autoupdate2</string>
<key>PayloadDisplayName</key>
<string>Microsoft AutoUpdate configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>ChannelName</key>
<string>InsiderFast</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>EnableCheckForUpdatesButton</key>
<true/>
<key>DisableInsiderCheckbox</key>
<false/>
<key>SendAllTelemetryEnabled</key>
<true/>
</dict>
</array>
</dict>
</plist>
To configure MAU, you can deploy this configuration profile from the management tool that your enterprise is
using:
From JAMF, upload this configuration profile and set the Preference Domain to com.microsoft.autoupdate2.
From Intune, upload this configuration profile and set the custom configuration profile name to
com.microsoft.autoupdate2.
Resources
msupdate reference
Configure and validate exclusions for Microsoft Defender ATP for Mac
4/3/2020 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
This article provides information on how to define exclusions that apply to on-demand scans, and real-time
protection and monitoring.
IMPORTANT
The exclusions described in this article don't apply to other Microsoft Defender ATP for Mac capabilities, including endpoint
detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts
and other detections.
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Mac
scans.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your
organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Mac.
WARNING
Defining exclusions lowers the protection offered by Microsoft Defender ATP for Mac. You should always evaluate the risks
that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
Select the type of exclusion that you wish to add and follow the prompts.
If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware,
and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are
the same as what is described on the EICAR test file website.
If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file
with the following Bash command:
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are
attempting to exclude.
Set preferences for Microsoft Defender ATP for Mac
4/8/2020 • 10 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
IMPORTANT
This article contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise organizations.
To configure Microsoft Defender ATP for Mac using the command-line interface, see Resources.
Summary
In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that
is deployed by using one of several management tools. Preferences that are managed by your security operations
team take precedence over preferences that are set locally on the device. Users in your organization are not able to
change preferences that are set through the configuration profile.
This article describes the structure of the configuration profile, includes a recommended profile that you can use
to get started, and provides instructions on how to deploy the profile.
The layout of the configuration profile depends on the management console that you are using. The following
sections contain examples of configuration profiles for JAMF and Intune.
The top level of the configuration profile includes product-wide preferences and entries for subareas of Microsoft
Defender ATP, which are explained in more detail in the next sections.
Antivirus engine preferences
The antivirusEngine section of the configuration profile is used to manage the preferences of the antivirus
component of Microsoft Defender ATP.
Domain com.microsoft.wdav
Key antivirusEngine
Key enableRealTimeProtection
Domain com.microsoft.wdav
Key passiveMode
Domain com.microsoft.wdav
Key exclusionsMergePolicy
Scan exclusions
Specify entities excluded from being scanned. Exclusions can be specified by full paths, extensions, or file names.
Domain com.microsoft.wdav
Key exclusions
Type of exclusion
Domain com.microsoft.wdav
Key $type
Domain com.microsoft.wdav
Key path
Path type (file / directory)
Domain com.microsoft.wdav
Key isDirectory
File extension excluded from the scan
Specify content excluded from being scanned by file extension.
Domain com.microsoft.wdav
Key extension
Process excluded from the scan
Specify a process for which all file activity is excluded from scanning. The process can be specified either by its
name (e.g. cat) or full path (e.g. /bin/cat).
Domain com.microsoft.wdav
Key name
Allowed threats
Specify threats by name that are not blocked by Microsoft Defender ATP for Mac. These threats will be allowed to
run.
Domain com.microsoft.wdav
Key allowedThreats
Domain com.microsoft.wdav
Key disallowedThreatActions
Domain com.microsoft.wdav
Key threatTypeSettings
Threat type
Domain com.microsoft.wdav
Key key
Action to take
Specify what action to take when a threat of the type specified in the preceding section is detected. Choose from
the following options:
Audit: your device is not protected against this type of threat, but an entry about the threat is logged.
Block: your device is protected against this type of threat and you are notified in the user interface and the
security console.
Off: your device is not protected against this type of threat and nothing is logged.
Domain com.microsoft.wdav
Key value
Domain com.microsoft.wdav
Key threatTypeSettingsMergePolicy
Domain com.microsoft.wdav
Key cloudService
Domain com.microsoft.wdav
Key enabled
Domain com.microsoft.wdav
Key diagnosticLevel
Domain com.microsoft.wdav
Key automaticSampleSubmission
Domain com.microsoft.wdav
Key userInterface
Domain com.microsoft.wdav
Key hideStatusMenuIcon
Key edr
Device tags
Specify a tag name and its value.
The GROUP tag tags the machine with the specified value. The tag is reflected in the portal on the machine
page and can be used for filtering and grouping machines.
Domain com.microsoft.wdav
Key tags
Type of tag
Domain com.microsoft.wdav
Key key
Value of tag
Domain com.microsoft.wdav
Key value
Intune profile
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>antivirusEngine</key>
<dict>
<key>enableRealTimeProtection</key>
<true/>
<key>passiveMode</key>
<false/>
<key>exclusions</key>
<array>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<false/>
<key>path</key>
<string>/var/log/system.log</string>
</dict>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<true/>
<key>path</key>
<string>/home</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileExtension</string>
<key>extension</key>
<string>pdf</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileName</string>
<key>name</key>
<string>cat</string>
</dict>
</array>
<key>exclusionsMergePolicy</key>
<string>merge</string>
<key>allowedThreats</key>
<array>
<string>EICAR-Test-File (not a virus)</string>
</array>
<key>disallowedThreatActions</key>
<array>
<string>allow</string>
<string>restore</string>
</array>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
<key>threatTypeSettingsMergePolicy</key>
<string>merge</string>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>diagnosticLevel</key>
<string>optional</string>
<key>automaticSampleSubmission</key>
<true/>
</dict>
<key>edr</key>
<dict>
<key>tags</key>
<array>
<dict>
<key>key</key>
<string>GROUP</string>
<key>value</key>
<string>ExampleTag</string>
</dict>
</array>
</dict>
<key>userInterface</key>
<dict>
<key>hideStatusMenuIcon</key>
<false/>
</dict>
</dict>
</array>
If the file is well-formed, the above command outputs OK and returns an exit code of 0. Otherwise, an error that
describes the issue is displayed and the command returns an exit code of 1.
You must enter the correct preference domain (com.microsoft.wdav); otherwise, the preferences will not be
recognized by Microsoft Defender ATP.
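Beyond checking that the plist is well-formed, a deployment pipeline can check that the profile actually matches the structure this article describes before it is uploaded. The following Python validator is an added example (not Microsoft's tooling): it uses the standard-library plistlib to confirm that a PayloadContent entry carries the com.microsoft.wdav preference domain, that each antivirusEngine exclusion has the keys its $type requires, and that every threatTypeSettings value is audit, block or off. The sample profile it builds is constructed to mirror the Intune example above, with a placeholder PayloadIdentifier, and its arguments let you inject faults to see the checks fire.

```python
"""Validate a Microsoft Defender ATP for Mac preferences profile (domain com.microsoft.wdav).

Added example, not Microsoft's own tooling. It checks the structure this
article describes: the PayloadType preference domain, antivirusEngine
exclusions ($type with path/isDirectory, extension, or name), and
threatTypeSettings whose value must be audit, block, or off. The sample
profile below is constructed and its PayloadIdentifier is a placeholder.
"""
import plistlib
from xml.parsers.expat import ExpatError

PREFERENCE_DOMAIN = "com.microsoft.wdav"
THREAT_ACTIONS = {"audit", "block", "off"}
# Required keys, with their expected types, for each exclusion $type the article lists.
EXCLUSION_SCHEMA = {
    "excludedPath": {"path": str, "isDirectory": bool},
    "excludedFileExtension": {"extension": str},
    "excludedFileName": {"name": str},
}


def find_settings_payload(root):
    """Return the PayloadContent entry whose PayloadType is the Defender domain, or None."""
    for payload in root.get("PayloadContent", []):
        if isinstance(payload, dict) and payload.get("PayloadType") == PREFERENCE_DOMAIN:
            return payload
    return None


def check_exclusion(index, entry, problems):
    """Append a problem for every schema violation in one exclusions[] entry."""
    kind = entry.get("$type")
    schema = EXCLUSION_SCHEMA.get(kind)
    if schema is None:
        problems.append(f"exclusions[{index}]: unknown $type {kind!r}")
        return
    for key, expected in schema.items():
        if key not in entry:
            problems.append(f"exclusions[{index}] ({kind}): missing key {key!r}")
        elif not isinstance(entry[key], expected):
            problems.append(f"exclusions[{index}] ({kind}): {key!r} must be {expected.__name__}")
    # The article says path exclusions are full paths, so reject relative ones.
    if kind == "excludedPath" and not str(entry.get("path", "/")).startswith("/"):
        problems.append(f"exclusions[{index}]: path must be absolute")


def check_threat_setting(index, entry, problems):
    """threatTypeSettings[] entries need a threat type 'key' and an audit/block/off 'value'."""
    if not isinstance(entry.get("key"), str):
        problems.append(f"threatTypeSettings[{index}]: missing threat type 'key'")
    value = entry.get("value")
    if not isinstance(value, str) or value.lower() not in THREAT_ACTIONS:
        problems.append(f"threatTypeSettings[{index}]: value must be one of {sorted(THREAT_ACTIONS)}")


def validate_profile(plist_bytes):
    """Return the list of problems found; an empty list means the profile passed."""
    try:
        root = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        return [f"not a well-formed plist: {exc}"]
    if not isinstance(root, dict):
        return ["top-level plist object must be a dict"]
    payload = find_settings_payload(root)
    if payload is None:
        return [f"no PayloadContent entry with PayloadType {PREFERENCE_DOMAIN!r}"]
    problems = []
    engine = payload.get("antivirusEngine", {})
    for index, entry in enumerate(engine.get("exclusions", [])):
        check_exclusion(index, entry, problems)
    for index, entry in enumerate(engine.get("threatTypeSettings", [])):
        check_threat_setting(index, entry, problems)
    return problems


def sample_profile(domain=PREFERENCE_DOMAIN, pua_action="block", extension="pdf"):
    """Constructed profile mirroring the article's Intune example; the arguments inject faults."""
    settings = {
        "PayloadType": domain,
        "PayloadIdentifier": "PLACEHOLDER-UUID",  # placeholder, not a real identifier
        "antivirusEngine": {
            "enableRealTimeProtection": True,
            "passiveMode": False,
            "exclusions": [
                {"$type": "excludedPath", "isDirectory": False, "path": "/var/log/system.log"},
                {"$type": "excludedFileExtension", "extension": extension},
                {"$type": "excludedFileName", "name": "cat"},
            ],
            "exclusionsMergePolicy": "merge",
            "threatTypeSettings": [
                {"key": "potentially_unwanted_application", "value": pua_action},
                {"key": "archive_bomb", "value": "audit"},
            ],
            "threatTypeSettingsMergePolicy": "merge",
        },
    }
    root = {"PayloadType": "Configuration", "PayloadScope": "System", "PayloadContent": [settings]}
    return plistlib.dumps(root)


if __name__ == "__main__":
    for label, blob in (("as shipped", sample_profile()),
                        ("wrong domain", sample_profile(domain="com.microsoft.wdav.atp")),
                        ("bad PUA action", sample_profile(pua_action="quarantine"))):
        print(label, "->", validate_profile(blob) or "OK")
```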
Intune deployment
1. Open Manage > Device configuration. Select Manage > Profiles > Create Profile.
2. Choose a name for the profile. Change Platform=macOS to Profile type=Custom. Select Configure.
3. Save the .plist produced earlier as com.microsoft.wdav.xml.
4. Enter com.microsoft.wdav as the custom configuration profile name.
5. Open the configuration profile and upload the com.microsoft.wdav.xml file. (This file was created in step 3.)
6. Select OK.
7. Select Manage > Assignments. In the Include tab, select Assign to All Users & All devices.
Caution
You must enter the correct custom configuration profile name; otherwise, these preferences will not be recognized
by Microsoft Defender ATP.
Resources
Configuration Profile Reference (Apple developer documentation)
Detect and block potentially unwanted applications with Microsoft Defender ATP for Mac
11/6/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Mac can detect and
block PUA files on endpoints in your network.
These applications are not considered viruses, malware, or other types of threats, but might perform actions on
endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to
have poor reputation.
These applications can increase the risk of your network being infected with malware, cause malware infections to
be harder to identify, and can waste IT resources in cleaning up the applications.
How it works
Microsoft Defender ATP for Mac can detect and report PUA files. When configured in blocking mode, PUA files are
moved to the quarantine.
When a PUA is detected on an endpoint, Microsoft Defender ATP for Mac presents a notification to the user, unless
notifications have been disabled. The threat name will contain the word "Application".
WARNING
By default, PUA protection is configured in Audit mode.
You can configure how PUA files are handled from the command line or from the management console.
Use the command-line tool to configure PUA protection:
In Terminal, execute the following command to configure PUA protection:
Related topics
Set preferences for Microsoft Defender ATP for Mac
Troubleshoot installation issues for Microsoft Defender ATP for Mac
3/13/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
Installation failed
For a manual installation, the Summary page of the installation wizard says "An error occurred during installation. The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance". For MDM deployments it is exposed as a generic installation failure as well.
While the exact error is not exposed to the end user, a log file with the installation progress is kept in /Library/Logs/Microsoft/mdatp/install.log. Each installation session appends to this log file; you can use sed to output the last installation session only:
In the example above, the actual reason is prefixed with [ERROR]. The installation failed because a downgrade between these versions is not supported.
log show --start '2020-03-11 13:00:00' --end '2020-03-11 13:08:50' --info --debug --source --predicate 'processImagePath CONTAINS[C] "install"' --style syslog
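As an added example (not from the original article), the following shell functions isolate the last installation session in install.log and pull out its [ERROR] lines, which is the check the text describes. It assumes that every session begins with a line containing a fixed marker (SESSION_MARKER, an assumption; set it to the first line you actually see at the start of a session in your log), uses awk instead of sed so it behaves the same on macOS and Linux, and works on a constructed sample log.

```shell
#!/bin/sh
# Added example: isolate the last installation session in
# /Library/Logs/Microsoft/mdatp/install.log and report its [ERROR] lines.
# ASSUMPTION: every session begins with a line containing SESSION_MARKER;
# change it to whatever your log shows at the start of a session.
SESSION_MARKER='Starting installation'

# last_install_session LOGFILE: print only the last session, i.e. the lines
# from the final marker line to the end of the file. Sessions are appended,
# so the buffer is reset every time a marker line is seen.
last_install_session() {
  awk -v m="$SESSION_MARKER" '
    index($0, m) { buf = "" }     # new session: discard earlier lines
    { buf = buf $0 "\n" }         # accumulate the current session
    END { printf "%s", buf }
  ' "$1"
}

# last_install_errors LOGFILE: print the [ERROR] lines of the last session
# (nothing when the last session succeeded).
last_install_errors() {
  last_install_session "$1" | grep -F '[ERROR]' || true
}

# Constructed sample log: a successful session followed by a failed one.
# Timestamps and messages are made up for the example.
SAMPLE_LOG="${TMPDIR:-/tmp}/install_log_sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
2020-03-11 12:50:01 [INFO] Starting installation
2020-03-11 12:50:02 [INFO] Installing package
2020-03-11 12:50:09 [INFO] Installation completed
2020-03-11 13:00:01 [INFO] Starting installation
2020-03-11 13:00:02 [INFO] Checking installed version
2020-03-11 13:00:02 [ERROR] Downgrade not supported (constructed sample message)
2020-03-11 13:00:03 [INFO] Installation failed
EOF

# On a real device, pass /Library/Logs/Microsoft/mdatp/install.log instead.
last_install_session "$SAMPLE_LOG"
last_install_errors "$SAMPLE_LOG"
```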
Troubleshoot performance issues for Microsoft Defender ATP for Mac
11/6/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
This topic provides some general steps that can be used to narrow down performance issues related to Microsoft
Defender ATP for Mac.
Real-time protection (RTP) is a feature of Microsoft Defender ATP for Mac that continuously monitors and protects
your device against threats. It consists of file and process monitoring and other heuristics.
Depending on the applications that you are running and your device characteristics, you may experience
suboptimal performance when running Microsoft Defender ATP for Mac. In particular, applications or system
processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender
ATP for Mac.
The following steps can be used to troubleshoot and mitigate these issues:
1. Disable real-time protection using one of the following methods and observe whether the performance
improves. This approach helps narrow down whether Microsoft Defender ATP for Mac is contributing to the
performance issues.
If your device is not managed by your organization, real-time protection can be disabled using one of the
following options:
From the user interface. Open Microsoft Defender ATP for Mac and navigate to Manage settings.
From the Terminal. For security purposes, this operation requires elevation.
If your device is managed by your organization, real-time protection can be disabled by your administrator
using the instructions in Set preferences for Microsoft Defender ATP for Mac.
2. Open Finder and navigate to Applications > Utilities. Open Activity Monitor and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
3. Configure Microsoft Defender ATP for Mac with exclusions for the processes or disk locations that contribute
to the performance issues and re-enable real-time protection.
See Configure and validate exclusions for Microsoft Defender ATP for Mac for details.
Troubleshoot kernel extension issues in Microsoft Defender ATP for Mac
11/6/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
This topic provides information on how to troubleshoot issues with the kernel extension that is installed as part of
Microsoft Defender ATP for Mac.
Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before
they are allowed to run on the device.
If you did not approve the kernel extension during the deployment / installation of Microsoft Defender ATP for Mac,
then the application displays a banner prompting you to enable it:
You can also run mdatp --health. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device.
$ mdatp --health
...
realTimeProtectionAvailable : false
realTimeProtectionEnabled : true
...
The following sections provide guidance on how to address this issue, depending on the method that you used to
deploy Microsoft Defender ATP for Mac.
Managed deployment
See the instructions corresponding to the management tool that you used to deploy the product:
JAMF-based deployment
Microsoft Intune-based deployment
Manual deployment
If less than 30 minutes have passed since the product was installed, navigate to System Preferences > Security & Privacy, where you have to Allow system software from developers "Microsoft Corporation".
If you don't see this prompt, it means that 30 or more minutes have passed and the kernel extension has still not been approved to run on your device:
In this case, you need to perform the following steps to trigger the approval flow again.
1. In Terminal, attempt to install the driver. The following operation will fail because the kernel extension was not approved to run on the device; however, it will trigger the approval flow again.
$ sudo kextutil /Library/Extensions/wdavkext.kext
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL =
"file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL =
"file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Diagnostics for /Library/Extensions/wdavkext.kext:
2. Open System Preferences > Security & Privacy from the menu. (Close it first, if it's opened.)
3. Allow system software from developers "Microsoft Corporation"
4. In Terminal, install the driver again. This time the operation will succeed:
The banner should disappear from the Defender application, and mdatp --health should now report that real-time
protection is both enabled and available:
$ mdatp --health
...
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
...
Troubleshoot license issues for Microsoft Defender ATP for Mac
3/13/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
While you are going through manual deployment testing of Microsoft Defender ATP for Mac or a Proof of Concept (PoC), you might get the following error:
Message:
No license found
Looks like your organization does not have a license for Microsoft 365 Enterprise subscription.
Contact your administrator for help.
Cause:
You deployed and/or installed the MDATP for macOS package ("Download installation package") but you might not have run the configuration script ("Download onboarding package").
Solution:
Follow the WindowsDefenderATPOnboarding.py instructions documented here: Client configuration
Privacy for Microsoft Defender ATP for Mac
11/6/2019 • 8 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
Microsoft is committed to providing you with the information and controls you need to make choices about how
your data is collected and used when you’re using Microsoft Defender ATP for Mac.
This topic describes the privacy controls available within the product, how to manage these controls with policy
settings and more details on the data events that are collected.
org_id: Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted.
release_ring: Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized.
edr.early_preview: Whether the machine should run EDR early preview features.
features.[optional feature name]: List of preview features, along with whether they are enabled or not.
Support data
Diagnostic logs
Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The
following files are collected as part of the support logs:
All files under /Library/Logs/Microsoft/mdatp/
Subset of files under /Library/Application Support/Microsoft/Defender/ that are created and used by Microsoft
Defender ATP for Mac
Subset of files under /Library/Managed Preferences that are used by Microsoft Defender ATP for Mac
/Library/Logs/Microsoft/autoupdate.log
$HOME/Library/Preferences/com.microsoft.autoupdate2.plist
Optional diagnostic data
Optional diagnostic data is additional data that helps Microsoft make product improvements and provides
enhanced information to help detect, diagnose, and fix issues.
If you choose to send us optional diagnostic data, required diagnostic data is also included.
Examples of optional diagnostic data include data Microsoft collects about product configuration (for example
number of exclusions set on the device) and product performance (aggregate measures about the performance of
components of the product).
Software setup and inventory data events
Microsoft Defender ATP configuration
The following fields are collected:
antivirus_engine.threat_restoration_exclusion_time Time out before a file restored from the quarantine can be
detected again.
pkt_ack_conn_timeout
ipc.ack_pkts
ipc.nack_pkts
ipc.send.ack_no_conn
ipc.send.nack_no_conn
ipc.send.ack_no_qsq
ipc.send.nack_no_qsq
ipc.ack.no_space
ipc.ack.timeout
ipc.ack.ackd_fast
ipc.ack.ackd
ipc.recv.bad_pkt_len
ipc.recv.bad_reply_len
ipc.recv.no_waiter
ipc.recv.copy_failed
ipc.kauth.vnode.mask
ipc.kauth.vnode.read
ipc.kauth.vnode.write
ipc.kauth.vnode.exec
ipc.kauth.vnode.del
ipc.kauth.vnode.read_attr
ipc.kauth.vnode.write_attr
ipc.kauth.vnode.read_ex_attr
ipc.kauth.vnode.write_ex_attr
ipc.kauth.vnode.read_sec
ipc.kauth.vnode.write_sec
ipc.kauth.vnode.take_own
ipc.kauth.vnode.denied
ipc.kauth.file_op.mask
ipc.kauth_file_op.open
ipc.kauth.file_op.close
ipc.kauth.file_op.close_modified
ipc.kauth.file_op.move
ipc.kauth.file_op.link
ipc.kauth.file_op.exec
ipc.kauth.file_op.remove
ipc.kauth.file_op.fork
ipc.kauth.file_op.create
Resources
Privacy at Microsoft
Resources for Microsoft Defender ATP for Mac
3/4/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
Uninstalling
There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed
uninstall is available on JAMF, it is not yet available for Microsoft Intune.
Interactive uninstallation
Open Finder > Applications . Right click on Microsoft Defender ATP > Move to Trash .
From the command line
sudo rm -rf '/Applications/Microsoft Defender ATP.app'
sudo rm -rf '/Library/Application Support/Microsoft/Defender/'
Configuration: Turn on audit mode for PUA protection: mdatp --threat --type-handling potentially_unwanted_application audit
EDR: Turn on/off EDR preview for Mac: mdatp --edr --early-preview [true/false] (or mdatp --edr --earlyPreview [true/false] for versions earlier than 100.78.0)
EDR: Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups: mdatp --edr --set-tag GROUP [name]
EDR: Remove group tag from machine: mdatp --edr --remove-tag [name]
IMPORTANT
PUBLIC PREVIEW EDITION
This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and
its general availability.
As with any pre-release solution, remember to exercise caution when determining the target population for your
deployments.
If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Linux
onboarding page immediately. If you have not yet opted into previews, we encourage you to turn on preview features in
the Microsoft Defender Security Center today.
This topic describes how to install, configure, update, and use Microsoft Defender Advanced Threat Protection
(Microsoft Defender ATP) for Linux.
Caution
Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to
cause performance problems and unpredictable system errors.
$ sudo SUSEConnect --status-text
Installation instructions
There are several methods and deployment tools that you can use to install and configure Microsoft Defender
ATP for Linux.
In general you need to take the following steps:
Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the Microsoft
Defender ATP portal.
Deploy Microsoft Defender ATP for Linux using one of the following deployment methods:
The command-line tool:
Manual deployment
Third-party management tools:
Deploy using Puppet configuration management tool
Deploy using Ansible configuration management tool
If you experience any installation failures, refer to Troubleshooting installation failures in Microsoft Defender ATP
for Linux.
System requirements
Supported Linux server distributions and versions:
Red Hat Enterprise Linux 7.2 or higher
CentOS 7.2 or higher
Ubuntu 16.04 LTS or higher LTS
Debian 9 or higher
SUSE Linux Enterprise Server 12 or higher
Oracle Linux 7.2 or higher
Minimum kernel version 2.6.38
The fanotify kernel option must be enabled
Disk space: 650 MB
The solution currently provides real-time protection for the following file system types:
btrfs
ext2
ext3
ext4
tmpfs
xfs
More file system types will be added in the future.
After you've enabled the service, you may need to configure your network or firewall to allow outbound
connections between it and your endpoints.
Network connections
The following table lists the services and their associated URLs that your network must be able to connect to. You
should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there
are, you may need to create an allow rule specifically for them.
SERVICE LOCATION DNS RECORD
NOTE
For a more specific URL list, see Configure proxy and internet connectivity settings
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
Transparent proxy
Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the
previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP.
For static proxy, follow the steps in Manual Static Proxy Configuration.
WARNING
PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being
used.
SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL
inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs
without interception. Adding your interception certificate to the global store will not allow for interception.
For troubleshooting steps, see the Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
page.
Resources
For more information about logging, uninstalling, or other topics, see the Resources page.
What's new in Microsoft Defender Advanced Threat Protection for Linux
4/3/2020 • 2 minutes to read
100.90.70
Antivirus exclusions now support wildcards
Added the ability to troubleshoot performance issues through the mdatp command-line tool
Improvements to make the package installation more robust
Performance improvements & bug fixes
Deploy Microsoft Defender ATP for Linux manually
4/9/2020 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux
This article describes how to deploy Microsoft Defender ATP for Linux manually. A successful deployment requires
the completion of all of the following tasks:
Configure the Linux software repository
Application installation
Download the onboarding package
Client configuration
WARNING
Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel:
uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to
install the package from the new location.
In the following commands, replace [distro] and [version] with the information you've identified:
NOTE
In case of Oracle Linux, replace [distro] with "rhel".
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the insiders-fast
channel:
Download and make usable all the metadata for the currently enabled yum repositories:
yum makecache
In the following commands, replace [distro] and [version] with the information you've identified:
For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the insiders-fast channel:
Note your distribution and version, and identify the closest entry for it under
https://packages.microsoft.com/config .
In the following command, replace [distro] and [version] with the information you've identified:
For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the insiders-fast
channel:
Application installation
RHEL and variants (CentOS and Oracle Linux):
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
ls -l
unzip WindowsDefenderATPOnboardingPackage.zip
Client configuration
1. Copy WindowsDefenderATPOnboarding.py to the target machine.
Initially the client machine is not associated with an organization. Note that the orgId attribute is blank:
2. Run WindowsDefenderATPOnboarding.py, and note that, in order to run this command, you must have
python installed on the device:
python WindowsDefenderATPOnboarding.py
3. Verify that the machine is now associated with your organization and reports a valid organization identifier:
4. A few minutes after you complete the installation, you can see the status by running the following
command. A return value of 1 denotes that the product is functioning as expected:
IMPORTANT
When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your
Internet connection, this can take up to a few minutes. During this time the above command returns a value of 0 .
5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform
the following steps on the newly onboarded machine:
Ensure that real-time protection is enabled (denoted by a result of 1 from running the following
command):
The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command
to list all the detected threats:
Uninstallation
See Uninstall for details on how to remove Microsoft Defender ATP for Linux from client devices.
Deploy Microsoft Defender ATP for Linux with Puppet
4/8/2020 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux
This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment
requires the completion of all of the following tasks:
Download the onboarding package
Create Puppet manifest
Deployment
Check onboarding status
$ ls -l
total 8
-rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json
$ pwd
/etc/puppetlabs/code/environments/production/modules
$ tree install_mdatp
install_mdatp
├── files
│ └── mdatp_onboard.json
└── manifests
└── init.pp
Contents of install_mdatp/manifests/init.pp
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as [channel]): insiders-fast, insiders-slow, or prod. Each of these channels corresponds to a Linux software repository.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in insiders-fast are the first ones to receive updates and new features, followed later by insiders-slow and lastly by prod.
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either insiders-fast or insiders-slow.
WARNING
Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel:
uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to
install the package from the new location.
Note your distribution and version and identify the closest entry for it under
https://packages.microsoft.com/config/ .
In the following commands, replace [distro] and [version] with the information you've identified:
NOTE
In case of RedHat, Oracle EL, and CentOS 8, replace [distro] with 'rhel'.
# Puppet manifest to install Microsoft Defender ATP.
# @param channel The release channel based on your environment, insiders-fast or prod.
# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL, and CentOS 8, the distro variable should be 'rhel'.
# @param version The Linux distribution release number, e.g. 7.4.
class install_mdatp (
  $channel = 'insiders-fast',
  $distro  = undef,
  $version = undef
) {
  case $::osfamily {
    'Debian' : {
      apt::source { 'microsoftpackages' :
        location => "https://packages.microsoft.com/${distro}/${version}/prod",
        release  => $channel,
        repos    => 'main',
        key      => {
          'id'     => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF',
          'server' => 'keyserver.ubuntu.com',
        },
      }
    }
    'RedHat' : {
      yumrepo { 'microsoftpackages' :
        baseurl  => "https://packages.microsoft.com/${distro}/${version}/${channel}",
        descr    => "packages-microsoft-com-prod-${channel}",
        enabled  => 1,
        gpgcheck => 1,
        gpgkey   => 'https://packages.microsoft.com/keys/microsoft.asc'
      }
    }
    default : { fail("${::osfamily} is currently not supported.") }
  }
  case $::osfamily {
    /(Debian|RedHat)/: {
      file { ['/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']:
        ensure => directory,
        owner  => root,
        group  => root,
        mode   => '0755'
      }
      # The onboarding file is shipped in this module's files/ directory (see
      # the tree above), so the source URL must name the module install_mdatp.
      file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json':
        source  => 'puppet:///modules/install_mdatp/mdatp_onboard.json',
        owner   => root,
        group   => root,
        mode    => '0600',
        require => File['/etc/opt/microsoft/mdatp']
      }
      package { 'mdatp':
        ensure  => 'installed',
        require => File['/etc/opt/microsoft/mdatp/mdatp_onboard.json']
      }
    }
    default : { fail("${::osfamily} is currently not supported.") }
  }
}
Deployment
Include the above manifest in your site.pp file:
$ cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node "default" {
include install_mdatp
}
Enrolled agent devices periodically poll the Puppet Server, and install new configuration profiles and policies as
soon as they are detected.
$ mdatp --health
...
licensed : true
orgId : "[your organization identifier]"
...
The above command prints 1 if the product is onboarded and functioning as expected.
IMPORTANT
When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet
connection, this can take up to a few minutes. During this time the above command returns a value of 0 .
If the product is not healthy, the exit code (which can be checked through echo $? ) indicates the problem:
1 if the device is not yet onboarded.
3 if the connection to the daemon cannot be established.
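As an added example (not part of either article), the shell functions below triage mdatp --health output such as the listings on this page: real-time protection enabled but not available is the signature of the unapproved kernel extension described in the macOS troubleshooting section, while licensed not being true or an empty orgId means the device has not been onboarded, the condition the exit codes above report. The three health outputs are constructed samples; the field names are the ones shown on this page.

```shell
#!/bin/sh
# Added example: triage `mdatp --health` output (saved to a file or captured
# with "$(mdatp --health)") using the fields this page documents.

# health_field TEXT NAME: print the value of the line "NAME : value",
# with surrounding quotes stripped; prints nothing when NAME is absent.
health_field() {
  printf '%s\n' "$1" | awk -v k="$2" -F' *: *' '
    $1 == k { gsub(/"/, "", $2); print $2; exit }'
}

# diagnose_health TEXT: print one verdict line.
#   KEXT_NOT_APPROVED  RTP enabled but unavailable (macOS kext not approved)
#   NOT_ONBOARDED      not licensed or orgId empty (onboarding script not run)
#   HEALTHY            licensed, onboarded and real-time protection available
diagnose_health() {
  _avail=$(health_field "$1" realTimeProtectionAvailable)
  _enabled=$(health_field "$1" realTimeProtectionEnabled)
  _licensed=$(health_field "$1" licensed)
  _org=$(health_field "$1" orgId)
  if [ "$_enabled" = true ] && [ "$_avail" = false ]; then
    echo KEXT_NOT_APPROVED
  elif [ "$_licensed" != true ] || [ -z "$_org" ]; then
    echo NOT_ONBOARDED
  else
    echo HEALTHY
  fi
}

# Constructed samples, abbreviated like the page's own listings.
SAMPLE_KEXT='...
realTimeProtectionAvailable : false
realTimeProtectionEnabled : true
licensed : true
orgId : "[your organization identifier]"
...'
SAMPLE_NOT_ONBOARDED='licensed : false
orgId : ""
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true'
SAMPLE_HEALTHY='licensed : true
orgId : "[your organization identifier]"
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true'

# On a real device: diagnose_health "$(mdatp --health)"
for s in "$SAMPLE_KEXT" "$SAMPLE_NOT_ONBOARDED" "$SAMPLE_HEALTHY"; do
  diagnose_health "$s"
done
```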
Uninstallation
Create a module remove_mdatp similar to install_mdatp with the following contents in init.pp file:
class remove_mdatp {
package { 'mdatp':
ensure => 'purged',
}
}
Deploy Microsoft Defender ATP for Linux with Ansible
4/8/2020 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux
This topic describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment
requires the completion of all of the following tasks:
Download the onboarding package
Create Ansible YAML files
Deployment
References
[servers]
host1 ansible_ssh_host=10.171.134.39
host2 ansible_ssh_host=51.143.50.51
Ping test:
$ ls -l
total 8
-rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json
Create the setup.sh script that operates on the onboarding file, in this example located in the /root
directory:
#!/bin/bash
# We assume WindowsDefenderATPOnboardingPackage.zip is stored in /root
cd /root || exit 1
# Unzip the archive and create the onboarding file
mkdir -p /etc/opt/microsoft/mdatp/
unzip WindowsDefenderATPOnboardingPackage.zip
cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json
WARNING
Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel:
uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document
to install the package from the new location.
Note your distribution and version and identify the closest entry for it under
https://packages.microsoft.com/config/ .
In the following commands, replace [distro] and [version] with the information you've identified.
NOTE
In case of Oracle Linux, replace [distro] with “rhel”.
- name: Add Microsoft apt repository for MDATP
  apt_repository:
    repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
    update_cache: yes
    state: present
    filename: microsoft-[channel].list
  when: ansible_os_family == "Debian"
$ cat install_mdatp.yml
- hosts: servers
  tasks:
    - include: ../roles/download_copy_blob.yml
    - include: ../roles/setup_blob.yml
    - include: ../roles/add_apt_repo.yml
    - apt:
        name: mdatp
        state: latest
        update_cache: yes
$ cat uninstall_mdatp.yml
- hosts: servers
  tasks:
    - apt:
        name: mdatp
        state: absent
$ cat install_mdatp_yum.yml
- hosts: servers
  tasks:
    - include: ../roles/download_copy_blob.yml
    - include: ../roles/setup_blob.yml
    - include: ../roles/add_yum_repo.yml
    - yum:
        name: mdatp
        state: latest
        enablerepo: packages-microsoft-com-prod-[channel]
$ cat uninstall_mdatp_yum.yml
- hosts: servers
  tasks:
    - yum:
        name: mdatp
        state: absent
Deployment
Now run the tasks files under /etc/ansible/playbooks/ .
Installation:
IMPORTANT
When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet
connection, this can take up to a few minutes.
Validation/configuration:
Uninstallation:
References
Add or remove YUM repositories
Manage packages with the yum package manager
Add and remove APT repositories
Manage apt-packages
Deploy updates for Microsoft Defender ATP for Linux
3/12/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features.
To update Microsoft Defender ATP for Linux manually, execute one of the following commands:
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux
This article provides information on how to define exclusions that apply to on-demand scans, and real-time
protection and monitoring.
IMPORTANT
The exclusions described in this article don't apply to other Microsoft Defender ATP for Linux capabilities, including endpoint
detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts
and other detections.
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Linux
scans.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your
organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for
Linux.
WARNING
Defining exclusions lowers the protection offered by Microsoft Defender ATP for Linux. You should always evaluate the risks
that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
$ mdatp --exclusion
Examples:
Add an exclusion for a file extension:
If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware,
and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are
the same as what is described on the EICAR test file website.
If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file
with the following Bash command:
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are
attempting to exclude.
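The EICAR file creation referred to above, as an added example that is not from the original article: the test string contains $ and ! characters, so it has to be single-quoted and written with printf '%s' rather than echo or double quotes, or the shell alters it and the file is no longer a valid test file. The second function encodes the check the text describes: if the file still exists with its full 68-byte content, the exclusion is working; if it has been quarantined, it is not. The paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: create the EICAR test file for exclusion validation and
# check whether it survived (exclusion works) or was quarantined (it did not).

# The standard 68-byte EICAR test string. Single quotes stop the shell from
# expanding $EICAR and $H; printf '%s' stops it from interpreting % and \.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# write_eicar PATH: write the test string (no trailing newline) to PATH.
write_eicar() {
  printf '%s' "$EICAR" > "$1"
}

# eicar_file_intact PATH: succeed only if PATH still holds the complete
# test string. Fails when the file is gone or truncated, i.e. the product
# acted on it, which means the exclusion being validated is not in effect.
eicar_file_intact() {
  [ -f "$1" ] || return 1
  [ "$(wc -c < "$1" | tr -d ' ')" -eq 68 ] || return 1
  grep -q -F 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE' "$1"
}

# Usage (placeholder paths): put the file in the folder, or under the name,
# that you excluded, give real-time protection a moment, then check:
#   write_eicar /path/to/excluded/folder/eicar.txt
#   eicar_file_intact /path/to/excluded/folder/eicar.txt && echo "exclusion works"
```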
Configure Microsoft Defender ATP for Linux for static proxy discovery
4/1/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux
Microsoft Defender ATP can discover a proxy server using the HTTPS_PROXY environment variable. This setting
must be configured both at installation time and after the product has been installed.
HTTPS_PROXY="http://proxy.server:port/"
The HTTPS_PROXY variable is defined in the package manager global configuration. For example, in Ubuntu
18.04, you can add the following line to /etc/apt/apt.conf.d/proxy.conf :
Acquire::https::Proxy "http://proxy.server:port/";
Caution
Note that the above two methods could also define the proxy used by other applications on your system. Use them with caution, or only if this is meant to be a generally global configuration.
The HTTPS_PROXY variable is prepended to the installation or uninstallation commands. For example, with
the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP:
NOTE
Do not add sudo between the environment variable definition and apt, otherwise the variable will not be propagated.
HTTPS_PROXY="http://proxy.server:port/"
After modifying the mdatp.service file, save and close it. Restart the service so the changes can be applied. In
Ubuntu, this involves two commands:
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux
IMPORTANT
This topic contains instructions for how to set preferences for Microsoft Defender ATP for Linux in enterprise environments. If
you are interested in configuring the product on a device from the command-line, see Resources.
In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile.
This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take
precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change
preferences that are set through this configuration profile.
This topic describes the structure of this profile (including a recommended profile that you can use to get started)
and instructions on how to deploy the profile.
Key antivirusEngine
Key enableRealTimeProtection
Data type Boolean
Key passiveMode
Key exclusionsMergePolicy
Scan exclusions
Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
Key exclusions
Key $type
Key path
Key isDirectory
Key extension
Key name
Allowed threats
List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.
Key allowedThreats
Key disallowedThreatActions
Key threatTypeSettings
Threat type
Type of threat for which the behavior is configured.
Key key
Action to take
Action to take when coming across a threat of the type specified in the preceding section. Can be:
Audit : The device is not protected against this type of threat, but an entry about the threat is logged.
Block : The device is protected against this type of threat and you are notified in the user interface and the
security console.
Off : The device is not protected against this type of threat and nothing is logged.
Key value
Key threatTypeSettingsMergePolicy
Key cloudService
Key enabled
Key diagnosticLevel
Key automaticSampleSubmission
{
"antivirusEngine":{
"enableRealTimeProtection":true,
"threatTypeSettings":[
{
"key":"potentially_unwanted_application",
"value":"block"
},
{
"key":"archive_bomb",
"value":"audit"
}
]
},
"cloudService":{
"automaticSampleSubmission":true,
"enabled":true
}
}
If the JSON is well-formed, the above command outputs it back to the Terminal and returns an exit code of 0 .
Otherwise, an error that describes the issue is displayed and the command returns an exit code of 1 .
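As an added example (not the page's code), the following bash script writes the recommended profile above, extended with entries for the other keys this topic lists (passiveMode, exclusions, allowedThreats, disallowedThreatActions, the two merge policies and diagnosticLevel), and validates it with python3's bundled json.tool, returning 0 for well-formed JSON and non-zero otherwise, as described above. The profile location /etc/opt/microsoft/mdatp/managed/mdatp_managed.json, the exclusion targets and the function names are this example's assumptions, not stated on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the page): write a managed configuration profile for
# Microsoft Defender ATP for Linux and check that it is well-formed JSON before
# deploying it. The profile path is assumed, not stated on this page.
set -eu

PROFILE_PATH="${PROFILE_PATH:-/etc/opt/microsoft/mdatp/managed/mdatp_managed.json}"

# write_profile PATH
# Writes the page's recommended profile plus illustrative exclusions. The
# excluded paths and process name are placeholders; replace them with the
# locations or processes you identified as causing scan load.
write_profile() {
    cat > "$1" <<'EOF'
{
  "antivirusEngine": {
    "enableRealTimeProtection": true,
    "passiveMode": false,
    "exclusionsMergePolicy": "merge",
    "exclusions": [
      { "$type": "excludedPath", "isDirectory": true,  "path": "/var/lib/postgresql" },
      { "$type": "excludedPath", "isDirectory": false, "path": "/opt/app/large.bin" },
      { "$type": "excludedFileExtension", "extension": "pdf" },
      { "$type": "excludedFileName", "name": "cc1" }
    ],
    "allowedThreats": [],
    "disallowedThreatActions": [ "allow", "restore" ],
    "threatTypeSettingsMergePolicy": "merge",
    "threatTypeSettings": [
      { "key": "potentially_unwanted_application", "value": "block" },
      { "key": "archive_bomb", "value": "audit" }
    ]
  },
  "cloudService": {
    "enabled": true,
    "diagnosticLevel": "optional",
    "automaticSampleSubmission": true
  }
}
EOF
}

# validate_profile PATH
# Returns 0 when PATH parses as JSON and non-zero otherwise. Uses python3's
# bundled json.tool (exit 0 / exit 1), falling back to jq if present.
validate_profile() {
    if command -v python3 >/dev/null 2>&1; then
        python3 -m json.tool "$1" >/dev/null 2>&1
    elif command -v jq >/dev/null 2>&1; then
        jq -e . "$1" >/dev/null 2>&1
    else
        echo "no JSON validator (python3 or jq) found" >&2
        return 2
    fi
}

# Usage (as root): write the profile into place and validate it before the
# product picks it up.
#   ./mdatp_profile.sh --install
if [ "${1:-}" = "--install" ]; then
    write_profile "$PROFILE_PATH"
    validate_profile "$PROFILE_PATH" && echo "profile OK: $PROFILE_PATH"
fi
```

Because enterprise preferences take precedence over local ones, a typo in this file silently overrides whatever an administrator set on the device, so validate before deploying it through your management tool.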
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux
An output from the previous command with correct date and time of installation indicates success.
Also check the Client configuration to verify the health of the product and detect the EICAR text file.
Installation failed
Check if the mdatp service is running
$ id "mdatp"
where <systemd_path> is
/lib/systemd/system for Ubuntu and Debian distributions
/usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES
$ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
If mdatp service is running, but EICAR text file detection doesn't work
1. Check the file system type using:
$ findmnt -T <path_of_EICAR_file>
Currently supported file systems for on-access activity are listed here. Any files outside these file systems won't be
scanned.
Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these
logs.
Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
4/9/2020 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux
$ mdatp --connectivity-test
If the connectivity test fails, check if the machine has Internet access and if any of the endpoints required by the
product are blocked by a proxy or firewall.
OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping
If a static proxy is required, add a proxy parameter to the above command, where proxy_address:port correspond
to the proxy address and port:
$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
Ensure that you use the same proxy address and port as configured in the /lib/systemd/system/mdatp.service file.
Check your proxy configuration if there are errors from the above commands.
To use a static proxy, the mdatp.service file must be modified. Ensure the leading # is removed to uncomment the
following line from /lib/systemd/system/mdatp.service :
#Environment="HTTPS_PROXY=http://address:port"
Also ensure that the correct static proxy address is filled in to replace address:port .
If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux
and propagate the setting:
Upon success, attempt another connectivity test from the command line:
$ mdatp --connectivity-test
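The unit-file edit, service reload and proxy-aware connectivity check described above (and in the static proxy topic earlier on this page), as an added bash example that is not the page's own code: it rewrites the HTTPS_PROXY Environment line in mdatp.service (on a temporary copy first, so a failed edit never leaves a half-written unit), reads the proxy back out of the file so that curl and the service use the same value, reloads systemd, and probes the two endpoints listed above. The unit path and endpoint URLs are the page's own; the sample unit content, the proxy hostnames and the function names are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the page): set the static proxy in mdatp.service,
# reload the service, and verify cloud reachability through that same proxy.
set -eu

UNIT_FILE="${UNIT_FILE:-/lib/systemd/system/mdatp.service}"
ENDPOINTS='https://x.cp.wd.microsoft.com/api/report
https://cdn.x.cp.wd.microsoft.com/ping'

# set_static_proxy UNIT PROXY_URL
# Uncomments the HTTPS_PROXY Environment line and fills in PROXY_URL. Matches
# both the commented template and an already-set line, so re-running replaces
# the value instead of adding a second line.
set_static_proxy() {
    local unit="$1" proxy="$2" tmp
    tmp="$(mktemp)"
    sed -E "s|^#?Environment=\"HTTPS_PROXY=[^\"]*\"|Environment=\"HTTPS_PROXY=${proxy}\"|" "$unit" > "$tmp"
    grep -q "^Environment=\"HTTPS_PROXY=${proxy}\"" "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$unit" && rm -f "$tmp"   # cat keeps the unit's mode and owner
}

# proxy_from_unit UNIT
# Prints the proxy URL from an active (uncommented) HTTPS_PROXY line, or
# nothing if the line is still commented out.
proxy_from_unit() {
    sed -nE 's|^Environment="HTTPS_PROXY=([^"]*)"|\1|p' "$1" | head -n 1
}

# reload_mdatp
# systemd only re-reads a unit file after daemon-reload; restarting alone
# keeps the previous Environment= in effect. Run as root.
reload_mdatp() {
    systemctl daemon-reload
    systemctl restart mdatp
}

# classify_probe HTTP_CODE URL
# curl reports 000 when it could not connect at all (DNS, firewall, proxy
# refusal); 407 means the proxy wants credentials the service does not send.
classify_probe() {
    case "$1" in
        2*|3*)  echo "OK $2" ;;
        407)    echo "FAIL $2 (proxy authentication required)" ;;
        000|"") echo "FAIL $2 (no connection)" ;;
        *)      echo "FAIL $2 (http $1)" ;;
    esac
}

# probe_endpoints [PROXY_URL]
# Requests each endpoint, through PROXY_URL when given, and prints one
# OK/FAIL line per URL in the same shape as the page's expected output.
probe_endpoints() {
    local proxy="${1:-}" url code
    printf '%s\n' "$ENDPOINTS" | while IFS= read -r url; do
        [ -n "$url" ] || continue
        if [ -n "$proxy" ]; then
            code=$(curl -sS -o /dev/null --max-time 15 -x "$proxy" -w '%{http_code}' "$url" 2>/dev/null || true)
        else
            code=$(curl -sS -o /dev/null --max-time 15 -w '%{http_code}' "$url" 2>/dev/null || true)
        fi
        classify_probe "$code" "$url"
    done
}

# Usage (as root): ./mdatp_proxy.sh --apply http://proxy.corp.example:3128
if [ "${1:-}" = "--apply" ]; then
    set_static_proxy "$UNIT_FILE" "${2:?proxy URL required}"
    reload_mdatp
    probe_endpoints "$(proxy_from_unit "$UNIT_FILE")"
fi
```

A package upgrade can overwrite /lib/systemd/system/mdatp.service; if the proxy must survive upgrades, put the same Environment= line in a drop-in such as /etc/systemd/system/mdatp.service.d/override.conf (standard systemd behaviour, not covered by this page) and reload in the same way.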
Resources
For more information about how to configure the product to use a static proxy, see Configure Microsoft
Defender ATP for static proxy discovery.
Troubleshoot performance issues for Microsoft Defender ATP for Linux
4/1/2020 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux
This topic provides some general steps that can be used to narrow down performance issues related to Microsoft
Defender ATP for Linux.
Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects
your device against threats. It consists of file and process monitoring and other heuristics.
Depending on the applications that you are running and your device characteristics, you may experience
suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system
processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender
ATP for Linux.
The following steps can be used to troubleshoot and mitigate these issues:
1. Disable real-time protection using one of the following methods and observe whether the performance
improves. This approach helps narrow down whether Microsoft Defender ATP for Linux is contributing to
the performance issues.
If your device is not managed by your organization, real-time protection can be disabled from the command
line:
If your device is managed by your organization, real-time protection can be disabled by your administrator
using the instructions in Set preferences for Microsoft Defender ATP for Linux.
2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by
Microsoft Defender ATP for Linux.
NOTE
This feature is available in version 100.90.70 or newer.
This feature is enabled by default on the Dogfood and InsiderFast channels. If you're using a different
update channel, this feature can be enabled from the command line:
This feature requires real-time protection to be enabled. To check the status of real-time protection, run the
following command:
$ mdatp health
Verify that the real_time_protection_enabled entry is true . Otherwise, run the following command to
enable it:
$ mdatp diagnostic real_time_protection_statistics # append '> stat.log' to redirect the output to a file
The output of this command will show all processes and their associated scan activity. To improve the
performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the
Total files scanned row and add an exclusion for it. For more information, see Configure and validate
exclusions for Microsoft Defender ATP for Linux.
NOTE
The application stores statistics in memory and only keeps track of file activity since it was started and real-time
protection was enabled. Processes that were launched before or during periods when real time protection was off are
not counted. Additionally, only events which triggered scans are counted.
3. Use the top command-line tool and analyze which applications are using the resources on your system.
Typical examples include software updaters and compilers.
4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that
contribute to the performance issues and re-enable real-time protection.
See Configure and validate exclusions for Microsoft Defender ATP for Linux for details.
Resources
3/12/2020 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux
Uninstall
There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as
Puppet, please follow the package uninstallation instructions for the configuration tool.
Manual uninstallation
sudo yum remove mdatp for RHEL and variants(CentOS and Oracle Linux).
sudo zypper remove mdatp for SLES and variants.
sudo apt-get purge mdatp for Ubuntu and Debian systems.
Configuration: Turn on audit mode for PUA protection
$ mdatp --threat --type-handling potentially_unwanted_application audit
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
3. Enter your name and email address so that Microsoft can get back to you on your application.
4. Read the privacy statement, then click Submit when you're done. You will receive a welcome email once your
application is approved.
6. From the navigation pane, go to Settings > General > Advanced features to turn the Threat Experts
toggle on. Click Save preferences.
NOTE
Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your
security operations or incident response team for details.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the
Incident page. Ensure that the page for the relevant alert or machine is in view before you send an
investigation request.
2. From the upper right-hand menu, click ?. Then, select Consult a threat expert.
A flyout screen opens. The following screen shows when you are on a trial subscription.
The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand
subscription.
The Inquiry topic field is pre-populated with the link to the relevant page for your investigation request.
For example, a link to the incident, alert, or machine details page that you were at when you made the
request.
3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start
the investigation.
4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts.
Sample investigation topics that you can consult with Microsoft Threat
Experts
Alert information
We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this
alert and how we can investigate further?
We’ve observed two similar attacks which try to execute malicious PowerShell scripts but generate different
alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on
indication provided by O365". What is the difference?
I received an odd alert today for an abnormal number of failed logins from a high-profile user's device. I cannot
find any further evidence around these sign-in attempts. How can Microsoft Defender ATP see these attempts?
What type of sign-ins are being monitored?
Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
Possible machine compromise
Can you help answer why we see “Unknown process observed?” This is seen quite frequently on many
machines. We appreciate any input to clarify whether this is related to malicious activity.
Can you help validate a possible compromise on the following system on [date] with similar behaviors as the
previous [malware name] malware detection on the same system in [month]?
Threat intelligence details
This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a
series of suspicious events which triggered multiple Microsoft Defender alerts for [malware name] malware. Do
you have any information on this malware? If yes, can you send me a link?
I recently saw a [social media reference e.g., Twitter or blog] post about a threat that is targeting my industry.
Can you help me understand what protection Microsoft Defender ATP provides against this threat actor?
Microsoft Threat Experts' alert communications
Can your incident response team help us address the targeted attack notification that we got?
I received this targeted attack notification from Microsoft Threat Experts. We don’t have our own incident
response team. What can we do now, and how can we contain the incident?
I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that
we can pass on to our incident response team?
NOTE
Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However,
the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection
and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response
team to address issues that require an incident response.
Scenario
Receive a progress report about your managed hunting inquiry
Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you
about your Consult a threat expert inquiry within two days, to communicate the investigation status from the
following categories:
More information is needed to continue with the investigation
A file or several file samples are needed to determine the technical context
Investigation requires more time
Initial information was enough to conclude the investigation
It is crucial to respond in a timely manner to keep the investigation moving.
Related topic
Microsoft Threat Experts overview
Overview of endpoint detection and response
4/2/2020 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are
near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of
a breach, and take response actions to remediate threats.
When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack
techniques or attributed to the same attacker are aggregated into an entity called an incident. Aggregating alerts
in this manner makes it easy for analysts to collectively investigate and respond to threats.
Inspired by the "assume breach" mindset, Microsoft Defender ATP continuously collects behavioral cyber
telemetry. This includes process information, network activities, deep optics into the kernel and memory manager,
user login activities, registry and file system changes, and others. The information is stored for six months,
enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and
approach an investigation through multiple vectors.
The response capabilities give you the power to promptly remediate threats by acting on the affected entities.
Related topics
Security operations dashboard
Incidents queue
Alerts queue
Machines list
Microsoft Defender Security Center Security operations dashboard
2/21/2020 • 4 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Security operations dashboard is where the endpoint detection and response capabilities are surfaced. It
provides a high level overview of where detections were seen and highlights where response actions are needed.
The dashboard displays a snapshot of:
Active alerts
Machines at risk
Sensor health
Service health
Daily machines reporting
Active automated investigations
Automated investigations statistics
Users at risk
Suspicious activities
You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities
occurred in your network to help you understand the context they appeared in.
From the Security operations dashboard you will see aggregated events to facilitate the identification of
significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a
detailed view of the corresponding overview.
Active alerts
You can view the overall number of active alerts from the last 30 days in your network from the tile. Alerts are
grouped into New and In progress .
Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts
inside each alert ring to see a sorted view of that category's queue (New or In progress ).
For more information see, Alerts overview.
Each row includes an alert severity category and a short description of the alert. You can click an alert to see its
detailed view. For more information see, Investigate Microsoft Defender Advanced Threat Protection alerts and
Alerts overview.
Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each
machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far
end of the tile (hover over each severity bar to see its label).
Click the name of the machine to see details about that machine. For more information see, Investigate machines
in the Microsoft Defender Advanced Threat Protection Machines list.
You can also click Machines list at the top of the tile to go directly to the Machines list , sorted by the number of
active alerts. For more information see, Investigate machines in the Microsoft Defender Advanced Threat
Protection Machines list.
Sensor health
The Sensor health tile provides information on the individual machine’s ability to provide sensor data to the
Microsoft Defender ATP service. It reports how many machines require attention and helps you identify
problematic machines.
There are two status indicators that provide information on the number of machines that are not reporting
properly to the service:
Misconfigured – These machines might partially be reporting sensor data to the Microsoft Defender ATP
service and might have configuration errors that need to be corrected.
Inactive - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven
days in the past month.
When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more
information, see Check sensor state and Investigate machines.
Service health
The Service health tile informs you if the service is active or if there are issues.
For more information on the service health, see Check the Microsoft Defender ATP service health.
You can click on Automated investigations, Remediated investigations, and Alerts investigated to navigate
to the Investigations page, filtered by the appropriate category. This lets you see a detailed breakdown of
investigations in context.
Users at risk
The tile shows you a list of user accounts with the most active alerts and the number of alerts seen on high,
medium, or low alerts.
Click the user account to see details about the user account. For more information see Investigate a user account.
Related topics
Understand the Microsoft Defender Advanced Threat Protection portal
Portal overview
View the Threat & Vulnerability Management dashboard
View the Threat analytics dashboard and take recommended mitigation actions
View and organize the Microsoft Defender Advanced Threat Protection Incidents queue
10/9/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Incidents queue shows a collection of incidents that were flagged from machines in your network. It helps
you sort through incidents to prioritize and create an informed cybersecurity response decision.
By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top
of the list, helping you see the most recent incidents first.
There are several options you can choose from to customize the Incidents queue view.
On the top navigation you can:
Customize columns to add or remove columns
Modify the number of items to view per page
Select the items to show per page
Batch-select the incidents to assign
Navigate between pages
Apply filters
Assigned to
You can choose to filter the list by selecting assigned to anyone or ones that are assigned to you.
Category
Incidents are categorized by the stage of the cybersecurity kill chain they have reached. This view helps the
threat analyst determine priority, urgency, and the corresponding response strategy to deploy based on context.
Status
You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved.
Data sensitivity
Use this filter to show incidents that contain sensitivity labels.
Related topics
Incidents queue
Manage incidents
Investigate incidents
Manage Microsoft Defender ATP incidents
10/22/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting
an incident from the Incidents queue or the Incidents management pane .
Selecting an incident from the Incidents queue brings up the Incident management pane where you can open
the incident page for details.
You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep
track of their progress.
Assign incidents
If an incident has not been assigned yet, you can select Assign to me to assign the incident to yourself. Doing so
assumes ownership of not just the incident, but also all the alerts associated with it.
Related topics
Incidents queue
View and organize the Incidents queue
Investigate incidents
Investigate incidents in Microsoft Defender ATP
3/18/2020 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
When you investigate an incident, you'll see:
Incident details
Incident comments and actions
Tabs (alerts, machines, investigations, evidence, graph)
Alerts
You can investigate the alerts and see how they were linked together in an incident. Alerts are grouped into
incidents based on the following reasons:
Automated investigation - The automated investigation triggered the linked alert while investigating the
original alert
File characteristics - The files associated with the alert have similar characteristics
Manual association - A user manually linked the alerts
Proximate time - The alerts were triggered on the same machine within a certain timeframe
Same file - The files associated with the alert are exactly the same
Same URL - The URL that triggered the alert is exactly the same
You can also manage an alert and see alert metadata along with other information. For more information, see
Investigate alerts.
Machines
You can also investigate the machines that are part of, or related to, a given incident. For more information, see
Investigate machines.
Investigations
Select Investigations to see all the automatic investigations launched by the system in response to the incident
alerts.
You can click the circles on the incident graph to view the details of the malicious files, associated file detections,
how many instances there have been worldwide, whether the file has been observed in your organization, and if so,
how many instances.
Related topics
Incidents queue
Investigate incidents in Microsoft Defender ATP
Manage Microsoft Defender ATP incidents
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
3/27/2020 • 5 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Alerts queue shows a list of alerts that were flagged from machines in your network. By default, the queue
displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the
list, helping you see the most recent alerts first.
NOTE
The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations
experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity
for automated investigation (for example, a file) in a machine that has a supported operating system for it, an automated
investigation and remediation can start. For more information on automated investigations, see Overview of Automated
investigations.
There are several options you can choose from to customize the alerts queue view.
On the top navigation you can:
Select grouped view or list view
Customize columns to add or remove columns
Select the items to show per page
Navigate between pages
Apply filters
Suspicious activity (API category names: General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic):
Atypical activity that could be malware activity or part of an attack
Status
You can choose to limit the list of alerts based on their status.
Investigation state
Corresponds to the automated investigation state.
Category
You can choose to filter the queue to display specific types of malicious activity.
Assigned to
You can choose between showing alerts that are assigned to you or automation.
Detection source
Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter
and see detections from the new threat experts managed hunting service.
NOTE
The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default
real-time protection antimalware product.
OS platform
Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
Machine group
If you have specific machine groups that you're interested in checking the alerts on, you can select the groups to
limit the alerts queue view to display just those machine groups.
Associated threat
Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile
threats in Threat analytics.
Related topics
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate machines in the Microsoft Defender ATP Machines list
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a domain associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Manage Microsoft Defender Advanced Threat Protection alerts
9/20/2019 • 4 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through
alerts. A summary of new alerts is displayed in the Security operations dashboard, and you can access all
alerts in the Alerts queue.
You can manage alerts by selecting an alert in the Alerts queue, or the Alerts tab of the Machine page for an
individual device.
Selecting an alert in either of those places brings up the Alert management pane.
Assign alerts
If an alert is not yet assigned, you can select Assign to me to assign the alert to yourself.
Suppress alerts
There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security
Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be
innocuous such as known tools or processes in your organization.
Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not
affect existing alerts already in the queue, prior to the rule creation. The rule will only be applied on alerts that
satisfy the conditions set after the rule is created.
There are two contexts for a suppression rule that you can choose from:
Suppress alert on this machine
Suppress alert in my organization
The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts
are surfaced into the portal.
You can use the examples in the following table to help you choose the context for a suppression rule:
Suppress alert on this machine: Alerts with the same alert title and on that specific machine only will be
suppressed. All other alerts on that machine will not be suppressed. Examples: a security researcher is
investigating a malicious script that has been used to attack other machines in your organization; a developer
regularly creates PowerShell scripts for their team.
Suppress alert in my organization: Alerts with the same alert title on any machine will be suppressed. Example: a
benign administrative tool is used by everyone in your organization.
Alert classification
You can choose not to set a classification, or specify whether an alert is a true alert or a false alert. It's important
to provide the classification of true positive/false positive. This classification is used to monitor alert quality, and
make alerts more accurate. The "determination" field defines additional fidelity for a "true positive" classification.
Related topics
Manage suppression rules
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate machines in the Microsoft Defender ATP Machines list
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a domain associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Investigate Microsoft Defender Advanced Threat Protection alerts
1/27/2020 • 4 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
Click an alert to see the alert details view and the various tiles that provide information about the alert.
From the alert details view, you can manage an alert and see alert data such as severity, category, technique,
along with other information that can help you make better decisions on how to approach them.
The techniques reflected in the card are based on MITRE enterprise techniques.
You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you
to the Automated investigations view. For more information, see Automated investigations.
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on
the icon beside the name or user account to bring up the machine or user details pane. The alert details view
also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of
recommended actions which you can expand.
For more information about managing alerts, see Manage alerts.
The alert details page also shows the alert process tree, an incident graph, and an artifact timeline.
You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted
automatically, and the timeline will display the appearance of the alert and its evidence in the Machine
timeline . If the alert appeared more than once on the machine, the latest occurrence will be displayed in the
Machine timeline .
Alerts attributed to an adversary or actor display a colored tile with the actor's name.
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor,
their interests or targets, their tools, tactics, and processes (TTPs), and areas where they've been observed
worldwide. You will also see a set of recommended actions to take.
Some actor profiles include a link to download a more comprehensive threat intelligence report.
The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools,
and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions
you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or
campaign for offline reading.
NOTE
The alert process tree might not show for some alerts, including alerts not triggered directly by process activity.
Clicking in the circle immediately to the left of the indicator displays its details.
The alert details pane helps you take a deeper look at the details about the alert. It displays rich information
about the execution details, file details, detections, observed worldwide, observed in organization, and other
details taken from the entity's page – while remaining on the alert page, so you never leave the current context
of your investigation.
Incident graph
The Incident Graph provides a visual representation of the organizational footprint of the alert and its
evidence: where the evidence that triggered the alert was observed on other machines. It provides a graphical
mapping from the original machine and evidence expanding to show other machines in the organization where
the triggering evidence was also observed.
The Incident Graph supports expansion by File, Process, command line, or Destination IP Address, as
appropriate.
The Incident Graph expansion by destination IP Address, shows the organizational footprint of
communications with this IP Address without having to change context by navigating to the IP Address page.
You can click the full circles on the incident graph to expand the nodes and view the expansion to other
machines where the matching criteria were observed.
Artifact timeline
The Artifact timeline feature provides an additional view of the evidence that triggered the alert on the
machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it
was observed on the machine. This can help in understanding if the evidence was first observed at the time of
the alert, or whether it was observed on the machine earlier, without triggering an alert.
Selecting an alert detail brings up the Details pane where you'll be able to see more information about the
alert such as file details, detections, instances of it observed worldwide, and in the organization.
Related topics
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate machines in the Microsoft Defender ATP Machines list
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a domain associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Investigate a file associated with a Microsoft Defender ATP alert
12/10/2019 • 3 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file
exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
There are many ways to access the detailed profile page of a specific file. For example, you can use the search
feature, click on a link from the Alert process tree, Incident graph, Artifact timeline, or select an event
listed in the Machine timeline.
Once on the detailed profile page, you can switch between the new and old page layouts by toggling new File
page. The rest of this article describes the newer page layout.
You can get information from the following sections in the file view:
File details, Malware detection, File prevalence
Deep analysis
Alerts
Observed in organization
Deep analysis
File names
You can also take action on a file from this page.
File actions
Along the top of the profile page, above the file information cards. Actions you can perform here include:
Stop and quarantine
Add/edit indicator
Download file
Consult a threat expert
Action center
For more information on these actions, see Take response action on a file.
Alerts
The Alerts tab provides a list of alerts that are associated with the file. This list covers much of the same
information as the Alerts queue, except for the machine group, if any, the affected machine belongs to. You can
choose what kind of information is shown by selecting Customize columns from the toolbar above the
column headers.
Observed in organization
The Observed in organization tab allows you to specify a date range to see which devices have been
observed with the file.
NOTE
This tab will show a maximum number of 100 machines. To see all devices with the file, export the tab to a CSV file, by
selecting Export from the action menu above the tab's column headers.
Use the slider or the range selector to quickly specify a time period that you want to check for events involving
the file. You can specify a time window as small as a single day. This will allow you to see only files that
communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
Deep analysis
The Deep analysis tab allows you to submit the file for deep analysis, to uncover more details about the file's
behavior, as well as the effect it is having within your organization. After you submit the file, the deep analysis
report will appear in this tab once results are available. If deep analysis did not find anything, the report will be
empty and the results space will remain blank.
File names
The File names tab lists all names the file has been observed to use within your organization.
Related topics
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate machines in the Microsoft Defender ATP Machines list
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a domain associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Take response actions on a file
Investigate machines in the Microsoft Defender ATP Machines list
3/4/2020 • 6 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might
be related to the alert or the potential scope of the breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that
machine. Affected machines are identified in the following areas:
Machines list
Alerts queue
Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or domain details view
When you investigate a specific machine, you'll see:
Machine details
Response actions
Cards (active alerts, logged on users, security assessment)
Tabs (alerts, timeline, security recommendations, software inventory, discovered vulnerabilities)
Machine details
The machine details section provides information such as the domain, OS, and health state of the machine. If
there's an investigation package available on the machine, you'll see a link that allows you to download the
package.
Response actions
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate automated investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can take response actions in the Action center, in a specific machine page, or in a specific file page.
For more information on how to take action on a machine, see Take response action on a machine.
For more information, see Investigate user entities.
Cards
Active alerts
The Azure Advanced Threat Protection card will display a high-level overview of alerts related to the
machine and their risk level, if you have enabled the Azure ATP feature, and there are any active alerts. More
information is available in the "Alerts" drill down.
NOTE
You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft
Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced
features, see Turn on advanced features.
Logged on users
The Logged on users card shows how many users have logged on in the past 30 days, along with the most
and least frequent users. Selecting the "See all users" link opens the details pane, which displays information
such as user type, log on type, and when the user was first and last seen. For more information, see Investigate
user entities.
Security assessments
The Security assessments card shows the overall exposure level, security recommendations, installed
software, and discovered vulnerabilities. A machine's exposure level is determined by the cumulative impact of
its pending security recommendations.
Tabs
The five tabs under the cards section show relevant security and threat prevention information related to the
machine. In each tab, you can customize the columns that are shown by selecting Customize columns from
the bar above the column headers.
Alerts
The Alerts section provides a list of alerts that are associated with the machine. This list is a filtered version of
the Alerts queue, and shows a short description of the alert, severity (high, medium, low, informational), status
in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state,
category of alert, who is addressing the alert, and last activity. You can also filter the alerts.
When the circle icon to the left of an alert is selected, a fly-out appears. From this panel you can manage the
alert and view more details such as incident number and related machines. Multiple alerts can be selected at a
time.
To see a full page view of an alert including incident graph and process tree, select the title of the alert.
Timeline
The Timeline section provides a chronological view of the events and associated alerts that have been
observed on the machine. This can help you correlate any events, files, and IP addresses in relation to the
machine.
The timeline also enables you to selectively drill down into events that occurred within a given time period. You
can view the temporal sequence of events that occurred on a machine over a selected time period. To further
control your view, you can filter by event groups or customize the columns.
NOTE
For firewall events to be displayed, you'll need to enable the audit policy; see Audit Filtering Platform connection. Firewall
covers the following events:
5025 - firewall service stopped
5031 - application blocked from accepting incoming connections on the network
5157 - blocked connection
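As an added example (not from the Microsoft documentation), the following elevated PowerShell session turns on the audit subcategory the note refers to and then pulls the three firewall event IDs listed above from the local Security log, so you can confirm they are being recorded before expecting them in the machine timeline. The one-day lookback window is an assumption.

```powershell
# Added example, not part of the Microsoft Defender ATP docs. Run in an elevated session.

# 1. Enable success and failure auditing for the Filtering Platform Connection subcategory.
auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# Read the setting back to confirm it applied.
auditpol.exe /get /subcategory:"Filtering Platform Connection"

# 2. Query the Security log for the event IDs the note lists.
#    5025 - firewall service stopped
#    5031 - application blocked from accepting incoming connections
#    5157 - blocked connection
$firewallEventIds = 5025, 5031, 5157
$since = (Get-Date).AddDays(-1)   # assumed lookback window: the last 24 hours

# Get-WinEvent raises an error when no matching events exist; suppress it so an
# empty result simply prints nothing rather than aborting the script.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $firewallEventIds
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No firewall audit events (IDs $($firewallEventIds -join ', ')) since $since."
    return
}

# Show the newest first, with only the first line of the message as a summary.
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Events logged before auditing is enabled cannot be recovered, so run the first step as part of baseline configuration rather than only during an investigation.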
Security recommendations
Security recommendations are generated from Microsoft Defender ATP's Threat & Vulnerability
Management capability. Selecting a recommendation will show a panel where you can view relevant details
such as description of the recommendation and the potential risks associated with not enacting it. See Security
recommendation for details.
Software inventory
The Software inventory section lets you view software on the device, along with any weaknesses or threats.
Selecting the name of the software will take you to the software details page where you can view security
recommendations, discovered vulnerabilities, installed machines, and version distribution. See Software
inventory for details.
Discovered vulnerabilities
The Discovered vulnerabilities section shows the name, severity, and threat insights of discovered
vulnerabilities on the device. Selecting specific vulnerabilities will show a description and details.
Related topics
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a domain associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Security recommendation
Software inventory
Investigate an IP address associated with a Microsoft Defender ATP alert
9/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Examine possible communication between your machines and external internet protocol (IP) addresses.
Identifying all machines in the organization that communicated with a suspected or known malicious IP address,
such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and
infected machines.
You can find information from the following sections in the IP address view:
IP worldwide
Reverse DNS names
Alerts related to this IP
IP in organization
Prevalence
IP in organization
The IP in organization section provides details on the prevalence of the IP address in the organization.
Prevalence
The Prevalence section displays how many machines have connected to this IP address, and when the IP was
first and last seen. You can filter the results of this section by time period; the default period is 30 days.
NOTE
Search results will only be returned for IP addresses observed in communication with machines in the organization.
Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed
results of all machines in the organization observed communicating with the IP address, the file associated with
the communication and the last date observed.
Clicking any of the machine names will take you to that machine's view, where you can continue investigating
reported alerts, behaviors, and events.
Related topics
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate machines in the Microsoft Defender ATP Machines list
Investigate a domain associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Investigate a domain associated with a Microsoft Defender ATP alert
9/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Investigate a domain to see if machines and servers in your enterprise network have been communicating with a
known malicious domain.
You can investigate a domain by using the search feature or by clicking on a domain link from the Machine
timeline.
You can see information from the following sections in the URL view:
URL details, Contacts, Nameservers
Alerts related to this URL
URL in organization
Most recent observed machines with URL
URL worldwide
The URL Worldwide section lists the URL, a link to further details at Whois, the number of related open
incidents, and the number of active alerts.
Incident
The Incident card displays a bar chart of all active alerts in incidents over the past 180 days.
Prevalence
The Prevalence card provides details on the prevalence of the URL within the organization, over a specified
period of time.
Although the default time period is the past 30 days, you can customize the range by selecting the downward-
pointing arrow in the corner of the card. The shortest range available is for prevalence over the past day, while
the longest range is over the past 6 months.
Alerts
The Alerts tab provides a list of alerts that are associated with the URL. The table shown here is a filtered version
of the alerts visible on the Alert queue screen, showing only alerts associated with the domain, their severity,
status, the associated incident, classification, investigation state, and more.
The Alerts tab can be adjusted to show more or less information, by selecting Customize columns from the
action menu above the column headers. The number of items displayed can also be adjusted, by selecting items
per page on the same menu.
Observed in organization
The Observed in organization tab provides a chronological view on the events and associated alerts that were
observed on the URL. This tab includes a timeline and a customizable table listing event details, such as the time,
machine, and a brief description of what happened.
You can view events from different periods of time by entering the dates into the text fields above the table
headers. You can also customize the time range by selecting different areas of the timeline.
Investigate a domain:
1. Select URL from the Search bar drop-down menu.
2. Enter the URL in the Search field.
3. Click the search icon or press Enter. Details about the URL are displayed. Note: search results will only be
returned for URLs observed in communications from machines in the organization.
4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the
displayed results of all machines in the organization observed communicating with the URL, the file
associated with the communication and the last date observed.
5. Clicking any of the machine names will take you to that machine's view, where you can continue investigating
reported alerts, behaviors, and events.
Related topics
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate machines in the Microsoft Defender ATP Machines list
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Investigate connection events that occur behind forward proxies
2/6/2020 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP supports network connection monitoring from different levels of the network stack. A
challenging case is when the network uses a forward proxy as a gateway to the Internet.
The proxy acts as if it were the target endpoint. In these cases, simple network connection monitors will audit the
connections with the proxy, which is correct but has lower investigation value.
Microsoft Defender ATP supports advanced HTTP level monitoring through network protection. When turned on, a
new type of event is surfaced which exposes the real target domain names.
Investigation impact
When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing
the proxy, while the real target address shows up.
Additional events triggered by the network protection layer are now available to surface the real domain names
even behind a proxy.
Use the following query to list these events:
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| take 10
You can also filter out events that are related to connection to the proxy itself.
Use the following query to filter out the connections to the proxy:
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
| take 10
Related topics
Applying network protection with GP - policy CSP
Investigate a user account in Microsoft Defender ATP
9/20/2019 • 3 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The user account details, Azure ATP alerts, and logged on machines cards display various attributes about the
user account.
User details
The User details card provides information about the user, such as when the user was first and last seen.
Depending on the integration features you've enabled, you'll see other details. For example, if you enable the
Skype for business integration, you'll be able to contact the user from the portal.
Azure Advanced Threat Protection
The Azure Advanced Threat Protection card will contain a link that will take you to the Azure ATP page, if you
have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide
more information about the alerts. This card also provides details such as the last AD site, total group
memberships, and login failure associated with the user.
NOTE
You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft
Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced
features, see Turn on advanced features.
Logged on machines
The Logged on machines card shows a list of the machines that the user has logged on to. You can expand
these to see details of the log-on events for each machine.
Observed in organization
The Observed in organization section allows you to specify a date range to see a list of machines where this
user was observed logged on, the most frequent and least frequent logged on user account for each of these
machines, and total observed users on each machine.
Selecting an item on the Observed in organization table will expand the item, revealing more details about the
machine. Directly selecting a link within an item will send you to the corresponding page.
Related topics
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate machines in the Microsoft Defender ATP Machines list
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a domain associated with a Microsoft Defender ATP alert
View and organize the Microsoft Defender ATP Machines list
2/21/2020 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Machines list shows a list of the machines in your network where alerts were generated. By default, the
queue displays machines with alerts seen in the last 30 days.
At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification
of machines most at risk.
There are several options you can choose from to customize the machines list view. On the top navigation you can:
Add or remove columns
Export the entire list in CSV format
Select the number of items to show per page
Apply filters
During the onboarding process, the Machines list is gradually populated with machines as they begin to report
sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete
endpoint list as a CSV file for offline analysis.
NOTE
If you export the machine list, it will contain every machine in your organization. It might take a significant amount of time
to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered
manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
Related topics
Investigate machines in the Microsoft Defender ATP Machines list
Create and manage machine tags
12/30/2019 • 2 minutes to read • Edit Online
Add tags on machines to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
Tags can be used as a filter in Machines list view, or to group machines. For more information on machine
grouping, see Create and manage machine groups.
You can add tags on machines using the following ways:
Using the portal
Setting a registry key value
NOTE
There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine
page.
To add machine tags using API, see Add or remove machine tags API.
NOTE
Filtering might not work on tag names that contain parentheses.
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Registry key value (REG_SZ): Group
Registry key data: Name of the tag you want to set
NOTE
The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to
restart the endpoint, which would transfer a new machine information report.
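As an added example (not from the Microsoft documentation), the following elevated PowerShell script sets the DeviceTagging registry value described above and reads it back to verify it. The tag name 'Finance-Servers' is a constructed placeholder.

```powershell
# Added example, not part of the Microsoft Defender ATP docs. Run in an elevated session.

# Registry location and value name documented above (REG_SZ value 'Group').
$tagKeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$tagName    = 'Finance-Servers'   # constructed example tag

# Avoid parentheses in the tag name: the docs note that portal filtering may not
# work on such names.
if ($tagName -match '[()]') {
    throw "Tag name '$tagName' contains parentheses; choose a name without them."
}

# Create the policy key if it does not exist yet; -Force creates missing parents.
if (-not (Test-Path -Path $tagKeyPath)) {
    New-Item -Path $tagKeyPath -Force | Out-Null
}

# Write (or overwrite) the REG_SZ value 'Group' with the tag name.
New-ItemProperty -Path $tagKeyPath -Name 'Group' -Value $tagName `
    -PropertyType String -Force | Out-Null

# Read it back and fail loudly if the value did not land as expected.
$current = (Get-ItemProperty -Path $tagKeyPath -Name 'Group').Group
if ($current -ne $tagName) {
    throw "DeviceTagging\Group is '$current', expected '$tagName'."
}

Write-Output "DeviceTagging\Group = '$current'."
Write-Output "The tag reaches the portal with the next daily machine information report, or sooner after a restart."
```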
Take response actions on a machine
12/4/2019 • 10 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action
on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can find machine pages from any of the following views:
Security operations dashboard - Select a machine name from the Machines at risk card.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see Create and manage machine tags.
2. In the Action center fly-out, select Package collection package available to download the zip file.
The package contains the following folders:
Folder - Description
Autoruns - Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker's persistence on the machine. NOTE: If the registry key is not found, the file will contain the following message: "ERROR: The system was unable to find the specified registry key or value."
Installed programs - This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see Win32_Product class.
Network connections - This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker's command and control (C&C) infrastructure, any lateral movement, or remote connections. ActiveNetConnections.txt displays protocol statistics and current TCP/IP network connections, providing the ability to look for suspicious connectivity made by a process.
Scheduled tasks - Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically.
Security event log - Contains the security event log, which contains records of login or logout activity, or other security-related events specified by the system's audit policy. NOTE: Open the event log file using Event viewer.
Services - Contains a .CSV file which lists services and their states.
Windows Server Message Block (SMB) sessions - Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession.
Temp Directories - Contains a set of text files that lists the files located in %Temp% for every user in the system. This can help to track suspicious files that an attacker may have dropped on the system.
Users and Groups - Provides a list of files that each represent a group and its members.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
Once you have selected Run antivirus scan, select the scan type that you'd like to run (quick or full) and add a
comment before confirming the scan.
The Action center will show the scan information and the machine timeline will include a new event, reflecting that a
scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced
during the scan.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are
signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling
compromised machines and performing further malicious activities.
NOTE
You'll be able to reverse the restriction of applications from running at any time. The button on the machine page will change
to say Remove app restrictions, and then you take the same steps as restricting app execution.
Once you have selected Restrict app execution on the machine page, type a comment and select Confirm. The
Action center will show the scan information and the machine timeline will include a new event.
Notification on machine user:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a. 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say
Release from isolation, and then you take the same steps as isolating the machine.
Once you have selected Isolate machine on the machine page, type a comment and select Confirm. The Action
center will show the scan information and the machine timeline will include a new event.
NOTE
The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've
chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the
machine is isolated.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action
on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can find machine pages from any of the following views:
Security operations dashboard - Select a machine name from the Machines at risk card.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see Create and manage machine tags.
2. In the Action center fly-out, select Package collection package available to download the zip file.
The package contains the following folders:
FOLDER DESCRIPTION
Autoruns: Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify the attacker's persistence on the machine.
NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”
Installed programs: This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see Win32_Product class.
Network connections: This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.
- ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.
Scheduled tasks: Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen machine and to look for suspicious code which was set to run automatically.
Security event log: Contains the security event log, which holds records of login or logout activity, or other security-related events specified by the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services: Contains a .CSV file which lists services and their states.
Windows Server Message Block (SMB) sessions: Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession.
Temp Directories: Contains a set of text files that list the files located in %Temp% for every user in the system. This can help to track suspicious files that an attacker may have dropped on the system.
Users and Groups: Provides a list of files that each represent a group and its members.
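As an added example (not Microsoft's code, and not part of the original page), the following script shows an offline first pass over two of the package files described above: it parses a constructed ActiveNetConnections.txt in netstat -ano layout and reports, per PID, every ESTABLISHED connection to an address outside RFC 1918, loopback and link-local space, and it scans a constructed scheduled-tasks .CSV for tasks whose command runs from a Temp, Downloads or Public path. The file layouts, the CSV column names, the internal address ranges and the path heuristic are all assumptions.

```python
"""Offline triage of two files from a downloaded investigation package.

Added example, not Microsoft's code. Assumes ActiveNetConnections.txt has the
layout of "netstat -ano" output and that the scheduled-tasks .CSV uses a subset
of the "schtasks /query /fo CSV /v" column names. Both samples are constructed.
"""
import csv
import io
import ipaddress
import re

# Constructed sample of ActiveNetConnections.txt (netstat -ano layout assumed).
ACTIVE_NET_CONNECTIONS = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.15:49711        10.0.0.5:445           ESTABLISHED     4
  TCP    10.0.0.15:49822        203.0.113.77:443       ESTABLISHED     5120
  TCP    10.0.0.15:49830        198.51.100.9:8080      ESTABLISHED     5120
  TCP    10.0.0.15:49901        198.51.100.9:8080      TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1372
"""

# Constructed sample of the scheduled-tasks .CSV (column names assumed).
SCHEDULED_TASKS_CSV = r'''"HostName","TaskName","Status","Task To Run","Run As User"
"WKS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WKS01","\Updater","Ready","C:\Users\jdoe\AppData\Local\Temp\svc.exe -s","jdoe"
"WKS01","\OneDrive Standalone Update Task","Ready","C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","jdoe"
'''

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$"
)

# Ranges treated as internal (assumption): RFC 1918, loopback, link-local, unspecified.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10", "::/128",
)]

# Paths a scheduled task's command should rarely live in (heuristic, assumption).
USER_WRITABLE_PATH = re.compile(r"(?i)(%temp%|\\temp\\|\\downloads\\|\\public\\)")


def parse_netstat(text):
    """Return one dict per connection row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows


def split_endpoint(endpoint):
    """'203.0.113.77:443' -> ('203.0.113.77', '443'); '[::1]:135' -> ('::1', '135')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_external_address(host):
    """True for an address outside INTERNAL_NETS; False for '*' or a non-address."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def external_established(text):
    """(pid, remote host, remote port) for each ESTABLISHED connection leaving the LAN."""
    hits = []
    for row in parse_netstat(text):
        host, port = split_endpoint(row["remote"])
        if row["state"] == "ESTABLISHED" and is_external_address(host):
            hits.append((row["pid"], host, int(port)))
    return hits


def connections_by_pid(hits):
    """Group flagged connections by PID so one process with several peers stands out."""
    grouped = {}
    for pid, host, port in hits:
        grouped.setdefault(pid, []).append(f"{host}:{port}")
    return grouped


def tasks_run_from_user_writable(csv_text):
    """(TaskName, Task To Run, Run As User) for tasks whose command sits in a Temp-like path."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(r["TaskName"], r["Task To Run"], r["Run As User"])
            for r in reader if USER_WRITABLE_PATH.search(r["Task To Run"])]


if __name__ == "__main__":
    for pid, peers in connections_by_pid(external_established(ACTIVE_NET_CONNECTIONS)).items():
        print(f"PID {pid} has external connections to: {', '.join(peers)}")
    for name, cmd, user in tasks_run_from_user_writable(SCHEDULED_TASKS_CSV):
        print(f"Task {name} runs {cmd!r} as {user}")
```

The PIDs reported here can be cross-referenced against the Services .CSV and the process information captured in the same package before deciding whether to isolate the machine.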
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
Once you have selected Run antivirus scan, select the scan type that you'd like to run (quick or full) and add a
comment before confirming the scan.
The Action center will show the scan information and the machine timeline will include a new event, reflecting that a
scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced
during the scan.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are
signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling
compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time. The button on the machine page will change
to say Remove app restrictions , and then you take the same steps as restricting app execution.
Once you have selected Restrict app execution on the machine page, type a comment and select Confirm . The
Action center will show the scan information and the machine timeline will include a new event.
Notification on machine user :
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say
Release from isolation , and then you take the same steps as isolating the machine.
Once you have selected Isolate machine on the machine page, type a comment and select Confirm . The Action
center will show the scan information and the machine timeline will include a new event.
NOTE
The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've
chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the
machine is isolated.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action
on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can find machine pages from any of the following views:
Security operations dashboard - Select a machine name from the Machines at risk card.
Aler ts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see Create and manage machine tags.
2. In the Action center fly-out, select Package collection package available to download the zip file.
The package contains the following folders:
Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”
Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
F O L DER DESC RIP T IO N
Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetConnections.txt – Displays protocol statistics and
current TCP/IP network connections. Provides the ability to
look for suspicious connectivity made by a process.
Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.
Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services Contains a .CSV file which lists services and their states.
F O L DER DESC RIP T IO N
Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.
Users and Groups Provides a list of files that each represent a group and its
members.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
One you have selected Run antivirus scan , select the scan type that you'd like to run (quick or full) and add a
comment before confirming the scan.
The Action center will show the scan information and the machine timeline will include a new event, reflecting that a
scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced
during the scan.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are
signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling
compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time. The button on the machine page will change
to say Remove app restrictions , and then you take the same steps as restricting app execution.
Once you have selected Restrict app execution on the machine page, type a comment and select Confirm . The
Action center will show the scan information and the machine timeline will include a new event.
Notification on machine user :
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say
Release from isolation , and then you take the same steps as isolating the machine.
Once you have selected Isolate machine on the machine page, type a comment and select Confirm . The Action
center will show the scan information and the machine timeline will include a new event.
NOTE
The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've
chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the
machine is isolated.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action
on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can find machine pages from any of the following views:
Security operations dashboard - Select a machine name from the Machines at risk card.
Aler ts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see Create and manage machine tags.
2. In the Action center fly-out, select Package collection package available to download the zip file.
The package contains the following folders:
Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”
Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
F O L DER DESC RIP T IO N
Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetConnections.txt – Displays protocol statistics and
current TCP/IP network connections. Provides the ability to
look for suspicious connectivity made by a process.
Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.
Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services Contains a .CSV file which lists services and their states.
F O L DER DESC RIP T IO N
Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.
Users and Groups Provides a list of files that each represent a group and its
members.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
One you have selected Run antivirus scan , select the scan type that you'd like to run (quick or full) and add a
comment before confirming the scan.
The Action center will show the scan information and the machine timeline will include a new event, reflecting that a
scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced
during the scan.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are
signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling
compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time. The button on the machine page will change
to say Remove app restrictions , and then you take the same steps as restricting app execution.
Once you have selected Restrict app execution on the machine page, type a comment and select Confirm . The
Action center will show the scan information and the machine timeline will include a new event.
Notification on machine user :
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say
Release from isolation , and then you take the same steps as isolating the machine.
Once you have selected Isolate machine on the machine page, type a comment and select Confirm . The Action
center will show the scan information and the machine timeline will include a new event.
NOTE
The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've
chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the
machine is isolated.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action
on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can find machine pages from any of the following views:
Security operations dashboard - Select a machine name from the Machines at risk card.
Aler ts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see Create and manage machine tags.
2. In the Action center fly-out, select Package collection package available to download the zip file.
The package contains the following folders:
Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”
Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
F O L DER DESC RIP T IO N
Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetConnections.txt – Displays protocol statistics and
current TCP/IP network connections. Provides the ability to
look for suspicious connectivity made by a process.
Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.
Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services Contains a .CSV file which lists services and their states.
F O L DER DESC RIP T IO N
Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.
Users and Groups Provides a list of files that each represent a group and its
members.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
One you have selected Run antivirus scan , select the scan type that you'd like to run (quick or full) and add a
comment before confirming the scan.
The Action center will show the scan information and the machine timeline will include a new event, reflecting that a
scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced
during the scan.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are
signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling
compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time. The button on the machine page will change
to say Remove app restrictions , and then you take the same steps as restricting app execution.
Once you have selected Restrict app execution on the machine page, type a comment and select Confirm . The
Action center will show the scan information and the machine timeline will include a new event.
Notification on machine user :
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say
Release from isolation , and then you take the same steps as isolating the machine.
Once you have selected Isolate machine on the machine page, type a comment and select Confirm . The Action
center will show the scan information and the machine timeline will include a new event.
NOTE
The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've
chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the
machine is isolated.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action
on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can find machine pages from any of the following views:
Security operations dashboard - Select a machine name from the Machines at risk card.
Aler ts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see Create and manage machine tags.
2. In the Action center fly-out, select Package collection package available to download the zip file.
The package contains the following folders:
Autoruns: Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker persistence on the machine.
NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”
Installed programs: This .CSV file contains the list of installed programs, which can help identify what is currently installed on the machine. For more information, see Win32_Product class.
Network connections: This folder contains a set of data points related to connectivity information, which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.
- ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.
Scheduled tasks: Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen machine and to look for suspicious code which was set to run automatically.
Security event log: Contains the security event log, which holds records of login or logout activity, or other security-related events specified by the system's audit policy.
NOTE: Open the event log file using Event Viewer.
Services: Contains a .CSV file which lists services and their states.
Windows Server Message Block (SMB) sessions: Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession.
Temp Directories: Contains a set of text files that list the files located in %Temp% for every user in the system. This can help to track suspicious files that an attacker may have dropped on the system.
Users and Groups: Provides a list of files that each represent a group and its members.
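As an added example (not code from the Microsoft documentation or from the Defender ATP product), the following Python script does a first-pass triage of an unzipped investigation package as described above: it checks that the listed folders are present, skips Autoruns files that carry the "registry key not found" message, and groups the ESTABLISHED TCP connections in ActiveNetConnections.txt by owning process. It assumes ActiveNetConnections.txt is in netstat -ano layout and that the folder names match the labels above (both are assumptions); the sample package it builds is constructed.

```python
"""Offline triage of an unzipped Defender ATP investigation package (added example)."""
import tempfile
from pathlib import Path

# Folder names are taken from the labels in the documentation above and are an
# assumption here; the real package may name them differently.
EXPECTED_FOLDERS = [
    "Autoruns", "Installed programs", "Network connections", "Scheduled tasks",
    "Security event log", "Services", "SMB sessions", "Temp Directories",
    "Users and Groups",
]
# Message written into an Autoruns file whose ASEP key does not exist (quoted above).
ASEP_MISSING = "ERROR: The system was unable to find the specified registry key or value."


def missing_folders(root):
    """Expected folders that are absent, so the analyst knows what the capture lacks."""
    return [name for name in EXPECTED_FOLDERS if not (root / name).is_dir()]


def populated_aseps(root):
    """Autoruns files whose ASEP key existed, keyed by file name; absent keys are skipped."""
    found = {}
    for path in sorted((root / "Autoruns").glob("*.txt")):
        text = path.read_text(encoding="utf-8", errors="replace")
        if ASEP_MISSING not in text:
            found[path.name] = text.strip()
    return found


def parse_netstat(text):
    """Parse 'netstat -ano' style lines (assumed layout of ActiveNetConnections.txt).

    TCP rows carry a state column, UDP rows do not; header and blank lines are skipped.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = None
        else:
            continue
        if pid.isdigit():
            records.append({"proto": proto, "local": local, "remote": remote,
                            "state": state, "pid": int(pid)})
    return records


def established_by_pid(records):
    """Remote endpoints of ESTABLISHED TCP connections grouped by owning PID, loopback dropped."""
    by_pid = {}
    for rec in records:
        if rec["proto"] != "TCP" or rec["state"] != "ESTABLISHED":
            continue
        host = rec["remote"].rsplit(":", 1)[0]
        if host in ("127.0.0.1", "[::1]"):
            continue  # loopback traffic is not a remote connection
        by_pid.setdefault(rec["pid"], set()).add(rec["remote"])
    return {pid: sorted(endpoints) for pid, endpoints in by_pid.items()}


def triage(root):
    """Summarise a package directory for a first pass before deeper analysis."""
    root = Path(root)
    net_file = root / "Network connections" / "ActiveNetConnections.txt"
    net_text = net_file.read_text(encoding="utf-8", errors="replace") if net_file.is_file() else ""
    return {
        "missing_folders": missing_folders(root),
        "aseps": populated_aseps(root),
        "connections": established_by_pid(parse_netstat(net_text)),
    }


def build_sample_package(root):
    """Write a constructed sample package (not a real capture) into root."""
    root = Path(root)
    for name in EXPECTED_FOLDERS:
        (root / name).mkdir(parents=True, exist_ok=True)
    (root / "Autoruns" / "HKLM_Run.txt").write_text(
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
        "    Updater    REG_SZ    C:\\Users\\Public\\updater.exe\n", encoding="utf-8")
    (root / "Autoruns" / "HKLM_RunOnceEx.txt").write_text(ASEP_MISSING + "\n", encoding="utf-8")
    (root / "Network connections" / "ActiveNetConnections.txt").write_text(
        "Active Connections\n\n"
        "  Proto  Local Address          Foreign Address        State           PID\n"
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900\n"
        "  TCP    10.0.0.5:49712         203.0.113.10:443       ESTABLISHED     4312\n"
        "  TCP    10.0.0.5:49713         203.0.113.10:8080      ESTABLISHED     4312\n"
        "  TCP    127.0.0.1:49714        127.0.0.1:5357         ESTABLISHED     1200\n"
        "  UDP    0.0.0.0:500            *:*                                    1100\n",
        encoding="utf-8")
    return root


def demo():
    """Build the constructed package in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_package(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point triage() at a real unzipped package directory to get the same summary; anything it reports as missing or unexpected is a cue to open the raw files.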
Run antivirus scan
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
Once you have selected Run antivirus scan, select the scan type that you'd like to run (quick or full) and add a
comment before confirming the scan.
The Action center will show the scan information and the machine timeline will include a new event, reflecting that a
scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced
during the scan.
Restrict app execution
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are
signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling
compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time. The button on the machine page will change
to say Remove app restrictions, and then you take the same steps as restricting app execution.
Once you have selected Restrict app execution on the machine page, type a comment and select Confirm. The
Action center will show the action information and the machine timeline will include a new event.
Notification on machine user:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:
Isolate machine
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a. 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say
Release from isolation, and then you take the same steps as isolating the machine.
Once you have selected Isolate machine on the machine page, type a comment and select Confirm. The Action
center will show the action information and the machine timeline will include a new event.
NOTE
The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've
chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the
machine is isolated.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new
and old page layouts by toggling new File page. The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep
analysis and read past reports by selecting the Deep analysis tab. It's located below the file information cards.
Some actions require certain permissions. The following table describes what action certain permissions can take
on portable executable (PE) and non-PE files:
Permission             PE files   Non-PE files
View data              X          X
Alerts investigation   ☑          X
For more information on roles, see Create and manage roles for role-based access control.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that are widely used throughout an organization, a warning is shown before an action is implemented, to
validate that the operation is intended.
NOTE
In some scenarios, the ThreatName may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days.
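As an added example, not code from the Microsoft documentation, covering both the machine isolation passage above and the Stop and Quarantine File action: a small planner that enforces the version requirements and the 1000-machine limit stated here before it builds a request body. The REST endpoint paths and field names it emits (machine isolate/unisolate, StopAndQuarantineFile, indicators) are assumptions, since this page describes only the portal; nothing here makes a network call.

```python
"""Plan Microsoft Defender ATP response actions before they are submitted.

Added example (not code from the Microsoft documentation). It encodes the
constraints the text states and builds request bodies in the shape of the
Defender ATP machine-action REST API, which this page does not describe;
the endpoint paths and field names are therefore an assumption here.
No network call is made.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constraints as stated on the page.
MIN_VERSION_FULL_ISOLATION = 1703        # full isolation: Windows 10, version 1703
MIN_VERSION_SELECTIVE_ISOLATION = 1709   # selective isolation: 1709 or later
MIN_VERSION_STOP_AND_QUARANTINE = 1703   # stop and quarantine: 1703 or later
STOP_AND_QUARANTINE_MAX_MACHINES = 1000  # beyond this, use a file indicator

_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")


@dataclass(frozen=True)
class Machine:
    machine_id: str
    win10_version: int  # e.g. 1703, 1709, 1809


@dataclass
class Request:
    method: str
    path: str
    body: dict


def _require_comment(comment: str) -> None:
    # The portal asks for a comment on every response action; keep that audit trail.
    if not comment.strip():
        raise ValueError("a comment is required for every response action")


def isolate(machine: Machine, level: str, comment: str) -> Request:
    """Build an isolation request, refusing a level the OS build cannot honour."""
    _require_comment(comment)
    if level == "Full":
        minimum = MIN_VERSION_FULL_ISOLATION
    elif level == "Selective":
        minimum = MIN_VERSION_SELECTIVE_ISOLATION
    else:
        raise ValueError(f"unknown isolation level {level!r}")
    if machine.win10_version < minimum:
        raise ValueError(
            f"{level} isolation needs Windows 10 version {minimum} or later; "
            f"{machine.machine_id} runs {machine.win10_version}"
        )
    # Assumed API shape: POST /api/machines/{id}/isolate {"Comment", "IsolationType"}
    return Request("POST", f"/api/machines/{machine.machine_id}/isolate",
                   {"Comment": comment, "IsolationType": level})


def release_from_isolation(machine: Machine, comment: str) -> Request:
    """The reverse action; the page says the same steps apply with the button relabelled."""
    _require_comment(comment)
    # Assumed API shape: POST /api/machines/{id}/unisolate {"Comment"}
    return Request("POST", f"/api/machines/{machine.machine_id}/unisolate",
                   {"Comment": comment})


def block_indicator(sha1: str, title: str, description: str, expiration: str) -> Request:
    """Custom block indicator for a PE file hash (assumed shape of POST /api/indicators)."""
    if not _SHA1.match(sha1):
        raise ValueError("indicator value must be a 40-hex-digit SHA-1")
    return Request("POST", "/api/indicators", {
        "indicatorValue": sha1.lower(),
        "indicatorType": "FileSha1",
        "action": "AlertAndBlock",
        "title": title,
        "description": description,
        "expirationTime": expiration,
    })


def plan_stop_and_quarantine(sha1: str, machines: list[Machine], comment: str,
                             indicator_expiration: str) -> list[Request]:
    """Stop and quarantine a file on eligible machines, or fall back to an indicator.

    Machines below version 1703 are skipped because the action does not apply to
    them. If more than 1000 eligible machines remain, the page directs you to a
    file indicator instead, so one indicator request replaces the per-machine actions.
    """
    if not _SHA1.match(sha1):
        raise ValueError("file must be identified by its SHA-1")
    _require_comment(comment)
    eligible = [m for m in machines if m.win10_version >= MIN_VERSION_STOP_AND_QUARANTINE]
    if len(eligible) > STOP_AND_QUARANTINE_MAX_MACHINES:
        return [block_indicator(sha1, "Stop and quarantine fallback", comment,
                                indicator_expiration)]
    # Assumed API shape: POST /api/machines/{id}/StopAndQuarantineFile {"Comment", "Sha1"}
    return [Request("POST", f"/api/machines/{m.machine_id}/StopAndQuarantineFile",
                    {"Comment": comment, "Sha1": sha1.lower()}) for m in eligible]
```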
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled.
For more information, see Manage cloud-based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
An allow or block action cannot be applied to a file whose classification is already present in the device's cache
before the allow or block action is taken.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect file
button in the same location. If a file has not been seen in the organization in the past 30 days, Collect file will be
disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and wait for the Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in a secure environment and creates a detailed
report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs,
and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop-down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit.
NOTE
Only PE files are supported, including .exe and .dll files.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can
resubmit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
3/25/2020 • 11 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new
and old page layouts by toggling new File page . The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep
analysis and read past reports by selecting the Deep analysis tab. It's located below the file information cards.
Some actions require certain permissions. The following table describes what action certain permissions can take
on portable executable (PE) and non-PE files:
P ERM ISSIO N P E F IL ES N O N - P E F IL ES
View data X X
Alerts investigation ☑ X
For more information on roles, see Create and manage roles for role-based access control.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that widely used throughout an organization, a warning is shown before an action is implemented, to
validate that the operation is intended.
NOTE
In some scenarios, the ThreatName may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.
For more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the
allow or block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect file
button in the same location. If a file has not been seen in the organization in the past 30 days, Collect file will be
disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed
report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs,
and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit .
Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
3/25/2020 • 11 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new
and old page layouts by toggling new File page . The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep
analysis and read past reports by selecting the Deep analysis tab. It's located below the file information cards.
Some actions require certain permissions. The following table describes what action certain permissions can take
on portable executable (PE) and non-PE files:
P ERM ISSIO N P E F IL ES N O N - P E F IL ES
View data X X
Alerts investigation ☑ X
For more information on roles, see Create and manage roles for role-based access control.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that widely used throughout an organization, a warning is shown before an action is implemented, to
validate that the operation is intended.
NOTE
In some scenarios, the ThreatName may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.
For more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the
allow or block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect file
button in the same location. If a file has not been seen in the organization in the past 30 days, Collect file will be
disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed
report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs,
and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit .
Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
3/25/2020 • 11 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new
and old page layouts by toggling new File page . The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep
analysis and read past reports by selecting the Deep analysis tab. It's located below the file information cards.
Some actions require certain permissions. The following table describes what action certain permissions can take
on portable executable (PE) and non-PE files:
P ERM ISSIO N P E F IL ES N O N - P E F IL ES
View data X X
Alerts investigation ☑ X
For more information on roles, see Create and manage roles for role-based access control.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that widely used throughout an organization, a warning is shown before an action is implemented, to
validate that the operation is intended.
NOTE
In some scenarios, the ThreatName may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.
For more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the
allow or block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect file
button in the same location. If a file has not been seen in the organization in the past 30 days, Collect file will be
disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed
report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs,
and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit .
Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
3/25/2020 • 11 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new
and old page layouts by toggling new File page . The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep
analysis and read past reports by selecting the Deep analysis tab. It's located below the file information cards.
Some actions require certain permissions. The following table shows which actions each permission allows on
portable executable (PE) and non-PE files:
Permission             PE files   Non-PE files
View data              X          X
Alerts investigation   ☑          X
For more information on roles, see Create and manage roles for role-based access control.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that are widely used throughout an organization, a warning is shown before an action is implemented, to
validate that the operation is intended.
NOTE
In some scenarios, the ThreatName may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled.
For more information, see Manage cloud-based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
An allow or block action cannot be applied to a file whose classification already exists in the device's cache before
the allow or block action is taken.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect file
button in the same location. If a file has not been seen in the organization in the past 30 days, Collect file will be
disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
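The matching of deep analysis results against threat intelligence, as an added example that is not Microsoft Defender ATP code: it triages a constructed summary (observed behaviors, contacted IPs, files created on disk) against a constructed indicator set and raises alerts; the report layout, the indicator values and the suspicious-behavior names are all assumptions made for illustration.

```python
"""Triage a deep-analysis style summary against threat intelligence.

Added example, not Microsoft Defender ATP code. The report layout, the indicator
values (documentation address space, dummy hashes) and the behavior names are
all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed threat-intelligence indicators (not real IoCs).
THREAT_INTEL = {
    "ip": {"203.0.113.7"},
    "sha256": {"b" * 64},
}

# Constructed list of behaviors that warrant an alert even without a TI match.
SUSPICIOUS_BEHAVIORS = {"registry-run-key-modified", "process-injection"}

# Address ranges a sandbox report may list that are never matchable against TI
# (RFC 1918, loopback, link-local); documentation ranges are left routable here.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass
class Alert:
    category: str    # "ti-match" or "behavior"
    observable: str  # the value that fired
    detail: str


@dataclass
class TriageResult:
    alerts: List[Alert] = field(default_factory=list)

    def summary(self) -> str:
        # As on the page: an empty result gets a brief message rather than nothing.
        return f"{len(self.alerts)} alert(s)" if self.alerts else "Nothing found"


def is_routable(value: str) -> bool:
    """True for a syntactically valid address outside the non-routable ranges."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def triage_report(report: Dict) -> TriageResult:
    """Walk the three summary sections and collect alerts in section order."""
    result = TriageResult()

    # Contacted IPs: only routable addresses are compared with the IP indicators.
    for ip in report.get("contacted_ips", []):
        if is_routable(ip) and ip in THREAT_INTEL["ip"]:
            result.alerts.append(
                Alert("ti-match", ip, "contacted IP is a known indicator"))

    # Files created on disk: compare SHA-256 digests case-insensitively.
    for dropped in report.get("files_created", []):
        digest = dropped.get("sha256", "").lower()
        if digest in THREAT_INTEL["sha256"]:
            result.alerts.append(
                Alert("ti-match", dropped.get("path", "?"),
                      "dropped file hash is a known indicator"))

    # Observed behaviors: some indicate malicious activity on their own.
    for behavior in report.get("behaviors", []):
        if behavior in SUSPICIOUS_BEHAVIORS:
            result.alerts.append(
                Alert("behavior", behavior, "suspicious behavior observed"))

    return result


# Constructed sample summary in the shape the page describes.
SAMPLE_REPORT = {
    "behaviors": ["file-write", "registry-run-key-modified"],
    "contacted_ips": ["10.0.0.5", "203.0.113.7"],
    "files_created": [
        {"path": "C:\\Users\\Public\\update.dll", "sha256": "B" * 64},
        {"path": "C:\\Windows\\Temp\\log.txt", "sha256": "c" * 64},
    ],
}

if __name__ == "__main__":
    outcome = triage_report(SAMPLE_REPORT)
    print(outcome.summary())
    for alert in outcome.alerts:
        print(f"[{alert.category}] {alert.observable}: {alert.detail}")
```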
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and wait for the Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in a secure environment and creates a detailed
report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs,
and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization section
Search box - select File from the drop-down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit.
Note: Only PE files are supported, including .exe and .dll files.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can
resubmit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed
report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs,
and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit .
Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
3/25/2020 • 11 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new
and old page layouts by toggling new File page . The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep
analysis and read past reports by selecting the Deep analysis tab. It's located below the file information cards.
Some actions require certain permissions. The following table describes what action certain permissions can take
on portable executable (PE) and non-PE files:
P ERM ISSIO N P E F IL ES N O N - P E F IL ES
View data X X
Alerts investigation ☑ X
For more information on roles, see Create and manage roles for role-based access control.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that widely used throughout an organization, a warning is shown before an action is implemented, to
validate that the operation is intended.
NOTE
In some scenarios, the ThreatName may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.
For more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the
allow or block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect file
button in the same location. If a file has not been seen in the organization in the past 30 days, Collect file will be
disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed
report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs,
and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit .
Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
3/25/2020 • 11 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on
files, you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the
new and old page layouts by toggling new File page. The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is
complete, you'll get a detailed report that provides information about the behavior of the file. You can submit
files for deep analysis and read past reports by selecting the Deep analysis tab. It's located below the file
information cards.
Some actions require certain permissions. The following table describes what action certain permissions can
take on portable executable (PE) and non-PE files:
PERMISSION            PE FILES   NON-PE FILES
View data             X          X
Alerts investigation  ☑          X
For more information on roles, see Create and manage roles for role-based access control.
IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file is not from a trusted third-party publisher and is not signed by Microsoft
Windows Defender Antivirus must be running in at least Passive mode. For more information, see Windows Defender
Antivirus compatibility.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the
last 30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that are widely used throughout an organization, a warning is shown before the action is carried out, to
confirm that the operation is intended.
NOTE
In some scenarios, the ThreatName may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is
enabled. For more information, see Manage cloud-based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from
the web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be
extended over time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block action cannot be applied to a file whose classification was already present in the device's cache
before the allow or block action was taken.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect
file button in the same location. If a file has not been seen in the organization in the past 30 days, Collect file
will be disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files
that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To
enrich the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis
results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry
modifications, and communication with IPs. Deep analysis currently supports extensive analysis of portable
executable (PE) files (including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will
update to display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate
alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or
for any other reason where you suspect malicious behavior. This feature is available within the Deep analysis
tab, on the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed
on a Windows 10 machine, and wait for the Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines,
communication to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in
organization section
Search box - select File from the drop-down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit.
NOTE
Only PE files are supported, including .exe and .dll files.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view
the report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can
resubmit files for deep analysis to get fresh data on the file.
View deep analysis reports
View the deep analysis report that Microsoft Defender ATP provides to see the details of the deep analysis that
was conducted on the file you submitted. This feature is available in the file view context.
You can view the comprehensive report that provides details on the following sections:
Behaviors
Observables
The details provided can help you investigate if there are indications of a potential attack.
1. Select the file you submitted for deep analysis.
2. Select the Deep analysis tab. If there are any previous reports, the report summary will appear in this
tab.
5. Change the organizational unit through Group Policy. For more information, see Configure with
Group Policy.
6. If these steps do not resolve the issue, contact winatp@microsoft.com.
Related topics
Take response actions on a machine
Investigate files
Review and approve actions following an automated investigation
2/21/2020 • 2 minutes to read • Edit Online
Remediation actions
When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can
be Malicious, Suspicious, or Clean. Depending on the type of threat and resulting verdict, remediation actions occur
automatically or upon approval by your organization’s security operations team. For example, some actions, such
as removing malware, are taken automatically. Other actions require review and approval to proceed.
When a verdict of Malicious is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection
takes one of the following remediation actions automatically:
Quarantine file
Remove registry key
Kill process
Stop service
Disable driver
Remove scheduled task
Evidence determined as Suspicious results in pending actions that require approval. As a best practice, make sure
to approve (or reject) pending actions as soon as possible. This helps your automated investigations complete in a
timely manner.
No actions are taken when evidence is determined to be Clean.
In Microsoft Defender Advanced Threat Protection, all verdicts are tracked and viewable in the Microsoft Defender
Security Center.
Related articles
Automated investigation and response in Office 365 Advanced Threat Protection
Automated investigation and response in Microsoft Threat Protection
View details and results of automated investigations
2/21/2020 • 6 minutes to read • Edit Online
Pending and completed remediation actions are listed in the Action center
(https://securitycenter.windows.com/action-center) and the Investigations page
(https://securitycenter.windows.com/investigations).
NOTE
If your organization has implemented role-based access to manage portal access, only authorized users or user groups who
have permission to view the machine or machine group will be able to view the entire investigation.
The action center consists of two main tabs, as described in the following table.
TAB DESCRIPTION
Use the Customize columns menu to select columns that you'd like to show or hide.
You can also download the entire list in CSV format using the Export feature, specify the number of items to show
per page, and navigate between pages.
Detection source: The source of the alert that initiated the automated investigation.
Tags: Filter using manually added tags that capture the context of an automated investigation.
Waiting for machine: Investigation paused. The investigation will resume as soon as the machine is available.
Partially investigated: Entities directly related to the alert have been investigated. However, a problem stopped the
investigation of collateral entities.
In the example image, the automated investigation started at 10:26:59 AM and ended at 10:56:26 AM, so the entire
investigation ran for 29 minutes and 27 seconds.
The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for
example, the device might have disconnected from the network) or pending for approval.
From this view, you can also view and add comments and tags about the investigation.
Alerts
The Alerts tab for an automated investigation shows details such as a short description of the alert that initiated
the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status,
investigation state, and who the investigation is assigned to.
Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is
ongoing.
Selecting an alert using the check box brings up the alert details pane, where you can open the alert page, manage
the alert by changing its status, and see alert details, automated investigation details, the related machine,
logged-on users, and comments and history.
Clicking on an alert title brings you to the alert page.
Machines
The Machines tab shows details such as the machine name, IP address, group, users, operating system, remediation
level, investigation count, and when it was last investigated.
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If
10 or more machines are found during this expansion process from the same entity, then that expansion action will
require an approval and will be seen in the Pending actions view.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information
such as machine details and logged-on users.
Clicking on a machine name brings you to the machine page.
Evidence
The Evidence tab shows details related to threats associated with this investigation.
Entities
The Entities tab shows details about entities such as files, processes, services, drives, and IP addresses. The table
shows details such as the number of entities that were analyzed. You'll gain insight into details such as how many are
remediated, suspicious, or determined to be clean.
Log
The Log tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the
action type, action, status, machine name, description of the action, comments entered by analysts who may have
worked on the investigation, execution start time, duration, and pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
You can also click on an action to bring up the details pane where you'll see information such as the summary of
the action and input data.
Pending actions
If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image.
When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page
from the navigation pane by going to Automated investigation > Action center.
Next steps
View and approve remediation actions
Investigate entities on devices using live response
4/6/2020 • 8 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Live response is a capability that gives your security operations team instantaneous access to a device (also
referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative
work and take immediate response actions to promptly contain identified threats, in real time.
Live response is designed to enhance investigations by enabling your security operations team to collect
forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for
emerging threats.
NOTE
Only users with manage security or global admin roles can edit these settings.
Running unsigned scripts is not recommended, as it can increase your exposure to threats. If you must
use them, however, you'll need to enable the setting in the Advanced features settings page.
Ensure that you have the appropriate permissions
Only users who have been provisioned with the appropriate permissions can initiate a session. For more
information on role assignments, see Create and manage roles.
IMPORTANT
The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The
button is greyed out for users with only delegated permissions.
Depending on the role that's been granted to you, you can run basic or advanced live response
commands. User permissions are controlled by RBAC custom roles.
Advanced commands
The following commands are available for user roles that are granted the ability to run advanced live response
commands. For more information on role assignments, see Create and manage roles.
library: Lists files that were uploaded to the live response library.
putfile: Puts a file from the library onto the device. Files are saved in a working folder and are deleted when the
device restarts by default.
NOTE
There is a file size limit of 750 MB.
COMMAND WHAT IT DOES
WARNING
Using this shortcut will not stop the command on the agent side. It will only cancel the command in the portal, so
operations that change state, such as "remediate", may continue while the command shows as canceled.
When applying parameters to commands, note that parameters are handled based on a fixed order:
<command name> param1 param2
When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen
before providing the value:
<command name> -param2_name param2
When using commands that have prerequisite commands, you can use flags:
<command name> -type file -id <file path> -auto, or remediate file <file path> -auto.
NOTE
Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON
output command so that more details are shown.
Related article
Live response command examples
Live response command examples
7/11/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Learn about common commands used in live response and see examples on how they are typically used.
Depending on the role that's been granted to you, you can run basic or advanced live response commands. For
more information on basic and advanced commands, see Investigate entities on machines using live response.
analyze
# Analyze the file malware.txt
analyze file c:\Users\user\Desktop\malware.txt
connections
# List active connections in json format using parameter name
connections -output json
dir
# List files and sub-folders in the current folder
dir
fileinfo
# Display information about a file
fileinfo C:\Windows\notepad.exe
findfile
# Find file by name
findfile test.txt
getfile
# Download a file from a machine
getfile c:\Users\user\Desktop\work.txt
NOTE
The following file types cannot be downloaded using this command from within Live Response:
Reparse point files
Sparse files
Empty files
Virtual files, or files that are not fully present locally
These file types are supported by PowerShell.
Use PowerShell as an alternative, if you have problems using this command from within Live Response.
processes
# Show all processes
processes
putfile
# Upload file from library
putfile get-process-by-name.ps1
# Upload file from library, overwrite file if it exists
putfile get-process-by-name.ps1 -overwrite
registry
# Show information about the values in a registry key
registry HKEY_CURRENT_USER\Console
remediate
# Remediate file in specific path
remediate file c:\Users\user\Desktop\malware.exe
run
# Run PowerShell script from the library without arguments
run script.ps1
scheduledtasks
# Get all scheduled tasks
scheduledtasks
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
Shadow protection is currently in limited private preview.
To get the best protection, deploy Microsoft Defender ATP baselines. And see Better together: Windows Defender
Antivirus and Microsoft Defender Advanced Threat Protection.
NOTE
Shadow protection can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or
group policies to turn shadow protection on or off.
Windows Defender Antivirus antimalware client: To make sure your client is up to date, using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMProductVersion line, you should see 4.18.2001.10 or above.
Windows Defender Antivirus engine: To make sure your engine is up to date, using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMEngineVersion line, you should see 1.1.16700.2 or above.
IMPORTANT
To get the best protection value, make sure Windows Defender Antivirus is configured to receive regular updates and other essential features, such as behavioral monitoring, IOfficeAV, tamper protection, and more. See Protect security settings with tamper protection.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to be able to prioritize investigations where sensitive files may be in jeopardy, so that corporate data and information are protected.
Microsoft Defender ATP helps to make the prioritization of security incidents much simpler with the use of
sensitivity labels. Sensitivity labels quickly identify incidents that may involve machines with sensitive information
such as confidential information.
NOTE
Labels are detected for Windows 10, version 1809 or later.
4. Select the Machines tab to identify machines storing files with sensitivity labels.
5. Select the machines that store sensitive data and search through the timeline to identify which files may be impacted, then take appropriate action to ensure that data is protected.
You can narrow down the events shown on the machine timeline by searching for data sensitivity labels.
Doing this will show only events associated with files that have said label name.
TIP
These data points are also exposed through the DeviceFileEvents table in advanced hunting, allowing advanced queries and scheduled detections to take sensitivity labels and file protection status into account.
Create custom reports using Power BI
1/7/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Want to experience Microsoft Defender ATP? Sign up for a free trial.
In this section you will learn how to create a Power BI report on top of Microsoft Defender ATP APIs.
The first example demonstrates how to connect Power BI to the Advanced Hunting API and the second example demonstrates a connection to our OData APIs (e.g. Machine Actions, Alerts, etc.).
HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries",
TypeMap = #table(
{ "Type", "PowerBiType" },
{
{ "Double", Double.Type },
{ "Int64", Int64.Type },
{ "Int32", Int32.Type },
{ "Int16", Int16.Type },
{ "UInt64", Number.Type },
{ "UInt32", Number.Type },
{ "UInt16", Number.Type },
{ "Byte", Byte.Type },
{ "Single", Single.Type },
{ "Decimal", Decimal.Type },
{ "TimeSpan", Duration.Type },
{ "DateTime", DateTimeZone.Type },
{ "String", Text.Type },
{ "Boolean", Logical.Type },
{ "SByte", Logical.Type },
{ "Guid", Text.Type }
}),
Schema = Table.FromRecords(Response[Schema]),
TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
Results = Response[Results],
Rows = Table.FromRecords(Results, Schema[Name]),
Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
in Table
Click Done
Click Edit Credentials
Now the results of your query will appear as a table and you can start building visualizations on top of it!
You can duplicate this table, rename it and edit the Advanced Hunting query inside to get any data you would
like.
let
Query = "MachineActions",
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
WARNING
This connector is being deprecated; learn how to create Power BI reports using Microsoft Defender ATP APIs.
Understand the security status of your organization, including the status of machines, alerts, and investigations
using the Microsoft Defender ATP reporting feature that integrates with Power BI.
Microsoft Defender ATP supports the use of Power BI data connectors to enable you to connect and access
Microsoft Defender ATP data using Microsoft Graph.
Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine
data to build reports and dashboards that meet the needs of your organization.
You can easily get started by:
Creating a dashboard on the Power BI service
Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting
requirements of your organization
You can access these options from Microsoft Defender Security Center. Both the Power BI service and Power BI
Desktop are supported.
NOTE
Loading your data in the Power BI service can take a few minutes.
4. Click Sign in . If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in
and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft
Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
5. Click Accept . Power BI service will start downloading your Microsoft Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.
When importing data is completed and the dataset is ready, you'll see the following notification:
8. Click Accept . Power BI service will start downloading your Microsoft Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.
When importing data is completed and the dataset is ready, you'll see the following notification:
3. Click Download connector to download the WDATPPowerBI.zip file and extract it.
4. Create a new directory [Documents]\Power BI Desktop\Custom Connectors.
5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
6. Open Power BI Desktop.
7. Click File > Options and settings > Custom data connectors.
8. Select New table and matrix visuals and Custom data connectors and click OK.
NOTE
If you plan on using Custom Connectors or connectors that you or a third party has developed, you must select (Not Recommended) Allow any extension to load without warning under Power BI Desktop > File > Options and settings > Options > Security > Data Extensions.
NOTE
If you are using Power BI Desktop July 2017 version (or later), you won't need to select New table and matrix visuals. You'll only need to select Custom data connectors.
9. Restart Power BI Desktop.
5. Click Accept . Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft
Graph. When all data has been downloaded, you can proceed to customize your reports.
6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your
reports and click Load. Data will start to be downloaded from the Microsoft Graph.
7. Load other data sources by clicking Get data item in the Home ribbon, and select another data source.
8. Add visuals and select fields from the available data sources.
Related topic
Create custom Power BI reports
Threat protection report in Microsoft Defender ATP
11/26/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The threat protection report provides high-level information about alerts generated in your organization. The
report includes trending information showing the detection sources, categories, severities, statuses, classifications,
and determinations of alerts across time.
The dashboard is structured into two sections:
1. Alert trends
2. Alert summary
Alert trends
By default, the alert trends display alert information from the 30-day period ending in the latest full day. To gain
better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the
time period shown. To adjust the time period, select a time range from the drop-down options:
30 days
3 months
6 months
Custom
NOTE
These filters are only applied to the alert trends section. They don't affect the alert summary section.
Alert summary
While the alert trends shows trending alert information, the alert summary shows alert information scoped to the
current day.
The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it.
For example, clicking on the EDR bar in the Detection sources card will bring you to the alerts queue with results showing only alerts generated from EDR detections.
NOTE
The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is
November 5, 2019, the data on the summary section will reflect numbers starting from May 5, 2019 to November 5, 2019.
The filter applied on the trends section is not applied on the summary section.
Alert attributes
The report is made up of cards that display the following alert attributes:
Detection sources : shows information about the sensors and detection technologies that provide the data
used by Microsoft Defender ATP to trigger alerts.
Threat categories : shows the types of threat or attack activity that triggered alerts, indicating possible
focus areas for your security operations.
Severity : shows the severity level of alerts, indicating the collective potential impact of threats to your
organization and the level of response needed to address them.
Status : shows the resolution status of alerts, indicating the efficiency of your manual alert responses and of
automated remediation (if enabled).
Classification & determination : shows how you have classified alerts upon resolution, whether you have
classified them as actual threats (true alerts) or as incorrect detections (false alerts). These cards also show
the determination of resolved alerts, providing additional insight like the types of actual threats found or the
legitimate activities that were incorrectly detected.
Filter data
Use the provided filters to include or exclude alerts with certain attributes.
NOTE
These filters apply to all the cards in the report.
Related topic
Machine health and compliance report
Machine health and compliance report in Microsoft Defender ATP
11/26/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The machines status report provides high-level information about the devices in your organization. The report
includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10
versions.
The dashboard is structured into two sections:
1. Machine trends
2. Machine summary
Machine trends
By default, the machine trends display machine information from the 30-day period ending in the latest full day.
To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by
adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
30 days
3 months
6 months
Custom
NOTE
These filters are only applied to the machine trends section. They don't affect the machine summary section.
Machine summary
While the machine trends show trending machine information, the machine summary shows machine information scoped to the current day.
NOTE
The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is
March 27, 2019, the data on the summary section will reflect numbers starting from September 28, 2018 to March 27,
2019.
The filter applied on the trends section is not applied on the summary section.
The machine trends section allows you to drill down to the machines list with the corresponding filter applied to it. For example, clicking on the Inactive bar in the Sensor health state card will bring you to the machines list with results showing only machines whose sensor status is inactive.
Machine attributes
The report is made up of cards that display the following machine attributes:
Health state : shows information about the sensor state on devices, providing an aggregated view of
devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen.
Antivirus status for active Windows 10 machines : shows the number of machines and status of
Windows Defender Antivirus.
OS platforms : shows the distribution of OS platforms that exist within your organization.
Windows 10 versions : shows the distribution of Windows 10 machines and their versions in your
organization.
Filter data
Use the provided filters to include or exclude machines with certain attributes.
You can select multiple filters to apply from the machine attributes.
NOTE
These filters apply to all the cards in the report.
For example, to show data about Windows 10 machines with Active sensor health state:
1. Under Filters, select Sensor health state > Active.
2. Then select OS platforms > Windows 10.
3. Select Apply.
Related topic
Threat protection report
Custom detections overview
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
With custom detections, you can proactively monitor for and respond to various events and system states,
including suspected breach activity and misconfigured machines. This is made possible by customizable detection
rules that automatically trigger alerts as well as response actions.
Custom detections work with Advanced hunting, which provides a powerful, flexible query language that covers a
broad set of event and system information from your network. You can set them to run at regular intervals,
generating alerts and taking response actions whenever there are matches.
Custom detections provide:
Alerts for rule-based detections built from advanced hunting queries
Automatic response actions that apply to files and machines
NOTE
To create and manage custom detections, your role needs to have the manage security settings permission.
Related topic
Create and manage custom detection rules
Advanced hunting overview
Create and manage custom detection rules
3/24/2020 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Custom detection rules built from Advanced hunting queries let you proactively monitor various events and
system states, including suspected breach activity and misconfigured machines. You can set them to run at regular
intervals, generating alerts and taking response actions whenever there are matches.
NOTE
To create and manage custom detections, your role needs to have the manage security settings permission.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| where count_ > 5
TIP
To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
Related topic
Custom detections overview
Advanced hunting overview
Learn the advanced hunting query language
View and organize alerts
Overview of automated investigations
2/21/2020 • 4 minutes to read
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on
multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts
generated can be challenging for a typical security operations team to individually address. To address this
challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly
reduce the volume of alerts that must be investigated individually.
The automated investigation feature leverages various inspection algorithms, and processes used by analysts
(such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This
significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats
and other high value initiatives. The Automated investigations list shows all the investigations that were
initiated automatically, and includes details, such as status, detection source, and when the investigation was
initiated.
TIP
Want to experience Microsoft Defender ATP? Sign up for a free trial.
NOTE
Currently, automated investigation only supports the following OS versions:
Windows Server 2019
Windows 10, version 1709 (OS Build 16299.1085 with KB4493441) or later
Windows 10, version 1803 (OS Build 17134.704 with KB4493464) or later
Later versions of Windows 10
TAB   DESCRIPTION
IMPORTANT
Go to the Action center to get an aggregated view all pending actions and manage remediation actions. The Action
center also acts as an audit trail for all automated investigation actions.
Semi - require approval for any remediation: This is the default automation level.
Semi - require approval for non-temp folders remediation: An approval is required on files or executables that are not in temporary folders.
Semi - require approval for core folders remediation: An approval is required on files or executables that are in the operating system directories, such as the Windows folder and the Program Files folder.
Full - remediate threats automatically: All remediation actions will be performed automatically.
TIP
For more information on how to configure these automation levels, see Create and manage machine groups.
The default machine group is configured for semi-automatic remediation. This means that any malicious entity
that calls for remediation requires an approval and the investigation is added to the Pending actions section.
This can be changed to fully automatic so that no user approval is needed.
When a pending action is approved, the entity is then remediated and this new state is reflected in the Entities
tab of the investigation.
Next step
Learn about the automated investigations dashboard
Related articles
Automated investigation and response in Office 365 Advanced Threat Protection
Automated investigation and response in Microsoft Threat Protection
Proactively hunt for threats with advanced hunting
3/24/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You
can proactively inspect events in your network to locate interesting indicators and entities. The flexible
access to data facilitates unconstrained hunting for both known and potential threats.
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically
to check for and respond to various events and system states, including suspected breach activity and
misconfigured machines.
You can also go through each of the following steps to ramp up your advanced hunting knowledge.
Get a feel for the language: Advanced hunting is based on the Kusto query language, supporting the same syntax and operators. Start learning the query language by running your first query. (See: Query language overview)
Learn how to use the query results: Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. (See: Work with query results)
Learn about custom detections: Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. (See: Custom detections overview; Custom detection rules)
Related topics
Learn the query language
Work with query results
Use shared queries
Understand the schema
Apply query best practices
Custom detections overview
Learn the advanced hunting query language
3/26/2020 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Advanced hunting is based on the Kusto query language. You can use Kusto syntax and operators to construct
queries that locate information in the schema specifically structured for advanced hunting. To understand these
concepts better, run your first query.
The query itself will typically start with a table name followed by a series of elements started by a pipe ( | ). In
this example, we start by creating a union of two tables, DeviceProcessEvents and DeviceNetworkEvents , and
add piped elements as needed.
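As an added illustration of that structure (this is not the page's own query), the example below unions DeviceProcessEvents and DeviceNetworkEvents and then narrows the result with piped operators; the column names are the standard ones in those two tables, and the process names and command-line keywords are constructed sample indicators for a PowerShell download hunt.

```kql
// Added example, not from the original page: a union of two tables
// followed by piped operators, as described above.
union DeviceProcessEvents, DeviceNetworkEvents
// Limit the time range first so every later operator scans less data.
| where Timestamp > ago(7d)
// Both tables expose the initiating process, so this filter applies to either.
| where InitiatingProcessFileName in~ ("powershell.exe", "powershell_ise.exe")
// Constructed sample keywords for download activity; tune to your environment.
| where InitiatingProcessCommandLine has_any ("WebClient", "DownloadFile", "DownloadString", "Invoke-WebRequest")
// Keep only the columns needed for triage. FileName and ProcessCommandLine come
// from the process table, RemoteIP and RemoteUrl from the network table; the
// columns a row does not have are empty in the union.
| project Timestamp, DeviceName, ActionType, InitiatingProcessAccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, RemoteIP, RemoteUrl
// Newest events first, capped so the result set stays reviewable.
| top 100 by Timestamp desc
```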
Click Run query to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results.
TIP
You can view query results as charts and quickly adjust filters. For guidance, read about working with query results.
To see a live example of these operators, run them from the Get started section of the advanced hunting page.
Related topics
Advanced hunting overview
Work with query results
Understand the schema
Apply query best practices
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
While you can construct your advanced hunting queries to return very precise information, you can also work
with the query results to gain further insight and investigate specific activities and indicators. You can take the
following actions on your query results:
View results as a table or chart
Export tables and charts
Drill down to detailed entity information
Tweak your queries directly from the results or apply filters
Column chart: Renders a series of unique items on the x-axis as vertical bars whose heights represent numeric values from another field.
Stacked column chart: Renders a series of unique items on the x-axis as stacked vertical bars whose heights represent numeric values from one or more other fields.
Pie chart: Renders sectional pies representing unique items. The size of each pie represents numeric values from another field.
Donut chart: Renders sectional arcs representing unique items. The length of each arc represents numeric values from another field.
Line chart: Plots numeric values for a series of unique items and connects the plotted values.
Area chart: Plots numeric values for a series of unique items and fills the sections below the plotted values.
DeviceAlertEvents
| summarize Total = count() by Severity
When rendering the results, a column chart displays each severity value as a separate column:
DeviceAlertEvents
| join DeviceInfo on DeviceId
| summarize Count = count() by OSPlatform, Severity
DeviceAlertEvents
| join DeviceInfo on DeviceId
| summarize Count = count() by MachineGroup
| top 10 by Count
Use the pie chart view to effectively show distribution across the top groups:
The line chart below clearly highlights time periods with more detections of the test malware:
Line chart showing the number of detections of a test malware over time
Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
Related topics
Advanced hunting overview
Learn the query language
Use shared queries
Understand the schema
Apply query best practices
Custom detections overview
Use shared queries in advanced hunting
3/26/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Advanced hunting queries can be shared among users in the same organization. You can also find queries shared
publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write
queries from scratch.
2. Select Delete and confirm deletion. Or select Rename and provide a new name for the query.
Related topics
Advanced hunting overview
Learn the query language
Understand the advanced hunting schema
3/24/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
The advanced hunting schema is made up of multiple tables that provide either event information or
information about machines and other entities. To effectively build queries that span multiple tables, you need
to understand the tables and the columns in the advanced hunting schema.
Schema tables
The following reference lists all the tables in the advanced hunting schema. Each table name links to a page
describing the column names for that table.
Table and column names are also listed within the Microsoft Defender Security Center, in the schema
representation on the advanced hunting screen.
TABLE NAME   DESCRIPTION
Related topics
Advanced hunting overview
Work with query results
Learn the query language
DeviceAlertEvents
1/23/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceAlertEvents table in the advanced hunting schema contains information about alerts in Microsoft
Defender Security Center. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceFileEvents
3/26/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceFileEvents table in the advanced hunting schema contains information about file creation, modification,
and other file system events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceImageLoadEvents
3/26/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceImageLoadEvents table in the advanced hunting schema contains information about DLL loading events.
Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
DeviceLogonEvents
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceLogonEvents table in the advanced hunting schema contains information about user logons and other
authentication events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceInfo
3/26/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceInfo table in the advanced hunting schema contains information about machines in the organization,
including their OS version, active users, and computer name. Use this reference to construct queries that return
information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceNetworkInfo
3/26/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceNetworkInfo table in the advanced hunting schema contains information about networking
configuration of machines, including network adapters, IP and MAC addresses, and connected networks or
domains. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceEvents
3/26/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The miscellaneous device events or DeviceEvents table in the advanced hunting schema contains information
about various event types, including events triggered by security controls, such as Windows Defender Antivirus
and exploit protection. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceFileCertificateInfoBeta
1/21/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceFileCertificateInfoBeta table in the advanced hunting schema contains information about file signing
certificates. This table uses data obtained from certificate verification activities regularly performed on files on
endpoints.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceNetworkEvents
3/26/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceNetworkEvents table in the advanced hunting schema contains information about network connections
and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceProcessEvents
3/26/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceProcessEvents table in the advanced hunting schema contains information about process creation and
related events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceRegistryEvents
3/26/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceRegistryEvents table in the advanced hunting schema contains information about the creation and
modification of registry entries. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceTvmSoftwareInventoryVulnerabilities
2/14/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema contains the Threat &
Vulnerability Management inventory of software on your devices as well as any known vulnerabilities in these
software products. This table also includes operating system information, CVE IDs, and vulnerability severity
information. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
Overview of Threat & Vulnerability Management
DeviceTvmSoftwareVulnerabilitiesKB
1/23/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema contains the list of vulnerabilities
Threat & Vulnerability Management assesses devices for. Use this reference to construct queries that return
information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security
configuration from Threat & Vulnerability Management. Use this reference to check the latest assessment results
and determine whether devices are compliant.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
Overview of Threat & Vulnerability Management
DeviceTvmSecureConfigurationAssessmentKB
1/7/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema contains information about
the various secure configurations — such as whether a device has automatic updates on — checked by Threat &
Vulnerability Management. It also includes risk information, related industry benchmarks, and applicable MITRE
ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
Overview of Threat & Vulnerability Management
Advanced hunting query best practices
3/26/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
TIP
For more guidance on improving query performance, read Kusto query best practices.
DeviceNetworkEvents
| where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4)
| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
| where RemoteIPCount > 10
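Reading the query above in imperative terms helps when tuning the 12-hour window or the distinct-IP threshold, and shows what the query actually flags: a single process on one device reaching an unusual number of distinct hosts on SMB port 445 while the Idle and System processes are ignored. The following PowerShell function is an added example, not part of the Microsoft documentation, that applies the same filter, grouping and dcount logic to constructed DeviceNetworkEvents-style rows. The device names, PIDs, file names and addresses in the sample rows are all made up for the illustration.

```powershell
# Added example (not from the Microsoft documentation): the DeviceNetworkEvents query above,
# re-expressed in PowerShell so its filter / summarize / threshold logic can be checked
# against constructed rows. Column names follow the DeviceNetworkEvents schema.
function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [datetime] $Now           = [datetime]::UtcNow,
        [int]      $RemotePort    = 445,        # where RemotePort == 445
        [int]      $LookBackHours = 12,         # Timestamp > ago(12h)
        [int[]]    $ExcludedPids  = @(0, 4),    # InitiatingProcessId !in (0, 4): Idle and System
        [int]      $MinRemoteIPs  = 11          # RemoteIPCount > 10
    )
    $cutoff = $Now.AddHours(-$LookBackHours)

    $Events |
        Where-Object {
            $_.RemotePort -eq $RemotePort -and
            $_.Timestamp -gt $cutoff -and
            $ExcludedPids -notcontains $_.InitiatingProcessId
        } |   # summarize ... by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
        Group-Object -Property DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                DeviceName                    = $first.DeviceName
                InitiatingProcessId           = $first.InitiatingProcessId
                InitiatingProcessCreationTime = $first.InitiatingProcessCreationTime
                InitiatingProcessFileName     = $first.InitiatingProcessFileName
                # dcount(RemoteIP): number of distinct remote addresses in the group
                RemoteIPCount                 = ($_.Group.RemoteIP | Select-Object -Unique | Measure-Object).Count
            }
        } |   # where RemoteIPCount > 10
        Where-Object { $_.RemoteIPCount -ge $MinRemoteIPs }
}

# Constructed sample rows (not real telemetry).
$now = [datetime]::UtcNow
$fanOut = foreach ($i in 1..12) {   # one process on wks-01 reaching 12 hosts on 445 in the last hour
    [pscustomobject]@{ Timestamp = $now.AddMinutes(-$i); DeviceName = 'wks-01'; RemotePort = 445; RemoteIP = "10.0.0.$i"
                       InitiatingProcessId = 4120; InitiatingProcessCreationTime = $now.AddHours(-1); InitiatingProcessFileName = 'unknown.exe' }
}
$system = foreach ($i in 1..12) {   # same pattern from PID 4 (System): excluded by the query
    [pscustomobject]@{ Timestamp = $now.AddMinutes(-$i); DeviceName = 'wks-02'; RemotePort = 445; RemoteIP = "10.0.1.$i"
                       InitiatingProcessId = 4; InitiatingProcessCreationTime = $now.AddDays(-3); InitiatingProcessFileName = 'System' }
}
$stale = foreach ($i in 1..12) {    # 12 hosts, but two days ago: outside ago(12h)
    [pscustomobject]@{ Timestamp = $now.AddDays(-2); DeviceName = 'wks-03'; RemotePort = 445; RemoteIP = "10.0.2.$i"
                       InitiatingProcessId = 900; InitiatingProcessCreationTime = $now.AddDays(-3); InitiatingProcessFileName = 'backup.exe' }
}

# Expected: only the wks-01 / unknown.exe group is returned, with RemoteIPCount = 12.
Find-SmbFanOut -Events (@($fanOut) + @($system) + @($stale)) -Now $now | Format-Table -AutoSize
```

The grouping key deliberately includes InitiatingProcessCreationTime, as the query does, so that two processes that reused the same PID on the same device are counted separately rather than merged into one false positive.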
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
Microsoft Threat Experts
3/12/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Threat Experts is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert-level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed.
This new capability provides expert-driven insights and data through targeted attack notification and access to
experts on demand.
Watch this video for a quick overview of Microsoft Threat Experts.
Related topic
Configure Microsoft Threat Experts capabilities
Track and respond to emerging threats with threat analytics
2/12/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Cyberthreats are emerging more frequently and spreading more widely. Organizations need to assess their security posture quickly, covering both the impact of emerging threats and their organizational resilience.
Threat analytics is a set of reports published by Microsoft security researchers as soon as emerging threats and
outbreaks are identified. The reports help you assess the impact of threats to your environment and identify
actions that can contain them.
Watch this short video to quickly understand how threat analytics can help you track the latest threats and stop them.
Select a threat on any of the overviews or on the table to view the report for that threat.
View a threat analytics report
Each threat report generally provides an overview of the threat and an analysis of the techniques and tools used
by the threat. It also provides worldwide impact information, mitigation recommendations, and detection
information. It includes several cards that show dynamic data about how your organization is impacted by the
threat and how prepared it is to stop the threat.
Organizational impact
Each report includes cards designed to provide information about the organizational impact of a threat:
Machines with alerts — shows the current number of distinct machines in your organization that have been impacted by the threat. A machine is categorized as Active if there is at least 1 alert associated with that threat and Resolved if all alerts associated with the threat on the machine have been resolved.
Machines with alerts over time — shows the number of distinct machines with Active and Resolved alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
Organizational resilience
Each report also includes cards that provide an overview of how resilient your organization can be against a
given threat:
Mitigation status — shows the number of machines that have and have not applied mitigations for the
threat. Machines are considered mitigated if they have all the measurable mitigations in place.
Vulnerability patching status — shows the number of machines that have applied security updates or
patches that address vulnerabilities exploited by the threat.
Mitigation recommendations — lists specific actionable recommendations to improve your visibility into
the threat and increase your organizational resilience. This card lists only measurable mitigations along with
the number of machines that don't have these mitigations in place.
IMPORTANT
Charts only reflect mitigations that are measurable, meaning an evaluation can be made on whether a machine has
applied the mitigations or not. Check the report overview for additional mitigations that are not reflected in the charts.
Even if all mitigations were measurable, they don't guarantee complete resilience. They reflect the best possible actions
needed to improve resiliency.
NOTE
Machines are counted as "unavailable" if they have been unable to transmit data to the service.
Onboard machines to the Microsoft Defender ATP service
2/12/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
You'll need to go to the onboarding section of the Microsoft Defender ATP portal to onboard any of the supported devices. Depending on the device, you'll be guided through the appropriate steps and offered management and deployment tool options suitable for the device.
In general, to onboard devices to the service:
Verify that the device fulfills the minimum requirements
Depending on the device, follow the configuration steps provided in the onboarding section of the Microsoft
Defender ATP portal
Use the appropriate management tool and deployment method for your devices
Run a detection test to verify that the devices are properly onboarded and reporting to the service
In this section
TOPIC | DESCRIPTION
Onboard previous versions of Windows | Onboard Windows 7 and Windows 8.1 machines to Microsoft Defender ATP.
Onboard Windows 10 machines | You'll need to onboard machines for them to report to the Microsoft Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
Onboard servers | Onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP.
Run a detection test on a newly onboarded machine | Run a script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service.
Configure proxy and Internet settings | Enable communication with the Microsoft Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
Troubleshoot onboarding issues | Learn about resolving issues that might arise during onboarding.
Applies to:
Windows 7 SP1 Enterprise
Windows 7 SP1 Pro
Windows 8.1 Pro
Windows 8.1 Enterprise
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack
detection and investigation capabilities on supported Windows versions.
IMPORTANT
This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more
information, see Preview features.
To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to:
Configure and update System Center Endpoint Protection clients.
Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as
instructed below.
TIP
After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service.
For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP endpoint.
Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware
detections and to stop propagation of an attack in your organization by banning potentially malicious files or
suspected malware.
The following steps are required to enable this integration:
Install the January 2017 anti-malware platform update for Endpoint Protection clients
Configure the SCEP client Cloud Protection Service membership to the Advanced setting
Configure your network to allow connections to the Windows Defender Antivirus cloud. For more information,
see Allow connections to the Windows Defender Antivirus cloud
Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
Before you begin
Review the following details to verify minimum system requirements:
Install the February 2018 monthly update rollup
NOTE
Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
NOTE
Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. Don't install .NET Framework 4.0.x, since it will
negate the above installation.
Meet the Azure Log Analytics agent minimum system requirements. For more information, see Collect data from computers in your environment with Log Analytics
1. Download the agent setup file: Windows 64-bit agent or Windows 32-bit agent.
2. Obtain the workspace ID:
In the Microsoft Defender ATP navigation pane, select Settings > Machine management > Onboarding
Select Windows 7 SP1 and 8.1 as the operating system
Copy the workspace ID and workspace key
3. Using the Workspace ID and Workspace key, choose any of the following installation methods to install the agent:
Manually install the agent using setup
On the Agent Setup Options page, select Connect the agent to Azure Log Analytics (OMS)
Install the agent using command line and configure the agent using a script
4. If you're using a proxy to connect to the Internet, see the Configure proxy settings section.
Once completed, you should see onboarded endpoints in the portal within an hour.
Configure proxy and Internet connectivity settings
Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct,
using a proxy, or through the OMS Gateway.
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS
scanning (SSL inspection) is enabled, make sure that you enable access to Microsoft Defender ATP service URLs.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Machines in your organization must be configured so that the Microsoft Defender ATP service can get sensor
data from them. There are various methods and deployment tools that you can use to configure the machines in
your organization.
The following deployment tools and methods are supported:
Group Policy
Microsoft Endpoint Configuration Manager
Mobile Device Management (including Microsoft Intune)
Local script
In this section
TOPIC | DESCRIPTION
Onboard Windows 10 machines using Group Policy | Use Group Policy to deploy the configuration package on machines.
Onboard Windows machines using Microsoft Endpoint Configuration Manager | You can use either Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on machines.
Onboard Windows 10 machines using Mobile Device Management tools | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on machines.
Onboard Windows 10 machines using a local script | Learn how to use the local script to deploy the configuration package on endpoints.
Onboard non-persistent virtual desktop infrastructure (VDI) machines | Learn how to use the configuration package to configure VDI machines.
Applies to:
Group Policy
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM in the XML file that the Group Policy preference creates.
TIP
After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded
to the service. For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP machine.
NOTE
If you don't set a value, the default value is to enable sample collection.
NOTE
Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will
cause unpredictable collisions.
1. Get the offboarding package from Microsoft Defender Security Center:
a. In the navigation pane, select Settings > Offboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select Group policy.
d. Click Download package and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
3. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click Edit.
4. In the Group Policy Management Editor, go to Computer configuration, then Preferences, and then Control panel settings.
5. Right-click Scheduled tasks, point to New, and then click Immediate task.
6. In the Task window that opens, go to the General tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under Security options.
7. Select Run whether user is logged on or not and check the Run with highest privileges checkbox.
8. Go to the Actions tab and click New.... Ensure that Start a program is selected in the Action field. Enter the file name and location of the shared WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd file.
9. Click OK and close any open GPMC windows.
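The offboarding script in step 2 carries its expiry date in its file name, so a package whose valid_until date has passed should not be placed on the share or referenced by the immediate task. As an added example that is not part of the Microsoft documentation, the following PowerShell function validates the package name and date before deployment; the UNC path in the usage line is a placeholder, and the file name pattern is the one the page gives.

```powershell
# Added example (not from the Microsoft documentation): validate an offboarding package
# before it is deployed via the Group Policy immediate task. The only documented input is
# the file name pattern WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
function Test-MdatpOffboardingPackage {
    param([Parameter(Mandatory)] [string] $Path)

    $name = Split-Path -Path $Path -Leaf
    if ($name -notmatch '^WindowsDefenderATPOffboardingScript_valid_until_(\d{4}-\d{2}-\d{2})\.cmd$') {
        throw "Unexpected offboarding script name: $name"
    }

    # Parse the date with an invariant culture so the check does not depend on the
    # regional settings of whichever admin workstation runs it.
    $validUntil = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
    $today      = (Get-Date).Date

    [pscustomobject]@{
        Script        = $name
        Exists        = Test-Path -LiteralPath $Path
        ValidUntil    = $validUntil.ToString('yyyy-MM-dd')
        DaysRemaining = ($validUntil - $today).Days
        Expired       = ($today -gt $validUntil)
    }
}

# Usage (placeholder share path); refuse to proceed with an expired or missing package.
$pkg = Test-MdatpOffboardingPackage -Path '\\fileserver\share\WindowsDefenderATPOffboardingScript_valid_until_2020-03-31.cmd'
if ($pkg.Expired -or -not $pkg.Exists) {
    Write-Warning "Do not deploy: $($pkg.Script) (expired: $($pkg.Expired), exists: $($pkg.Exists))"
} else {
    Write-Output "Package valid for $($pkg.DaysRemaining) more day(s)."
}
```

Run this from the workstation that stages the share, before the GPO is linked; an expired package must be regenerated from Settings > Offboarding rather than edited by hand.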
IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including
reference to any alerts it has had will be retained for up to 6 months.
NOTE
It can take several days for machines to start showing on the Machines list. This includes the time it takes for the policies to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
Related topics
Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager
Onboard Windows 10 machines using Mobile Device Management tools
Onboard Windows 10 machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Microsoft Defender ATP machine
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Onboard Windows 10 machines using Configuration Manager
2/8/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Endpoint Configuration Manager current branch
System Center 2012 R2 Configuration Manager
TIP
After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the service. For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP machine.
Note that it is possible to create a detection rule on a Configuration Manager application to continuously check whether a machine has been onboarded. An application is a different type of object than a package and program. If a machine is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry onboarding the machine until the rule detects the status change.
This behavior can be accomplished by creating a detection rule that checks whether the "OnboardingState" registry value (of type REG_DWORD) = 1. This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status". For more information, see Configure Detection Methods in System Center 2012 R2 Configuration Manager.
Where:
Key type is a D-WORD.
Possible values are:
0 - doesn't allow sample sharing from this machine
1 - allows sharing of all file types from this machine
The default value in case the registry key doesn’t exist is 1.
For more information about System Center Configuration Manager Compliance see Introduction to compliance
settings in System Center 2012 R2 Configuration Manager.
IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to
any alerts it has had will be retained for up to 6 months.
Check that the machines are compliant with the Microsoft Defender ATP service
You can set a compliance rule for a configuration item in System Center 2012 R2 Configuration Manager to monitor your deployment.
This rule should be a non-remediating compliance rule configuration item that monitors the value of a registry key
on targeted machines.
Monitor the following registry key entry:
For more information, see Introduction to compliance settings in System Center 2012 R2 Configuration Manager.
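The application detection rule described in the TIP above and the non-remediating compliance item in this section both read the same registry value. As an added example, not part of the Microsoft documentation, the following PowerShell function performs that check locally and returns an object that a compliance or inventory script can act on. The OnboardingState value and its Status key location come from the text above; the Sense service name and the AllowSampleCollection policy value (the sample-sharing setting whose name is missing from the "Where:" block above, with 0, 1 and a default of 1 as the page describes) are taken from general Defender ATP knowledge rather than this page and are assumptions here.

```powershell
# Added example (not from the Microsoft documentation): a read-only onboarding and
# compliance check mirroring the Configuration Manager detection rule above.
# Documented on the page: OnboardingState (REG_DWORD) = 1 under the Status key, and the
# sample-sharing value's 0/1 semantics with a default of 1 when the value is absent.
# Assumed (general Defender ATP knowledge, not from this page): the sensor service name
# 'Sense' and the policy value name 'AllowSampleCollection'.
function Test-MdatpOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

    # OnboardingState: 1 = onboarded. A missing key or value yields $null, i.e. not onboarded.
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

    # Sample sharing: 0 disallows, 1 allows all file types; absent value means the default of 1.
    $sample = (Get-ItemProperty -Path $policyKey -Name AllowSampleCollection -ErrorAction SilentlyContinue).AllowSampleCollection
    if ($null -eq $sample) { $sample = 1 }

    # Sensor service (assumed name 'Sense'); onboarding without a running sensor is not useful.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OnboardingState   = $state
        Onboarded         = ($state -eq 1)
        SenseServiceState = $(if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' })
        SampleSharing     = $sample
        Compliant         = (($state -eq 1) -and ($svc -and $svc.Status -eq 'Running'))
    }
}

# Usage: run on the target machine. Exit code 0/1 makes the check usable as a
# Configuration Manager script detection method or a scheduled compliance probe.
$result = Test-MdatpOnboarding
$result | Format-List
if ($result.Compliant) { exit 0 } else { exit 1 }
```

Keep the check non-remediating, as the page recommends for the compliance item: it reports state and leaves onboarding or offboarding to the deployment method you chose, so that an onboarding and an offboarding policy never race on the same machine.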
Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using Mobile Device Management tools
Onboard Windows 10 machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Microsoft Defender ATP machine
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Onboard Windows 10 machines using Mobile Device Management tools
2/7/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use mobile device management (MDM) solutions to configure machines. Microsoft Defender ATP
supports MDMs by providing OMA-URIs to create policies to manage machines.
For more information on using the Microsoft Defender ATP CSP, see WindowsAdvancedThreatProtection CSP and WindowsAdvancedThreatProtection DDF file.
NOTE
The Health Status for onboarded machines policy uses read-only properties and can't be remediated.
Configuration of diagnostic data reporting frequency is only available for machines on Windows 10, version 1703.
TIP
After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the
service. For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP machine.
NOTE
The Health Status for offboarded machines policy uses read-only properties and can't be remediated.
IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference
to any alerts it has had will be retained for up to 6 months.
Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager
Onboard Windows 10 machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Microsoft Defender ATP machine
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Onboard Windows 10 machines using a local script
2/7/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can also manually onboard individual machines to Microsoft Defender ATP. You might want to do this first
when testing the service before you commit to onboarding all machines in your network.
NOTE
The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy at scale, use other deployment options. For more information on using other deployment options, see Onboard Windows 10 machines.
Onboard machines
1. Open the GP configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you downloaded from the service onboarding wizard. You can also get the package from Microsoft Defender Security Center:
a. In the navigation pane, select Settings > Onboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select Local Script.
d. Click Download package and save the .zip file.
2. Extract the contents of the configuration package to a location on the machine you want to onboard (for example, the Desktop). You should have a file named WindowsDefenderATPOnboardingScript.cmd.
3. Open an elevated command-line prompt on the machine and run the script:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
4. Type the location of the script file. If you copied the file to the desktop, type:
%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd
5. Press the Enter key or click OK.
For information on how you can manually validate that the machine is compliant and correctly reports sensor
data see, Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues.
TIP
After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the service. For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP endpoint.
Where:
Name type is a D-WORD.
Possible values are:
0 - doesn't allow sample sharing from this machine
1 - allows sharing of all file types from this machine
The default value in case the registry key doesn’t exist is 1.
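The local-script steps above are interactive and give no signal beyond the script's own console output. As an added example that is not part of the Microsoft documentation, the following PowerShell wrapper runs the extracted WindowsDefenderATPOnboardingScript.cmd from an elevated session and then polls the OnboardingState registry value (documented in the Configuration Manager section of this page) until it reads 1, so the result can be recorded for each of the handful of machines this method is meant for. The default script path is the Desktop location used in step 4; the 120-second timeout is an assumed value.

```powershell
# Added example (not from the Microsoft documentation): run the local onboarding script
# from an elevated session and wait for the sensor to report onboarded.
# Documented inputs: the script path from step 4 and OnboardingState = 1 under
# HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.
function Invoke-MdatpLocalOnboarding {
    [CmdletBinding()]
    param(
        [string] $ScriptPath     = "$env:USERPROFILE\Desktop\WindowsDefenderATPOnboardingScript.cmd",
        [int]    $TimeoutSeconds = 120   # assumed; onboarding normally completes well within this
    )

    # Step 3 requires an elevated prompt; fail early with a clear message instead of a
    # half-run script.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session (Run as administrator).'
    }
    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        throw "Onboarding script not found: $ScriptPath"
    }

    # Run the .cmd through cmd.exe in the current console so any prompt it shows
    # (step 5) is still answered interactively; -Wait gives us the exit code.
    $proc = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', "`"$ScriptPath`"" -Wait -PassThru -NoNewWindow

    # Poll the documented onboarding flag until it flips to 1 or the timeout passes.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $deadline  = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
        if ($state -eq 1) { break }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        ScriptExitCode  = $proc.ExitCode
        OnboardingState = $state
        Onboarded       = ($state -eq 1)
    }
}

# Usage: the returned object is what you would paste into the pilot's tracking sheet;
# a non-zero exit code with Onboarded = $false points at the troubleshooting topic.
Invoke-MdatpLocalOnboarding | Format-List
```

OnboardingState = 1 only says the local configuration was applied; the detection test referenced in the TIP above remains the end-to-end confirmation that the machine is reporting to the service.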
NOTE
Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will
cause unpredictable collisions.
IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference
to any alerts it has had will be retained for up to 6 months.
Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager
Onboard Windows 10 machines using Mobile Device Management tools
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Microsoft Defender ATP machine
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Onboard non-persistent virtual desktop infrastructure (VDI) machines
2/7/2020
Applies to:
Virtual desktop infrastructure (VDI) machines
WARNING
For environments where there are low resource configurations, the VDI boot procedure might slow the Microsoft Defender
ATP sensor onboarding.
1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you
downloaded from the service onboarding wizard. You can also get the package from Microsoft Defender
Security Center:
a. In the navigation pane, select Settings > Onboarding .
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select VDI onboarding scripts for non-persistent endpoints .
d. Click Download package and save the .zip file.
2. Copy the extracted files from the .zip into the golden/master image under the path C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup. You should have a folder called WindowsDefenderATPOnboardingPackage containing the file WindowsDefenderATPOnboardingScript.cmd.
NOTE
If you don't see the C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup folder, it might be hidden.
You'll need to choose the Show hidden files and folders option from file explorer.
3. The following step is only applicable if you're implementing a single entry for each machine:
For single entry for each machine:
a. From the WindowsDefenderATPOnboardingPackage, copy the Onboard-NonPersistentMachine.ps1 file to the golden/master image at the path C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup.
4. Open a Local Group Policy Editor window and navigate to Computer Configuration > Windows Settings > Scripts > Startup.
NOTE
Domain Group Policy may also be used for onboarding non-persistent VDI machines.
5. Depending on the method you'd like to implement, follow the appropriate steps:
For single entry for each machine:
Select the PowerShell Scripts tab, then click Add (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding PowerShell script Onboard-NonPersistentMachine.ps1.
Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager
Onboard Windows 10 machines using Mobile Device Management tools
Onboard Windows 10 machines using a local script
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Onboard servers to the Microsoft Defender ATP service
4/2/2020
Applies to:
Windows Server 2008 R2 SP1
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server 2019 and later
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP extends support to also include the Windows Server operating system, providing
advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security
Center console.
The service supports the onboarding of the following servers:
Windows Server 2008 R2 SP1
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server 2019 and later
For practical guidance on what needs to be in place for licensing and infrastructure, see Protecting Windows Servers with Microsoft Defender ATP.
NOTE
An Azure Security Center Standard license is required, per node, to enroll Microsoft Defender ATP on a supported Windows
Server platform, see Supported features available in Azure Security Center
NOTE
This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding
Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
TIP
After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service.
For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP endpoint.
IMPORTANT
This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding
Windows Server 2012 R2.
Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware
detections and to stop propagation of an attack in your organization by banning potentially malicious files or
suspected malware.
The following steps are required to enable this integration:
Install the January 2017 anti-malware platform update for Endpoint Protection clients
Configure the SCEP client Cloud Protection Service membership to the Advanced setting
Turn on Server monitoring from the Microsoft Defender Security Center portal
1. In the navigation pane, select Settings > Machine management > Onboarding.
2. Select Windows Server 2012 R2 and 2016 as the operating system.
3. Click Turn on server monitoring and confirm that you'd like to proceed with the environment setup. When the setup completes, the Workspace ID and Workspace key fields are populated with unique values. You'll need to use these values to configure the MMA agent.
Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
1. Download the agent setup file: Windows 64-bit agent.
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the
following installation methods to install the agent on the server:
Manually install the agent using setup
On the Agent Setup Options page, choose Connect the agent to Azure Log Analytics (OMS).
Install the agent using the command line and configure the agent using a script.
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see
Configure proxy settings.
Once completed, you should see onboarded servers in the portal within an hour.
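The "configure the agent using a script" option from the steps above, written out as an added example (this is not the Microsoft doc's own script). It uses the Microsoft Monitoring Agent's AgentConfigManager.MgmtSvcCfg COM interface, which is how Microsoft documents scripted MMA configuration; the workspace ID, workspace key and proxy address below are constructed placeholders to be replaced with the values from the Onboarding page:

```powershell
# Added example, not from the Microsoft documentation. Configures an already
# installed Microsoft Monitoring Agent (MMA) to report to the Microsoft Defender
# ATP workspace through the agent's AgentConfigManager.MgmtSvcCfg COM interface.
# Run in an elevated PowerShell session on the server.

# Placeholders: take the real values from Settings > Machine management > Onboarding.
$WorkspaceId  = '00000000-0000-0000-0000-000000000000'
$WorkspaceKey = 'PLACEHOLDER_WORKSPACE_KEY'
# Placeholder proxy (host:port). Leave empty for a direct connection or when going through the OMS Gateway.
$ProxyServer  = 'proxy.corp.example:8080'

function Connect-MmaToWorkspace {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,
        [Parameter(Mandatory)][string]$WorkspaceKey,
        [string]$ProxyServer
    )
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'

    if ($ProxyServer) {
        # Proxy for the agent's own HTTPS traffic; empty user and password mean no proxy authentication.
        $mma.SetProxyInfo($ProxyServer, '', '')
    }

    # Idempotent: only add the workspace if the agent does not already know it.
    $known = @($mma.GetCloudWorkspaces()) | Where-Object { $_.workspaceId -eq $WorkspaceId }
    if (-not $known) {
        $mma.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
    }

    # Apply the new configuration without restarting the HealthService by hand.
    $mma.ReloadConfiguration()

    # Return the agent's own view of the configured workspaces so the caller can verify the result.
    @($mma.GetCloudWorkspaces())
}

Connect-MmaToWorkspace -WorkspaceId $WorkspaceId -WorkspaceKey $WorkspaceKey -ProxyServer $ProxyServer |
    Format-List
```

After the agent reloads its configuration, the server should appear in the portal within the hour mentioned above; if it does not, the proxy settings section that follows is the first thing to check.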
Configure server proxy and Internet connectivity settings
Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using
a proxy, or through the OMS Gateway.
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS
scanning (SSL inspection) is enabled, make sure that you enable access to Microsoft Defender ATP service
URLs.
NOTE
The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a
script. For more information on how to deploy scripts in Configuration Manager, see Packages and programs in
Configuration Manager.
c. Confirm that a recent event containing the passive mode event is found:
If the result is ‘The specified service does not exist as an installed service’, then you'll need to install
Windows Defender AV. For more information, see Windows Defender Antivirus in Windows 10.
NOTE
Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure
Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across
clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center
console.
Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to
perform detailed investigation to uncover the scope of a potential breach
IMPORTANT
When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The
Microsoft Defender ATP data is stored in Europe by default.
If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you
specified when you created your tenant even if you integrate with Azure Security Center at a later time.
Offboard servers
You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows
10 client machines.
For other server versions, you have two options to offboard servers from the service:
Uninstall the MMA agent
Remove the Microsoft Defender ATP workspace configuration
NOTE
Offboarding causes the server to stop sending sensor data to the portal, but data from the server, including references to any
alerts it has had, will be retained for up to 6 months.
Related topics
Onboard Windows 10 machines
Onboard non-Windows machines
Configure proxy and Internet connectivity settings
Run a detection test on a newly onboarded Microsoft Defender ATP machine
Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues
Onboard non-Windows machines
9/26/2019 • 2 minutes to read
Applies to:
macOS
Linux
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-
Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft
Defender Security Center and better protect your organization's network.
You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP
for the integration to work.
Related topics
Onboard Windows 10 machines
Onboard servers
Configure proxy and Internet connectivity settings
Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues
Onboard machines without Internet access to
Microsoft Defender ATP
3/23/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
To onboard machines without Internet access, you'll need to take the following general steps:
IMPORTANT
The steps below are applicable only to machines running previous versions of Windows such as: Windows Server 2016 and
earlier or Windows 8.1 and earlier.
NOTE
An OMS gateway server can still be used as proxy for disconnected Windows 10 machines when configured via
'TelemetryProxyServer' registry or GPO.
On-premise machines
Set up Azure Log Analytics (formerly known as OMS Gateway) to act as a proxy or hub:
Azure Log Analytics Agent
Install and configure Microsoft Monitoring Agent (MMA) to point to the Microsoft Defender ATP Workspace key
& ID
Offline machines in the same network as Azure Log Analytics
Configure MMA to point to:
Azure Log Analytics IP as a proxy
Microsoft Defender ATP workspace key & ID
Applies to:
Supported Windows 10 versions
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server, 2019
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the
Microsoft Defender ATP service.
1. Create a folder: 'C:\test-WDATP-test'.
2. Open an elevated command-line prompt on the machine and run the script:
a. Go to Start and type cmd.
b. Right-click Command Prompt and select Run as administrator.
The Command Prompt window will close automatically. If successful, the detection test will be marked as
completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes.
Related topics
Onboard Windows 10 machines
Onboard servers
Experience Microsoft Defender ATP through
simulated attacks
12/6/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
TIP
Learn about the latest enhancements in Microsoft Defender ATP: What's new in Microsoft Defender ATP.
Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.
You might want to experience Microsoft Defender ATP before you onboard more than a few machines to the
service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated
attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an
efficient response.
Run a simulation
1. In Help > Simulations & tutorials , select which of the available attack scenarios you would like to
simulate:
Scenario 1: Document drops backdoor - simulates delivery of a socially engineered lure
document. The document launches a specially crafted backdoor that gives attackers control.
Scenario 2: PowerShell script in fileless attack - simulates a fileless attack that relies on
PowerShell, showcasing attack surface reduction and machine learning detection of malicious
memory activity.
Scenario 3: Automated incident response - triggers automated investigation, which
automatically hunts for and remediates breach artifacts to scale your incident response capacity.
2. Download and read the corresponding walkthrough document provided with your selected scenario.
3. Download the simulation file or copy the simulation script by navigating to Help > Simulations &
tutorials. You can choose to download the file or script on the test machine but it's not mandatory.
4. Run the simulation file or script on the test machine as instructed in the walkthrough document.
NOTE
Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine.
Want to experience Microsoft Defender ATP? Sign up for a free trial.
Related topics
Onboard machines
Onboard Windows 10 machines
Configure machine proxy and Internet connectivity
settings
4/6/2020 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and
communicate with the Microsoft Defender ATP service.
The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor
uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP
cloud service.
TIP
For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate
behind a proxy. For more information, see Investigate connection events that occur behind forward proxies.
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy
settings and can only discover a proxy server by using the following discovery methods:
Auto-discovery methods:
Transparent proxy
Web Proxy Auto-discovery Protocol (WPAD)
NOTE
If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration
settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see Enable access to
Microsoft Defender ATP service URLs in the proxy server.
Administrative Templates > Windows Components > Data Collection and Preview Builds >
Configure connected user experiences and telemetry:
Configure the proxy:
The policy sets two registry values TelemetryProxyServer as REG_SZ and
DisableEnterpriseAuthProxy as REG_DWORD under the registry key
HKLM\Software\Policies\Microsoft\Windows\DataCollection .
NOTE
This will affect all applications including Windows services which use WinHTTP with default proxy.
Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-
based static proxy configuration.
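The registry-based static proxy configuration described above, as an added example (not from the Microsoft doc): it writes and reads back the two values under the DataCollection policy key with PowerShell instead of the Group Policy editor. The proxy address is a constructed placeholder; setting DisableEnterpriseAuthProxy to 1 is what the policy's "Disable Authenticated Proxy usage" option does, stated here from product knowledge rather than from this page:

```powershell
# Added example, not from the Microsoft documentation. Sets the WinHTTP static
# proxy that the Microsoft Defender ATP sensor (and every other WinHTTP consumer
# using the default proxy, as the note above warns) reads from the
# DataCollection policy key. Run in an elevated PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

function Set-MdatpStaticProxy {
    param(
        # host:port without a scheme, which is the format the policy expects.
        [Parameter(Mandatory)][ValidatePattern('^[^/\s]+:\d{1,5}$')][string]$ProxyServer
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # REG_SZ value holding the proxy, exactly as the GPO described above writes it.
    Set-ItemProperty -Path $PolicyKey -Name 'TelemetryProxyServer' -Value $ProxyServer -Type String
    # REG_DWORD; 1 = "Disable Authenticated Proxy usage", so traffic from system
    # context goes through the static proxy instead of a user-authenticated one.
    Set-ItemProperty -Path $PolicyKey -Name 'DisableEnterpriseAuthProxy' -Value 1 -Type DWord
}

function Get-MdatpStaticProxy {
    # Read back what is actually in the registry, which is what the sensor will use.
    if (-not (Test-Path $PolicyKey)) { return $null }
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        TelemetryProxyServer       = $p.TelemetryProxyServer
        DisableEnterpriseAuthProxy = $p.DisableEnterpriseAuthProxy
    }
}

function Remove-MdatpStaticProxy {
    # Roll back to auto-discovery (transparent proxy / WPAD) by removing both values.
    foreach ($name in 'TelemetryProxyServer', 'DisableEnterpriseAuthProxy') {
        Remove-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
    }
}

# Usage with a constructed placeholder proxy:
Set-MdatpStaticProxy -ProxyServer 'proxy.corp.example:8080'
Get-MdatpStaticProxy | Format-List
```

Because this is the mechanism Group Policy itself uses, a GPO that later applies the "Configure connected user experiences and telemetry" setting will overwrite these values; keep the two in agreement or manage them from one place only.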
NOTE
settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.
URLs that include v20 in them are only needed if you have Windows 10 machines running version 1803 or later. For
example, us-v20.events.data.microsoft.com is needed for a Windows 10 machine running version 1803 or later and
onboarded to US Data Storage region.
Service location | Microsoft.com DNS record
NOTE
If you are using Windows Defender Antivirus in your environment, please refer to the following article for details on
allowing connections to the Windows Defender Antivirus cloud service:
https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system
context, make sure anonymous traffic is permitted in the previously listed URLs.
Log analytics agent requirements
The information below lists the proxy and firewall configuration required to communicate with the Log
Analytics agent (often referred to as Microsoft Monitoring Agent) for previous versions of Windows such as
Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
NOTE
As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
HardDrivePath\MDATPClientAnalyzer.cmd
Replace HardDrivePath with the path where the MDATPClientAnalyzer tool was downloaded to, for
example
C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzer.cmd
5. Extract the MDATPClientAnalyzerResult.zip file created by the tool in the folder used in the HardDrivePath.
6. Open MDATPClientAnalyzerResult.txt and verify that you have performed the proxy configuration steps to
enable server discovery and access to the service URLs.
The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP
client is configured to interact with. It then prints the results into the MDATPClientAnalyzerResult.txt file for
each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For
example:
Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can
communicate with the tested URL properly using this connectivity method.
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes).
You can then use the URLs in the table shown in Enable access to Microsoft Defender ATP service URLs in the
proxy server. The URLs you'll use will depend on the region selected during the onboarding procedure.
NOTE
The Connectivity Analyzer tool is not compatible with ASR rule Block process creations originating from PSExec and WMI
commands. You will need to temporarily disable this rule to run the connectivity tool. When the TelemetryProxyServer is
set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
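An added example (not the MDATPClientAnalyzer tool itself) that probes a list of service URLs along the same connectivity paths the tool's report lines describe: the default system proxy, no proxy at all, and the named TelemetryProxyServer from the policy key if one is set. The URLs are constructed placeholders to be replaced with the ones listed for your onboarding region. Note the approximation: the sensor uses WinHTTP from LocalSystem, while GetSystemWebProxy() below reflects the WinINet settings of the account running the script, so run it elevated and treat a difference between the two as a finding in itself.

```powershell
# Added example, not from the Microsoft documentation and not the analyzer tool.
# Probes each URL with the proxy paths the analyzer reports on and prints a
# per-URL summary in the same spirit as the MDATPClientAnalyzerResult.txt lines.

$ServiceUrls = @(
    'https://placeholder-a.example.invalid/',   # constructed placeholder
    'https://placeholder-b.example.invalid/'    # constructed placeholder
)

function Get-TelemetryProxyServer {
    # The REG_SZ value the "Configure connected user experiences and telemetry" policy writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    if (Test-Path $key) { (Get-ItemProperty -Path $key).TelemetryProxyServer } else { $null }
}

function Invoke-UrlProbe {
    param([string]$Url, [System.Net.IWebProxy]$Proxy, [string]$Label)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method  = 'GET'
    $req.Timeout = 10000
    $req.Proxy   = $Proxy          # $null means "proxy disabled" (check 3 in the tool's output)
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        [pscustomobject]@{ Url = $Url; Method = $Label; Result = "Succeeded ($code)"; Ok = ($code -eq 200) }
    } catch {
        # PowerShell may wrap the WebException; unwrap it to recover the HTTP status, if any.
        $ex = $_.Exception
        if ($ex.InnerException -is [System.Net.WebException]) { $ex = $ex.InnerException }
        $detail = if ($ex -is [System.Net.WebException] -and $ex.Response) {
            "HTTP $([int]$ex.Response.StatusCode)"
        } else { $ex.Message }
        [pscustomobject]@{ Url = $Url; Method = $Label; Result = "Failed ($detail)"; Ok = $false }
    }
}

function Test-ServiceUrlConnectivity {
    param([string[]]$Url)
    $static = Get-TelemetryProxyServer
    foreach ($u in $Url) {
        $checks = @(
            @{ Label = 'Default proxy';  Proxy = [System.Net.WebRequest]::GetSystemWebProxy() },
            @{ Label = 'Proxy disabled'; Proxy = $null }
        )
        if ($static) {
            $checks += @{ Label = "Named proxy ($static)"; Proxy = (New-Object System.Net.WebProxy("http://$static")) }
        }
        $rows = foreach ($c in $checks) { Invoke-UrlProbe -Url $u -Proxy $c.Proxy -Label $c.Label }
        $rows
        # As the text above says, one 200 on any path is enough for the client to use this URL.
        if (-not ($rows | Where-Object Ok)) { Write-Warning "No connectivity path returned 200 for $u" }
    }
}

Test-ServiceUrlConnectivity -Url $ServiceUrls | Format-Table -AutoSize
```

A failure on every path for a URL points at the firewall or SSL-inspection allow list discussed above; a failure only on the "Proxy disabled" path while the named proxy succeeds is the normal picture for a locked-down network and is not a problem.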
Related topics
Onboard Windows 10 machines
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Create a notification rule when a local onboarding or
offboarding script is used
11/7/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Create a notification rule so that when a local onboarding or offboarding script is used, you'll be notified.
{
  "type": "object",
  "properties": {
    "@@odata.context": { "type": "string" },
    "value": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "id": { "type": "string" },
          "computerDnsName": { "type": "string" },
          "firstSeen": { "type": "string" },
          "lastSeen": { "type": "string" },
          "osPlatform": { "type": "string" },
          "osVersion": {},
          "lastIpAddress": { "type": "string" },
          "lastExternalIpAddress": { "type": "string" },
          "agentVersion": { "type": "string" },
          "osBuild": { "type": "integer" },
          "healthStatus": { "type": "string" },
          "riskScore": { "type": "string" },
          "exposureScore": { "type": "string" },
          "aadDeviceId": {},
          "machineTags": { "type": "array" }
        },
        "required": [
          "id",
          "computerDnsName",
          "firstSeen",
          "lastSeen",
          "osPlatform",
          "osVersion",
          "lastIpAddress",
          "lastExternalIpAddress",
          "agentVersion",
          "osBuild",
          "healthStatus",
          "rbacGroupId",
          "rbacGroupName",
          "riskScore",
          "exposureScore",
          "aadDeviceId",
          "machineTags"
        ]
      }
    }
  }
}
10. Extract the values from the JSON response and check whether the onboarded machine(s) are already registered in the
SharePoint list (used here as an example):
If yes, no notification is triggered.
If no, the newly onboarded machine(s) are registered in the SharePoint list and a notification is sent to the
Microsoft Defender ATP admin.
11. Under Condition , add the following expression: "length(body('Get_items')?['value'])" and set the condition
to equal to 0.
Alert notification
The following image is an example of an email notification.
Tips
You can filter here using lastSeen only:
Every 60 min:
Take all machines last seen in the past 7 days.
For each machine:
If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes ] -> Alert for
offboarding possibility.
If first seen is on the past hour -> Alert for onboarding.
This solution will not produce duplicate alerts. Some tenants have numerous machines; getting all of those
machines might be very expensive and might require paging.
You can split the work into two queries:
1. For offboarding take only this interval using the OData $filter and only notify if the conditions are met.
2. Take all machines last seen in the past hour and check first seen property for them (if the first seen property is
on the past hour, the last seen must be there too).
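The two-query tip above, as an added example that is not part of the Microsoft doc or its Flow template: one OData $filter expression per query for the machines API, plus the same classification applied locally to constructed sample records so the windows can be checked offline. The API base URL is a placeholder, and the record shape follows the "value" items of the schema above:

```powershell
# Added example, not from the Microsoft documentation. Builds the two machine
# queries from the tip above and applies the same lastSeen/firstSeen windows to
# records already fetched. Constructed sample data; the API URL is a placeholder.

$MachinesApi = 'https://api.example.invalid/api/machines'   # constructed placeholder

function ConvertTo-UtcDateTime {
    param([string]$Iso8601)
    [DateTimeOffset]::Parse($Iso8601, [cultureinfo]::InvariantCulture).UtcDateTime
}

function Get-MachineQueryFilters {
    # Filters for one run of the scheduled flow (every $IntervalMinutes) evaluated at $Now (UTC).
    param([datetime]$Now, [int]$IntervalMinutes = 60)
    $fmt      = 'yyyy-MM-ddTHH:mm:ssZ'
    $offStart = $Now.AddDays(-7)
    $offEnd   = $offStart.AddMinutes($IntervalMinutes)
    $onStart  = $Now.AddMinutes(-$IntervalMinutes)
    [pscustomobject]@{
        # Query 1: only machines whose lastSeen falls in [-7 days, -7 days + interval] -> offboarding candidates.
        Offboarding = "lastSeen ge $($offStart.ToString($fmt)) and lastSeen lt $($offEnd.ToString($fmt))"
        # Query 2: machines seen in the past interval; firstSeen is then checked client-side.
        Onboarding  = "lastSeen ge $($onStart.ToString($fmt))"
    }
}

function New-MachinesQueryUri {
    # Single quotes keep PowerShell from expanding "$filter"; the expression is URL-escaped once.
    param([string]$Filter)
    $MachinesApi + '?$filter=' + [uri]::EscapeDataString($Filter)
}

function Get-MachineAlerts {
    # Same windows as the filters, applied to records shaped like the API's "value" items.
    param([object[]]$Machines, [datetime]$Now, [int]$IntervalMinutes = 60)
    $offStart = $Now.AddDays(-7)
    $offEnd   = $offStart.AddMinutes($IntervalMinutes)
    $onStart  = $Now.AddMinutes(-$IntervalMinutes)
    foreach ($m in $Machines) {
        $last  = ConvertTo-UtcDateTime $m.lastSeen
        $first = ConvertTo-UtcDateTime $m.firstSeen
        if ($last -ge $offStart -and $last -lt $offEnd) {
            [pscustomobject]@{ Machine = $m.computerDnsName; Alert = 'Possible offboarding'; Evidence = "lastSeen $($m.lastSeen)" }
        }
        if ($first -ge $onStart -and $first -le $Now) {
            [pscustomobject]@{ Machine = $m.computerDnsName; Alert = 'Onboarding'; Evidence = "firstSeen $($m.firstSeen)" }
        }
    }
}

# Constructed sample run at a fixed "now" so the result is reproducible.
$Now = ConvertTo-UtcDateTime '2020-04-07T12:00:00Z'
$Sample = @(
    [pscustomobject]@{ id = 'm1'; computerDnsName = 'desk-01'; firstSeen = '2020-04-07T11:30:00Z'; lastSeen = '2020-04-07T11:58:00Z' }  # onboarded this hour
    [pscustomobject]@{ id = 'm2'; computerDnsName = 'desk-02'; firstSeen = '2020-01-10T09:00:00Z'; lastSeen = '2020-03-31T12:20:00Z' }  # silent for exactly 7 days
    [pscustomobject]@{ id = 'm3'; computerDnsName = 'desk-03'; firstSeen = '2020-01-10T09:00:00Z'; lastSeen = '2020-04-07T11:50:00Z' }  # steady state, no alert
)

$filters = Get-MachineQueryFilters -Now $Now
New-MachinesQueryUri -Filter $filters.Offboarding
New-MachinesQueryUri -Filter $filters.Onboarding
Get-MachineAlerts -Machines $Sample -Now $Now | Format-Table -AutoSize
```

Run every 60 minutes with a 60-minute window, each machine's lastSeen passes through the offboarding window exactly once and each firstSeen through the onboarding window exactly once, which is why the approach does not produce duplicate alerts without keeping state.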
Troubleshoot Microsoft Defender Advanced Threat Protection
onboarding issues
4/7/2020 • 14 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Server 2012 R2
Windows Server 2016
You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues. This page provides detailed steps
to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur
on the machines.
NOTE
The following event IDs are specific to the onboarding script only.
Event ID | Error type | Resolution steps
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. Verify that the script has been run as an administrator.
15 | Failed to start SENSE service | Check the service health (sc query sense command). Make sure it's not in an intermediate state ('Pending_Stopped', 'Pending_Running') and try to run the script again (with administrator rights).
15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see Ensure that Windows Defender Antivirus is not disabled by a policy for instructions.
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see Review events and errors using Event viewer.
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see Review events and errors using Event viewer.
40 | SENSE service onboarding status is not set to 1 | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see Review events and errors using Event viewer.
Troubleshooting steps: Check the event IDs in the View agent onboarding errors in the machine event log section.
Troubleshooting steps: Ensure that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micr
Advanced Threat Protection
Troubleshooting steps: Check the troubleshooting steps in Troubleshoot onboarding issues on the machine.
Currently supported platforms: Enterprise, Education, and Professional. Server is not supported.
Currently supported platforms: Enterprise, Education, and Professional.
Known issues with non-compliance
The following table provides information on issues with non-compliance and how you can address the issues.
Case | Symptoms | Possible cause and troubleshooting steps
1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | Possible cause: Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.
2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | Possible cause: Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.
NOTE
SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP.
Event ID | Message | Resolution steps
5 | Microsoft Defender Advanced Threat Protection service failed to connect to the server at variable | Ensure the machine has Internet access.
6 | Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: variable | Run the onboarding script again.
7 | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: variable | Ensure the machine has Internet access, then run the entire onboarding process again.
9 | Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see Run the onboarding script again.
10 | Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see Run the onboarding script again.
15 | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: variable | Ensure the machine has Internet access.
17 | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | Run the onboarding script again. If the problem persists, contact support.
29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again.
32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine.
63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing.
68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type.
69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
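An added example (not from the Microsoft doc) that gathers, on one machine, the three signals the tables above keep pointing at: the SENSE service state (including the intermediate states from event 15), the onboarding status value under the registry Status key from event 35/40, and recent SENSE events with the IDs listed, each paired with the resolution text from the table. The value name OnboardingState and the log name Microsoft-Windows-SENSE/Operational are assumptions drawn from the product's documented locations, not from this page:

```powershell
# Added example, not from the Microsoft documentation. Quick onboarding triage
# for one machine. Run in an elevated PowerShell session.
# Assumed names (not on this page): registry value 'OnboardingState' and
# event log 'Microsoft-Windows-SENSE/Operational'.

# Resolution text for the event IDs in the table above, keyed by event ID.
$SenseEventHints = @{
    5  = 'Ensure the machine has Internet access.'
    6  = 'Run the onboarding script again.'
    7  = 'Ensure the machine has Internet access, then run the entire onboarding process again.'
    9  = 'If during onboarding, reboot and re-run the onboarding script.'
    10 = 'If during onboarding, re-run the onboarding script.'
    15 = 'Ensure the machine has Internet access.'
    17 = 'Run the onboarding script again; contact support if the problem persists.'
    29 = 'Ensure the machine has Internet access, then run the entire offboarding process again.'
    32 = 'Verify that the service start type is manual and reboot the machine.'
    63 = 'Identify what changes the start type; if the exit code is not 0, fix the start type manually.'
    64 = 'Contact support if the event keeps re-appearing.'
    68 = 'Identify what changes the start type; fix the service start type.'
    69 = 'Start the mentioned service; contact support if it persists.'
}

function Get-SenseServiceState {
    $svc = Get-Service -Name sense -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    # StartPending / StopPending are the 'Pending_*' intermediate states from event 15.
    $svc.Status.ToString()
}

function Get-SenseOnboardingState {
    # Written by SENSE on first start; the script in the table above waits for it, and 1 means onboarded.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).OnboardingState
}

function Get-SenseRecentErrors {
    param([int]$Hours = 24)
    $ids = @($SenseEventHints.Keys | ForEach-Object { [int]$_ })
    $filter = @{
        LogName   = 'Microsoft-Windows-SENSE/Operational'   # assumed log name
        StartTime = (Get-Date).AddHours(-$Hours)
        Id        = $ids
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Message = $_.Message; Hint = $SenseEventHints[$_.Id] }
    }
}

function Invoke-SenseTriage {
    $state = Get-SenseServiceState
    $onb   = Get-SenseOnboardingState
    [pscustomobject]@{
        SenseService    = $state
        OnboardingState = $onb
        Onboarded       = ($state -eq 'Running' -and $onb -eq 1)
    }
    Get-SenseRecentErrors | Format-Table -AutoSize
}

Invoke-SenseTriage
```

If the summary shows the service Running with OnboardingState 1 and no recent SENSE events, the agent side is healthy and the remaining checks are the diagnostic data service and connectivity covered in the next sections.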
There are additional components on the machine that the Microsoft Defender ATP agent depends on to function properly. If there are no
onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional
components are configured correctly.
Ensure the diagnostic data service is enabled
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start
and is running on the machine. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently
running (and start it if it isn't).
Ensure the service is set to start
Use the command line to check the Windows 10 diagnostic data service startup type:
1. Open an elevated command-line prompt on the machine:
a. Click Start, type cmd, and press Enter.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:
sc qc diagtrack
If the service is enabled, then the result should look like the following screenshot:
If the START_TYPE is not set to AUTO_START, then you'll need to set the service to automatically start.
Use the command line to set the Windows 10 diagnostic data service to automatically start:
1. Open an elevated command-line prompt on the machine:
a. Click Start, type cmd, and press Enter.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:
3. A success message is displayed. Verify the change by entering the following command, and press Enter:
sc qc diagtrack
sc start diagtrack
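The diagnostic data service checks above, as an added example (not from the Microsoft doc) done with the *-Service cmdlets instead of sc.exe: query the startup type and state, set the service to start automatically if it does not, start it if it is stopped, and re-query to confirm. Run in an elevated session:

```powershell
# Added example, not from the Microsoft documentation. PowerShell equivalent of
# the sc qc / sc start steps above for the diagnostic data service (DiagTrack).

function Get-DiagTrackState {
    $svc = Get-Service -Name diagtrack -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    # ServiceController.StartType exists on Windows PowerShell 5+/.NET 4.6.1+;
    # fall back to CIM (StartMode = Auto/Manual/Disabled) on older builds.
    $startType = if ($svc.PSObject.Properties['StartType']) {
        $svc.StartType.ToString()
    } else {
        (Get-CimInstance -ClassName Win32_Service -Filter "Name='diagtrack'").StartMode
    }
    [pscustomobject]@{ Name = $svc.Name; Status = $svc.Status.ToString(); StartType = $startType }
}

function Repair-DiagTrack {
    # Mirrors the procedure above: AUTO_START first, then make sure it is running, then verify.
    $before = Get-DiagTrackState
    if (-not $before) { throw 'DiagTrack service not found on this machine.' }
    if ($before.StartType -notin 'Automatic', 'Auto') {
        Set-Service -Name diagtrack -StartupType Automatic
    }
    if ($before.Status -ne 'Running') {
        Start-Service -Name diagtrack
    }
    Get-DiagTrackState
}

Get-DiagTrackState     # what the machine looks like now
Repair-DiagTrack       # expected: StartType Automatic, Status Running
```

The same two functions work for the Microsoft Monitoring Agent's HealthService on the down-level servers in the next paragraph by changing the service name.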
Check Event Viewer > Applications and Services Logs > Operation Manager to see if there are any errors.
In Services, check if the Microsoft Monitoring Agent is running on the server. For example,
In Microsoft Monitoring Agent > Azure Log Analytics (OMS), check the Workspaces and verify that the status is running.
Check to see that machines are reflected in the Machines list in the portal.
NOTE
The following steps are only relevant when using Microsoft Endpoint Configuration Manager (current branch)
6. Select Manually specify the deployment type information , then select Next .
7. Specify information about the deployment type, then select Next .
8. In Content > Installation program specify the command: net start sense .
9. In Detection method , select Configure rules to detect the presence of this deployment type , then select Add Clause .
12. In User Experience , specify the following information, then select Next :
13. In Requirements , select Next .
21. In General select Automatically distribute content for dependencies and Browse .
22. In Content select Next .
25. In User experience, select Commit changes at deadline or during a maintenance window (requires restarts), then select
Next.
26. In Alerts select Next.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This page provides detailed steps to troubleshoot issues that might occur when setting up your Microsoft Defender
ATP service.
If you receive an error message, Microsoft Defender Security Center will provide a detailed explanation on what the
issue is and relevant links will be supplied.
No subscriptions found
If, while accessing Microsoft Defender Security Center, you get a No subscriptions found message, it means the
Azure Active Directory (AAD) used to log the user in to the portal does not have a Microsoft Defender ATP license.
Potential reasons:
The Windows E5 and Office E5 licenses are separate licenses.
The license was purchased but not provisioned to this AAD instance.
It could be a license provisioning issue.
It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for
authentication into the service.
For both cases you should contact Microsoft support at General Microsoft Defender ATP Support or Volume license
support.
Related topics
Validate licensing provisioning and complete setup for Microsoft Defender ATP
Ensure your machines are configured properly
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
With properly configured machines, you can boost overall resilience against threats and enhance your capability to
detect and respond to attacks. Security configuration management helps ensure that your machines:
Onboard to Microsoft Defender ATP
Meet or exceed the Microsoft Defender ATP security baseline configuration
Have strategic attack surface mitigations in place
NOTE
To enroll Windows devices to Intune, administrators must have already been assigned licenses. Read about assigning licenses
for device enrollment.
TIP
To optimize machine management through Intune, connect Intune to Microsoft Defender ATP.
TIP
To learn more about assigning permissions on Intune, read about creating custom roles.
In this section
Topic | Description
Get machines onboarded to Microsoft Defender ATP | Track onboarding status of Intune-managed machines and onboard more machines through Intune.
Increase compliance to the Microsoft Defender ATP security baseline | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed machines.
Optimize ASR rule deployment and detections | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility
over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable
components as well as security configuration issues and can receive critical remediation actions during attacks.
Before you can track and manage onboarding of machines:
Enroll your machines to Intune management
Ensure you have the necessary permissions
Card showing onboarded machines compared to the total number of Intune-managed Windows 10 machines
NOTE
If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use
Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune
configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
Onboard more machines with Intune profiles
Microsoft Defender ATP provides several convenient options for onboarding Windows 10 machines. For Intune-
managed machines, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP
sensor to select machines, effectively onboarding these devices to the service.
From the Onboarding card, select Onboard more machines to create and assign a profile on Intune. The link
takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state.
TIP
Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the Microsoft Azure portal
from All services > Intune > Device compliance > Microsoft Defender ATP.
From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft
Defender ATP sensor and assign that profile to the machines you want to onboard. To do this, you can either:
Select Create a device configuration profile to configure ATP sensor to start with a predefined device
configuration profile.
Create the device configuration profile from scratch.
For more information, read about using Intune device configuration profiles to onboard machines to Microsoft
Defender ATP.
Related topics
Ensure your machines are configured properly
Increase compliance to the Microsoft Defender ATP security baseline
Optimize ASR rule deployment and detections
Increase compliance to the Microsoft Defender ATP
security baseline
12/3/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Security baselines ensure that security features are configured according to guidance from both security experts
and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets
Microsoft Defender ATP security controls to provide optimal protection.
To understand security baselines and how they are assigned on Intune using configuration profiles, read this FAQ.
Before you can deploy and track compliance to security baselines:
Enroll your machines to Intune management
Ensure you have the necessary permissions
Compare the Microsoft Defender ATP and the Windows Intune security
baselines
The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely
configure machines running Windows, including browser settings, PowerShell settings, as well as settings for
some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides
settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint
detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more
information about each baseline, see:
Windows security baseline settings for Intune
Microsoft Defender ATP baseline settings for Intune
Both baselines are maintained so that they complement one another and have identical values for shared settings.
Deploying both baselines to the same machine will not result in conflicts. Ideally, machines onboarded to Microsoft
Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and
then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender
ATP security controls.
NOTE
The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for
use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on
virtualized environments.
NOTE
You might experience discrepancies in aggregated data displayed on the machine configuration management page and
those displayed on overview screens in Intune.
TIP
Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from
All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline.
TIP
Security baselines on Intune provide a convenient way to comprehensively secure and protect your machines. Learn more
about security baselines on Intune.
Want to experience Microsoft Defender ATP? Sign up for a free trial.
Related topics
Ensure your machines are configured properly
Get machines onboarded to Microsoft Defender ATP
Optimize ASR rule deployment and detections
Optimize ASR rule deployment and detections
3/6/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Attack surface reduction (ASR) rules identify and prevent typical malware exploits. They control when and how
potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a
downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives.
The Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center
NOTE
To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on
Azure Active Directory. Read about required licenses and permissions.
For more information about ASR rule deployment in Microsoft 365 security center, see Monitor and manage ASR
rule deployment and detections.
Related topics
Ensure your machines are configured properly
Get machines onboarded to Microsoft Defender ATP
Monitor compliance to the Microsoft Defender ATP security baseline
Configure Microsoft Defender Security Center settings
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Use the Settings menu to modify general settings, advanced features, enable the preview experience, email
notifications, and the custom threat intelligence feature.
In this section
Topic | Description
General settings | Modify your general settings that were previously defined as part of the onboarding process.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
During the onboarding process, a wizard takes you through the general settings of Microsoft Defender ATP. After
onboarding, you might want to update the data retention settings.
1. In the navigation pane, select Settings > Data retention.
2. Select the data retention duration from the drop-down list.
NOTE
Other settings are not editable.
Related topics
Update data retention settings
Configure alert notifications in Microsoft Defender ATP
Enable and create Power BI reports using Microsoft Defender ATP data
Configure advanced features
Configure alert notifications in Microsoft Defender ATP
2/21/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can configure Microsoft Defender ATP to send email notifications to specified recipients for new alerts. This
feature enables you to identify a group of individuals who will immediately be informed and can act on alerts
based on their severity.
NOTE
Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic
permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.
You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email
notification. New recipients get notified about alerts encountered after they are added. For more information
about alerts, see View and organize the Alerts queue.
If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine
groups that were configured in the notification rule. Users with the proper permission can only create, edit, or
delete notifications that are limited to their machine group management scope. Only users assigned to the Global
administrator role can manage notification rules that are configured for all machine groups.
The email notification includes basic information about the alert and a link to the portal where you can do further
investigation.
Machines - Choose whether to notify recipients for alerts on all machines (Global administrator role
only) or on selected machine groups. For more information, see Create and manage machine groups.
Alert severity - Choose the alert severity level.
4. Click Next.
5. Enter the recipient's email address then click Add recipient. You can add multiple email addresses.
6. Check that email recipients are able to receive the email notifications by selecting Send test email.
7. Click Save notification rule.
Here's an example email notification:
Related topics
Update data retention settings
Enable and create Power BI reports using Microsoft Defender ATP data
Configure advanced features
Create and build Power BI reports using Microsoft Defender ATP data connectors (Deprecated)
12/23/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
WARNING
This connector is being deprecated, learn how to Create Power-BI reports using Microsoft Defender ATP APIs.
Understand the security status of your organization, including the status of machines, alerts, and investigations
using the Microsoft Defender ATP reporting feature that integrates with Power BI.
Microsoft Defender ATP supports the use of Power BI data connectors to enable you to connect and access
Microsoft Defender ATP data using Microsoft Graph.
Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine
data to build reports and dashboards that meet the needs of your organization.
You can easily get started by:
Creating a dashboard on the Power BI service
Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting
requirements of your organization
You can access these options from Microsoft Defender Security Center. Both the Power BI service and Power BI
Desktop are supported.
NOTE
Loading your data in the Power BI service can take a few minutes.
4. Click Sign in. If this is the first time you're using Power BI with Microsoft Defender ATP, you'll need to sign
in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing
Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report
refresh.
5. Click Accept. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.
When importing data is completed and the dataset is ready, you'll see the following notification:
4. In the AppSource window, select Apps and search for Microsoft Defender Advanced Threat Protection.
8. Click Accept. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.
When importing data is completed and the dataset is ready, you'll see the following notification:
3. Click Download connector to download the WDATPPowerBI.zip file and extract it.
4. Create a new directory [Documents]\Power BI Desktop\Custom Connectors.
5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
6. Open Power BI Desktop.
7. Click File > Options and settings > Custom data connectors.
8. Select New table and matrix visuals and Custom data connectors and click OK.
NOTE
If you plan on using Custom Connectors or connectors that you or a third party has developed, you must select
(Not Recommended) Allow any extension to load without warning under Power BI Desktop > File > Options
and settings > Options > Security > Data Extensions.
NOTE
If you are using Power BI Desktop July 2017 version (or later), you won't need to select New table and matrix
visuals. You'll only need to select Custom data connectors.
9. Restart Power BI Desktop.
5. Click Accept. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft
Graph. When all data has been downloaded, you can proceed to customize your reports.
6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your
reports and click Load. Data will start to be downloaded from the Microsoft Graph.
7. Load other data sources by clicking Get data item in the Home ribbon, and select another data source.
8. Add visuals and select fields from the available data sources.
Related topic
Create custom Power BI reports
Enable Secure Score security controls
2/21/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Set the baselines for calculating the score of security controls on the Secure Score dashboard. If you use third-party
solutions, consider excluding the corresponding controls from the calculations.
NOTE
Changes might take up to a few hours to reflect on the dashboard.
Related topics
View the Threat & Vulnerability Management dashboard
Update data retention settings for Microsoft Defender ATP
Configure alert notifications in Microsoft Defender ATP
Enable and create Power BI reports using Microsoft Defender ATP data
Configure advanced features in Microsoft Defender ATP
Configure advanced features in Microsoft Defender ATP
3/24/2020 • 7 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Depending on the Microsoft security products that you use, some advanced features might be available for
you to integrate Microsoft Defender ATP with.
Use the following advanced features to get better protected from potentially malicious files and gain better
insight during security investigations:
Automated investigation
When you enable this feature, you'll be able to take advantage of the automated investigation and
remediation features of the service. For more information, see Automated investigation.
Live response
When you enable this feature, users with the appropriate permissions can initiate a live response session on
machines.
For more information on role assignments see, Create and manage roles.
TIP
For tenants created prior to that version, you'll need to manually turn this feature on from the Advanced features page.
NOTE
The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active
alerts found on a machine.
If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve
capability will not overwrite it.
Allow or block file
Blocking is only available if your organization uses Windows Defender Antivirus as the active antimalware
solution, and if the cloud-based protection feature is enabled.
This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it
from being read, written, or executed on machines in your organization.
To turn Allow or block files on:
1. In the navigation pane, select Settings > Advanced features > Allow or block file.
2. Toggle the setting between On and Off.
NOTE
Network protection leverages reputation services that process requests in locations that might be outside of the
location you have selected for your Microsoft Defender ATP data.
NOTE
When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and
Skype communications which allows communications to the user while they are disconnected from the network. This
setting applies to Skype and Outlook communication when machines are in isolation mode.
NOTE
You'll need to have the appropriate license to enable this feature.
NOTE
You'll need to have the appropriate license to enable this feature.
To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft
Defender ATP settings in the Security & Compliance dashboard. For more information, see Office 365 Threat
Intelligence overview.
Microsoft Threat Experts
Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability, while
experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you
have applied for preview and your application has been approved. You can receive targeted attack
notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard
and via email if you configure it.
NOTE
The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for Enterprise Mobility
+ Security.
NOTE
This feature will be available with an E5 license for Enterprise Mobility + Security on machines running Windows 10,
version 1709 (OS Build 16299.1085 with KB4493441), Windows 10, version 1803 (OS Build 17134.704 with
KB4493464), Windows 10, version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 versions.
IMPORTANT
You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more
information on specific steps, see Configure Conditional Access in Microsoft Defender ATP.
Preview features
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try
upcoming features by turning on the preview experience.
You'll have access to upcoming features which you can provide feedback on to help improve the overall
experience before features are generally available.
Related topics
Update data retention settings
Configure alert notifications
Enable and create Power BI reports using Microsoft Defender ATP data
Use basic permissions to access the portal
12/26/2019 • 2 minutes to read
Applies to:
Azure Active Directory
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
You need to run the PowerShell cmdlets in an elevated command-line.
Connect to your Azure Active Directory. For more information see, Connect-MsolService.
Full access
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and
download the onboarding package. Assigning full access rights requires adding the users to the "Security
Administrator" or "Global Administrator" AAD built-in roles.
Read only access
Users with read only access can log in, view all alerts, and related information. They will not be able to change alert
states, submit files for deep analysis or perform any state changing operations. Assigning read only access rights
requires adding the users to the "Security Reader" AAD built-in role.
Use the following steps to assign security roles:
For read and write access, assign users to the security administrator role by using the following command:
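As an added example that is not the Microsoft documentation's own command, the following PowerShell uses the MSOnline module (Connect-MsolService, Get-MsolRole, Get-MsolRoleMember and Add-MsolRoleMember) to put users into the two Azure AD built-in roles named above and then lists who holds each role. The user principal names are constructed placeholders; the helper function name Grant-PortalAccess is this example's own, not a cmdlet. Run it from an elevated PowerShell session, as the note above requires.

```powershell
# Added example (not from the Microsoft documentation): assign Microsoft Defender ATP
# portal access by adding users to the Azure AD built-in roles described above.
# The UPNs are constructed placeholders; replace them with real accounts.
Import-Module MSOnline

# Prompts for the credentials of an account allowed to manage role membership.
Connect-MsolService

function Grant-PortalAccess {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Full access = "Security Administrator"; read-only access = "Security Reader".
        [ValidateSet('Security Administrator', 'Security Reader')]
        [string] $AccessLevel = 'Security Reader'
    )
    # Idempotent: skip the add when the user already holds the role.
    $roleId   = (Get-MsolRole -RoleName $AccessLevel).ObjectId
    $existing = Get-MsolRoleMember -RoleObjectId $roleId |
        Where-Object { $_.EmailAddress -eq $UserPrincipalName }
    if ($existing) {
        Write-Verbose "$UserPrincipalName already holds $AccessLevel"
        return
    }
    Add-MsolRoleMember -RoleName $AccessLevel -RoleMemberEmailAddress $UserPrincipalName
}

# Least privilege: analysts who only triage alerts get Security Reader; only people who
# must change alert state, submit files or download the onboarding package get
# Security Administrator.
Grant-PortalAccess -UserPrincipalName 'analyst@contoso.onmicrosoft.com' -AccessLevel 'Security Reader'
Grant-PortalAccess -UserPrincipalName 'secadmin@contoso.onmicrosoft.com' -AccessLevel 'Security Administrator'

# Audit who holds each role so that stale full-access grants stay visible.
foreach ($role in 'Security Administrator', 'Security Reader') {
    $id = (Get-MsolRole -RoleName $role).ObjectId
    "== $role =="
    Get-MsolRoleMember -RoleObjectId $id | Select-Object DisplayName, EmailAddress
}
```

Because Security Administrator and Global Administrator grant far more than portal access, the audit loop at the end is worth scheduling: it is the quickest way to notice accounts that were given full access for a one-off task and never moved back to Security Reader.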
Related topic
Manage portal access using RBAC
Manage portal access using role-based access control
2/12/2020 • 2 minutes to read
Applies to:
Azure Active Directory
Office 365
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Using role-based access control (RBAC), you can create roles and groups within your security operations team to
grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control
over what users with access to the portal can see and do.
Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize access
to security portals. Typical tiers include the following three levels:
Microsoft Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you
granular control over what roles can see, machines they can access, and actions they can take. The RBAC framework
is centered around the following controls:
Control who can take specific action
Create custom roles and control what Microsoft Defender ATP capabilities they can access with
granularity.
Control who can see information on specific machine group or groups
Create machine groups by specific criteria such as names, tags, domains, and others, then grant role
access to them using a specific Azure Active Directory (Azure AD) user group.
To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign
Azure AD user groups to the roles.
Before you begin
Before using RBAC, it's important that you understand the roles that can grant permissions and the consequences
of turning on RBAC.
WARNING
Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure
AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal.
When you first log in to Microsoft Defender Security Center, you're granted either full access or read only access.
Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read
only access is granted to users with a Security Reader role in Azure AD.
Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all machines,
regardless of their machine group association and the Azure AD user group assignments.
WARNING
Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles
in Microsoft Defender Security Center, therefore, having the right groups ready in Azure AD is important.
Turning on role-based access control will cause users with read-only permissions (for example, users
assigned to Azure AD Security reader role) to lose access until they are assigned to a role.
Users with admin permissions are automatically assigned the default built-in Microsoft Defender ATP global administrator role
with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security
Administrators to the Microsoft Defender ATP global administrator role.
After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
Related topic
Create and manage machine groups in Microsoft Defender ATP
Create and manage roles for role-based access control
3/25/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Create roles and assign the role to an Azure Active Directory group
The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you
have already created Azure Active Directory user groups.
1. In the navigation pane, select Settings > Roles.
2. Click Add role.
3. Enter the role name, description, and permissions you'd like to assign to the role.
Role name
Description
Permissions
View data - Users can view information in the portal.
NOTE
To view Threat & Vulnerability Management data, select Threat and vulnerability management.
Alerts investigation - Users can manage alerts, initiate automated investigations, collect
investigation packages, manage machine tags, and export machine timeline.
Active remediation actions - Users can take response actions and approve or dismiss pending
remediation actions.
Security operations - Take response actions
Approve or dismiss pending remediation actions
Manage allowed/blocked lists for automation
Create and manage allowed/blocked indicators
NOTE
To enable your Security operation personnel to choose remediation options and file exceptions, select Threat
and vulnerability management - Remediation handling, and Threat and vulnerability
management - Exception handling.
Manage portal system settings - Users can configure storage settings, SIEM and threat intel
API settings (applies globally), advanced settings, automated file uploads, roles and machine
groups.
NOTE
This setting is only available in the Microsoft Defender ATP administrator (default) role.
Manage security settings - Users can configure alert suppression settings, manage
allowed/blocked lists for automation, create and manage custom detections, manage folder
exclusions for automation, onboard and offboard machines, and manage email notifications.
Live response capabilities - Users can take basic or advanced live response commands.
Basic commands allow users to:
Start a live response session
Run read only live response commands on a remote machine
Advanced commands allow users to:
Run basic actions
Download a file from the remote machine
View a script from the files library
Run a script on the remote machine from the files library
Take read and write commands
For more information on the available commands, see Investigate machines using Live response.
4. Click Next to assign the role to an Azure AD Security group.
5. Use the filter to select the Azure AD group that you'd like to add to this role.
6. Click Save and close.
7. Apply the configuration settings.
IMPORTANT
After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role
that you just created.
Edit roles
1. Select the role you'd like to edit.
2. Click Edit.
3. Modify the details or the groups that are assigned to the role.
4. Click Save and close.
Delete roles
1. Select the role you'd like to delete.
2. Click the drop-down button and select Delete role.
Related topic
Use basic permissions to access the portal
Create and manage machine groups
Create and manage machine groups
2/12/2020 • 3 minutes to read
Applies to:
Azure Active Directory
Office 365
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
In an enterprise scenario, security operation teams are typically assigned a set of machines. These machines are
grouped together based on a set of attributes such as their domains, computer names, or designated tags.
In Microsoft Defender ATP, you can create machine groups and use them to:
Limit access to related alerts and data to specific Azure AD user groups with assigned RBAC roles
Configure different auto-remediation settings for different sets of machines
Assign specific remediation levels to apply during automated investigations
In an investigation, filter the Machines list to just specific machine groups by using the Group filter.
You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or
see information by assigning the machine group(s) to a user group. For more information, see Manage portal
access using role-based access control.
TIP
For a comprehensive look into RBAC application, read: Is your SOC running flat with RBAC.
NOTE
A machine group is accessible to all users if you don’t assign any Azure AD groups to it.
4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the User
access tab.
5. Assign the user groups that can access the machine group you created.
NOTE
You can only grant access to Azure AD user groups that have been assigned to RBAC roles.
WARNING
Deleting a machine group may affect email notification rules. If a machine group is configured under an email notification rule,
it will be removed from that rule. If the machine group is the only group configured for an email notification, that email
notification rule will be deleted along with the machine group.
By default, machine groups are accessible to all users with portal access. You can change the default behavior by
assigning Azure AD user groups to the machine group.
Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot
change the rank of this group or delete it. However, you can change the remediation level of this group, and define
the Azure AD user groups that can access this group.
NOTE
Applying changes to machine group configuration may take up to several minutes.
Related topics
Manage portal access using role-based access control
Create and manage machine tags
Get list of tenant machine groups using Graph API
Create and manage machine tags
12/30/2019 • 2 minutes to read
Add tags on machines to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
Tags can be used as a filter in Machines list view, or to group machines. For more information on machine
grouping, see Create and manage machine groups.
You can add tags on machines using the following ways:
Using the portal
Setting a registry key value
NOTE
There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine
page.
To add machine tags using API, see Add or remove machine tags API.
NOTE
Filtering might not work on tag names that contain parenthesis.
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Registry key value (REG_SZ): Group
Registry key data: Name of the tag you want to set
NOTE
The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to
restart the endpoint, which transfers a new machine information report.
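The registry-based tagging described above, as an added PowerShell example that is not part of the Microsoft documentation: it creates the DeviceTagging key if needed, writes the Group value as REG_SZ, reads it back, and confirms the value kind. The tag name "Finance-Tier1" is a constructed placeholder, and the function names Set-DefenderMachineTag and Get-DefenderMachineTag are this example's own. It must run elevated because the key lives under HKLM\SOFTWARE\Policies.

```powershell
# Added example (not from the Microsoft documentation): set and verify the machine tag
# registry value described above. Tag name and function names are this example's own.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$ValueName = 'Group'

function Set-DefenderMachineTag {
    param([Parameter(Mandatory)] [string] $Tag)
    # The note above says portal filtering may not work on tag names containing
    # parentheses, so refuse them here instead of discovering it in the Machines list.
    if ($Tag -match '[()]') {
        throw "Tag '$Tag' contains parentheses, which the portal filter may not handle."
    }
    # Create the key if it is missing (-Force also creates intermediate keys), then
    # write the value as REG_SZ, the documented value type.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Tag -Type String
}

function Get-DefenderMachineTag {
    # Returns $null when the key or the value does not exist yet.
    if (-not (Test-Path $KeyPath)) { return $null }
    (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

Set-DefenderMachineTag -Tag 'Finance-Tier1'
$current = Get-DefenderMachineTag
"Tag written to registry: $current"

# Confirm the stored value kind is String (REG_SZ); a DWORD or ExpandString written
# by a stray GPO or script would not be picked up as a tag.
$kind = (Get-Item $KeyPath).GetValueKind($ValueName)
if ($kind -ne 'String') { Write-Warning "Unexpected value kind: $kind (expected String)" }

# The tag reaches the portal with the next daily machine information report, or after
# a restart, as the note above states; nothing in this script forces that upload.
```

When the tag is pushed through Group Policy Preferences or Intune instead of a script, the same read-back check is useful on a sample machine to confirm the value landed under the Policies path and not under a look-alike key.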
Enable SIEM integration in Microsoft Defender ATP
12/11/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Enable security information and event management (SIEM) integration so you can pull detections from Microsoft
Defender Security Center using your SIEM solution or by connecting directly to the detections REST API.
NOTE
A Microsoft Defender ATP alert is composed of one or more detections.
A Microsoft Defender ATP detection is composed of the suspicious event that occurred on the machine and its related alert
details.
Prerequisites
The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This
is typically someone with a Global administrator role.
During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow
pop-ups for this site.
TIP
If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of
your browser. It might be blocking the new window being opened when you enable the capability.
2. Select Enable SIEM integration. This activates the SIEM connector access details section with pre-
populated values and an application is created under your Azure Active Directory (AAD) tenant.
WARNING
The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
NOTE
If you select HP ArcSight, you'll need to save these two configuration files:
WDATP-connector.jsonparser.properties
WDATP-connector.properties
If you want to connect directly to the detections REST API through programmatic access, choose Generic
API.
4. Copy the individual values or select Save details to file to download a file that contains all the values.
5. Select Generate tokens to get an access and refresh token.
NOTE
You'll need to generate a new Refresh token every 90 days.
You can now proceed with configuring your SIEM solution or connecting to the detections REST API through
programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive
detections from Microsoft Defender Security Center.
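One way to do the programmatic access mentioned above, as an added PowerShell example that is not the Microsoft documentation's own code: instead of the portal-generated tokens, it uses the SIEM connector application's credentials from the saved access details (tenant ID, client ID, client secret, resource) to request an access token from the standard Azure AD OAuth 2.0 client-credentials endpoint, checks the token's expiry, and calls the detections REST API with it. Every value in angle brackets is a placeholder to replace with the values from your own access details; the sinceTimeUtc query parameter is an assumption about the API made for this example, and the function names Get-SiemAccessToken and Get-DefenderDetections are this example's own.

```powershell
# Added example (not from the Microsoft documentation): obtain an access token with the
# SIEM connector application's credentials and pull detections from the REST API.
# Placeholders in angle brackets come from the "Save details to file" step above.
# The sinceTimeUtc parameter is an assumption made for this example.
$TenantId = '<tenant-id-from-access-details>'
$ClientId = '<client-id-from-access-details>'
$Resource = '<resource-from-access-details>'
$ApiUrl   = '<detections-api-url-from-access-details>'

function Get-SiemAccessToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        # The client secret is shown only once in the portal; keep it out of the script
        # body and out of the command history by passing it as a SecureString.
        [Parameter(Mandatory)] [securestring] $ClientSecret,
        [Parameter(Mandatory)] [string] $Resource
    )
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ClientSecret)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    # Standard Azure AD v1 client-credentials request; the body is form-encoded.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $plain
        resource      = $Resource
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body
    # expires_on is a Unix timestamp in seconds; return it so callers renew in time.
    [pscustomobject]@{
        AccessToken = $resp.access_token
        ExpiresOn   = [DateTimeOffset]::FromUnixTimeSeconds([long]$resp.expires_on).UtcDateTime
    }
}

function Get-DefenderDetections {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $ApiUrl,
        [datetime] $SinceUtc = (Get-Date).ToUniversalTime().AddHours(-1)
    )
    # Pull only detections newer than the last successful run. A real SIEM job should
    # persist $SinceUtc between runs so detections are neither missed nor duplicated.
    $uri = "$ApiUrl?sinceTimeUtc=$($SinceUtc.ToString('o'))"
    Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }
}

$secret = Read-Host -Prompt 'SIEM connector client secret' -AsSecureString
$token  = Get-SiemAccessToken -TenantId $TenantId -ClientId $ClientId `
    -ClientSecret $secret -Resource $Resource

# Renew before expiry rather than letting the collector fail mid-run.
if ($token.ExpiresOn -lt (Get-Date).ToUniversalTime().AddMinutes(5)) {
    throw 'Access token is about to expire; request a new one before calling the API.'
}

$detections = Get-DefenderDetections -AccessToken $token.AccessToken -ApiUrl $ApiUrl
"$(@($detections).Count) detection(s) retrieved; forward them to the SIEM."
```

The client secret should live in whatever secret store the SIEM host already uses, never in the script or a scheduled task's arguments, and the account that created the connector application should be monitored for further app registrations, since that same permission was what the prerequisites above required.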
Related topics
Configure Splunk to pull Microsoft Defender ATP detections
Configure HP ArcSight to pull Microsoft Defender ATP detections
Microsoft Defender ATP Detection fields
Pull Microsoft Defender ATP detections using REST API
Troubleshoot SIEM tool integration issues
Manage suppression rules
12/3/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
There might be scenarios where you need to suppress alerts from appearing in the portal. You can create
suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your
organization. For more information on how to suppress alerts, see Suppress alerts.
You can view a list of all the suppression rules and manage them in one place. You can also turn an alert
suppression rule on or off.
1. In the navigation pane, select Settings > Alert suppression. The list of suppression rules that users in
your organization have created is displayed.
2. Select a rule by clicking on the check-box beside the rule name.
3. Click Turn rule on, Edit rule, or Delete rule. When making changes to a rule, you can choose to release
alerts that it has already suppressed, regardless of whether or not these alerts match the new criteria.
Related topics
Manage alerts
Manage indicators
4/1/2020 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This
capability is available in Microsoft Defender ATP and gives SecOps the ability to set a list of indicators for
detection and for blocking (prevention and response).
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be
taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it
to.
Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated
investigation and remediation engine, and the endpoint prevention engine (Windows Defender AV).
Cloud detection engine
The cloud detection engine of Microsoft Defender ATP regularly scans collected data and tries to match the
indicators you set. When there is a match, action will be taken according to the settings you specified for the
IoC.
Endpoint prevention engine
The same list of indicators is honored by the prevention agent. This means that if Windows Defender AV is the
primary AV configured, matched indicators are treated according to the indicator settings. For example, if the
action is "Alert and Block", Windows Defender AV will prevent the file from executing (block and remediate) and a
corresponding alert will be raised. If the action is set to "Allow", Windows Defender AV will neither detect nor
block the file from running. An "Allow" indicator is therefore effectively an AV exclusion: scope it to the
machine groups that need it and give it an expiration, as you would any other exclusion.
Automated investigation and remediation engine
The automated investigation and remediation engine behaves the same way. If an indicator is set to "Allow", Automated
investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and
remediation will treat it as "bad".
The current supported actions are:
Allow
Alert only
Alert and block
You can create an indicator for:
Files
IP addresses
URLs/domains
NOTE
There is a limit of 5000 indicators per tenant.
Create indicators for files
You can prevent further propagation of an attack in your organization by banning potentially malicious files or
suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This
operation will prevent it from being read, written, or executed on machines in your organization.
There are two ways you can create indicators for files:
By creating an indicator through the settings page
By creating a contextual indicator using the add indicator button from the file details page
Before you begin
It's important to understand the following prerequisites prior to creating indicators for files:
This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection
is enabled. For more information, see Manage cloud-based protection.
The Antimalware client version must be 4.18.1901.x or later.
Supported on machines on Windows 10, version 1703 or later.
To start blocking files, you first need to turn the Block or allow feature on in Settings.
This feature is designed to prevent suspected malware (or potentially malicious files) from being
downloaded from the web. It currently supports portable executable (PE) files, including .exe and .dll files.
The coverage will be extended over time.
IMPORTANT
Allow or block actions are not applied to a file whose classification was already present in the device's cache before
the indicator was created.
Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to
block trusted signed files may, in some cases, have performance implications.
NOTE
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
IMPORTANT
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection
scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages Network Protection
to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection
scenarios leverage Network Protection for inspection and enforcement.
NOTE
IP indicators are supported for all three protocols (TCP, HTTP, and HTTPS).
Encrypted URLs (full path) can only be blocked in first-party browsers.
Encrypted URLs (FQDN only) can be blocked outside of first-party browsers.
Full URL path blocks can be applied at the domain level and to all unencrypted URLs.
NOTE
There may be up to 2 hours latency (usually less) between the time the action is taken and the URL or IP being
blocked.
Create an indicator for IPs, URLs or domains from the settings page
1. In the navigation pane, select Settings > Indicators .
2. Select the IP addresses or URLs/Domains tab.
3. Select Add indicator .
4. Specify the following details:
Indicator - Specify the entity details and define the expiration of the indicator.
Action - Specify the action to be taken and provide a description.
Scope - Define the scope of the machine group.
5. Review the details in the Summary tab, then click Save .
Manage indicators
1. In the navigation pane, select Settings > Indicators .
2. Select the tab of the entity type you'd like to manage.
3. Update the details of the indicator and click Save or click the Delete button if you'd like to remove the
entity from the list.
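The same create-and-manage flow can be scripted against the indicators API listed under Related topic, which is how SecOps teams usually push hashes from an incident into the block list. The following PowerShell is an added example, not code from the original page: it assumes the Get-Token.ps1 script from the API Hello World article is in the same folder, and that https://api.securitycenter.windows.com/api/indicators accepts the field names shown (indicatorValue, indicatorType, action, title, description, expirationTime, severity) and the enum values in the comments, which come from the separate indicators API reference rather than from this page. It validates the hash, checks the tenant's indicator count against the 5000-indicator limit, and always sets an expiration.

```powershell
# Added example (not from the original page): create a file-hash indicator through the API.
# Assumptions: Get-Token.ps1 is in this folder; POST /api/indicators takes the fields below
# (field names and enum values are from the separate indicators API reference, not this page).
param(
    [Parameter(Mandatory)][string]$Sha256,
    [ValidateSet('Alert', 'AlertAndBlock', 'Allowed')][string]$Action = 'AlertAndBlock',
    [string]$Title = 'Blocked by SecOps',
    [int]$DaysValid = 30
)

# A typo in the hash would create an indicator that never matches, so validate it first
if ($Sha256 -notmatch '^[0-9a-fA-F]{64}$') { throw "Not a SHA-256 hash: $Sha256" }
$hash = $Sha256.ToLower()

$token   = ./Get-Token.ps1
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
$base    = 'https://api.securitycenter.windows.com/api/indicators'

# The tenant is limited to 5000 indicators; stop before the API rejects the request
$existing = (Invoke-RestMethod -Method Get -Uri $base -Headers $headers -ErrorAction Stop).value
if ($existing.Count -ge 5000) {
    throw 'Indicator limit (5000 per tenant) reached; expire or delete old indicators first'
}
$dup = $existing | Where-Object { $_.indicatorValue -eq $hash }
if ($dup) { Write-Warning "Indicator already exists (id $($dup.id), action $($dup.action)); it will be updated" }

$body = @{
    indicatorValue = $hash
    indicatorType  = 'FileSha256'   # assumed enum; FileSha1, IpAddress, DomainName and Url are the other types
    action         = $Action        # assumed enum: Alert, AlertAndBlock, Allowed
    title          = $Title
    description    = "Created $(Get-Date -Format o) by $env:USERNAME"
    # Always set an expiry: an 'Allowed' indicator that never expires is a permanent AV exclusion
    expirationTime = (Get-Date).ToUniversalTime().AddDays($DaysValid).ToString('o')
    severity       = 'High'
} | ConvertTo-Json

$created = Invoke-RestMethod -Method Post -Uri $base -Headers $headers -Body $body -ErrorAction Stop
$created | Select-Object id, indicatorType, indicatorValue, action, expirationTime
```

Run it as `.\New-FileIndicator.ps1 -Sha256 <hash> -Action AlertAndBlock`. The application registration used by Get-Token.ps1 needs the indicators write permission for this call, and the block itself is still subject to the prerequisites and the latency note above: a file whose classification is already cached on a device is not affected, and enforcement can lag the API call by a couple of minutes.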
Related topic
Create contextual IoC
Use the Microsoft Defender ATP indicators API
Use partner integrated solutions
Manage automation file uploads
10/4/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to
the cloud for additional inspection in Automated investigation.
Identify the files and email attachments by specifying the file extension names and email attachment extension
names.
For example, if you add exe and bat as file or attachment extension names, then all files or attachments with those
extensions will automatically be sent to the cloud for additional inspection during Automated investigation.
Related topics
Manage automation folder exclusions
Manage automation folder exclusions
9/30/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
You can control the following attributes about the folder that you'd like to be skipped:
Folders
Extensions of the files
File names
Folders
You can specify a folder and its subfolders to be skipped.
NOTE
At this time, use of wild cards as a way to exclude files under a directory is not yet supported.
Extensions
You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker
from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore.
File names
You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent
an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.
Related topics
Manage automation allowed/blocked lists
Manage automation file uploads
Onboard machines to the Microsoft Defender ATP
service
2/12/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
You'll need to go the onboarding section of the Microsoft Defender ATP portal to onboard any of the supported
devices. Depending on the device, you'll be guided with appropriate steps and provided management and
deployment tool options suitable for the device.
In general, to onboard devices to the service:
Verify that the device fulfills the minimum requirements
Depending on the device, follow the configuration steps provided in the onboarding section of the Microsoft
Defender ATP portal
Use the appropriate management tool and deployment method for your devices
Run a detection test to verify that the devices are properly onboarded and reporting to the service
In this section
TOPIC DESCRIPTION
Onboard previous versions of Windows Onboard Windows 7 and Windows 8.1 machines to
Microsoft Defender ATP.
Onboard Windows 10 machines You'll need to onboard machines for it to report to the
Microsoft Defender ATP service. Learn about the tools and
methods you can use to configure machines in your
enterprise.
Run a detection test on a newly onboarded machine Run a script on a newly onboarded machine to verify that it is
properly reporting to the Microsoft Defender ATP service.
Configure proxy and Internet settings Enable communication with the Microsoft Defender ATP
cloud service by configuring the proxy and Internet
connectivity settings.
Troubleshoot onboarding issues Learn about resolving issues that might arise during
onboarding.
Applies to:
macOS
Linux
Windows Server 2012 R2
Windows Server 2016
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Offboard Servers
Offboard servers
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Use the Time zone menu to configure the time zone and view license information.
UTC time zone
Microsoft Defender ATP uses UTC time by default.
Setting the Microsoft Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others)
in UTC for all users. This can help security analysts working in different locations across the globe to use the same
time stamps while investigating events.
Local time zone
You can choose to have Microsoft Defender ATP use local time zone settings. All alerts and events will be displayed
using your local time zone.
The local time zone is taken from your machine’s regional settings. If you change your regional settings, the
Microsoft Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in
Microsoft Defender ATP will be aligned to local time for all Microsoft Defender ATP users. Analysts located in
different global locations will now see the Microsoft Defender ATP alerts according to their regional settings.
Choosing to use local time can be useful if the analysts are located in a single location. In this case it might be easier
to correlate events to local time, for example – when a local user clicked on a suspicious email link.
Set the time zone
The Microsoft Defender ATP time zone is set by default to UTC. Setting the time zone also changes the times for all
Microsoft Defender ATP views. To set the time zone:
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This section guides you through all the steps you need to take to properly implement Conditional Access.
Before you begin
WARNING
It's important to note that Azure AD registered devices are not supported in this scenario.
Only Intune enrolled devices are supported.
You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to
enroll devices in Intune:
IT Admin: For more information on how to enable auto-enrollment, see Windows Enrollment
End-user: For more information on how to enroll your Windows 10 device in Intune, see Enroll your Windows
10 device in Intune
End-user alternative: For more information on joining an Azure AD domain, see How to: Plan your Azure AD
join implementation.
There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal.
It's important to note the required roles to access these portals and implement Conditional access:
Microsoft Defender Security Center - You'll need to sign into the portal with a global administrator role to
turn on the integration.
Intune - You'll need to sign in to the portal with security administrator rights with management permissions.
Azure AD portal - You'll need to sign in as a global administrator, security administrator, or Conditional Access
administrator.
NOTE
You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
To benefit from Microsoft Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on
Microsoft Cloud App Security integration.
NOTE
This feature will be available with an E5 license for Enterprise Mobility + Security on machines running Windows 10, version
1709 (OS Build 16299.1085 with KB4493441), Windows 10, version 1803 (OS Build 17134.704 with KB4493464), Windows
10, version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 versions.
See Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security for detailed
integration of Microsoft Defender ATP with Microsoft Cloud App Security.
Related topic
Microsoft Cloud App Security integration
Overview of management and APIs
2/12/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform.
Acknowledging that customer environments and structures can vary, Microsoft Defender ATP was created with
flexibility and granular control to fit varying customer requirements.
Available APIs
The Microsoft Defender ATP solution is built on top of an integration-ready platform.
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will
enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities.
The Investigation API exposes the richness of Microsoft Defender ATP: calculated or 'profiled' entities (for
example, machine, user, and file) and discrete events (for example, process creation and file creation) that
typically describe a behavior related to an entity. Access is query-based, through the investigation interfaces.
For more information, see Supported APIs.
The Response API exposes the ability to take actions in the service and on devices, enabling customers to ingest
indicators, manage settings, alert status, as well as take response actions on devices programmatically such as
isolate machines from the network, quarantine files, and others.
SIEM API
When you enable security information and event management (SIEM) integration, you can pull detections
from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST
API. Enabling it activates the SIEM connector access details section with pre-populated values, and an application is
created under your Azure Active Directory (AAD) tenant. For more information, see SIEM integration.
Related topics
Access the Microsoft Defender Advanced Threat Protection APIs
Supported APIs
Technical partner opportunities
Microsoft Defender ATP API license and terms of use
11/7/2019 • 2 minutes to read
APIs
Microsoft Defender ATP APIs are governed by Microsoft API License and Terms of use.
Throttling limits
NAME CALLS RENEWAL PERIOD
Legal Notices
Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this
repository under the Creative Commons Attribution 4.0 International Public License, see the LICENSE file.
Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the
documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other
countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks.
Microsoft's general trademark guidelines can be found at https://go.microsoft.com/fwlink/?LinkID=254653.
Privacy information can be found at https://privacy.microsoft.com/en-us/ Microsoft and any contributors reserve all
others rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel
or otherwise.
Access the Microsoft Defender Advanced Threat
Protection APIs
2/12/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those
APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities.
The API access requires OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization
Code Flow.
Watch this video for a quick overview of Microsoft Defender ATP's APIs.
In general, you’ll need to take the following steps to use the APIs:
Create an AAD application
Get an access token using this application
Use the token to access Microsoft Defender ATP API
You can access Microsoft Defender ATP API with Application Context or User Context .
Application Context: (Recommended)
Used by apps that run without a signed-in user present, for example, apps that run as background
services or daemons.
Steps that need to be taken to access Microsoft Defender ATP API with application context:
1. Create an AAD Web-Application.
2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate
Machines'.
3. Create a key for this Application.
4. Get token using the application with its key.
5. Use the token to access Microsoft Defender ATP API
For more information, see Get access with application context.
User Context:
Used to perform actions in the API on behalf of a user.
Steps that need to be taken to access Microsoft Defender ATP API with user context:
1. Create an AAD Native-Application.
2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
3. Get token using the application with user credentials.
4. Use the token to access Microsoft Defender ATP API
For more information, see Get access with user context.
Related topics
Microsoft Defender ATP APIs
Access Microsoft Defender ATP with application context
Access Microsoft Defender ATP with user context
Microsoft Defender ATP API - Hello World
12/18/2019 • 4 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Want to experience Microsoft Defender ATP? Sign up for a free trial.
3. In the registration form, choose a name for your application and then click Register .
4. Allow your Application to access Microsoft Defender ATP and assign it 'Read all alerts' permission:
On your application page, click API Permissions > Add permission > APIs my organization
uses > type WindowsDefenderATP and click on WindowsDefenderATP .
Note : WindowsDefenderATP does not appear in the original list. You need to start writing its name in
the text box to see it appear.
Choose Application permissions > Alert.Read.All > Click on Add permissions
Important note : You need to select the relevant permissions. 'Read All Alerts' is only an example!
For instance,
To run advanced queries, select 'Run advanced queries' permission
To isolate a machine, select 'Isolate machine' permission
To determine which permission you need, please look at the Permissions section in the API you are
interested to call.
5. Click Grant consent
Note : Every time you add permission you must click on Grant consent for the new permission to take
effect.
# This script gets the App Context Token and saves it to a file named "Latest-token.txt" under the current
# directory
# Paste below your Tenant ID, App ID and App Secret (App key).
$tenantId = ''   # Paste your tenant ID here
$appId = ''      # Paste your application ID here
$appSecret = ''  # Paste your application secret here; keep this file out of source control
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
$authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
# Client-credentials flow: exchange the application ID and secret for a bearer token
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
# The token is a bearer credential; the file is written for the sanity check below, so protect it accordingly
Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token
Sanity Check:
Run the script.
In your browser go to: https://jwt.ms/
Copy the token (the content of the Latest-token.txt file).
Paste in the top box.
Look for the "roles" section. Find the Alert.Read.All role.
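Pasting a live bearer token into a web page is something many teams prohibit, and the check above is easy to script. The following PowerShell is an added example, not code from the original page: it reads Latest-token.txt written by Get-Token.ps1, base64url-decodes the JWT payload, and checks the expiry, the audience and the roles claim. The claim names used (aud, tid, appid, exp, roles) are the standard Azure AD v1 token claims; they are not described on this page, so treat them as an assumption of the example.

```powershell
# Added example (not from the original page): inspect the token from Latest-token.txt
# offline instead of pasting it into jwt.ms. Only the claims are decoded; the signature
# is not verified here, so this confirms what was issued, not that the token is genuine.
function ConvertFrom-Base64Url {
    param([string]$Text)
    # JWT segments use the URL-safe alphabet and drop the '=' padding
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-AtpToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$RequiredRoles = @('Alert.Read.All'),
        [string]$ExpectedAudience = 'https://api.securitycenter.windows.com'
    )
    $parts = $Token.Trim().Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json   # claim names assumed: aud, tid, appid, exp, roles

    $expires = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
    # Application-context tokens carry permissions in 'roles'; a user-context token
    # carries them in 'scp' instead, so a missing 'roles' claim is itself a finding
    $missing = @($RequiredRoles | Where-Object { $claims.roles -notcontains $_ })

    [pscustomobject]@{
        Audience     = $claims.aud
        AudienceOk   = ($claims.aud -eq $ExpectedAudience)
        Tenant       = $claims.tid
        AppId        = $claims.appid
        ExpiresUtc   = $expires
        Expired      = ($expires -lt (Get-Date).ToUniversalTime())
        Roles        = $claims.roles
        MissingRoles = $missing
    }
}

$check = Test-AtpToken -Token (Get-Content ./Latest-token.txt -Raw)
$check
if ($check.Expired -or -not $check.AudienceOk -or $check.MissingRoles.Count -gt 0) {
    throw "Token not usable: expired=$($check.Expired) audience=$($check.Audience) missing=$($check.MissingRoles -join ',')"
}
```

Pass a different -RequiredRoles list when you granted other permissions, for example 'Machine.Isolate' for the isolate-machine API; the script exits non-zero if any required role is absent, so it can gate a pipeline step before the Get-Alerts script below runs.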
Let's get the alerts!
The script below will use Get-Token.ps1 to access the API and will get the past 48 hours Alerts.
Save this script in the same folder you saved the previous script Get-Token.ps1 .
The script creates two files ( json and csv) with the data in the same folder as the scripts.
# Returns Alerts created in the past 48 hours.
$token = ./Get-Token.ps1 # run the script Get-Token.ps1 - make sure you are running this script from the same folder as Get-Token.ps1
# Get Alerts from the last 48 hours. Make sure you have alerts in that time frame.
$dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o")
# The URL contains the type of query and the time filter we created above
# Read more about other query options and filters at Https://TBD- add the documentation link
$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime"
# Send the token as a bearer header and call the API
$headers = @{ 'Content-Type' = 'application/json'; Accept = 'application/json'; Authorization = "Bearer $token" }
$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop
$alerts = ($response | ConvertFrom-Json).value | ConvertTo-Json
# Get string with the execution time. We concatenate that string to the output file name to avoid overwriting the file
$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}
# Save the alerts as JSON and as CSV in the same folder as the scripts
$outputJsonPath = "./Latest Alerts $dateTimeForFileName.json"
$outputCsvPath = "./Latest Alerts $dateTimeForFileName.csv"
Out-File -FilePath $outputJsonPath -InputObject $alerts
($alerts | ConvertFrom-Json) | Export-CSV $outputCsvPath -NoTypeInformation
Related topic
Microsoft Defender ATP APIs
Access Microsoft Defender ATP with application context
Access Microsoft Defender ATP with user context
Create an app to access Microsoft Defender ATP
without a user
2/28/2020 • 5 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This page describes how to create an application to get programmatic access to Microsoft Defender ATP without a
user. If you need programmatic access to Microsoft Defender ATP on behalf of a user, see Get access with user
context. If you are not sure which access you need, see Get started.
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will
help you automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires
OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create an Azure Active Directory (Azure AD) application.
Get an access token using this application.
Use the token to access Microsoft Defender ATP API.
This article explains how to create an Azure AD application, get an access token to Microsoft Defender ATP, and
validate the token.
Create an app
1. Log on to Azure with a user that has the Global Administrator role.
2. Navigate to Azure Active Directory > App registrations > New registration .
3. In the registration form, choose a name for your application, and then select Register .
4. To enable your app to access Microsoft Defender ATP and assign it 'Read all alerts' permission, on your
application page, select API Permissions > Add permission > APIs my organization uses , type
WindowsDefenderATP , and then select WindowsDefenderATP .
NOTE
WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it
appear.
Select Application permissions > Alert.Read.All , and then select Add permissions .
Note that you need to select the relevant permissions. 'Read All Alerts' is only an example. For instance:
To run advanced queries, select the 'Run advanced queries' permission.
To isolate a machine, select the 'Isolate machine' permission.
To determine which permission you need, please look at the Permissions section in the API you are
interested to call.
5. Select Grant consent .
NOTE
Every time you add a permission, you must select Grant consent for the new permission to take effect.
6. To add a secret to the application, select Certificates & secrets , add a description to the secret, and then
select Add .
NOTE
After you select Add , copy the generated secret value. You won't be able to retrieve this value after you
leave the page.
7. Write down your application ID and your tenant ID. On your application page, go to Overview and copy
the following.
8. For Microsoft Defender ATP Partners only . Set your app to be multi-tenanted (available in all tenants
after consent). This is required for third-party apps (for example, if you create an app that is intended to
run in multiple customers' tenant). This is not required if you create a service that you want to run in your
tenant only (for example, if you create an application for your own usage that will only interact with your
own data). To set your app to be multi-tenanted:
Go to Authentication , and add https://portal.azure.com as the Redirect URI .
On the bottom of the page, under Supported account types , select Accounts in any
organizational directory to allow application consent for your multi-tenant app.
You need your application to be approved in each tenant where you intend to use it. This is because your
application interacts with Microsoft Defender ATP on behalf of your customer.
You (or your customer if you are writing a third-party app) need to select the consent link and approve your
app. The consent should be done with a user who has administrative privileges in Active Directory.
The consent link is formed as follows:
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
# Paste your Tenant ID, App ID and App Secret (App key) below.
$tenantId = ''   # Paste your tenant ID here
$appId = ''      # Paste your application ID here
$appSecret = ''  # Paste your application secret here; keep this file out of source control
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
$authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
# Client-credentials flow: exchange the application ID and secret for a bearer token
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token
Use C#:
The following code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8.
1. Create a new console application.
2. Install Nuget Microsoft.IdentityModel.Clients.ActiveDirectory.
3. Add the following:
using Microsoft.IdentityModel.Clients.ActiveDirectory;
4. Copy and paste the following code in your app (don't forget to update the three variables:
tenantId, appId, appSecret ):
Use Python
See Get token using Python.
Use Curl
NOTE
The following procedure assumes that Curl for Windows is already installed on your computer.
1. Open a command prompt, and set CLIENT_ID to your Azure application ID.
2. Set CLIENT_SECRET to your Azure application secret.
3. Set TENANT_ID to the Azure tenant ID of the customer that wants to use your app to access Microsoft Defender
ATP.
4. Run the following command:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni
IsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}
Related topics
Supported Microsoft Defender ATP APIs
Access Microsoft Defender ATP on behalf of a user
Use Microsoft Defender ATP APIs
12/26/2019 • 3 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This page describes how to create an application to get programmatic access to Microsoft Defender ATP on behalf
of a user.
If you need programmatic access Microsoft Defender ATP without a user, refer to Access Microsoft Defender ATP
with application context.
If you are not sure which access you need, read the Introduction page.
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will
enable you to automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access
requires OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create an AAD application
Get an access token using this application
Use the token to access Microsoft Defender ATP API
This page explains how to create an AAD application, get an access token to Microsoft Defender ATP and validate
the token.
NOTE
When accessing Microsoft Defender ATP API on behalf of a user, you will need the correct Application permission and user
permission. If you are not familiar with user permissions on Microsoft Defender ATP, see Manage portal access using role-
based access control.
TIP
If you have the permission to perform an action in the portal, you have the permission to perform the action in the API.
Create an app
1. Log on to Azure with a user that has the Global Administrator role.
2. Navigate to Azure Active Directory > App registrations > New registration .
3. In the registration form, enter the following information, then click Register .
Choose Delegated permissions > Alert.Read > Click on Add permissions
Important note : You need to select the relevant permissions. 'Read alerts' is only an example!
For instance,
To run advanced queries, select 'Run advanced queries' permission
To isolate a machine, select 'Isolate machine' permission
To determine which permission you need, please look at the Permissions section in the API you
are interested to call.
Click Grant consent
Note : Every time you add permission you must click on Grant consent for the new permission to
take effect.
return jObject["access_token"].Value<string>();
}
}
}
}
}
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This page describes how to create an AAD application to get programmatic access to Microsoft Defender ATP on
behalf of your customers.
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will
help you automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires
OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create a multi-tenant AAD application.
Get authorization (consent) from your customer's administrator for your application to access the Microsoft
Defender ATP resources it needs.
Get an access token using this application.
Use the token to access Microsoft Defender ATP API.
The following steps guide you through creating an AAD application, getting an access token to Microsoft Defender
ATP, and validating the token.
4. Allow your Application to access Microsoft Defender ATP and assign it the minimal set of permissions
required to complete the integration.
On your application page, click API Permissions > Add permission > APIs my organization
uses > type WindowsDefenderATP and click on WindowsDefenderATP .
Note : WindowsDefenderATP does not appear in the original list. You need to start writing its name in
the text box to see it appear.
Request API permissions
To determine which permission you need, please look at the Permissions section in the API you are
interested to call. For instance:
To run advanced queries, select 'Run advanced queries' permission
To isolate a machine, select 'Isolate machine' permission
In the following example we will use 'Read all alerts' permission:
Choose Application permissions > Alert.Read.All > Click on Add permissions
5. Click Grant consent
Note : Every time you add permission you must click on Grant consent for the new permission to take
effect.
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
# Paste the customer's Tenant ID and your App ID and App Secret (App key) below.
$tenantId = ''   # Paste the tenant ID of the customer that consented to your app here
$appId = ''      # Paste your application ID here
$appSecret = ''  # Paste your application secret here; keep this file out of source control
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
$authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
# Client-credentials flow: exchange the application ID and secret for a bearer token
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token
Using C#:
The following code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory.
using Microsoft.IdentityModel.Clients.ActiveDirectory;
Copy/Paste the below code in your application (do not forget to update the 3 variables:
tenantId, appId, appSecret )
Using Python
Refer to Get token using Python
Using Curl
NOTE
The following procedure assumes that Curl for Windows is already installed on your computer.
Open a command window
Set CLIENT_ID to your Azure application ID
Set CLIENT_SECRET to your Azure application secret
Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft
Defender ATP
Run the below command:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiI
sIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}
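As an added example (not code from this page or from Microsoft), the following Python script builds the same client-credentials request as the PowerShell sample above and then inspects the returned token's claims to confirm that the roles granted through Grant consent are actually present before the first API call. It decodes the JWT without verifying the signature, which is fine for inspecting what consent produced but must never be used to trust a token. The role name Machine.Isolate (assumed to be the application permission behind 'Isolate machine') and the sample token are assumptions; only Alert.Read.All appears on the page.

```python
import base64
import json
import time
import urllib.parse

# Resource (token audience) and token endpoint, as in the PowerShell sample on this page.
RESOURCE = "https://api.securitycenter.windows.com"


def build_token_request(tenant_id, app_id, app_secret):
    """Return (url, form_body) for the client_credentials grant; sending it is up to the caller."""
    url = f"https://login.windows.net/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "resource": RESOURCE,
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "client_credentials",
    })
    return url, body


def b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only, never trust)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(b64url_decode(parts[1]))


def check_token(access_token, required_roles, now=None):
    """Return a list of problems; an empty list means the token should work for those roles."""
    now = time.time() if now is None else now
    claims = decode_claims(access_token)
    problems = []
    if claims.get("aud") != RESOURCE:
        problems.append(f"audience is {claims.get('aud')!r}, expected {RESOURCE!r}")
    granted = set(claims.get("roles", []))  # app roles are what Grant consent puts here
    for role in sorted(set(required_roles) - granted):
        problems.append(f"role {role} not granted; add the permission and click Grant consent")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def sample_token(claims):
    """Constructed, unsigned sample token for offline use (not a real token)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".fakesignature"


if __name__ == "__main__":
    # Assumed: consent was granted for Alert.Read.All only, so Machine.Isolate is reported missing.
    tok = sample_token({"aud": RESOURCE, "roles": ["Alert.Read.All"], "exp": 1_900_000_000})
    print(check_token(tok, ["Alert.Read.All", "Machine.Isolate"], now=1_700_000_000))
```

Run check_token right after acquiring a token and before your first API call; a missing role is the usual reason for a 403 after adding a permission without clicking Grant consent.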
Related topics
Supported Microsoft Defender ATP APIs
Access Microsoft Defender ATP on behalf of a user
Supported Microsoft Defender ATP APIs
1/28/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Want to experience Microsoft Defender ATP? Sign up for a free trial.
Versioning:
The API supports versioning.
The current version is V1.0 .
To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example:
https://api.securitycenter.windows.com/api/v1.0/alerts
If you don't specify a version (e.g. https://api.securitycenter.windows.com/api/alerts ) you get the latest version.
Learn more about the individual supported entities where you can run API calls to and details such as HTTP
request values, request headers and expected responses.
In this section
Alerts: Run API calls such as get alerts, create alert, update alert and more.
Domains: Run API calls such as get domain related machines, domain statistics and more.
Files: Run API calls such as get file information, file related alerts, file related machines, and file statistics.
IPs: Run API calls such as get IP related alerts and get IP statistics.
Machines: Run API calls such as get machines, get machines by ID, information about logged on users, edit tags and more.
Machine Actions: Run API calls such as Isolation, Run anti-virus scan and more.
Indicators: Run API calls such as create Indicator, get Indicators and delete Indicators.
Users: Run API calls such as get user related alerts and user related machines.
Score: Run API calls such as get exposure score or get device secure score.
Related topic
Microsoft Defender ATP APIs
Common REST API error codes
2/7/2020 • 2 minutes to read
The error codes listed in the following table may be returned by an operation on any of the Microsoft Defender ATP APIs.
Note that in addition to the error code, every error response contains an error message which can help resolve the problem.
Note that the message is free text that can change.
At the bottom of the page you can find response examples.
InternalServerError: Internal Server Error (500). No error message; retry the operation, or contact us if the problem persists.
Correlation request ID
Each error response contains a unique ID parameter for tracking.
The property name of this parameter is "target".
When contacting us about an error, attaching this ID will help find the root cause of the problem.
Examples
{
"error": {
"code": "ResourceNotFound",
"message": "Machine 123123123 was not found",
"target": "43f4cb08-8fac-4b65-9db1-745c2ae65f3a"
}
}
{
"error": {
"code": "InvalidRequestBody",
"message": "Request body is incorrect",
"target": "1fa66c0f-18bd-4133-b378-36d76f3a2ba0"
}
}
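Added example (not the page's own code): a response classifier that branches on the error code only, retries InternalServerError as the page suggests, and carries the "target" correlation ID in the exception so it reaches logs and support tickets. Treating HTTP 429 as retryable is an assumption: the page documents per-API rate limits but not the status code they produce. The sample bodies are the two error examples shown above.

```python
import json

# The page documents InternalServerError (500) as "retry the operation"; it is
# the only error code treated as retryable here.
RETRYABLE_CODES = {"InternalServerError"}
# Assumed: rate limiting surfaces as HTTP 429 (the page names the limits, not the status).
RATE_LIMITED_STATUS = 429


class DefenderApiError(Exception):
    """A non-retryable API error; 'target' is the correlation ID to quote to support."""

    def __init__(self, status, code, message, target):
        super().__init__(f"HTTP {status} {code}: {message} (correlation id: {target})")
        self.status, self.code, self.message, self.target = status, code, message, target


def parse_error(body_text):
    """Return (code, message, target) from an error body, or None if it is not one.

    Callers must branch on 'code' only: the page says 'message' is free text
    that can change, so it is only ever logged.
    """
    try:
        err = json.loads(body_text)["error"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(err, dict):
        return None
    return err.get("code"), err.get("message"), err.get("target")


def classify_response(status, body_text, attempt, max_attempts=3):
    """Return 'ok' or 'retry', or raise DefenderApiError with the correlation ID attached."""
    if 200 <= status < 300:
        return "ok"
    if status == RATE_LIMITED_STATUS and attempt < max_attempts:
        return "retry"
    parsed = parse_error(body_text)
    if parsed is None:
        code, message, target = "UnparseableError", body_text[:200], None
    else:
        code, message, target = parsed
    if code in RETRYABLE_CODES and attempt < max_attempts:
        return "retry"
    raise DefenderApiError(status, code, message, target)


if __name__ == "__main__":
    body = '{"error": {"code": "ResourceNotFound", "message": "Machine 123123123 was not found",' \
           ' "target": "43f4cb08-8fac-4b65-9db1-745c2ae65f3a"}}'
    try:
        classify_response(404, body, attempt=1)
    except DefenderApiError as exc:
        print(exc.code, exc.target)
```

When retrying, back off between attempts; the per-API limits listed later on this page (for example 100 calls per minute for the alert APIs) count retries too.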
Advanced hunting API
2/11/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Limitations
1. You can only run a query on data from the last 30 days.
2. The results will include a maximum of 100,000 rows.
3. The number of executions is limited per tenant: up to 15 calls per minute, 15 minutes of running time every
hour and 4 hours of running time a day.
4. The maximal execution time of a single request is 10 minutes.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have the 'View Data' role
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/advancedqueries/run
Request headers
Authorization (String): Bearer {token}. Required.
Content-Type (String): application/json. Required.
Request body
In the request body, supply a JSON object with the following parameter:
Query (String): the advanced hunting query to run. Required.
Response
If successful, this method returns 200 OK, and QueryResponse object in the response body.
Example
Request
Here is an example of the request.
NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
POST https://api.securitycenter.windows.com/api/advancedqueries/run
Content-type: application/json
{
"Query":"DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where ProcessCommandLine contains 'appdata'
| project Timestamp, FileName, InitiatingProcessFileName, DeviceId
| limit 2"
}
Response
Here is an example of the response.
NOTE
The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
{
"Schema": [
{
"Name": "Timestamp",
"Type": "DateTime"
},
{
"Name": "FileName",
"Type": "String"
},
{
"Name": "InitiatingProcessFileName",
"Type": "String"
},
{
"Name": "DeviceId",
"Type": "String"
}
],
"Results": [
{
"Timestamp": "2020-02-05T01:10:26.2648757Z",
"FileName": "csc.exe",
"InitiatingProcessFileName": "powershell.exe",
"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
},
{
"Timestamp": "2020-02-05T01:10:26.5614772Z",
"FileName": "csc.exe",
"InitiatingProcessFileName": "powershell.exe",
"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
}
]
}
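Added example, not from the page: build the request body, turn the Schema/Results response into typed rows (the API's timestamps carry seven fractional digits, more than Python's datetime keeps, so they are truncated rather than rejected), and count hits per device so one noisy host does not hide the rest. The sample response is the one shown above, embedded as a literal so the code runs offline.

```python
import json
from datetime import datetime, timezone

HUNTING_URL = "https://api.securitycenter.windows.com/api/advancedqueries/run"

# The query from the page's example request.
SAMPLE_QUERY = (
    "DeviceProcessEvents\n"
    "| where InitiatingProcessFileName =~ 'powershell.exe'\n"
    "| where ProcessCommandLine contains 'appdata'\n"
    "| project Timestamp, FileName, InitiatingProcessFileName, DeviceId\n"
    "| limit 2"
)

# The page's example response, copied verbatim as a literal.
SAMPLE_RESPONSE = """{
  "Schema": [
    {"Name": "Timestamp", "Type": "DateTime"},
    {"Name": "FileName", "Type": "String"},
    {"Name": "InitiatingProcessFileName", "Type": "String"},
    {"Name": "DeviceId", "Type": "String"}
  ],
  "Results": [
    {"Timestamp": "2020-02-05T01:10:26.2648757Z", "FileName": "csc.exe",
     "InitiatingProcessFileName": "powershell.exe",
     "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"},
    {"Timestamp": "2020-02-05T01:10:26.5614772Z", "FileName": "csc.exe",
     "InitiatingProcessFileName": "powershell.exe",
     "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"}
  ]
}"""


def build_hunting_request(kql):
    """Return the JSON body for POST /api/advancedqueries/run (a single 'Query' field)."""
    return json.dumps({"Query": kql})


def parse_timestamp(value):
    """Parse the API's UTC timestamps; 7 fractional digits are truncated to microseconds."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in Z: {value!r}")
    main, _, frac = value[:-1].partition(".")
    parsed = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    micros = int((frac + "000000")[:6]) if frac else 0
    return parsed.replace(microsecond=micros, tzinfo=timezone.utc)


def parse_hunting_response(body_text):
    """Turn the Schema/Results payload into a list of dicts with DateTime columns parsed."""
    payload = json.loads(body_text)
    date_cols = {col["Name"] for col in payload["Schema"] if col["Type"] == "DateTime"}
    rows = []
    for raw in payload["Results"]:
        row = dict(raw)
        for col in date_cols:
            if row.get(col) is not None:
                row[col] = parse_timestamp(row[col])
        rows.append(row)
    return rows


def count_by_device(rows):
    """Number of matching events per DeviceId."""
    counts = {}
    for row in rows:
        counts[row["DeviceId"]] = counts.get(row["DeviceId"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_hunting_response(SAMPLE_RESPONSE)
    print(build_hunting_request(SAMPLE_QUERY))
    print(count_by_device(rows))
```

The sample query above is a useful detection in its own right (PowerShell launching csc.exe with a command line that mentions appdata is a common in-memory compilation pattern); keep the 100,000-row and 10-minute limits in mind and add a time filter rather than relying on the 30-day default when the query is broad.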
Related topic
Microsoft Defender ATP APIs introduction
Advanced Hunting from Portal
Advanced Hunting using PowerShell
Alert resource type
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Methods
METHOD | RETURN TYPE | DESCRIPTION
List related domains | Domain collection | List URLs associated with the alert.
List related files | File collection | List the file entities that are associated with the alert.
List related IPs | IP collection | List IPs that are associated with the alert.
Get related users | User | The user that is associated with the alert.
Properties
PROPERTY | TYPE | DESCRIPTION
alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created.
resolvedTime | Nullable DateTimeOffset | The date and time at which the status of the alert was changed to 'Resolved'.
GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-292920499
{
"id": "da637084217856368682_-292920499",
"incidentId": 66860,
"investigationId": 4416234,
"investigationState": "Running",
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "New",
"classification": "TruePositive",
"determination": null,
"detectionSource": "WindowsDefenderAtp",
"category": "CommandAndControl",
"threatFamilyName": null,
"title": "Network connection to a risky host",
"description": "A network connection was made to a risky host which has exhibited malicious activity.",
"alertCreationTime": "2019-11-03T23:49:45.3823185Z",
"firstEventTime": "2019-11-03T23:47:16.2288822Z",
"lastEventTime": "2019-11-03T23:47:51.2966758Z",
"lastUpdateTime": "2019-11-03T23:55:52.6Z",
"resolvedTime": null,
"machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
"comments": [
{
"comment": "test comment for docs",
"createdBy": "secop@contoso.com",
"createdTime": "2019-11-05T14:08:37.8404534Z"
}
]
}
List alerts API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves a collection of Alerts.
Supports OData V4 queries.
The OData $filter query is supported on the alertCreationTime, incidentId, investigationId, status, severity and category properties.
See examples at OData queries with Microsoft Defender ATP
Limitations
1. You can get alerts last updated in the past 30 days.
2. Maximum page size is 10,000.
3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only alerts that are associated with machines that the user can access, based on machine group
settings (See Create and manage machine groups for more information)
HTTP request
GET /api/alerts
Request headers
Authorization (String): Bearer {token}. Required.
Request body
Empty
Response
If successful, this method returns 200 OK, and a list of alert objects in the response body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/alerts
NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
Response
Here is an example of the response.
NOTE
The response list shown here may be truncated for brevity. All alerts will be returned from an actual call.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "da637084217856368682_-292920499",
"incidentId": 66860,
"investigationId": 4416234,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "New",
"classification": "TruePositive",
"determination": null,
"investigationState": "Running",
"detectionSource": "WindowsDefenderAtp",
"category": "CommandAndControl",
"threatFamilyName": null,
"title": "Network connection to a risky host",
"description": "A network connection was made to a risky host which has exhibited malicious activity.",
"alertCreationTime": "2019-11-03T23:49:45.3823185Z",
"firstEventTime": "2019-11-03T23:47:16.2288822Z",
"lastEventTime": "2019-11-03T23:47:51.2966758Z",
"lastUpdateTime": "2019-11-03T23:55:52.6Z",
"resolvedTime": null,
"machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
"comments": [
{
"comment": "test comment for docs",
"createdBy": "secop@contoso.com",
"createdTime": "2019-11-05T14:08:37.8404534Z"
}
]
}
...
]
}
Related topics
OData queries with Microsoft Defender ATP
Create alert API
2/11/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Creates a new Alert on top of an Event.
A Microsoft Defender ATP Event is required for the alert creation.
You need to supply 3 parameters from the Event in the request: Event Time, Machine ID and Report ID. See the example below.
You can use an event found in the Advanced Hunting API or in the portal.
If there is an existing open alert on the same Machine with the same Title, the newly created alert is merged with it.
An automatic investigation starts on every alert created via the API.
Limitations
1. Rate limitations for this API are 15 calls per minute.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts investigation' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
Request headers
Authorization (String): Bearer {token}. Required.
Request body
In the request body, supply the following values (all are required): machineId, eventTime, reportId, title, description, recommendedAction, severity and category. See the example below.
Response
If successful, this method returns 200 OK, and a new alert object in the response body. If event with the specified
properties (reportId, eventTime and machineId) was not found - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
{
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"severity": "Low",
"title": "example",
"description": "example alert",
"recommendedAction": "nothing",
"eventTime": "2018-08-03T16:45:21.7115183Z",
"reportId": "20776",
"category": "Exploit"
}
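Added example (not Microsoft's code): build CreateAlertByReference bodies from advanced hunting rows and collapse the duplicates the API would merge anyway. The mapping assumes the hunting query projects DeviceId, Timestamp and ReportId (ReportId is a standard advanced hunting column that this page's sample query does not project, so add it to your own query); the events below are constructed, not real telemetry.

```python
CREATE_URL = "https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference"

# Advanced hunting column -> CreateAlertByReference field (the three Event parameters).
EVENT_FIELDS = {"DeviceId": "machineId", "Timestamp": "eventTime", "ReportId": "reportId"}
# The fields in the page's example body; the page says every supplied value is required.
REQUIRED = ("machineId", "eventTime", "reportId", "title", "description",
            "recommendedAction", "severity", "category")

# Constructed hunting rows: two events on one device, one on another.
SAMPLE_EVENTS = [
    {"DeviceId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
     "Timestamp": "2018-08-03T16:45:21.7115183Z", "ReportId": 20776},
    {"DeviceId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
     "Timestamp": "2018-08-03T16:50:02.0000000Z", "ReportId": 20777},
    {"DeviceId": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
     "Timestamp": "2018-08-03T17:00:00.0000000Z", "ReportId": 30001},
]


def alert_from_event(event, title, description, recommended_action, severity, category):
    """Build one CreateAlertByReference body from a hunting row.

    eventTime is passed through exactly as the API returned it: the backend
    looks the event up by (machineId, eventTime, reportId) and answers
    404 Not Found when the triple does not match a stored event.
    """
    body = {}
    for column, field in EVENT_FIELDS.items():
        if event.get(column) in (None, ""):
            raise ValueError(f"event is missing {column}, needed for {field}")
        body[field] = str(event[column])
    if not body["eventTime"].endswith("Z"):
        raise ValueError("eventTime must be the UTC timestamp string from the event")
    body.update(title=title, description=description, recommendedAction=recommended_action,
                severity=severity, category=category)
    missing = [field for field in REQUIRED if not body.get(field)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    return body


def dedupe_for_merge(bodies):
    """Keep the earliest body per (machineId, title).

    The API merges a new alert into an open alert with the same title on the
    same machine, and every created alert starts an automated investigation,
    so the extra calls only spend the 15-per-minute budget.
    """
    kept = {}
    for body in sorted(bodies, key=lambda b: b["eventTime"]):
        kept.setdefault((body["machineId"], body["title"]), body)
    return list(kept.values())


if __name__ == "__main__":
    bodies = [alert_from_event(e, "example", "example alert", "nothing", "Low", "Exploit")
              for e in SAMPLE_EVENTS]
    for body in dedupe_for_merge(bodies):
        print("POST", CREATE_URL, body)
```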
Update alert
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Updates properties of an existing Alert.
A comment can be submitted with or without updating properties.
Updatable properties are: status, determination, classification and assignedTo.
Limitations
1. You can only update alerts that are available in the API. See List Alerts for more information.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts investigation' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
PATCH /api/alerts/{id}
Request headers
Authorization (String): Bearer {token}. Required.
Content-Type (String): application/json. Required.
Request body
In the request body, supply the values for the relevant fields that should be updated.
Existing properties that are not included in the request body keep their previous values or are recalculated based on changes to other property values.
For best performance, do not include existing values that haven't changed.
NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
Response
If successful, this method returns 200 OK, and the alert entity in the response body with the updated properties. If
alert with the specified id was not found - 404 Not Found.
Example
Request
Here is an example of the request.
PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
Content-Type: application/json
{
"status": "Resolved",
"assignedTo": "secop2@contoso.com",
"classification": "FalsePositive",
"determination": "Malware",
"comment": "Resolve my alert and assign to secop2"
}
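Added example, not the page's own code: compute the minimal PATCH body by diffing the alert as GET /api/alerts/{id} currently returns it against the desired values, over the four updatable properties only, so unchanged values are never resent and an attempt to change a non-updatable property fails locally. The current-alert values are taken from the page's alert example.

```python
import json

ALERTS_URL = "https://api.securitycenter.windows.com/api/alerts"
UPDATABLE = ("status", "determination", "classification", "assignedTo")

# The alert as GET /api/alerts/{id} returns it (values from the page's example).
CURRENT_ALERT = {
    "id": "da637084217856368682_-292920499",
    "status": "New",
    "assignedTo": "secop@contoso.com",
    "classification": "TruePositive",
    "determination": None,
    "severity": "Low",
}


def minimal_patch(current_alert, desired, comment=None):
    """Return only the updatable properties whose desired value differs from the current one.

    Keys outside the four updatable properties raise instead of being dropped,
    so a caller who tries to change, say, severity learns that PATCH cannot.
    """
    unknown = sorted(set(desired) - set(UPDATABLE))
    if unknown:
        raise ValueError(f"not updatable via PATCH /api/alerts/{{id}}: {unknown}")
    body = {key: value for key, value in desired.items() if current_alert.get(key) != value}
    if comment:
        body["comment"] = comment   # a comment may be sent with or without property changes
    return body


def patch_request(alert_id, current_alert, desired, comment=None):
    """Return (method, url, headers, json_body), or None when there is nothing to send."""
    body = minimal_patch(current_alert, desired, comment)
    if not body:
        return None
    headers = {"Content-Type": "application/json"}  # plus Authorization: Bearer {token}
    return "PATCH", f"{ALERTS_URL}/{alert_id}", headers, json.dumps(body)


if __name__ == "__main__":
    desired = {"status": "Resolved", "assignedTo": "secop2@contoso.com",
               "classification": "FalsePositive", "determination": "Malware"}
    print(patch_request(CURRENT_ALERT["id"], CURRENT_ALERT, desired,
                        "Resolve my alert and assign to secop2"))
```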
Get alert information by ID API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves specific Alert by its ID.
Limitations
1. You can get alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/alerts/{id}
Request headers
Authorization (String): Bearer {token}. Required.
Request body
Empty
Response
If successful, this method returns 200 OK, and the alert entity in the response body. If alert with the specified id was
not found - 404 Not Found.
Get alert related domain information API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves all domains related to a specific alert.
Limitations
1. You can query on alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/alerts/{id}/domains
Request headers
Authorization (String): Bearer {token}. Required.
Request body
Empty
Response
If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/domains
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains",
"value": [
{
"host": "www.example.com"
},
{
"host": "www.example2.com"
}
...
]
}
Get alert related files information API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves all files related to a specific alert.
Limitations
1. You can query on alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/alerts/{id}/files
Request headers
Authorization (String): Bearer {token}. Required.
Request body
Empty
Response
If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files",
"value": [
{
"sha1": "f2a00fd2f2de1be0214b8529f1e9f67096c1aa70",
"sha256": "dcd71ef5fff4362a9f64cf3f96f14f2b11d6f428f3badbedcb9ff3361e7079aa",
"md5": "8d5b7cc9a832e21d22503057e1fec8e9",
"globalPrevalence": 29,
"globalFirstObserved": "2019-03-23T23:54:06.0135204Z",
"globalLastObserved": "2019-04-23T00:43:20.0489831Z",
"size": 113984,
"fileType": null,
"isPeFile": true,
"filePublisher": "Microsoft Corporation",
"fileProductName": "Microsoft® Windows® Operating System",
"signer": "Microsoft Corporation",
"issuer": "Microsoft Code Signing PCA",
"signerHash": "9dc17888b5cfad98b3cb35c1994e96227f061675",
"isValidCertificate": true,
"determinationType": "Unknown",
"determinationValue": null
}
...
]
}
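Added example (not from the page): a small triage pass over the file entities this call returns, flagging files whose signature is missing or invalid, that are rarely seen globally, or that already carry a determination, using only fields present in the response above. The prevalence floor, the treatment of determinationType values other than "Unknown", and the second, unsigned sample file (placeholder hashes) are constructed assumptions; the first sample is the page's own entry.

```python
# Assumed threshold: files seen on fewer machines than this worldwide are worth a look.
PREVALENCE_FLOOR = 5

SAMPLE_FILES = [
    {   # the entry from the page's example response
        "sha1": "f2a00fd2f2de1be0214b8529f1e9f67096c1aa70",
        "sha256": "dcd71ef5fff4362a9f64cf3f96f14f2b11d6f428f3badbedcb9ff3361e7079aa",
        "globalPrevalence": 29, "isPeFile": True,
        "signer": "Microsoft Corporation", "issuer": "Microsoft Code Signing PCA",
        "isValidCertificate": True, "determinationType": "Unknown", "determinationValue": None,
    },
    {   # constructed: an unsigned, rarely seen PE (placeholder hashes, not a real sample)
        "sha1": "0" * 40, "sha256": "0" * 64,
        "globalPrevalence": 2, "isPeFile": True,
        "signer": None, "issuer": None,
        "isValidCertificate": False, "determinationType": "Unknown", "determinationValue": None,
    },
]


def file_needs_attention(file_entity, prevalence_floor=PREVALENCE_FLOOR):
    """Return the reasons (possibly none) a file from /api/alerts/{id}/files deserves a closer look."""
    reasons = []
    if not file_entity.get("isValidCertificate"):
        reasons.append("unsigned or invalid signature")
    elif not file_entity.get("signer"):
        reasons.append("valid certificate but no signer name")
    prevalence = file_entity.get("globalPrevalence")
    if prevalence is not None and prevalence < prevalence_floor:
        reasons.append(f"rare globally (seen on {prevalence} machines)")
    # Assumed: anything other than Unknown/None means the backend already classified the file.
    if file_entity.get("determinationType") not in (None, "Unknown"):
        reasons.append(f"determination {file_entity['determinationType']}: "
                       f"{file_entity.get('determinationValue')}")
    return reasons


def triage_files(files):
    """Map sha256 -> reasons for every file that has at least one reason."""
    flagged = {}
    for file_entity in files:
        reasons = file_needs_attention(file_entity)
        if reasons:
            flagged[file_entity["sha256"]] = reasons
    return flagged


if __name__ == "__main__":
    for sha256, reasons in triage_files(SAMPLE_FILES).items():
        print(sha256, reasons)
```

A valid Microsoft signature with a prevalence of 29 (the page's own sample) produces no reasons, which is the point: the signal is in what is unsigned or rare, not in the volume of files an alert touches.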
Get alert related IPs information API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves all IPs related to a specific alert.
Limitations
1. You can query on alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/alerts/{id}/ips
Request headers
Authorization (String): Bearer {token}. Required.
Request body
Empty
Response
If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/ips
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips",
"value": [
{
"id": "104.80.104.128"
},
{
"id": "23.203.232.228"
}
...
]
}
Get alert related machine information API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves Machine related to a specific alert.
Limitations
1. You can query on alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs
PERMISSION TYPE | PERMISSION | PERMISSION DISPLAY NAME
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/alerts/{id}/machine
Request headers
Authorization (String): Bearer {token}. Required.
Request body
Empty
Response
If successful and alert and machine exist - 200 OK. If alert not found or machine not found - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/machine
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
Get alert related user information API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves the User related to a specific alert.
Limitations
1. You can query on alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The user needs to have access to the machine associated with the alert, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/alerts/{id}/user
Request headers
Authorization (String): Bearer {token}. Required.
Request body
Empty
Response
If successful and alert and a user exists - 200 OK with user in the body. If alert or user not found - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/user
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
"id": "contoso\\user1",
"accountName": "user1",
"accountDomain": "contoso",
"accountSid": "S-1-5-21-72051607-1745760036-109187956-93922",
"firstSeen": "2019-12-08T06:33:39Z",
"lastSeen": "2020-01-05T06:58:34Z",
"mostPrevalentMachineId": "0111b647235c26159bec3e5eb6c8c3a0cc3ab766",
"leastPrevalentMachineId": "0111b647235c26159bec3e5eb6c8c3a0cc3ab766",
"logonTypes": "Network",
"logOnMachinesCount": 1,
"isDomainAdmin": false,
"isOnlyNetworkUser": false
}
Machine resource type
3/25/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Methods
METHOD | RETURN TYPE | DESCRIPTION
List machines | machine collection | List the set of machine entities in the org.
Get logged on users | user collection | Get the set of Users that logged on to the machine.
Get related alerts | alert collection | Get the set of alert entities that were raised on the machine.
Properties
PROPERTY | TYPE | DESCRIPTION
List machines API
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves a collection of Machines that have communicated with the Microsoft Defender ATP cloud in the last 30 days.
Supports OData V4 queries.
The OData $filter query is supported on the computerDnsName, lastSeen, lastIpAddress, healthStatus, osPlatform, riskScore, rbacGroupId and machineTags properties.
See examples at OData queries with Microsoft Defender ATP
Limitations
1. You can get machines last seen in the past 30 days.
2. Maximum page size is 10,000.
3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
PERMISSION TYPE | PERMISSION | PERMISSION DISPLAY NAME
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more information)
The response will include only machines that the user has access to, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
GET https://api.securitycenter.windows.com/api/machines
Request headers
Authorization (String): Bearer {token}. Required.
Request body
Empty
Response
If successful and machines exist - 200 OK with a list of machine entities in the body. If there are no recent machines - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/machines
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
...
]
}
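Added example serving both the List alerts API and the List machines API above (not Microsoft's code): a $filter builder restricted to the properties each endpoint documents as filterable, with OData v4 literal quoting (single quotes doubled inside strings, datetimes unquoted in UTC) and the 10,000-row page-size cap enforced locally. Using $top as the page-size parameter is the OData convention and an assumption; the page states only the maximum page size.

```python
import urllib.parse
from datetime import datetime, timezone

BASE = "https://api.securitycenter.windows.com/api"

# Properties each list endpoint documents as supported in $filter.
FILTERABLE = {
    "alerts": {"alertCreationTime", "incidentId", "investigationId",
               "status", "severity", "category"},
    "machines": {"computerDnsName", "lastSeen", "lastIpAddress", "healthStatus",
                 "osPlatform", "riskScore", "rbacGroupId", "machineTags"},
}
MAX_PAGE_SIZE = 10_000          # documented maximum page size for both endpoints
OPERATORS = {"eq", "ne", "gt", "ge", "lt", "le"}


def utc(*args):
    """Timezone-aware UTC datetime, e.g. utc(2020, 2, 1)."""
    return datetime(*args, tzinfo=timezone.utc)


def odata_literal(value):
    """Render a Python value as an OData v4 literal."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, datetime):
        if value.tzinfo is None:
            raise ValueError("use a timezone-aware datetime for $filter values")
        return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if isinstance(value, str):
        return "'" + value.replace("'", "''") + "'"   # OData escapes ' by doubling it
    raise TypeError(f"unsupported $filter value type: {type(value).__name__}")


def build_list_url(entity, conditions, top=None):
    """Build GET {BASE}/{entity}?$filter=...&$top=... from (property, operator, value) triples.

    A property the endpoint does not index for $filter is rejected here, so a
    typo cannot silently turn into an unfiltered 10,000-row page.
    """
    allowed = FILTERABLE[entity]
    clauses = []
    for prop, op, value in conditions:
        if prop not in allowed:
            raise ValueError(f"{prop} is not filterable on /{entity}; allowed: {sorted(allowed)}")
        if op not in OPERATORS:
            raise ValueError(f"unsupported operator: {op}")
        clauses.append(f"{prop} {op} {odata_literal(value)}")
    params = {}
    if clauses:
        params["$filter"] = " and ".join(clauses)
    if top is not None:
        if not 1 <= top <= MAX_PAGE_SIZE:
            raise ValueError(f"$top must be between 1 and {MAX_PAGE_SIZE}")
        params["$top"] = str(top)
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return f"{BASE}/{entity}" + (f"?{query}" if query else "")


def query_params(url):
    """Decode a built URL's query string back into a dict (for logging and tests)."""
    pairs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return {key: values[0] for key, values in pairs.items()}


if __name__ == "__main__":
    print(build_list_url("alerts", [("severity", "eq", "High"),
                                    ("alertCreationTime", "gt", utc(2020, 2, 1))], top=500))
    print(build_list_url("machines", [("healthStatus", "eq", "Active"),
                                      ("riskScore", "ne", "Low")]))
```

Both endpoints only return entities from the last 30 days, so a lastSeen or alertCreationTime lower bound older than that returns nothing extra; use it to narrow, not to widen.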
Related topics
OData queries with Microsoft Defender ATP
Get machine by ID API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves specific Machine by its machine ID or computer name.
Limitations
1. You can get machines last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs
PERMISSION TYPE | PERMISSION | PERMISSION DISPLAY NAME
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
User needs to have access to the machine, based on machine group settings (See Create and manage machine groups for
more information)
HTTP request
GET /api/machines/{id}
Request headers
Authorization (String): Bearer {token}. Required.
Request body
Empty
Response
If successful and machine exists - 200 OK with the machine entity in the body. If machine with the specified id was
not found - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
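As an added example (not Microsoft's sample code), the Python wrapper below calls the Get machine API while enforcing the two documented rate limits client-side with a sliding window and mapping 200 and 404 to a result. The `send` callable, the injected clock, the `RateLimited` exception and the constructed sample response are assumptions of this example, so it runs offline.

```python
"""Rate-limited wrapper for the Defender ATP 'Get machine' API.

Added example, not Microsoft's code. The limiter enforces both documented
limits (100 calls per minute, 1500 calls per hour) before a request is sent.
`send(method, url, headers) -> (status_code, body_text)` and `clock()` are
injected so the logic can run offline against constructed responses.
"""
import json
import time
from collections import deque
from typing import Callable, Deque, Optional, Tuple

# Hosts named in the documentation; "global" is the one used in the examples.
HOSTS = {
    "global": "api.securitycenter.windows.com",
    "us": "api-us.securitycenter.microsoft.com",
    "eu": "api-eu.securitycenter.microsoft.com",
    "uk": "api-uk.securitycenter.microsoft.com",
}

# (max calls, window in seconds) taken from the Limitations section.
LIMITS = ((100, 60.0), (1500, 3600.0))


class RateLimited(Exception):
    """Raised instead of sending when a documented limit would be exceeded."""

    def __init__(self, retry_after: float):
        super().__init__(f"rate limit reached; retry in {retry_after:.0f}s")
        self.retry_after = retry_after


class RateLimiter:
    """Sliding-window limiter that honours every (count, window) pair."""

    def __init__(self, limits=LIMITS, clock: Callable[[], float] = time.monotonic):
        self.limits = limits
        self.clock = clock
        self.calls: Deque[float] = deque()  # timestamps of sent calls, oldest first

    def wait_time(self) -> float:
        """Seconds until the next call is permitted; 0.0 means send now."""
        now = self.clock()
        longest = max(window for _, window in self.limits)
        while self.calls and now - self.calls[0] >= longest:
            self.calls.popleft()  # older than every window, no longer counts
        wait = 0.0
        for count, window in self.limits:
            recent = [t for t in self.calls if now - t < window]
            if len(recent) >= count:
                # The oldest call inside this window has to age out first.
                wait = max(wait, window - (now - recent[0]))
        return wait

    def record(self) -> None:
        self.calls.append(self.clock())


class MachineClient:
    def __init__(self, token: str, send: Callable[[str, str, dict], Tuple[int, str]],
                 region: str = "global", limiter: Optional[RateLimiter] = None):
        self.token = token
        self.send = send
        self.host = HOSTS[region]
        self.limiter = limiter or RateLimiter()

    def get_machine(self, machine_id: str) -> Optional[dict]:
        """GET /api/machines/{id}: the Machine entity, or None on 404."""
        wait = self.limiter.wait_time()
        if wait > 0:
            raise RateLimited(wait)
        url = f"https://{self.host}/api/machines/{machine_id}"
        headers = {"Authorization": f"Bearer {self.token}"}
        self.limiter.record()
        status, body = self.send("GET", url, headers)
        if status == 404:
            return None  # unknown machine, or not seen in the past 30 days
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} from {url}")
        return json.loads(body)


# Constructed response modelled on the documented example (not live data).
SAMPLE_MACHINE = {
    "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
    "computerDnsName": "mymachine1.contoso.com",
    "healthStatus": "Active",
    "riskScore": "Low",
    "exposureLevel": "Medium",
}


def fake_send(method: str, url: str, headers: dict) -> Tuple[int, str]:
    """Offline stand-in for HTTP: answers 200 for the sample id, else 404."""
    assert headers["Authorization"].startswith("Bearer ")
    if url.endswith("/api/machines/" + SAMPLE_MACHINE["id"]):
        return 200, json.dumps(SAMPLE_MACHINE)
    return 404, ""


if __name__ == "__main__":
    client = MachineClient("placeholder-token", fake_send, region="eu")
    print(client.get_machine(SAMPLE_MACHINE["id"])["computerDnsName"])
    print(client.get_machine("0" * 40))  # None: the machine was not found
```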
Get machine log on users API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves a collection of logged on users on a specific machine.
Limitations
1. You can query on machines last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
Response will include users only if the machine is visible to the user, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/machines/{id}/logonusers
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the machine exists, 200 OK with a list of user entities in the body. If the machine was not found, 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users",
"value": [
{
"id": "contoso\\user1",
"accountName": "user1",
"accountDomain": "contoso",
"accountSid": "S-1-5-21-72051607-1745760036-109187956-93922",
"firstSeen": "2019-12-18T08:02:54Z",
"lastSeen": "2020-01-06T08:01:48Z",
"mostPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62",
"leastPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62",
"logonTypes": "Interactive",
"logOnMachinesCount": 8,
"isDomainAdmin": true,
"isOnlyNetworkUser": false
},
...
]
}
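As an added example (not Microsoft's code), this Python helper triages the logged-on-users response for one machine, flagging domain admins with an interactive logon, the built-in Administrator account (RID 500) and accounts seen on many machines. The logon-type name "RemoteInteractive", the comma-separated form of `logonTypes`, the spread threshold and the sample accounts are assumptions of this example.

```python
"""Triage the 'Get machine log on users' response during an investigation.

Added example, not Microsoft's code. It takes the JSON returned for one
machine and surfaces the accounts an analyst would look at first. Logon-type
names other than "Interactive", the comma-separated form of logonTypes and
the spread threshold are assumptions, not values from the documentation.
"""
from typing import Dict, List

INTERACTIVE = {"Interactive", "RemoteInteractive"}  # console or RDP session (assumed names)
BUILTIN_ADMIN_RID = 500  # well-known relative identifier of the built-in Administrator


def logon_types(user: dict) -> set:
    """Split the documented string field into a set; assumes comma separation."""
    raw = user.get("logonTypes") or ""
    return {part.strip() for part in raw.split(",") if part.strip()}


def sid_rid(sid: str) -> int:
    """Return the last sub-authority (RID) of an S-1-5-21-... SID, or -1."""
    parts = sid.split("-")
    return int(parts[-1]) if len(parts) > 3 and parts[-1].isdigit() else -1


def triage_logon_users(response: dict, spread_threshold: int = 5) -> List[Dict[str, object]]:
    """Return one finding per noteworthy account, most reasons first."""
    findings = []
    for user in response.get("value", []):
        reasons = []
        if user.get("isDomainAdmin") and logon_types(user) & INTERACTIVE:
            reasons.append("domain admin logged on interactively (credentials present on host)")
        if sid_rid(user.get("accountSid", "")) == BUILTIN_ADMIN_RID:
            reasons.append("built-in Administrator account")
        count = user.get("logOnMachinesCount", 0)
        if count >= spread_threshold and not user.get("isOnlyNetworkUser"):
            reasons.append(f"account seen on {count} machines and not network-only")
        if reasons:
            findings.append({"id": user.get("id"), "lastSeen": user.get("lastSeen"),
                             "reasons": reasons})
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


# Constructed sample response modelled on the documented one (not live data).
SAMPLE_RESPONSE = {
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users",
    "value": [
        {"id": "contoso\\user1", "accountName": "user1", "accountDomain": "contoso",
         "accountSid": "S-1-5-21-72051607-1745760036-109187956-93922",
         "lastSeen": "2020-01-06T08:01:48Z", "logonTypes": "Interactive",
         "logOnMachinesCount": 8, "isDomainAdmin": True, "isOnlyNetworkUser": False},
        {"id": "contoso\\svc-backup", "accountName": "svc-backup", "accountDomain": "contoso",
         "accountSid": "S-1-5-21-72051607-1745760036-109187956-1105",
         "lastSeen": "2020-01-05T23:10:00Z", "logonTypes": "Network",
         "logOnMachinesCount": 40, "isDomainAdmin": False, "isOnlyNetworkUser": True},
        {"id": "desktop-test\\Administrator", "accountName": "Administrator",
         "accountDomain": "desktop-test",
         "accountSid": "S-1-5-21-1000000001-2000000002-3000000003-500",
         "lastSeen": "2020-01-04T12:00:00Z", "logonTypes": "Interactive",
         "logOnMachinesCount": 1, "isDomainAdmin": False, "isOnlyNetworkUser": False},
    ],
}

if __name__ == "__main__":
    for finding in triage_logon_users(SAMPLE_RESPONSE):
        print(finding["id"], "->", "; ".join(finding["reasons"]))
```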
Get machine related alerts API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves all Alerts related to a specific machine.
Limitations
1. You can query on machines last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
User needs to have access to the machine, based on machine group settings (See Create and manage machine groups for
more information)
HTTP request
GET /api/machines/{id}/alerts
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the machine exists, 200 OK with a list of alert entities in the body. If the machine was not found, 404 Not Found.
Get installed software
1/29/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
HTTP request
GET /api/machines/{machineId}/software
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with the installed software information in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software",
"value": [
{
"id": "microsoft-_-internet_explorer",
"name": "internet_explorer",
"vendor": "microsoft",
"weaknesses": 67,
"publicExploit": true,
"activeAlert": false,
"exposedMachines": 42115,
"impactScore": 46.2037163
}
]
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability software inventory
Get discovered vulnerabilities
1/29/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
HTTP request
GET /api/machines/{machineId}/vulnerabilities
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with the discovered vulnerability information in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
"value": [
{
"id": "CVE-2019-1348",
"name": "CVE-2019-1348",
"description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
"severity": "Medium",
"cvssV3": 4.3,
"exposedMachines": 1,
"publishedOn": "2019-12-13T00:00:00Z",
"updatedOn": "2019-12-13T00:00:00Z",
"publicExploit": false,
"exploitVerified": false,
"exploitInKit": false,
"exploitTypes": [],
"exploitUris": []
}
]
}
Related topics
Risk-based Threat & Vulnerability Management
Vulnerabilities in your organization
Get security recommendations
1/29/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
HTTP request
GET /api/machines/{machineId}/recommendations
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with the security recommendations in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
"value": [
{
"id": "va-_-git-scm-_-git",
"productName": "git",
"recommendationName": "Update Git to version 2.24.1.2",
"weaknesses": 3,
"vendor": "git-scm",
"recommendedVersion": "2.24.1.2",
"recommendationCategory": "Application",
"subCategory": "",
"severityScore": 0,
"publicExploit": false,
"activeAlert": false,
"associatedThreats": [],
"remediationType": "Update",
"status": "Active",
"configScoreImpact": 0,
"exposureImpact": 0,
"totalMachineCount": 0,
"exposedMachinesCount": 1,
"nonProductivityImpactedAssets": 0,
"relatedComponent": "Git"
},
…
]
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability security recommendation
Add or Remove Machine Tags API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Adds a tag to, or removes a tag from, a specific Machine.
Limitations
1. You can post on machines last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Manage security setting' (See Create and manage roles for
more information)
User needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/tags
Request headers
NAME TYPE DESCRIPTION
Response
If successful, this method returns 200 OK and the updated Machine in the response body.
Example
Request
Here is an example of a request that adds a machine tag.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
Content-type: application/json
{
"Value" : "test Tag 2",
"Action": "Add"
}
- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
Find machines by internal IP API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Finds Machines seen with the requested internal IP in the time range from 15 minutes before to 15 minutes after a given timestamp.
Limitations
1. The given timestamp must be in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more information)
Response will include only machines that the user has access to, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp})
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and machines were found, 200 OK with a list of the machines in the response body. If no machines were found, 404 Not Found. If the timestamp is not in the past 30 days, 400 Bad Request.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z)
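As an added example (not Microsoft's code), the Python helper below builds the findbyip URL in the OData function form shown above, rejects inputs the service would refuse (malformed IP, timestamp older than 30 days or in the future), exposes the 15-minute search window either side of the timestamp, and maps the documented 200/404/400 responses. The `@odata.context` value and the machine in the constructed sample body are assumptions of this example.

```python
"""Build a 'Find machines by internal IP' request and interpret the reply.

Added example, not Microsoft's code. The endpoint is an OData function, so ip
and timestamp travel in the path segment rather than a query string. The
documented preconditions are checked before sending: a well-formed IP and a
timestamp within the past 30 days (the service answers 400 otherwise). The
search covers 15 minutes either side of the timestamp; search_window() exposes
that interval so results can be lined up with other telemetry.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple, Union

HOST = "api.securitycenter.windows.com"
HALF_WINDOW = timedelta(minutes=15)
MAX_AGE = timedelta(days=30)
STAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # the form used in the documented example
Timestamp = Union[datetime, str]


def _utc(ts: Timestamp) -> datetime:
    """Accept a tz-aware datetime or a '...Z' string; always return UTC."""
    if isinstance(ts, str):
        ts = datetime.strptime(ts, STAMP_FORMAT).replace(tzinfo=timezone.utc)
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware to avoid local-time skew")
    return ts.astimezone(timezone.utc)


def search_window(timestamp: Timestamp) -> Tuple[datetime, datetime]:
    """The interval the service searches: 15 minutes before and after."""
    ts = _utc(timestamp)
    return ts - HALF_WINDOW, ts + HALF_WINDOW


def find_by_ip_url(ip: str, timestamp: Timestamp, now: Optional[Timestamp] = None) -> str:
    """Return the GET URL, rejecting inputs the API would refuse."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    ts = _utc(timestamp)
    current = _utc(now) if now is not None else datetime.now(timezone.utc)
    if ts > current:
        raise ValueError("timestamp is in the future")
    if current - ts > MAX_AGE:
        raise ValueError("timestamp is older than 30 days; the API would answer 400")
    return f"https://{HOST}/api/machines/findbyip(ip='{addr}',timestamp={ts.strftime(STAMP_FORMAT)})"


def machines_from_response(status: int, body: str) -> List[dict]:
    """Map the documented status codes: 200 -> machines, 404 -> none, 400 -> error."""
    if status == 404:
        return []
    if status == 400:
        raise ValueError("bad request: timestamp outside the past 30 days or malformed parameters")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status}")
    return json.loads(body).get("value", [])


# Constructed response body (not live data); the entity follows the Machine example.
SAMPLE_BODY = json.dumps({
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
    "value": [{"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
               "computerDnsName": "mymachine1.contoso.com",
               "lastIpAddress": "10.248.240.38"}],
})

if __name__ == "__main__":
    print(find_by_ip_url("10.248.240.38", "2019-09-22T08:44:05Z", now="2019-09-23T08:44:05Z"))
    start, end = search_window("2019-09-22T08:44:05Z")
    print("search window:", start.isoformat(), "to", end.isoformat())
    print([m["computerDnsName"] for m in machines_from_response(200, SAMPLE_BODY)])
```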
Get missing KBs by machine ID
3/25/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves missing KBs by machine ID.
HTTP request
GET /api/machines/{machineId}/getmissingkbs
Request header
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with the missing KB data for the specified machine in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
"value": [
{
"id": "4540673",
"name": "March 2020 Security Updates",
"productsNames": [
"windows_10",
"edge",
"internet_explorer"
],
"url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
"machineMissedOn": 1,
"cveAddressed": 97
},
...
]
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability software inventory
MachineAction resource type
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
See Response Actions for more information.
Get investigation package SAS URI | Machine Action | Get URI for downloading the investigation package.
Release machine from isolation | Machine Action | Release machine from isolation.
Stop and quarantine file | Machine Action | Stop execution of a file on a machine and delete it.
Properties
PROPERTY | TYPE | DESCRIPTION
lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated.
JSON representation
{
"id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
"type": "Isolate",
"scope": "Selective",
"requestor": "Analyst@TestPrd.onmicrosoft.com",
"requestorComment": "test for docs",
"status": "Succeeded",
"machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
"computerDnsName": "desktop-test",
"creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
"lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
"relatedFileInfo": null
}
List MachineActions API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves a collection of Machine Actions.
Supports OData V4 queries.
The OData $filter query is supported on the status, machineId, type, requestor and creationDateTimeUtc properties.
See examples at OData queries with Microsoft Defender ATP
Limitations
1. Maximum page size is 10,000.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET https://api.securitycenter.windows.com/api/machineactions
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with a collection of MachineAction entities.
Example 1
Request
Here is an example of the request on an organization that has three MachineActions.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/machineactions
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"scope": null,
"requestor": "Analyst@contoso.com",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
"relatedFileInfo": null
},
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"scope": "Full",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
},
{
"id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
"type": "StopAndQuarantineFile",
"scope": null,
"requestor": "Analyst@contoso.com",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
"lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
"relatedFileInfo": {
"fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508",
"fileIdentifierType": "Sha1"
}
}
]
}
Example 2
Request
Here is an example of a request that filters the MachineActions by machine ID and shows the latest two
MachineActions.
GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
Response
Here is an example of the response.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"scope": null,
"requestor": "Analyst@contoso.com",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
"relatedFileInfo": null
},
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"scope": "Full",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
}
]
}
Related topics
OData queries with Microsoft Defender ATP
Get machineAction API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves a specific Machine Action by its ID.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET https://api.securitycenter.windows.com/api/machineactions/{id}
Request headers
NAME TYPE DESCRIPTION
Response
If successful, this method returns 200 OK with a Machine Action entity. If no machine action entity with the specified ID was found, 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
"type": "Isolate",
"scope": "Selective",
"requestor": "Analyst@TestPrd.onmicrosoft.com",
"requestorComment": "test for docs",
"status": "Succeeded",
"machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
"computerDnsName": "desktop-test",
"creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
"lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
"relatedFileInfo": null
}
Collect investigation package API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Collects an investigation package from a machine.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts Investigation' (See Create and manage roles for more
information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage
Request headers
NAME TYPE DESCRIPTION
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
Content-type: application/json
{
"Comment": "Collect forensics due to alert 1234"
}
Get package SAS URI API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Gets a URI that allows downloading an investigation package.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts Investigation' (See Create and manage roles for more
information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with an object that holds the link to the package in the "value" parameter. This link is valid only for a very short time and should be used immediately to download the package to local storage.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
Response
Here is an example of the response.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String",
"value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=<SAS token elided>\""
}
Isolate machine API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Isolates a machine from accessing the external network.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine
groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/isolate
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
IsolationType controls the type of isolation to perform and can be one of the following:
Full – Full isolation
Selective – Restricts only a limited set of applications from accessing the network (see Isolate machines from the network for more details)
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
Content-type: application/json
{
"Comment": "Isolate machine due to alert 1234",
"IsolationType": "Full"
}
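As an added example (not Microsoft's code), the Python flow below submits the isolation request shown above, validates `IsolationType` against the two documented values, and then polls the Get machineAction API until the returned MachineAction reaches a terminal status. The injected transport, the `ScriptedTransport` stand-in with its constructed responses, and the status names other than "Succeeded" are assumptions of this example.

```python
"""Isolate a machine via the API and wait for the MachineAction to complete.

Added example, not Microsoft's code. POST .../isolate answers 201 with a
MachineAction that is usually still in progress; the outcome is learned by
polling GET /api/machineactions/{id}. The transport
`send(method, url, headers, body) -> (status, text)` is injected so the flow
runs offline against constructed responses. Status values other than
"Succeeded" are assumptions of this example, not documented on this page.
"""
import json
from typing import Callable, List, Optional, Tuple

HOST = "api.securitycenter.windows.com"
ISOLATION_TYPES = ("Full", "Selective")  # the two documented IsolationType values
TERMINAL_STATUSES = {"Succeeded", "Failed", "TimeOut", "Cancelled"}  # assumed names
Send = Callable[[str, str, dict, Optional[str]], Tuple[int, str]]


def _headers(token: str) -> dict:
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def isolate_machine(send: Send, token: str, machine_id: str, comment: str,
                    isolation_type: str = "Full") -> dict:
    """Submit the isolation request; return the MachineAction from the 201 body."""
    if isolation_type not in ISOLATION_TYPES:
        raise ValueError(f"IsolationType must be one of {ISOLATION_TYPES}")
    if not comment.strip():
        raise ValueError("Comment is required; it is recorded with the action")
    body = json.dumps({"Comment": comment, "IsolationType": isolation_type})
    url = f"https://{HOST}/api/machines/{machine_id}/isolate"
    status, text = send("POST", url, _headers(token), body)
    if status != 201:
        raise RuntimeError(f"isolate returned HTTP {status}: {text}")
    return json.loads(text)


def wait_for_action(send: Send, token: str, action_id: str,
                    pause: Callable[[], None] = lambda: None, max_polls: int = 30) -> dict:
    """Poll Get machineAction until the status is terminal; return the final entity."""
    url = f"https://{HOST}/api/machineactions/{action_id}"
    for _ in range(max_polls):
        status, text = send("GET", url, _headers(token), None)
        if status == 404:
            raise LookupError(f"machine action {action_id} not found")
        if status != 200:
            raise RuntimeError(f"get machineAction returned HTTP {status}")
        action = json.loads(text)
        if action.get("status") in TERMINAL_STATUSES:
            return action
        pause()  # e.g. time.sleep(10) in real use, to stay well under 100 calls/minute
    raise TimeoutError(f"action {action_id} not terminal after {max_polls} polls")


def isolate_and_wait(send: Send, token: str, machine_id: str, comment: str,
                     isolation_type: str = "Full", max_polls: int = 10) -> dict:
    action = isolate_machine(send, token, machine_id, comment, isolation_type)
    return wait_for_action(send, token, action["id"], max_polls=max_polls)


class ScriptedTransport:
    """Offline stand-in for HTTP: records requests and replays constructed answers."""

    def __init__(self, action_id: str, statuses: List[str]):
        self.action_id = action_id
        self.statuses = list(statuses)  # statuses reported on successive polls
        self.requests: List[Tuple[str, str, Optional[str]]] = []

    def __call__(self, method: str, url: str, headers: dict, body: Optional[str]):
        self.requests.append((method, url, body))
        if method == "POST" and url.endswith("/isolate"):
            scope = json.loads(body)["IsolationType"]
            return 201, json.dumps({"id": self.action_id, "type": "Isolate",
                                    "scope": scope, "status": "Pending"})
        if method == "GET" and url.endswith("/api/machineactions/" + self.action_id):
            # Advance through the script; the last status repeats forever.
            status = self.statuses.pop(0) if len(self.statuses) > 1 else self.statuses[0]
            return 200, json.dumps({"id": self.action_id, "type": "Isolate", "status": status})
        return 404, ""


if __name__ == "__main__":
    transport = ScriptedTransport("5382f7ea-7557-4ab7-9782-d50480024a4e",
                                  ["Pending", "InProgress", "Succeeded"])
    final = isolate_and_wait(transport, "placeholder-token",
                             "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
                             "Isolate machine due to alert 1234")
    print(final["status"], "after", len(transport.requests), "requests")
```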
Release machine from isolation API
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Undo isolation of a machine.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate
Content-type: application/json
{
"Comment": "Unisolate machine since it was clean and validated"
}
Restrict app execution API
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Restricts execution of all applications on the machine except a predefined set.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/restrictCodeExecution
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution
Content-type: application/json
{
"Comment": "Restrict code execution due to alert 1234"
}
To remove code execution restriction from a machine, see Remove app restriction.
Remove app restriction API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Enable execution of any application on the machine.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine
groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution
Content-type: application/json
{
"Comment": "Unrestrict code execution since machine was cleaned and validated"
}
API description
Initiate Windows Defender Antivirus scan on a machine.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/runAntiVirusScan
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
ScanType controls the type of scan to perform and can be one of the following:
Quick – Perform quick scan on the machine
Full – Perform full scan on the machine
Response
If successful, this method returns 201, Created response code and MachineAction object in the response body.
Example
Request
Here is an example of the request.
POST
https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan
Content-type: application/json
{
"Comment": "Check machine for viruses due to alert 3212",
"ScanType": "Full"
}
Offboard machine API
3/16/2020
API description
Offboard machine from Microsoft Defender ATP.
Limitations
Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
NOTE
This does not support offboarding macOS Devices.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have the 'Global Admin' AD role
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/offboard
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
Content-type: application/json
{
"Comment": "Offboard machine by automation"
}
Stop and quarantine file API
1/13/2020
API description
Stop execution of a file on a machine and delete it.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
Content-type: application/json
{
"Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
}
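The five machine actions documented above (restrictCodeExecution, unrestrictCodeExecution, runAntiVirusScan, offboard and StopAndQuarantineFile) share one shape: a POST to /api/machines/{id}/{action} with a bearer token, a JSON Comment, and a 201 Created reply carrying a Machine Action. The following Python client is an added example written for this page; it is not Microsoft's SDK or sample code. It validates the machine id and Sha1 before they reach the URL path, restricts ScanType to the two documented values, and enforces the documented 100 calls/minute and 1500 calls/hour limits client-side. The regional hosts are the ones listed on the page; the fake_transport function and the shape of the object it returns are constructed so the example runs offline.

```python
import json
import re
from collections import deque

# Regional hosts listed on the page; the request path layout is the documented one.
HOSTS = {
    "global": "https://api.securitycenter.windows.com",
    "us": "https://api-us.securitycenter.microsoft.com",
    "eu": "https://api-eu.securitycenter.microsoft.com",
    "uk": "https://api-uk.securitycenter.microsoft.com",
}
HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")  # machine ids and Sha1 values on the page are 40 hex chars
SCAN_TYPES = ("Quick", "Full")            # the documented ScanType values


def is_hex40(value):
    """True for a 40-char hex string; rejects anything that could alter the URL path (e.g. '../')."""
    return isinstance(value, str) and HEX40.match(value) is not None


class RateLimiter:
    """Client-side guard for the documented limits: 100 calls per minute and 1500 calls per hour."""

    def __init__(self, per_minute=100, per_hour=1500):
        self.per_minute, self.per_hour = per_minute, per_hour
        self.calls = deque()  # timestamps (seconds) of calls made in the last hour

    def allow(self, now):
        while self.calls and now - self.calls[0] >= 3600:
            self.calls.popleft()
        recent_minute = sum(1 for t in self.calls if now - t < 60)
        if len(self.calls) >= self.per_hour or recent_minute >= self.per_minute:
            return False
        self.calls.append(now)
        return True


class MachineActions:
    """Issues the machine-action POSTs through an injectable transport callable."""

    def __init__(self, token, transport, region="global", limiter=None):
        self.base = HOSTS[region]
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        self.transport = transport  # callable(url, headers, body_json) -> (status, parsed_body)
        self.limiter = limiter or RateLimiter()

    def _post(self, machine_id, action, body, now):
        if not is_hex40(machine_id):
            raise ValueError("machine id must be a 40-char hex string")
        if not self.limiter.allow(now):
            raise RuntimeError("documented rate limit would be exceeded; retry later")
        url = f"{self.base}/api/machines/{machine_id}/{action}"
        status, payload = self.transport(url, dict(self.headers), json.dumps(body))
        if status != 201:  # every action above documents 201 Created on success
            raise RuntimeError(f"{action} failed with HTTP {status}: {payload}")
        return payload

    def restrict_code_execution(self, machine_id, comment, now=0.0):
        return self._post(machine_id, "restrictCodeExecution", {"Comment": comment}, now)

    def unrestrict_code_execution(self, machine_id, comment, now=0.0):
        return self._post(machine_id, "unrestrictCodeExecution", {"Comment": comment}, now)

    def run_antivirus_scan(self, machine_id, comment, scan_type, now=0.0):
        if scan_type not in SCAN_TYPES:
            raise ValueError(f"ScanType must be one of {SCAN_TYPES}")
        return self._post(machine_id, "runAntiVirusScan", {"Comment": comment, "ScanType": scan_type}, now)

    def offboard(self, machine_id, comment, now=0.0):
        return self._post(machine_id, "offboard", {"Comment": comment}, now)

    def stop_and_quarantine_file(self, machine_id, comment, sha1, now=0.0):
        if not is_hex40(sha1):
            raise ValueError("Sha1 must be a 40-char hex string")
        return self._post(machine_id, "StopAndQuarantineFile", {"Comment": comment, "Sha1": sha1}, now)


def fake_transport(url, headers, body_json):
    """Constructed stand-in for the service so the example runs offline. It checks for a bearer token
    and echoes the action and comment back in a minimal Machine Action-like object (shape assumed)."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    action = url.rsplit("/", 1)[1]
    return 201, {"type": action, "status": "Pending", "requestorComment": json.loads(body_json)["Comment"]}


if __name__ == "__main__":
    machine = "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"  # machine id used in the page's examples
    client = MachineActions("example-token", fake_transport, region="eu")
    print(client.run_antivirus_scan(machine, "Check machine for viruses due to alert 3212", "Full"))
```

Swap fake_transport for a function that performs the real HTTPS request and the rest of the client is unchanged; keeping the limiter on the client side means an automation loop fails fast locally instead of burning its hourly budget on rejected calls.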
Investigation resource type
1/13/2020
Represents an Automated Investigation entity in Microsoft Defender ATP.
See Overview of automated investigations for more information.
Methods
METHOD RETURN TYPE DESCRIPTION
Properties
PROPERTY TYPE DESCRIPTION
Json representation
{
"id": "63004",
"startTime": "2020-01-06T13:05:15Z",
"endTime": null,
"state": "Running",
"cancelledBy": null,
"statusDetails": null,
"machineId": "e828a0624ed33f919db541065190d2f75e50a071",
"computerDnsName": "desktop-test123",
"triggeringAlertId": "da637139127150012465_1011995739"
}
List Investigations API
1/13/2020
API description
Retrieves a collection of Investigations.
Supports OData V4 queries.
The OData's $filter query is supported on: startTime , state , machineId and triggeringAlertId properties.
See examples at OData queries with Microsoft Defender ATP
Limitations
1. Maximum page size is 10,000.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET https://api.securitycenter.windows.com/api/investigations
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200, Ok response code with a collection of Investigations entities.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
Example
Request
Here is an example of a request to get all investigations:
GET https://api.securitycenter.windows.com/api/investigations
Response
Here is an example of the response:
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Investigations",
"value": [
{
"id": "63017",
"startTime": "2020-01-06T14:11:34Z",
"endTime": null,
"state": "Running",
"cancelledBy": null,
"statusDetails": null,
"machineId": "a69a22debe5f274d8765ea3c368d00762e057b30",
"computerDnsName": "desktop-gtrcon0",
"triggeringAlertId": "da637139166940871892_-598649278"
}
...
]
}
Get Investigation API
1/13/2020
API description
Retrieves specific Investigation by its ID.
ID can be the investigation ID or the investigation triggering alert ID.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET https://api.securitycenter.windows.com/api/investigations/{id}
Request headers
NAME TYPE DESCRIPTION
Response
If successful, this method returns 200, Ok response code with an Investigation entity.
Start Investigation API
1/13/2020
API description
Start automated investigation on a machine.
See Overview of automated investigations for more information.
Limitations
1. Rate limitations for this API are 50 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles
for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups
for more information)
HTTP request
POST https://api.securitycenter.microsoft.com/api/machines/{id}/startInvestigation
Request headers
NAME TYPE DESCRIPTION
Response
If successful, this method returns 201 - Created response code and Investigation in the response body.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation
Content-type: application/json
{
"Comment": "Test investigation"
}
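Start Investigation returns the Investigation entity with state "Running" and endTime null, and Get Investigation (by investigation id or by triggering alert id) is how a caller finds out when it has finished. The function below is an added example for this page, not Microsoft's code: it starts an investigation, then polls with exponential back-off, which matters because startInvestigation is limited to 50 calls per hour and the Get calls share the 100/minute budget. FakeInvestigationService is a constructed stand-in so the example runs offline; the final state value it reports and the 429 it returns past the start limit are constructed, as only the "Running" state appears on this page.

```python
import json

START_LIMIT_PER_HOUR = 50  # documented limit for startInvestigation


def start_and_wait(transport, machine_id, comment, max_polls=12, initial_delay=5, sleep=lambda s: None):
    """Start an automated investigation and poll Get Investigation until it is no longer Running.

    transport(method, path, body_dict_or_None) -> (status, parsed_json) is injected so this runs offline.
    startInvestigation is documented to return 201 with the Investigation; Get Investigation returns 200.
    Completion is detected from endTime being set (it is null while the state is Running).
    """
    status, inv = transport("POST", f"/api/machines/{machine_id}/startInvestigation", {"Comment": comment})
    if status != 201:
        raise RuntimeError(f"startInvestigation returned HTTP {status}")
    inv_id = inv["id"]
    delay = initial_delay
    for _ in range(max_polls):
        status, inv = transport("GET", f"/api/investigations/{inv_id}", None)
        if status != 200:
            raise RuntimeError(f"Get Investigation returned HTTP {status}")
        if inv["endTime"] is not None or inv["state"] != "Running":
            return inv
        sleep(delay)
        delay = min(delay * 2, 60)  # back-off keeps the polling loop well inside the rate limits
    raise TimeoutError(f"investigation {inv_id} still running after {max_polls} polls")


class FakeInvestigationService:
    """Constructed stand-in: one investigation that stays Running for `running_polls` GETs, then ends.
    Field values are taken from the page's Investigation JSON; the finished state is constructed."""

    def __init__(self, running_polls=2):
        self.running_polls = running_polls
        self.gets = 0
        self.started = 0
        self.record = None

    def __call__(self, method, path, body):
        if method == "POST" and path.endswith("/startInvestigation"):
            self.started += 1
            if self.started > START_LIMIT_PER_HOUR:
                return 429, {"error": "too many requests"}  # constructed reply for the documented limit
            self.record = {
                "id": "63004", "startTime": "2020-01-06T13:05:15Z", "endTime": None, "state": "Running",
                "cancelledBy": None, "statusDetails": None, "machineId": path.split("/")[3],
                "computerDnsName": "desktop-test123", "triggeringAlertId": "da637139127150012465_1011995739",
            }
            return 201, dict(self.record)
        if method == "GET" and path.startswith("/api/investigations/"):
            key = path.rsplit("/", 1)[1]
            # Get Investigation accepts either the investigation id or its triggering alert id
            if self.record is None or key not in (self.record["id"], self.record["triggeringAlertId"]):
                return 404, {"error": "not found"}
            self.gets += 1
            if self.gets > self.running_polls:
                self.record.update({"state": "SuccessfullyRemediated", "endTime": "2020-01-06T13:20:40Z"})
            return 200, dict(self.record)
        return 400, {"error": "unsupported request"}


if __name__ == "__main__":
    service = FakeInvestigationService()
    done = start_and_wait(service, "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "Test investigation")
    print(json.dumps(done, indent=2))
```

Pass time.sleep as the sleep argument against the live service; the injectable sleep is what lets the back-off schedule be checked without waiting.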
Indicator resource type
1/13/2020
See the corresponding Indicators page in the portal.
Properties
PROPERTY TYPE DESCRIPTION
Json representation
{
"id": "994",
"indicatorValue": "881c0f10c75e64ec39d257a131fcd531f47dd2cff2070ae94baa347d375126fd",
"indicatorType": "FileSha256",
"action": "AlertAndBlock",
"application": null,
"source": "user@contoso.onmicrosoft.com",
"sourceType": "User",
"createdBy": "user@contoso.onmicrosoft.com",
"severity": "Informational",
"title": "Michael test",
"description": "test",
"recommendedActions": "nothing",
"creationTimeDateTimeUtc": "2019-12-19T09:09:46.9139216Z",
"expirationTime": null,
"lastUpdateTime": "2019-12-19T09:09:47.3358111Z",
"lastUpdatedBy": null,
"rbacGroupNames": ["team1"]
}
Submit or Update Indicator API
1/13/2020
API description
Submits or updates a new Indicator entity.
CIDR notation for IPs is supported.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
2. There is a limit of 5,000 active indicators per tenant.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Get started
HTTP request
POST https://api.securitycenter.windows.com/api/indicators
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 200 - OK response code and the created / updated Indicator entity in the
response body.
If not successful, this method returns 400 - Bad Request. A bad request usually indicates an incorrect body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/indicators
Content-type: application/json
{
"indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"application": "demo-test",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "nothing"
}
Related topic
Manage indicators
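Because a malformed body comes back as 400 - Bad Request and still costs one of the rate-limited calls, it pays to validate an indicator before submitting it. The code below is an added example for this page, not Microsoft's code. It checks that indicatorValue fits indicatorType (hex length for FileSha1/FileSha256, host or CIDR for IpAddress, as the page says CIDR is supported), that action and severity are known values, that expirationTime is in the documented shape and in the future, and that the tenant is below the documented 5,000 active indicators. The DomainName and Url types, the Low/Medium/High severities and the set of required fields are assumptions, not taken from this page; fake_indicator_transport is a constructed stand-in for the 200 response.

```python
import ipaddress
import re
from datetime import datetime, timezone

# indicatorType, action and severity values seen on this page, plus assumed extra values
# (DomainName, Url, Low, Medium, High) that are not taken from the page.
INDICATOR_TYPES = {"FileSha1", "FileSha256", "IpAddress", "DomainName", "Url"}
ACTIONS = {"Alert", "AlertAndBlock"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}
HASH_SHAPES = {"FileSha1": re.compile(r"^[0-9a-f]{40}$"), "FileSha256": re.compile(r"^[0-9a-f]{64}$")}
REQUIRED = ("indicatorValue", "indicatorType", "action", "title", "description")  # assumed required set
MAX_ACTIVE_INDICATORS = 5000  # documented per-tenant limit
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def utc(text):
    """Parse the page's timestamp shape (2020-12-12T00:00:00Z) into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def value_matches_type(indicator_type, value):
    """Is indicatorValue well-formed for indicatorType? IP indicators may be a host or a CIDR range."""
    if indicator_type in HASH_SHAPES:
        return HASH_SHAPES[indicator_type].match(value.lower()) is not None
    if indicator_type == "IpAddress":
        try:
            ipaddress.ip_network(value, strict=False)
            return True
        except ValueError:
            return False
    if indicator_type == "DomainName":
        return DOMAIN_RE.match(value.lower()) is not None
    if indicator_type == "Url":
        return value.startswith(("http://", "https://")) and " " not in value
    return False


def validate_indicator(body, active_count, now):
    """Return the list of problems with a Submit Indicator body (empty list = worth sending).
    Catching these locally avoids spending rate-limited calls on requests the service answers with 400."""
    problems = [f"{key} is required" for key in REQUIRED if not body.get(key)]
    if problems:
        return problems
    if body["indicatorType"] not in INDICATOR_TYPES:
        problems.append(f"unknown indicatorType {body['indicatorType']!r}")
    elif not value_matches_type(body["indicatorType"], body["indicatorValue"]):
        problems.append(f"indicatorValue is not a valid {body['indicatorType']}")
    if body["action"] not in ACTIONS:
        problems.append(f"unknown action {body['action']!r}")
    if body.get("severity", "Informational") not in SEVERITIES:
        problems.append(f"unknown severity {body['severity']!r}")
    expiry = body.get("expirationTime")
    if expiry is not None:
        try:
            if utc(expiry) <= now:
                problems.append("expirationTime is in the past")
        except ValueError:
            problems.append("expirationTime must look like 2020-12-12T00:00:00Z")
    if active_count >= MAX_ACTIVE_INDICATORS:
        problems.append(f"{active_count} active indicators already; limit is {MAX_ACTIVE_INDICATORS}")
    return problems


def submit_indicator(transport, body, active_count, now):
    """POST /api/indicators. The page documents 200 with the created/updated entity and 400 for a bad body;
    transport(method, path, body) -> (status, parsed_json) is injected so the example runs offline."""
    problems = validate_indicator(body, active_count, now)
    if problems:
        return {"sent": False, "ok": False, "problems": problems}
    status, payload = transport("POST", "/api/indicators", body)
    if status == 400:
        return {"sent": True, "ok": False, "problems": [f"400 Bad Request: {payload}"]}
    return {"sent": True, "ok": status == 200, "indicator": payload}


def fake_indicator_transport(method, path, body):
    """Constructed stand-in for the service: assigns an id and echoes the entity back as the 200 reply does."""
    return 200, dict(body, id="998", source="TestPrdApp", sourceType="AadApp", rbacGroupNames=[])


# Request body from the page's Submit Indicator example
EXAMPLE_BODY = {
    "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
    "indicatorType": "FileSha1",
    "title": "test",
    "application": "demo-test",
    "expirationTime": "2020-12-12T00:00:00Z",
    "action": "AlertAndBlock",
    "severity": "Informational",
    "description": "test",
    "recommendedActions": "nothing",
}

if __name__ == "__main__":
    print(submit_indicator(fake_indicator_transport, EXAMPLE_BODY, active_count=10, now=utc("2020-01-13T00:00:00Z")))
```

The active_count argument is whatever the caller last learned from List Indicators; checking it here turns the per-tenant limit into a clear local error instead of an opaque 400.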
List Indicators API
1/13/2020
API description
Retrieves a collection of all active Indicators.
Supports OData V4 queries.
The OData's $filter query is supported on: indicatorValue , indicatorType , creationTimeDateTimeUtc , createdBy
, action and severity properties.
See examples at OData queries with Microsoft Defender ATP
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Get started
HTTP request
GET https://api.securitycenter.windows.com/api/indicators
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200, Ok response code with a collection of Indicator entities.
NOTE
If the application has the 'Ti.ReadWrite.All' permission, it can see all Indicators. Otherwise, it can see only the
Indicators it created.
Example 1:
Request
Here is an example of a request that gets all Indicators
GET https://api.securitycenter.windows.com/api/indicators
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
"value": [
{
"id": "995",
"indicatorValue": "12.13.14.15",
"indicatorType": "IpAddress",
"action": "Alert",
"application": "demo-test",
"source": "TestPrdApp",
"sourceType": "AadApp",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
"lastUpdatedBy": "TestPrdApp",
"severity": "Informational",
"description": "test",
"recommendedActions": "test",
"rbacGroupNames": []
},
{
"id": "996",
"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"action": "AlertAndBlock",
"application": null,
"source": "TestPrdApp",
"sourceType": "AadApp",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
"lastUpdatedBy": "TestPrdApp",
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST",
"rbacGroupNames": [ "Group1", "Group2" ]
}
...
]
}
Example 2:
Request
Here is an example of a request that gets all Indicators with 'AlertAndBlock' action
GET https://api.securitycenter.windows.com/api/indicators?$filter=action+eq+'AlertAndBlock'
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
"value": [
{
"id": "997",
"indicatorValue": "111e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"action": "AlertAndBlock",
"application": null,
"source": "TestPrdApp",
"sourceType": "AadApp",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
"lastUpdatedBy": "TestPrdApp",
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST",
"rbacGroupNames": [ "Group1", "Group2" ]
}
...
]
}
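List Investigations and List Indicators both accept OData V4 $filter on a fixed set of properties (startTime, state, machineId and triggeringAlertId for investigations; indicatorValue, indicatorType, creationTimeDateTimeUtc, createdBy, action and severity for indicators), and Example 2 above shows the encoded form $filter=action+eq+'AlertAndBlock'. The Python below is an added example for this page, not Microsoft's code; it builds such filters while refusing properties the page does not list, escapes quotes inside literals so a value cannot break out of its quotes, and walks a collection page by page. Following @odata.nextLink is standard OData V4 server-driven paging and is an assumption here, since the page's examples show a single page; FakeIndicatorStore is a constructed stand-in whose rows are modelled on the page's example entities.

```python
from urllib.parse import parse_qs, quote_plus, urlencode, urlparse

HOST = "https://api.securitycenter.windows.com"
# $filter properties the page documents for each collection
FILTERABLE = {
    "investigations": {"startTime", "state", "machineId", "triggeringAlertId"},
    "indicators": {"indicatorValue", "indicatorType", "creationTimeDateTimeUtc", "createdBy", "action", "severity"},
}


def is_filterable(collection, prop):
    return prop in FILTERABLE[collection]


def build_filter(collection, **conditions):
    """Build an OData $filter of equality tests, refusing properties the page does not list as filterable.
    A quote inside a literal is doubled, as OData requires, so user-supplied values stay inside the literal."""
    unsupported = [p for p in conditions if not is_filterable(collection, p)]
    if unsupported:
        raise ValueError(f"$filter not supported on {unsupported} for {collection}")
    parts = []
    for prop, value in conditions.items():
        literal = str(value).replace("'", "''")
        parts.append(f"{prop} eq '{literal}'")
    return " and ".join(parts)


def list_url(collection, filter_expr=None):
    url = f"{HOST}/api/{collection}"
    if filter_expr:
        # yields the page's form: ?$filter=action+eq+'AlertAndBlock'
        url += "?" + urlencode({"$filter": filter_expr}, safe="$'", quote_via=quote_plus)
    return url


def list_all(transport, collection, filter_expr=None, max_pages=100):
    """Collect every entity of a collection, following @odata.nextLink between pages (assumed OData V4
    server-driven paging). transport(url) -> (status, parsed_json) is injected so this runs offline."""
    url, items = list_url(collection, filter_expr), []
    for _ in range(max_pages):
        status, page = transport(url)
        if status != 200:
            raise RuntimeError(f"GET {url} returned HTTP {status}")
        items.extend(page["value"])
        url = page.get("@odata.nextLink")
        if not url:
            return items
    raise RuntimeError("page limit reached; nextLink never ended")


class FakeIndicatorStore:
    """Constructed stand-in: four indicators (ids and values modelled on the page's examples) served
    `page_size` per page, with a nextLink that carries the filter forward and advances a $skip offset."""

    def __init__(self, page_size=2):
        base = {"source": "TestPrdApp", "sourceType": "AadApp", "severity": "Informational", "rbacGroupNames": []}
        self.rows = [
            dict(base, id="995", indicatorType="IpAddress", indicatorValue="12.13.14.15", action="Alert"),
            dict(base, id="996", indicatorType="FileSha1",
                 indicatorValue="220e7d15b0b3d7fac48f2bd61114db1022197f7f", action="AlertAndBlock"),
            dict(base, id="997", indicatorType="FileSha1",
                 indicatorValue="111e7d15b0b3d7fac48f2bd61114db1022197f7f", action="AlertAndBlock"),
            dict(base, id="998", indicatorType="IpAddress", indicatorValue="10.0.0.0/8", action="AlertAndBlock"),
        ]
        self.page_size = page_size

    def __call__(self, url):
        query = parse_qs(urlparse(url).query)
        filter_expr = query.get("$filter", [""])[0]
        rows = self.rows
        for cond in filter(None, filter_expr.split(" and ")):
            prop, _, literal = cond.split(" ", 2)
            wanted = literal[1:-1].replace("''", "'")  # undo the OData quote doubling
            rows = [r for r in rows if str(r.get(prop)) == wanted]
        skip = int(query.get("$skip", ["0"])[0])
        page = rows[skip:skip + self.page_size]
        body = {"@odata.context": f"{HOST}/api/$metadata#Indicators", "value": page}
        if skip + self.page_size < len(rows):
            next_query = {"$filter": filter_expr, "$skip": skip + self.page_size}
            body["@odata.nextLink"] = url.split("?")[0] + "?" + urlencode(next_query, quote_via=quote_plus)
        return 200, body


if __name__ == "__main__":
    store = FakeIndicatorStore()
    blocking = list_all(store, "indicators", build_filter("indicators", action="AlertAndBlock"))
    print([row["id"] for row in blocking])
```

Note that the page states a maximum page size of 10,000 for investigations and the 100/minute, 1500/hour rate limits for both collections, so max_pages doubles as a budget guard when a filter matches a very large result set.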
Delete Indicator API
1/13/2020
API description
Deletes an Indicator entity by ID.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Get started
HTTP request
DELETE https://api.securitycenter.windows.com/api/indicators/{id}
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If the Indicator exists and is deleted successfully - 204 OK without content. If an Indicator with the specified id was not found -
404 Not Found.
Example
Request
Here is an example of the request.
DELETE https://api.securitycenter.windows.com/api/indicators/995
Get domain related alerts API
1/13/2020
API description
Retrieves a collection of Alerts related to a given domain address.
Limitations
1. You can query on alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only alerts associated with machines that the user has access to, based on machine group settings
(See Create and manage machine groups for more information)
HTTP request
GET /api/domains/{domain}/alerts
Request headers
HEADER VALUE
Authorization String
Request body
Empty
Response
If successful and domain exists - 200 OK with list of alert entities. If domain does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
Get domain related machines API
1/13/2020
API description
Retrieves a collection of Machines that have communicated to or from a given domain address.
Limitations
1. You can query on machines last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
Response will include only machines that the user can access, based on machine group settings (See Create and manage
machine groups for more information)
HTTP request
GET /api/domains/{domain}/machines
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the domain exists - 200 OK with a list of machine entities. If the domain does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
Get domain statistics API
1/13/2020
API description
Retrieves the statistics on the given domain.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/domains/{domain}/stats
Request headers
HEADER VALUE
Request body
Empty
Response
If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404
Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/domains/example.com/stats
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":
"https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
"host": "example.com",
"orgPrevalence": "4070",
"orgFirstSeen": "2017-07-30T13:23:48Z",
"orgLastSeen": "2017-08-29T13:09:05Z"
}
File resource type
1/13/2020
Represents a file entity in Microsoft Defender ATP.
Methods
METHOD RETURN TYPE DESCRIPTION
List file related alerts | alert collection | Get the alert entities that are associated with the file.
List file related machines | machine collection | Get the machine entities associated with the alert.
file statistics | Statistics summary | Retrieves the prevalence for the given file.
Properties
PROPERTY TYPE DESCRIPTION
Json representation
{
"sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
"sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462",
"globalPrevalence": 180022,
"globalFirstObserved": "2017-09-19T03:51:27.6785431Z",
"globalLastObserved": "2020-01-06T03:59:21.3229314Z",
"size": 22139496,
"fileType": "APP",
"isPeFile": true,
"filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.",
"fileProductName": "EaseUS MobiSaver for Android",
"signer": "CHENGDU YIWO Tech Development Co., Ltd.",
"issuer": "VeriSign Class 3 Code Signing 2010 CA",
"signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16",
"isValidCertificate": false,
"determinationType": "Pua",
"determinationValue": "PUA:Win32/FusionCore"
}
Get file information API
1/13/2020
API description
Retrieves a File by its identifier, Sha1 or Sha256.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/files/{id}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and file exists - 200 OK with the file entity in the body. If file does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
"sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
"sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462",
"globalPrevalence": 180022,
"globalFirstObserved": "2017-09-19T03:51:27.6785431Z",
"globalLastObserved": "2020-01-06T03:59:21.3229314Z",
"size": 22139496,
"fileType": "APP",
"isPeFile": true,
"filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.",
"fileProductName": "EaseUS MobiSaver for Android",
"signer": "CHENGDU YIWO Tech Development Co., Ltd.",
"issuer": "VeriSign Class 3 Code Signing 2010 CA",
"signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16",
"isValidCertificate": false,
"determinationType": "Pua",
"determinationValue": "PUA:Win32/FusionCore"
}
Get file related alerts API
1/13/2020
API description
Retrieves a collection of alerts related to a given file hash.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only alerts associated with machines that the user has access to, based on machine group settings
(See Create and manage machine groups for more information)
HTTP request
GET /api/files/{id}/alerts
Request headers
NAME TYPE DESCRIPTION
Response
If successful and the file exists - 200 OK with a list of alert entities in the body. If the file does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
Get file related machines API
1/13/2020
API description
Retrieves a collection of Machines related to a given file hash.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only machines that the user has access to, based on machine group settings (See Create and
manage machine groups for more information)
HTTP request
GET /api/files/{id}/machines
Request headers
NAME TYPE DESCRIPTION
Response
If successful and the file exists - 200 OK with a list of machine entities in the body. If the file does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
Get file statistics API
1/13/2020
API description
Retrieves the statistics for the given file.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/files/{id}/stats
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the file exists - 200 OK with statistical data in the body. If the file does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":
"https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
"sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f",
"orgPrevalence": "14850",
"orgFirstSeen": "2019-12-07T13:44:16Z",
"orgLastSeen": "2020-01-06T13:39:36Z",
"globalPrevalence": "705012",
"globalFirstObserved": "2015-03-19T12:20:07.3432441Z",
"globalLastObserved": "2020-01-06T13:39:36Z",
"topFileNames": [
"MREC.exe"
]
}
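A triage helper for the file statistics response shown above, added here as an example and not Microsoft's code: it converts the string-typed prevalence counts and the timestamps, handles the documented 404 case, and turns the numbers into the rarity signals an analyst looks at. The RARE_ORG and RARE_GLOBAL thresholds are assumptions, not documented values.

```python
"""Triage helper for the Get file statistics API (GET /api/files/{id}/stats).

Added example, not Microsoft's code. It parses an InOrgFileStats response
such as the one shown above and derives the prevalence signals an analyst
looks at when deciding whether a file hash deserves investigation.
Assumptions: the RARE_ORG / RARE_GLOBAL thresholds are illustrative, not
documented values; the sample body is the documented response, embedded here
so the code runs offline.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

RARE_ORG = 5       # assumption: <= 5 machines in the org counts as rare
RARE_GLOBAL = 100  # assumption: <= 100 machines worldwide counts as rare

# The documented sample response (Content-type: application/json), embedded inline.
SAMPLE_BODY = json.dumps({
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata"
                      "#microsoft.windowsDefenderATP.api.InOrgFileStats",
    "sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f",
    "orgPrevalence": "14850",
    "orgFirstSeen": "2019-12-07T13:44:16Z",
    "orgLastSeen": "2020-01-06T13:39:36Z",
    "globalPrevalence": "705012",
    "globalFirstObserved": "2015-03-19T12:20:07.3432441Z",
    "globalLastObserved": "2020-01-06T13:39:36Z",
    "topFileNames": ["MREC.exe"],
})


@dataclass
class FileStats:
    sha1: str
    org_prevalence: int
    global_prevalence: int
    org_first_seen: datetime
    org_last_seen: datetime
    global_first_observed: datetime
    top_file_names: list


def parse_timestamp(value: str) -> datetime:
    """Parse the API's ISO-8601 UTC timestamps. The global* fields carry seven
    fractional digits, which fromisoformat() rejects on older Pythons, so the
    fraction is trimmed to microseconds before parsing."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def parse_file_stats(status: int, body: str) -> Optional[FileStats]:
    """Map an HTTP status and JSON body to FileStats. The API answers 404 Not
    Found for an unknown file, which is reported as None rather than an error."""
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    d = json.loads(body)
    # Prevalence counts are serialised as strings in the response; convert them.
    return FileStats(
        sha1=d["sha1"],
        org_prevalence=int(d["orgPrevalence"]),
        global_prevalence=int(d["globalPrevalence"]),
        org_first_seen=parse_timestamp(d["orgFirstSeen"]),
        org_last_seen=parse_timestamp(d["orgLastSeen"]),
        global_first_observed=parse_timestamp(d["globalFirstObserved"]),
        top_file_names=list(d.get("topFileNames", [])),
    )


def triage(stats: FileStats) -> dict:
    """Derive analyst-facing signals:
    - rare_in_org / rare_globally: low prevalence on either axis is a cue to look closer
    - org_days_active: how long the file has been seen in the org
    - org_lag_days: days between the first global sighting and the first sighting
      in the org; a small value means the org saw it about as early as anyone
    """
    rare_org = stats.org_prevalence <= RARE_ORG
    rare_global = stats.global_prevalence <= RARE_GLOBAL
    if rare_org and rare_global:
        verdict = "investigate"   # unknown almost everywhere: custom or targeted
    elif rare_org:
        verdict = "review"        # common worldwide, unusual in this org
    else:
        verdict = "low-priority"  # widely installed here, e.g. standard software
    return {
        "sha1": stats.sha1,
        "verdict": verdict,
        "rare_in_org": rare_org,
        "rare_globally": rare_global,
        "org_days_active": (stats.org_last_seen - stats.org_first_seen).days,
        "org_lag_days": (stats.org_first_seen - stats.global_first_observed).days,
        "top_file_names": stats.top_file_names,
    }


if __name__ == "__main__":
    print(triage(parse_file_stats(200, SAMPLE_BODY)))
```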
Get IP related alerts API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves a collection of alerts related to a given IP address.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information)
The response will include only alerts associated with machines that the user has access to, based on machine group settings (see Create and manage machine groups for more information)
HTTP request
GET /api/ips/{ip}/alerts
Request headers
NAME TYPE DESCRIPTION
Response
If successful and the IP exists - 200 OK with a list of alert entities in the body. If the IP does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts
Get IP statistics API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves the statistics for the given IP.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/ips/{ip}/stats
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the IP exists - 200 OK with statistical data in the body. If the IP does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":
"https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
"ipAddress": "10.209.67.177",
"orgPrevalence": "63515",
"orgFirstSeen": "2017-07-30T13:36:06Z",
"orgLastSeen": "2017-08-29T13:32:59Z"
}
User resource type
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
List User related alerts alert collection List all the alerts that are associated with a user.
List User related machines machine collection List all the machines that were logged on by a user.
Get user related alerts API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves a collection of alerts related to a given user ID.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information)
The response will include only alerts associated with machines that the user has access to, based on machine group settings (see Create and manage machine groups for more information)
HTTP request
GET /api/users/{id}/alerts
Note that the id is not the full UPN, but only the user name (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts).
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the user exists - 200 OK. If the user does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/users/user1/alerts
Get user related machines API
1/13/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
API description
Retrieves a collection of machines related to a given user ID.
Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
Response will include only machines that the user can access, based on machine group settings (See Create and manage
machine groups for more information)
HTTP request
GET /api/users/{id}/machines
Note that the id is not the full UPN, but only the user name (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines).
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and user exists - 200 OK with list of machine entities in the body. If user does not exist - 404 Not
Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use the server closest to your geographic location:
api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
GET https://api.securitycenter.windows.com/api/users/user1/machines
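An added example (not Microsoft's code) covering two points the user APIs above make: the /api/users/{id}/... path takes the user name rather than the full UPN, and every API is limited to 100 calls per minute and 1500 per hour. It builds the request URL and throttles client-side; the host names and limits are the documented ones, and the clock is injectable so the limiter runs offline without any network call.

```python
"""Request shaping for the user-related APIs documented above.

Added example, not Microsoft's code. It implements two things the docs call out:
  * /api/users/{id}/alerts and /api/users/{id}/machines take the user name,
    not the full UPN, so the domain part is stripped client-side;
  * every API is limited to 100 calls per minute and 1500 calls per hour,
    so a collector should throttle itself rather than let the service refuse
    requests.
The host names and limits are the documented ones. The clock is injectable so
the limiter can be exercised offline; nothing here performs a network call.
"""
import time
from collections import deque
from urllib.parse import quote

HOSTS = {
    "global": "api.securitycenter.windows.com",
    "us": "api-us.securitycenter.microsoft.com",
    "eu": "api-eu.securitycenter.microsoft.com",
    "uk": "api-uk.securitycenter.microsoft.com",
}
PER_MINUTE = 100   # documented limit
PER_HOUR = 1500    # documented limit


def user_name_from_upn(upn: str) -> str:
    """'user1@contoso.com' -> 'user1'; a bare user name is returned unchanged.
    The DOMAIN\\user form is rejected because the API does not document it."""
    if "\\" in upn:
        raise ValueError("expected a UPN or bare user name, not DOMAIN\\user")
    name = upn.split("@", 1)[0].strip()
    if not name:
        raise ValueError("empty user name")
    return name


def user_url(upn: str, resource: str, region: str = "global") -> str:
    """Build the URL for /api/users/{id}/alerts or /api/users/{id}/machines."""
    if resource not in ("alerts", "machines"):
        raise ValueError("resource must be 'alerts' or 'machines'")
    name = quote(user_name_from_upn(upn), safe="")   # no path separators in the id
    return f"https://{HOSTS[region]}/api/users/{name}/{resource}"


class SlidingWindowLimiter:
    """Tracks call timestamps and reports how long to wait so that neither the
    per-minute nor the per-hour limit is exceeded."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._calls = deque()   # timestamps of calls made in the last hour

    def wait_time(self) -> float:
        """Seconds to wait before the next call is allowed (0.0 = go now)."""
        now = self._clock()
        while self._calls and now - self._calls[0] >= 3600:
            self._calls.popleft()          # older than an hour: no longer counted
        wait = 0.0
        if len(self._calls) >= PER_HOUR:
            wait = max(wait, 3600 - (now - self._calls[0]))
        minute = [t for t in self._calls if now - t < 60]
        if len(minute) >= PER_MINUTE:
            wait = max(wait, 60 - (now - minute[0]))
        return wait

    def record(self) -> None:
        """Call after each request has been sent."""
        self._calls.append(self._clock())

    def throttle(self, sleep=time.sleep) -> None:
        """Block until a call is allowed, then record it."""
        wait = self.wait_time()
        if wait > 0:
            sleep(wait)
        self.record()


if __name__ == "__main__":
    limiter = SlidingWindowLimiter()
    limiter.throttle()
    print(user_url("user1@contoso.com", "alerts"))
```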
Score resource type
2/7/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Methods
METHOD RETURN TYPE DESCRIPTION
Get device secure score Score Get the organizational device secure score.
List exposure score by machine group Score List scores by machine group.
Properties
PROPERTY TYPE DESCRIPTION
Time DateTime The date and time in which the call for this API was made.
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
HTTP request
GET /api/exposureScore/ByMachineGroups
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK, with a list of exposure scores per machine group in the response body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/exposureScore/ByMachineGroups
Response
Here is an example of the response.
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore",
"value": [
{
"time": "2019-12-03T09:51:28.214338Z",
"score": 41.38041766305988,
"rbacGroupName": "GroupOne"
},
{
"time": "2019-12-03T09:51:28.2143399Z",
"score": 37.403726933165366,
"rbacGroupName": "GroupTwo"
}
...
]
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability exposure score
Get exposure score
2/7/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
HTTP request
GET /api/exposureScore
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK, with the exposure data in the response body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/exposureScore
Response
Here is an example of the response.
NOTE
The response list shown here may be truncated for brevity.
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
"time": "2019-12-03T07:23:53.280499Z",
"score": 33.491554051195706
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability exposure score
Get Machine Secure score
2/7/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/configurationScore
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK, with the device secure score data in the response body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/configurationScore
Response
Here is an example of the response.
NOTE
The response list shown here may be truncated for brevity.
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
"time": "2019-12-03T09:15:58.1665846Z",
"score": 340
}
Related topics
OData queries with Microsoft Defender ATP
Software resource type
3/25/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Methods
METHOD RETURN TYPE DESCRIPTION
List software version distribution Distribution collection List software version distribution by software ID.
List machines by software MachineRef collection Retrieve a list of machines that are associated with the software ID.
Get missing KBs KB collection Get a list of missing KBs associated with the software ID.
Properties
PROPERTY TYPE DESCRIPTION
id String Software ID
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves the organization software inventory.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/Software
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with the software inventory in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/Software
Response
Here is an example of the response.
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software",
"value": [
{
"id": "microsoft-_-edge",
"name": "edge",
"vendor": "microsoft",
"weaknesses": 467,
"publicExploit": true,
"activeAlert": false,
"exposedMachines": 172,
"impactScore": 2.39947438
}
...
]
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability software inventory
Get software by Id
1/29/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/Software/{Id}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with the specified software data in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity",
"id": "microsoft-_-edge",
"name": "edge",
"vendor": "microsoft",
"weaknesses": 467,
"publicExploit": true,
"activeAlert": false,
"exposedMachines": 172,
"impactScore": 2.39947438
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability software inventory
List software version distribution
2/7/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/Software/{Id}/distributions
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with a list of software distribution data in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions
Response
Here is an example of the response.
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions",
"value": [
{
"version": "11.0.17134.1039",
"installations": 1,
"vulnerabilities": 11
},
{
"version": "11.0.18363.535",
"installations": 750,
"vulnerabilities": 0
}
...
]
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability software inventory
List machines by software
2/7/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/Software/{Id}/machineReferences
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK and a list of machines with the software installed in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences
Response
Here is an example of the response.
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences",
"value": [
{
"id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
"computerDnsName": "dave_desktop",
"osPlatform": "Windows10",
"rbacGroupName": "GroupTwo"
},
{
"id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
"computerDnsName": "jane_PC",
"osPlatform": "Windows10",
"rbacGroupName": "GroupTwo"
}
...
]
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability software inventory
List vulnerabilities by software
2/7/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/Software/{Id}/vulnerabilities
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with a list of vulnerabilities exposed by the specified software.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities
Response
Here is an example of the response.
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
"value": [
{
"id": "CVE-2017-0140",
"name": "CVE-2017-0140",
"description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles
requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP)
restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited
the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack
scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability
through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of
compromised websites, and websites that accept or host user-provided content or advertisements. These websites
could contain specially crafted content that could exploit the vulnerability.The security update addresses the
vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
"severity": "Medium",
"cvssV3": 4.2,
"exposedMachines": 1,
"publishedOn": "2017-03-14T00:00:00Z",
"updatedOn": "2019-10-03T00:03:00Z",
"publicExploit": false,
"exploitVerified": false,
"exploitInKit": false,
"exploitTypes": [],
"exploitUris": []
}
...
]
}
Get missing KBs by software ID
3/25/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves missing KBs by software ID
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/Software/{Id}/getmissingkbs
Request header
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK, with the missing KB data for the specified software in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/getmissingkbs
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
"value": [
{
"id": "4540673",
"name": "March 2020 Security Updates",
"productsNames": [
"edge"
],
"url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
"machineMissedOn": 240,
"cveAddressed": 14
},
...
]
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability software inventory
Vulnerability resource type
1/28/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Methods
METHOD RETURN TYPE DESCRIPTION
Get all vulnerabilities Vulnerability collection Retrieves a list of all the vulnerabilities affecting the organization.
List machines by vulnerability MachineRef collection Retrieve a list of machines that are associated with the vulnerability ID.
Properties
PROPERTY TYPE DESCRIPTION
id String Vulnerability ID
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/vulnerabilities
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with the list of vulnerabilities in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/Vulnerabilities
Response
Here is an example of the response.
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
"value": [
{
"id": "CVE-2019-0608",
"name": "CVE-2019-0608",
"description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse
HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by
crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an
attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially
crafted URL. In an email attack scenario, an attacker could send an email message containing the specially
crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an
attacker could host a specially crafted website designed to appear as a legitimate website to the user.
However, the attacker would have no way to force the user to visit the specially crafted website. The attacker
would have to convince the user to visit the specially crafted website, typically by way of enticement in an
email or instant message, and then convince the user to interact with content on the website.The update
addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
"severity": "Medium",
"cvssV3": 4.3,
"exposedMachines": 4,
"publishedOn": "2019-10-08T00:00:00Z",
"updatedOn": "2019-12-16T16:20:00Z",
"publicExploit": false,
"exploitVerified": false,
"exploitInKit": false,
"exploitTypes": [],
"exploitUris": []
}
...
]
}
Related topics
Risk-based Threat & Vulnerability Management
Vulnerabilities in your organization
Get vulnerability by ID
2/7/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/vulnerabilities/{cveId}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with the vulnerability information in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
Response
Here is an example of the response.
{
"@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
"id": "CVE-2019-0608",
"name": "CVE-2019-0608",
"description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP
content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting
HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack
with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially
crafted URL. In an email attack scenario, an attacker could send an email message containing the specially
crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an
attacker could host a specially crafted website designed to appear as a legitimate website to the user.
However, the attacker would have no way to force the user to visit the specially crafted website. The attacker
would have to convince the user to visit the specially crafted website, typically by way of enticement in an
email or instant message, and then convince the user to interact with content on the website.The update
addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
"severity": "Medium",
"cvssV3": 4.3,
"exposedMachines": 4,
"publishedOn": "2019-10-08T00:00:00Z",
"updatedOn": "2019-12-16T16:20:00Z",
"publicExploit": false,
"exploitVerified": false,
"exploitInKit": false,
"exploitTypes": [],
"exploitUris": []
}
Related topics
Risk-based Threat & Vulnerability Management
Vulnerabilities in your organization
List machines by vulnerability
2/7/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/vulnerabilities/{cveId}/machineReferences
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with the vulnerability information in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
"value": [
{
"id": "235a2e6278c63fcf85bab9c370396972c58843de",
"computerDnsName": "h1mkn_PC",
"osPlatform": "Windows10",
"rbacGroupName": "GroupTwo"
},
{
"id": "afb3f807d1a185ac66668f493af028385bfca184",
"computerDnsName": "chat_Desk ",
"osPlatform": "Windows10",
"rbacGroupName": "GroupTwo"
}
...
]
}
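An added example (not Microsoft's code) that ties the vulnerability list response above to the machines-by-vulnerability response: it ranks CVEs by exploit availability, CVSS and exposure, then turns the top entries into a patch worklist per RBAC machine group, which is how the data is partitioned for access anyway. CVE-2019-0608 and CVE-2017-0140 reuse the field values shown in the docs; CVE-EXAMPLE-0001, CVE-EXAMPLE-0002 and the machine ids marked placeholder are constructed, and the ranking order is an assumption.

```python
"""Patch-priority worklist from the Threat & Vulnerability Management responses
documented above: the vulnerability list (GET /api/vulnerabilities) and the
machines exposed to one CVE (GET /api/vulnerabilities/{cveId}/machineReferences).

Added example, not Microsoft's code. The ranking order is an assumption (exploit
availability before CVSS before exposure). CVE-2019-0608 and CVE-2017-0140 reuse
the field values shown in the docs; CVE-EXAMPLE-0001/0002 and their machine
lists are constructed placeholders so the ranking has something to reorder.
"""
from collections import defaultdict

VULNERABILITIES = {           # shape of the /api/vulnerabilities response body
    "value": [
        {"id": "CVE-2019-0608", "severity": "Medium", "cvssV3": 4.3, "exposedMachines": 4,
         "publicExploit": False, "exploitVerified": False, "exploitInKit": False},
        {"id": "CVE-2017-0140", "severity": "Medium", "cvssV3": 4.2, "exposedMachines": 1,
         "publicExploit": False, "exploitVerified": False, "exploitInKit": False},
        # constructed placeholder: fewer exposed machines than CVE-2019-0608, but a kit exploit exists
        {"id": "CVE-EXAMPLE-0001", "severity": "High", "cvssV3": 7.5, "exposedMachines": 2,
         "publicExploit": True, "exploitVerified": True, "exploitInKit": True},
        # constructed placeholder: nothing exposed in the org, so nothing to patch
        {"id": "CVE-EXAMPLE-0002", "severity": "Critical", "cvssV3": 9.8, "exposedMachines": 0,
         "publicExploit": True, "exploitVerified": False, "exploitInKit": False},
    ]
}

MACHINE_REFS = {              # cveId -> /api/vulnerabilities/{cveId}/machineReferences body
    "CVE-2019-0608": {"value": [   # the documented sample, including its trailing-space DNS name
        {"id": "235a2e6278c63fcf85bab9c370396972c58843de", "computerDnsName": "h1mkn_PC",
         "osPlatform": "Windows10", "rbacGroupName": "GroupTwo"},
        {"id": "afb3f807d1a185ac66668f493af028385bfca184", "computerDnsName": "chat_Desk ",
         "osPlatform": "Windows10", "rbacGroupName": "GroupTwo"},
    ]},
    "CVE-EXAMPLE-0001": {"value": [   # constructed
        {"id": "placeholder-machine-id-1", "computerDnsName": "finance_laptop",
         "osPlatform": "Windows10", "rbacGroupName": "GroupOne"},
        {"id": "placeholder-machine-id-2", "computerDnsName": "h1mkn_PC",
         "osPlatform": "Windows10", "rbacGroupName": "GroupTwo"},
    ]},
}


def priority_key(v: dict) -> tuple:
    """Higher tuple = patch first: an exploit in a kit beats a verified exploit,
    which beats any public exploit, then CVSS v3, then exposed machine count."""
    return (
        bool(v.get("exploitInKit")),
        bool(v.get("exploitVerified")),
        bool(v.get("publicExploit")),
        float(v.get("cvssV3") or 0.0),
        int(v.get("exposedMachines") or 0),
    )


def rank_vulnerabilities(response: dict) -> list:
    """Rank the 'value' array of a /api/vulnerabilities response, dropping
    entries with no exposed machines (nothing in the org to remediate)."""
    exposed = [v for v in response.get("value", [])
               if int(v.get("exposedMachines") or 0) > 0]
    return sorted(exposed, key=priority_key, reverse=True)


def worklist_by_group(ranked: list, machine_refs: dict, top_n: int = 3) -> dict:
    """For the top_n CVEs, group the exposed machines by RBAC machine group so each
    group owner gets their own list: {rbacGroupName: [(cveId, dnsName), ...]}.
    DNS names are stripped because the documented sample contains a trailing space."""
    out = defaultdict(list)
    for v in ranked[:top_n]:
        for m in machine_refs.get(v["id"], {}).get("value", []):
            out[m["rbacGroupName"]].append((v["id"], m["computerDnsName"].strip()))
    return dict(out)


if __name__ == "__main__":
    ranked = rank_vulnerabilities(VULNERABILITIES)
    for group, items in worklist_by_group(ranked, MACHINE_REFS).items():
        print(group, items)
```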
Related topics
Risk-based Threat & Vulnerability Management
Vulnerabilities in your organization
Recommendation resource type
1/28/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Methods
METHOD RETURN TYPE DESCRIPTION
Properties
PROPERTY TYPE DESCRIPTION
id String Recommendation ID
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/recommendations
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with the list of security recommendations in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/recommendations
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
"value": [
{
"id": "va-_-microsoft-_-windows_10",
"productName": "windows_10",
"recommendationName": "Update Windows 10",
"weaknesses": 397,
"vendor": "microsoft",
"recommendedVersion": "",
"recommendationCategory": "Application",
"subCategory": "",
"severityScore": 0,
"publicExploit": true,
"activeAlert": false,
"associatedThreats": [
"3098b8ef-23b1-46b3-aed4-499e1928f9ed",
"40c189d5-0330-4654-a816-e48c2b7f9c4b",
"4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
"e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
"94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
],
"remediationType": "Update",
"status": "Active",
"configScoreImpact": 0,
"exposureImpact": 7.674418604651163,
"totalMachineCount": 37,
"exposedMachinesCount": 7,
"nonProductivityImpactedAssets": 0,
"relatedComponent": "Windows 10"
}
...
]
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability security recommendation
Get recommendation by ID
2/7/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/recommendations/{id}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with the security recommendations in the body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity",
"id": "va-_-google-_-chrome",
"productName": "chrome",
"recommendationName": "Update Chrome",
"weaknesses": 38,
"vendor": "google",
"recommendedVersion": "",
"recommendationCategory": "Application",
"subCategory": "",
"severityScore": 0,
"publicExploit": false,
"activeAlert": false,
"associatedThreats": [],
"remediationType": "Update",
"status": "Active",
"configScoreImpact": 0,
"exposureImpact": 3.9441860465116285,
"totalMachineCount": 6,
"exposedMachinesCount": 5,
"nonProductivityImpactedAssets": 0,
"relatedComponent": "Chrome"
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability security recommendation
Get recommendation by software
2/7/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/recommendations/{id}/software
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with the software associated with the security recommendations in the
body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
"id": "google-_-chrome",
"name": "chrome",
"vendor": "google",
"weaknesses": 38,
"publicExploit": false,
"activeAlert": false,
"exposedMachines": 5,
"impactScore": 3.94418621
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability security recommendation
List machines by recommendation
2/11/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/recommendations/{id}/machineReferences
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with the list of machines associated with the security recommendation.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
"value": [
{
"id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
"computerDnsName": "niw_pc",
"osPlatform": "Windows10",
"rbacGroupName": "GroupTwo"
}
...
]
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability security recommendation
List vulnerabilities by recommendation
2/7/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs for details.
HTTP request
GET /api/recommendations/{id}/vulnerabilities
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security
recommendation.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
"value": [
{
"id": "CVE-2019-13748",
"name": "CVE-2019-13748",
"description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
"severity": "Medium",
"cvssV3": 6.5,
"exposedMachines": 0,
"publishedOn": "2019-12-10T00:00:00Z",
"updatedOn": "2019-12-16T12:15:00Z",
"publicExploit": false,
"exploitVerified": false,
"exploitInKit": false,
"exploitTypes": [],
"exploitUris": []
}
...
]
}
Related topics
Risk-based Threat & Vulnerability Management
Threat & Vulnerability security recommendation
Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions
1/8/2020
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Want to experience Microsoft Defender ATP? Sign up for a free trial.
Automating security procedures is a standard requirement for every modern Security Operations Center. The
shortage of professional cyber defenders forces SOCs to work as efficiently as possible, and automation is a must.
Microsoft Flow supports connectors that were built exactly for that, so you can build an end-to-end procedure
automation within a few minutes.
The Microsoft Defender ATP API has an official Flow connector with many capabilities.
Usage example
The following example demonstrates how you can create a Flow that is triggered any time a new Alert occurs
on your tenant.
Log in to Microsoft Flow.
Go to: My flows > New > Automated.
Choose a name for your Flow, search for Microsoft Defender ATP Triggers as the trigger, and choose the
new Alerts trigger.
Now you have a Flow that is triggered every time a new Alert occurs.
All you need to do now is choose your next steps. Let's, for example, isolate the machine if the severity of the
Alert is High and send an email about it. The Alert trigger gives us only the Alert ID and the Machine ID. We can
use the connector to expand these entities.
Get the Alert entity using the connector
Choose Microsoft Defender ATP for the new step.
Choose the Alerts - Get single alert API.
Set the Alert Id from the last step as the input.
Isolate the machine if the Alert's severity is High
Add Condition as a new step.
Check whether the Alert severity equals High.
If yes, add the Microsoft Defender ATP - Isolate machine action with the Machine Id and a comment.
Now you can add a new step for mailing about the Alert and the isolation. There are multiple email connectors
that are very easy to use, e.g. Outlook, Gmail, etc. Save your flow and that's all.
You can also create a scheduled flow that runs Advanced Hunting queries and much more.
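The same decision logic, written as plain Python so it can be tested before it is wired into a connector. This is an added example, not code from the documentation or the Flow connector: it mirrors the steps above (look the alert up, branch on severity, request isolation, notify). `DefenderClient` calls the "Get single alert" API (GET /api/alerts/{id}, as used by the Flow above) and the machine isolation action (POST /api/machines/{id}/isolate with an IsolationType of Full, documented elsewhere, not on this page); `FakeDefenderClient` is an offline stand-in with the same two methods, and the alert records in `SAMPLE_ALERTS` are constructed. The cross-check of the alert's machineId against the trigger's Machine Id is this example's addition.

```python
import json
import urllib.request

BASE_URL = "https://api.securitycenter.windows.com/api"

# Constructed alert records using the documented alert fields (severity, status, machineId, title).
SAMPLE_ALERTS = {
    "alert-high": {"id": "alert-high", "severity": "High", "status": "New", "machineId": "machine-1",
                   "title": "Suspicious PowerShell command line", "category": "Execution"},
    "alert-low": {"id": "alert-low", "severity": "Low", "status": "New", "machineId": "machine-2",
                  "title": "Network connection to a risky host", "category": "CommandAndControl"},
    "alert-resolved": {"id": "alert-resolved", "severity": "High", "status": "Resolved",
                       "machineId": "machine-3", "title": "Malware detected", "category": "Malware"},
}


class DefenderClient:
    """Minimal urllib client for the two calls the flow makes (bearer token from the AAD app)."""

    def __init__(self, aad_token, base_url=BASE_URL):
        self.base_url = base_url
        self.headers = {"Authorization": "Bearer " + aad_token,
                        "Content-Type": "application/json", "Accept": "application/json"}

    def _call(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode("utf-8")
        req = urllib.request.Request(self.base_url + path, data=data, headers=self.headers, method=method)
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def get_alert(self, alert_id):
        return self._call("GET", "/alerts/" + alert_id)

    def isolate_machine(self, machine_id, comment):
        # Isolation action; IsolationType "Full" cuts all connectivity except to the Defender service.
        return self._call("POST", "/machines/" + machine_id + "/isolate",
                          {"Comment": comment, "IsolationType": "Full"})


class FakeDefenderClient:
    """Offline stand-in: serves constructed alerts and records isolation requests."""

    def __init__(self, alerts):
        self.alerts = alerts
        self.isolations = []

    def get_alert(self, alert_id):
        if alert_id not in self.alerts:
            raise KeyError("unknown alert " + alert_id)
        return self.alerts[alert_id]

    def isolate_machine(self, machine_id, comment):
        self.isolations.append((machine_id, comment))
        return {"id": "action-%d" % len(self.isolations), "type": "Isolate", "status": "Pending"}


def handle_new_alert(client, alert_id, machine_id, notify=print):
    """The flow's decision logic. Returns True when an isolation was requested."""
    alert = client.get_alert(alert_id)
    # The trigger only supplies ids; cross-check the machine against the alert record so a
    # stale or malformed trigger payload cannot isolate the wrong machine.
    if alert.get("machineId") != machine_id:
        raise ValueError("alert %s belongs to machine %s, not %s"
                         % (alert_id, alert.get("machineId"), machine_id))
    should_isolate = alert.get("severity") == "High" and alert.get("status") != "Resolved"
    action = None
    if should_isolate:
        comment = "Auto-isolated for alert %s: %s" % (alert_id, alert.get("title", ""))
        action = client.isolate_machine(machine_id, comment)
    notify("Alert %s (%s) on %s: %s" % (alert_id, alert.get("severity"), machine_id,
                                         "isolation requested" if action else "no action"))
    return action is not None


if __name__ == "__main__":
    fake = FakeDefenderClient(SAMPLE_ALERTS)
    for alert_id, machine_id in (("alert-high", "machine-1"), ("alert-low", "machine-2")):
        handle_new_alert(fake, alert_id, machine_id)
```

Keeping the rule (severity High and not already Resolved) in one function means the same check can be unit-tested with the fake client and then used unchanged behind a Flow, an Azure Function, or a scheduled job.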
Related topic
Microsoft Defender ATP APIs
Create custom reports using Power BI
1/7/2020
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Want to experience Microsoft Defender ATP? Sign up for a free trial.
In this section you will learn how to create a Power BI report on top of Microsoft Defender ATP APIs.
The first example demonstrates how to connect Power BI to the Advanced Hunting API and the second example
demonstrates a connection to our OData APIs (e.g. Machine Actions, Alerts, etc.).
    HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries",
    TypeMap = #table(
        { "Type", "PowerBiType" },
        {
            { "Double", Double.Type },
            { "Int64", Int64.Type },
            { "Int32", Int32.Type },
            { "Int16", Int16.Type },
            { "UInt64", Number.Type },
            { "UInt32", Number.Type },
            { "UInt16", Number.Type },
            { "Byte", Byte.Type },
            { "Single", Single.Type },
            { "Decimal", Decimal.Type },
            { "TimeSpan", Duration.Type },
            { "DateTime", DateTimeZone.Type },
            { "String", Text.Type },
            { "Boolean", Logical.Type },
            { "SByte", Logical.Type },
            { "Guid", Text.Type }
        }),
    Schema = Table.FromRecords(Response[Schema]),
    TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap, {"Type"}),
    Results = Response[Results],
    Rows = Table.FromRecords(Results, Schema[Name]),
    Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
in Table
Click Done.
Click Edit Credentials.
Now the results of your query appear as a table and you can start building visualizations on top of it.
You can duplicate this table, rename it, and edit the Advanced Hunting query inside it to get any data you
would like.
let
Query = "MachineActions",
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Run advanced queries using Python; see Advanced Hunting API.
In this section we share Python samples to retrieve a token and use it to run a query.
Get token
Run the following:
import json
import urllib.request
import urllib.parse
tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
# Token endpoint of your tenant (the same endpoint the PowerShell sample below uses)
url = "https://login.windows.net/%s/oauth2/token" % (tenantId)
resourceAppIdUri = 'https://api.securitycenter.windows.com'
body = {
    'resource' : resourceAppIdUri,
    'client_id' : appId,
    'client_secret' : appSecret,
    'grant_type' : 'client_credentials'
}
data = urllib.parse.urlencode(body).encode("utf-8")
# Client credentials flow: POST the form-encoded body and read the access token from the JSON reply
req = urllib.request.Request(url, data)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
aadToken = jsonResponse["access_token"]
where
tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of
this tenant)
appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP)
appSecret: Secret of your AAD app
Run query
Run the following query:
query = 'RegistryEvents | limit 10' # Paste your own query here
url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
headers = {
    'Content-Type' : 'application/json',
    'Accept' : 'application/json',
    'Authorization' : "Bearer " + aadToken
}
# The query is sent as a JSON body {"Query": "..."}, as in the PowerShell sample below
data = json.dumps({ 'Query' : query }).encode("utf-8")
req = urllib.request.Request(url, data, headers)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
schema = jsonResponse["Schema"]   # list of {"Name": ..., "Type": ...} column descriptors
results = jsonResponse["Results"] # list of row objects keyed by column name
To output the results of the query in CSV format to the file file1.csv, do the following:
import csv
with open("D:\\Temp\\file1.csv", 'w', newline='') as outputFile:
    writer = csv.DictWriter(outputFile, fieldnames=[column['Name'] for column in schema])
    writer.writeheader()
    writer.writerows(results)
To output the results of the query in JSON format to the file file1.json, do the following:
outputFile = open("D:\\Temp\\file1.json", 'w')
json.dump(results, outputFile)
outputFile.close()
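The Power BI sample earlier on this page maps the Schema "Type" names onto Power BI types before the rows are usable; the Python samples above write the raw rows out without that step. The following is an added example, not code from the documentation, that does the same schema-driven typing in Python on the {"Schema": [...], "Results": [...]} body returned by /api/advancedqueries/run and renders the typed rows as CSV. The sample response is constructed (the column set is illustrative, not the full RegistryEvents schema); `parse_datetime`, `typed_rows` and `to_csv` are names of this example.

```python
import csv
import io
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed response in the documented {"Schema": [...], "Results": [...]} shape;
# the column set is illustrative, not the full RegistryEvents schema.
SAMPLE_RESPONSE = json.dumps({
    "Schema": [
        {"Name": "Timestamp", "Type": "DateTime"},
        {"Name": "DeviceName", "Type": "String"},
        {"Name": "ActionType", "Type": "String"},
        {"Name": "RegistryKey", "Type": "String"},
        {"Name": "InitiatingProcessId", "Type": "Int64"},
        {"Name": "ReportId", "Type": "Int64"},
        {"Name": "IsPersistence", "Type": "Boolean"},
    ],
    "Results": [
        {"Timestamp": "2020-02-07T10:15:30.1234567Z", "DeviceName": "niw_pc",
         "ActionType": "RegistryValueSet",
         "RegistryKey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
         "InitiatingProcessId": 4321, "ReportId": 98765, "IsPersistence": True},
        {"Timestamp": "2020-02-07T10:16:00Z", "DeviceName": "mymachine1.contoso.com",
         "ActionType": "RegistryKeyCreated", "RegistryKey": None,
         "InitiatingProcessId": 77, "ReportId": 98766, "IsPersistence": False},
    ],
})

_TIMESTAMP = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)?$")


def parse_datetime(text):
    """Parse Kusto's ISO 8601 output (up to 7 fractional digits, trailing Z) into an aware datetime.
    fromisoformat() on Python 3.7-3.10 accepts neither 7 digits nor the Z, hence the regex."""
    match = _TIMESTAMP.match(text)
    if not match:
        raise ValueError("unrecognized timestamp: " + text)
    base, fraction, offset = match.groups()
    micro = int((fraction or "0")[:6].ljust(6, "0"))
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro)
    if offset in (None, "Z"):
        return stamp.replace(tzinfo=timezone.utc)
    sign = 1 if offset[0] == "+" else -1
    delta = timedelta(hours=int(offset[1:3]), minutes=int(offset[4:6]))
    return stamp.replace(tzinfo=timezone(sign * delta))


# Schema "Type" name -> converter; the same names the Power BI TypeMap above keys on.
# SByte is a signed 8-bit integer, so it is an int here, not a boolean as in that TypeMap.
CONVERTERS = {
    "Double": float, "Single": float, "Decimal": float,
    "Int64": int, "Int32": int, "Int16": int, "Byte": int, "SByte": int,
    "UInt64": int, "UInt32": int, "UInt16": int,
    "DateTime": parse_datetime,
    "Boolean": lambda v: v if isinstance(v, bool) else str(v).lower() == "true",
    "String": str, "Guid": str,
    "TimeSpan": str,  # kept as text; a timespan parser is outside this example
}


def typed_rows(body, strict=True):
    """Yield one dict per result row with values converted per the Schema.
    Nulls stay None. A column type with no converter raises (strict) or passes through."""
    doc = json.loads(body) if isinstance(body, str) else body
    converters = {}
    for column in doc["Schema"]:
        fn = CONVERTERS.get(column["Type"])
        if fn is None and strict:
            raise ValueError("no converter for column %s of type %s" % (column["Name"], column["Type"]))
        converters[column["Name"]] = fn or (lambda v: v)
    for row in doc["Results"]:
        yield {name: (None if row.get(name) is None else fn(row[name]))
               for name, fn in converters.items()}


def to_csv(body):
    """Render the typed rows as CSV text; datetimes are written back as ISO 8601 with offset."""
    doc = json.loads(body) if isinstance(body, str) else body
    names = [column["Name"] for column in doc["Schema"]]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=names)
    writer.writeheader()
    for row in typed_rows(doc):
        writer.writerow({k: (v.isoformat() if isinstance(v, datetime) else v) for k, v in row.items()})
    return out.getvalue()
```

Typing by the returned Schema rather than by guessing from values matters for timestamps in particular: Kusto emits seven fractional digits, which `datetime.fromisoformat` rejects on older Python versions, and a string compare on such timestamps silently breaks once an event crosses a day boundary in a different offset.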
Related topic
Microsoft Defender ATP APIs
Advanced Hunting API
Advanced Hunting using PowerShell
Advanced Hunting using PowerShell
12/26/2019
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Run advanced queries using PowerShell; see Advanced Hunting API.
In this section we share PowerShell samples to retrieve a token and use it to run a query.
Preparation instructions
Open a PowerShell window.
If your execution policy does not allow you to run the PowerShell commands, you can run the following command:
Get token
Run the following:
$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
$body = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
# Client credentials flow: exchange the app secret for a bearer token for the Microsoft Defender ATP API
$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop
$aadToken = $response.access_token
where
$tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data
of this tenant)
$appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP)
$appSecret: Secret of your AAD app
Run query
Run the following query:
$query = 'RegistryEvents | limit 10' # Paste your own query here
$url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
$headers = @{
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $aadToken"
}
# The query travels as a JSON body {"Query": "..."}
$body = ConvertTo-Json -InputObject @{ 'Query' = $query }
$webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop
$response = $webResponse | ConvertFrom-Json
$results = $response.Results   # row objects keyed by column name
$schema = $response.Schema     # column descriptors (Name, Type)
To output the results of the query in JSON format to the file file1.json, do the following:
Related topic
Microsoft Defender ATP APIs
Advanced Hunting API
Advanced Hunting using Python
OData queries with Microsoft Defender ATP
1/13/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
If you are not familiar with OData queries, see OData V4 queries.
Not all properties are filterable.
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "ExampleTag" ]
},
...
]
}
Example 2
Get all the alerts that were created after 2018-10-20 00:00:00
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "da637084217856368682_-292920499",
"incidentId": 66860,
"investigationId": 4416234,
"investigationState": "Running",
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "New",
"classification": "TruePositive",
"determination": null,
"detectionSource": "WindowsDefenderAtp",
"category": "CommandAndControl",
"threatFamilyName": null,
"title": "Network connection to a risky host",
"description": "A network connection was made to a risky host which has exhibited malicious activity.",
"alertCreationTime": "2019-11-03T23:49:45.3823185Z",
"firstEventTime": "2019-11-03T23:47:16.2288822Z",
"lastEventTime": "2019-11-03T23:47:51.2966758Z",
"lastUpdateTime": "2019-11-03T23:55:52.6Z",
"resolvedTime": null,
"machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
"comments": [
{
"comment": "test comment for docs",
"createdBy": "secop@contoso.com",
"createdTime": "2019-11-05T14:08:37.8404534Z"
}
]
},
...
]
}
Example 3
Get all the machines whose 'RiskScore' is 'High'
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "ExampleTag" ]
},
...
]
}
Example 4
Get the top 100 machines whose 'HealthStatus' is not equal to 'Active'
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "ImpairedCommunication",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "ExampleTag" ]
},
...
]
}
Example 5
Get all the machines that were last seen after 2018-10-20
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "ImpairedCommunication",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "ExampleTag" ]
},
...
]
}
Example 6
Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft
Defender ATP
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"scope": "Full",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
},
...
]
}
Example 7
Get the count of open alerts for a specific machine:
HTTP GET
https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'
Response:
HTTP/1.1 200 OK
Content-type: application/json
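The request lines of Examples 1 to 6 are missing from this copy of the page; only Example 7 shows its URL. The following is an added example, not code from the documentation: a small builder that produces OData URLs for this API and, in `documented_examples`, this example's reconstruction of Examples 2 to 7 from their descriptions (the property names alertCreationTime, riskScore, healthStatus, lastSeen, requestor, type and status all appear in the sample responses above; the exact filters are the reconstruction's own). The security point is in `odata_literal`: a string that comes from user input is quoted with embedded quotes doubled, never interpolated, so it cannot add clauses to the filter.

```python
from datetime import datetime, timezone
from urllib.parse import quote

BASE_URL = "https://api.securitycenter.windows.com/api"
OPERATORS = ("eq", "ne", "gt", "ge", "lt", "le")


def odata_literal(value):
    """Render a Python value as an OData V4 literal.

    bool -> true/false; int/float as-is; datetime -> ISO 8601 in UTC;
    str -> single-quoted with embedded quotes doubled. Other types are rejected.
    """
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, datetime):
        if value.tzinfo is None:
            value = value.replace(tzinfo=timezone.utc)
        return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if isinstance(value, str):
        return "'" + value.replace("'", "''") + "'"
    raise TypeError("unsupported OData literal: %r" % (value,))


class ODataQuery:
    """Builder for GET {BASE_URL}/{resource}[/$count]?$filter=...&$top=... (this example's class)."""

    def __init__(self, resource):
        self.resource = resource
        self.clauses = []
        self.top = None
        self.count = False

    def where(self, prop, op, value):
        if op not in OPERATORS:
            raise ValueError("unsupported operator: " + op)
        if not prop.isidentifier():
            raise ValueError("bad property name: " + prop)
        self.clauses.append("%s %s %s" % (prop, op, odata_literal(value)))
        return self

    def limit(self, n):
        self.top = int(n)
        return self

    def counting(self):
        self.count = True
        return self

    def filter_string(self):
        return " and ".join(self.clauses)

    def url(self):
        path = BASE_URL + "/" + self.resource + ("/$count" if self.count else "")
        params = []
        if self.clauses:
            params.append(("$filter", self.filter_string()))
        if self.top is not None:
            params.append(("$top", str(self.top)))
        if not params:
            return path
        # Spaces and most punctuation are percent-encoded; '$', ':', '/' and the quote stay readable.
        return path + "?" + "&".join(k + "=" + quote(v, safe="$:/'") for k, v in params)


def documented_examples():
    """This example's reconstruction of Examples 2 to 7 above, keyed by example number."""
    cutoff = datetime(2018, 10, 20, tzinfo=timezone.utc)
    machine = "123321d0c675eaa415b8e5f383c6388bff446c62"
    return {
        2: ODataQuery("alerts").where("alertCreationTime", "gt", cutoff).url(),
        3: ODataQuery("machines").where("riskScore", "eq", "High").url(),
        4: ODataQuery("machines").where("healthStatus", "ne", "Active").limit(100).url(),
        5: ODataQuery("machines").where("lastSeen", "gt", cutoff).url(),
        6: ODataQuery("machineactions").where("requestor", "eq", "Analyst@examples.onmicrosoft.com")
            .where("type", "eq", "RunAntiVirusScan").url(),
        7: ODataQuery("machines/" + machine + "/alerts").where("status", "ne", "Resolved").counting().url(),
    }


if __name__ == "__main__":
    for number, url in sorted(documented_examples().items()):
        print("Example %d: GET %s" % (number, url))
```

Keep the list of allowed operators and the identifier check on property names: the filter is a small query language evaluated by the service, and the same care applies to it as to SQL built from strings.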
Related topic
Microsoft Defender ATP APIs
Raw Data Streaming API
3/18/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Want to experience Microsoft Defender ATP? Sign up for a free trial.
In this section
TOPIC | DESCRIPTION
Stream Microsoft Defender ATP events to Azure Event Hubs | Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream Advanced Hunting to Event Hubs.
Stream Microsoft Defender ATP events to your Azure storage account | Learn about enabling the streaming API in your tenant and configure Microsoft Defender ATP to stream Advanced Hunting to your Azure storage account.
Related topics
Overview of Advanced Hunting
Azure Event Hubs documentation
Azure Storage Account documentation
Configure Microsoft Defender ATP to stream Advanced Hunting events to your Azure Event Hubs
2/24/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Want to experience Microsoft Defender ATP? Sign up for a free trial.
Each event hub message in Azure Event Hubs contains a list of records.
Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs
to (you will only get events from your tenant), and the event in JSON format in a property called "properties".
For more information about the schema of Microsoft Defender ATP events, see Advanced Hunting overview.
In Advanced Hunting, the DeviceInfo table has a column named MachineGroup which contains the group of
the machine. Here every event will be decorated with this column as well. See Machine Groups for more
information.
{EventType}
| getschema
| project ColumnName, ColumnType
Related topics
Overview of Advanced Hunting
Microsoft Defender ATP streaming API
Stream Microsoft Defender ATP events to your Azure storage account
Azure Event Hubs documentation
Configure Microsoft Defender ATP to stream Advanced Hunting events to your Storage account
2/21/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Want to experience Microsoft Defender ATP? Sign up for a free trial.
{EventType}
| getschema
| project ColumnName, ColumnType
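Whichever sink you stream to, the consumer sees the same record structure described in the Event Hubs section above: a list of records, each with the event name, the receive time, the tenant, and the event itself under "properties", decorated with MachineGroup. The following is an added example, not code from the documentation, of a consumer that validates that structure before doing anything with it. Only "properties" and "MachineGroup" are names the page gives; the envelope keys "records", "time", "tenantId" and "category" are assumptions of this example, the tenant id is a placeholder, and the message is constructed.

```python
import json
from collections import Counter

MY_TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder for your tenant id
REQUIRED_KEYS = ("time", "tenantId", "category", "properties")   # envelope keys assumed by this example

# Constructed message; the third record deliberately carries a foreign tenant id and the
# fourth lacks the MachineGroup decoration.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2020-02-24T09:00:00.000Z", "tenantId": MY_TENANT,
     "category": "AdvancedHunting-DeviceInfo",
     "properties": {"DeviceName": "niw_pc", "OSPlatform": "Windows10", "MachineGroup": "GroupTwo"}},
    {"time": "2020-02-24T09:00:01.000Z", "tenantId": MY_TENANT,
     "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "niw_pc", "FileName": "powershell.exe", "MachineGroup": "GroupTwo"}},
    {"time": "2020-02-24T09:00:02.000Z", "tenantId": "11111111-1111-1111-1111-111111111111",
     "category": "AdvancedHunting-DeviceInfo",
     "properties": {"DeviceName": "other-pc", "MachineGroup": "Elsewhere"}},
    {"time": "2020-02-24T09:00:03.000Z", "tenantId": MY_TENANT,
     "category": "AdvancedHunting-DeviceInfo",
     "properties": {"DeviceName": "mymachine1.contoso.com", "OSPlatform": "Windows10"}},
]})


def parse_records(message, my_tenant=MY_TENANT):
    """Split a message into (accepted, rejected).

    accepted: well-formed records whose tenantId is ours.
    rejected: (index, reason) pairs. A record from another tenant is dropped rather than
    processed, even though the service only delivers your own tenant's events.
    """
    doc = json.loads(message)
    if not isinstance(doc.get("records"), list):
        raise ValueError("message has no records list")
    accepted, rejected = [], []
    for index, record in enumerate(doc["records"]):
        missing = [key for key in REQUIRED_KEYS if key not in record]
        if missing:
            rejected.append((index, "missing " + ",".join(missing)))
        elif record["tenantId"] != my_tenant:
            rejected.append((index, "foreign tenant"))
        elif not isinstance(record["properties"], dict):
            rejected.append((index, "properties is not an object"))
        else:
            accepted.append(record)
    return accepted, rejected


def events_by_group(records):
    """Count events per (event name, MachineGroup); undecorated events count as 'Ungrouped'."""
    counts = Counter()
    for record in records:
        group = record["properties"].get("MachineGroup", "Ungrouped")
        counts[(record["category"], group)] += 1
    return counts


def dispatch(records, handlers):
    """Call handlers[event name](properties) for each record. Returns a Counter of handled
    event names, with '_unhandled' counting event types that have no handler."""
    outcome = Counter()
    for record in records:
        handler = handlers.get(record["category"])
        if handler is None:
            outcome["_unhandled"] += 1
            continue
        handler(record["properties"])
        outcome[record["category"]] += 1
    return outcome


if __name__ == "__main__":
    accepted, rejected = parse_records(SAMPLE_MESSAGE)
    print("accepted %d, rejected %s" % (len(accepted), rejected))
    for key, count in sorted(events_by_group(accepted).items()):
        print("%-40s %-12s %d" % (key[0], key[1], count))
```

The per-group count is the quick way to confirm that the MachineGroup decoration reaches your sink for every event type; a large 'Ungrouped' bucket usually means devices that are not yet assigned to a machine group.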
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Advanced cybersecurity attacks comprise multiple complex malicious events, attributes, and contextual
information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your
knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when
to call an observed behavior suspicious.
With Microsoft Defender ATP, you can create custom threat alerts that can help you keep track of possible attack
activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack
chain. These custom threat alerts will only appear in your organization and will flag the events that you set them to track.
Before creating custom threat alerts, it's important to know the concepts behind alert definitions and indicators of
compromise (IOCs) and the relationship between them.
Alert definitions
Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible
cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by
an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is critical
in gaining a vantage point against attacks and possibly interfering with the chain of events before an attacker's
objective is reached.
In this section
TOPIC | DESCRIPTION
Pull detections to your SIEM tools | Learn about different ways to pull detections.
Enable SIEM integration in Microsoft Defender ATP | Learn about enabling the SIEM integration feature in the Settings page in the portal so that you can use and generate the required information to configure supported SIEM tools.
Configure Splunk to pull Microsoft Defender ATP detections | Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
Configure HP ArcSight to pull Microsoft Defender ATP detections | Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
Microsoft Defender ATP Detection fields | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
Pull Microsoft Defender ATP detections using REST API | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
Troubleshoot SIEM tool integration issues | Address issues you might encounter when using the SIEM integration feature.
Related topics
Manage indicators
Pull detections to your SIEM tools
1/13/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections.
Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be
configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0
authentication protocol for an AAD application that represents the specific SIEM connector installed in your
environment.
Microsoft Defender ATP currently supports the following SIEM tools:
Splunk
HP ArcSight
To use either of these supported SIEM tools you'll need to:
Enable SIEM integration in Microsoft Defender ATP
Configure the supported SIEM tool:
Configure Splunk to pull Microsoft Defender ATP detections
Configure HP ArcSight to pull Microsoft Defender ATP detections
For more information on the list of fields exposed in the Detection API, see Microsoft Defender ATP Detection
fields.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Enable security information and event management (SIEM) integration so you can pull detections from Microsoft
Defender Security Center using your SIEM solution or by connecting directly to the detections REST API.
NOTE
A Microsoft Defender ATP Alert is composed of one or more detections.
A Microsoft Defender ATP Detection is composed of the suspicious event that occurred on the Machine and its related
Alert details.
Prerequisites
The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD).
This is typically someone with a Global administrator role.
During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you
allow pop-ups for this site.
TIP
If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings
of your browser. It might be blocking the new window being opened when you enable the capability.
2. Select Enable SIEM integration. This activates the SIEM connector access details section with pre-
populated values, and an application is created under your Azure Active Directory (AAD) tenant.
WARNING
The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
NOTE
If you select HP ArcSight, you'll need to save these two configuration files:
WDATP-connector.jsonparser.properties
WDATP-connector.properties
If you want to connect directly to the detections REST API through programmatic access, choose Generic
API.
4. Copy the individual values or select Save details to file to download a file that contains all the values.
5. Select Generate tokens to get an access token and a refresh token.
NOTE
You'll need to generate a new Refresh token every 90 days.
You can now proceed with configuring your SIEM solution or connecting to the detections REST API through
programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive
detections from Microsoft Defender Security Center.
Related topics
Configure Splunk to pull Microsoft Defender ATP detections
Configure HP ArcSight to pull Microsoft Defender ATP detections
Microsoft Defender ATP Detection fields
Pull Microsoft Defender ATP detections using REST API
Troubleshoot SIEM tool integration issues
Configure Splunk to pull Microsoft Defender ATP detections
3/25/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections.
NOTE
A Microsoft Defender ATP Alert is composed of one or more detections.
A Microsoft Defender ATP Detection is composed of the suspicious event that occurred on the Machine and its related Alert
details.
Configure Splunk
1. Log in to Splunk.
2. Go to Settings > Data inputs.
3. Select Windows Defender ATP alerts under Local inputs.
NOTE: This input will only appear after you install the Windows Defender ATP Modular Inputs TA.
4. Click New.
5. Type the following values in the required fields, then click Save:
NOTE: All other values in the form are optional and can be left blank.
FIELD | VALUE
Name | Name for the Data Input
For UK: https://wdatp-alertexporter-uk.securitycenter.windows.com
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
TIP
To minimize Detection duplications, you can use the following query:
source="rest://wdatp:alerts" | spath | dedup _raw | table *
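Both connectors on this page poll the alert exporter endpoint with a sinceTimeUtc parameter, and the Splunk tip above de-duplicates identical records after the fact. The following is an added example, not code from the documentation or either connector, of the same two mechanics in Python: a poller that advances a watermark from the newest record it has delivered, re-requests a short overlap window so late-arriving records are not missed, and drops repeats by a content hash (the equivalent of `dedup _raw`). The HTTP call is injected as a callable so the logic runs offline; the exporter URL is the EU one shown in the ArcSight section; the detection records and their field names (AlertTime, AlertId, Severity, AlertTitle, ComputerDnsName) are constructed for this example; the 90-day check follows the refresh-token note in the SIEM integration steps.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

EXPORTER_URL = "https://wdatp-alertexporter-eu.windows.com/api/alerts/"   # EU endpoint from this page
REFRESH_TOKEN_LIFETIME = timedelta(days=90)                                # per the SIEM integration note


def parse_utc(text):
    """Parse an ISO 8601 UTC timestamp with a trailing Z; fractional seconds are trimmed to microseconds."""
    if not text.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z: " + text)
    head, _, fraction = text[:-1].partition(".")
    stamp = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=int((fraction or "0")[:6].ljust(6, "0")), tzinfo=timezone.utc)


def record_fingerprint(record):
    """Stable hash of a record's content, independent of key order (the Python counterpart of dedup _raw)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class DetectionPoller:
    """Fetches detections newer than a watermark and returns only records not delivered before."""

    def __init__(self, fetch, start_at, token_issued_at, overlap=timedelta(minutes=5)):
        self.fetch = fetch                    # callable(url) -> list of detection dicts (auth handled inside)
        self.watermark = start_at             # newest AlertTime delivered so far
        self.token_issued_at = token_issued_at
        self.overlap = overlap                # re-request this window behind the watermark for late records
        self.seen = set()

    def refresh_token_due(self, now):
        """True once the refresh token is 90 days old and must be regenerated in the portal."""
        return now - self.token_issued_at >= REFRESH_TOKEN_LIFETIME

    def request_url(self):
        since = (self.watermark - self.overlap).strftime("%Y-%m-%dT%H:%M:%SZ")
        return EXPORTER_URL + "?sinceTimeUtc=" + since

    def poll(self):
        """One fetch: returns the new detections in arrival order and advances the watermark."""
        fresh = []
        for record in self.fetch(self.request_url()):
            key = record_fingerprint(record)
            if key in self.seen:
                continue                      # repeat delivery inside the overlap window
            self.seen.add(key)
            fresh.append(record)
            self.watermark = max(self.watermark, parse_utc(record["AlertTime"]))
        return fresh


# Constructed detection batches; field names are illustrative, not the documented detection schema.
# The second batch repeats d2 (as an overlapping poll would) and adds d3.
SAMPLE_BATCHES = [
    [
        {"AlertId": "d1", "AlertTime": "2020-03-01T10:00:00.1234567Z", "Severity": "High",
         "AlertTitle": "Suspicious PowerShell command line", "ComputerDnsName": "niw_pc"},
        {"AlertId": "d2", "AlertTime": "2020-03-01T10:02:00Z", "Severity": "Low",
         "AlertTitle": "Network connection to a risky host", "ComputerDnsName": "mymachine1.contoso.com"},
    ],
    [
        {"AlertId": "d2", "AlertTime": "2020-03-01T10:02:00Z", "Severity": "Low",
         "AlertTitle": "Network connection to a risky host", "ComputerDnsName": "mymachine1.contoso.com"},
        {"AlertId": "d3", "AlertTime": "2020-03-01T10:05:30Z", "Severity": "Medium",
         "AlertTitle": "Unusual registry persistence", "ComputerDnsName": "niw_pc"},
    ],
]


def make_fake_fetch(batches):
    """Return an offline fetch callable that serves the constructed batches in order and logs the URLs."""
    queue = list(batches)
    calls = []

    def fetch(url):
        calls.append(url)
        return queue.pop(0) if queue else []

    fetch.calls = calls
    return fetch


if __name__ == "__main__":
    poller = DetectionPoller(make_fake_fetch(SAMPLE_BATCHES),
                             parse_utc("2020-03-01T09:00:00Z"), parse_utc("2019-12-01T00:00:00Z"))
    for _ in range(2):
        print([record["AlertId"] for record in poller.poll()], poller.watermark.isoformat())
```

In a long-running poller the `seen` set should be bounded (drop fingerprints older than the overlap window) and the watermark persisted, so a restart resumes from the last delivered record instead of re-ingesting history.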
Related topics
Enable SIEM integration in Microsoft Defender ATP
Configure ArcSight to pull Microsoft Defender ATP detections
Microsoft Defender ATP Detection fields
Pull Microsoft Defender ATP detections using REST API
Troubleshoot SIEM tool integration issues
Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
4/8/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft
Defender ATP detections.
NOTE
A Microsoft Defender ATP Alert is composed of one or more detections.
A Microsoft Defender ATP Detection is composed of the suspicious event that occurred on the Machine and its related Alert
details.
NOTE
You must put the configuration files in this location, where folder_location represents the location where you
installed the tool.
4. After the installation of the core connector completes, the Connector Setup window opens. In the
Connector Setup window, select Add a Connector.
5. Select Type: ArcSight FlexConnector REST and click Next.
6. Type the following information in the parameter details form. All other values in the form are optional and
can be left blank.
FIELD | VALUE
Configuration File | Type in the name of the client property file. The name must match the file provided in the .zip that you downloaded. For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
Events URL | Depending on the location of your datacenter, select either the EU or the US URL:
    For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
    For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
Refresh Token | You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.
7. A browser window is opened by the connector. Log in with your application credentials. After you log in,
you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth2 Client
so that the connector configuration can authenticate.
If the redirect_uri is an https URL, you'll be redirected to a URL on the local host. You'll see a page that
asks you to trust the certificate supplied by the connector running on the local host. You'll need to
trust this certificate if the redirect_uri is https.
If however you specify an http URL for the redirect_uri, you do not need to provide consent in trusting the
certificate.
8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window.
9. Select the ArcSight Manager (encrypted) as the destination and click Next.
10. Type in the destination IP/hostname in Manager Hostname and your credentials in the parameters form.
All other values in the form should be retained with the default values. Click Next.
11. Type in a name for the connector in the connector details form. All other values in the form are optional
and can be left blank. Click Next.
12. The ESM Manager import certificate window is shown. Select Import the certificate to connector
from destination and click Next. The Add connector Summary window is displayed and the certificate
is imported.
13. Verify that the details in the Add connector Summary window are correct, then click Next.
14. Select Install as a service and click Next.
15. Type a name in the Service Internal Name field. All other values in the form can be retained with the
default values or left blank. Click Next.
16. Type in the service parameters and click Next. A window with the Install Service Summary is shown.
Click Next.
17. Finish the installation by selecting Exit and Next.
Solution:
1. Stop the process by pressing Ctrl + C in the Connector window. Type Y when asked "Terminate batch job
Y/N?".
2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the
following value: reauthenticate=true .
3. Restart the connector by running the following command: arcsight.bat connectors .
A browser window appears. Allow it to run; it should disappear, and the connector should now be running.
NOTE
Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window
should appear.
Related topics
Enable SIEM integration in Microsoft Defender ATP
Configure Splunk to pull Microsoft Defender ATP detections
Pull Microsoft Defender ATP detections using REST API
Troubleshoot SIEM tool integration issues
Microsoft Defender ATP detections API fields
9/20/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
NOTE
A Microsoft Defender ATP Alert is composed of one or more detections.
A Microsoft Defender ATP Detection is composed of the suspicious event that occurred on the machine and its related Alert details.
Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API.
In general, the OAuth 2.0 protocol supports four types of flows:
Authorization grant flow
Implicit flow
Client credentials flow
Resource owner flow
For more information about the OAuth specifications, see the OAuth Website.
Microsoft Defender ATP supports the Authorization grant flow and Client credential flow to obtain access to pull detections,
with Azure Active Directory (AAD) as the authorization server.
The Authorization grant flow uses user credentials to get an authorization code, which is then used to obtain an access token.
The Client credential flow uses client credentials to authenticate against the Microsoft Defender ATP endpoint URL. This flow
is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials.
Use the following method in the Microsoft Defender ATP API to pull detections in JSON format.
NOTE
Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in their raw form based
on the query parameters you set, enabling you to apply your own grouping and filtering.
resource=https%3A%2F%2Fgraph.windows.net&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1488720683",
"not_before": "1488720683",
"resource": "https://graph.windows.net",
"access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
}
You can now use the value in the access_token field in a request to the Microsoft Defender ATP API.
Request
With an access token, your app can make authenticated requests to the Microsoft Defender ATP API. Your app must append
the access token to the Authorization header of each request.
Request syntax
Method: GET
Request URI:
For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts
For US: https://wdatp-alertexporter-us.windows.com/api/alerts
For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts
Request header
Header | Type | Description
Request parameters
Use optional query parameters to specify and control the amount of data returned in a response. If you call this method
without parameters, the response contains all the alerts in your organization in the last 2 hours.
Example:
https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines
Request example
The following example demonstrates how to retrieve all the detections in your organization.
GET https://wdatp-alertexporter-eu.windows.com/api/alerts
Authorization: Bearer <your access token>
The following example demonstrates a request to get the last 20 detections since 2016-09-12 00:00:00.
GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000
Authorization: Bearer <your access token>
Response
The return value is an array of alert objects in JSON format.
Here is an example return value:
{"AlertTime":"2017-01-23T07:32:54.1861171Z",
"ComputerDnsName":"desktop-bvccckk",
"AlertTitle":"Suspicious PowerShell commandline",
"Category":"SuspiciousActivity",
"Severity":"Medium",
"AlertId":"636207535742330111_-1114309685",
"Actor":null,
"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
"IocName":null,
"IocValue":null,
"CreatorIocName":null,
"CreatorIocValue":null,
"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
"FileName":"powershell.exe",
"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
"IpAddress":null,
"Url":null,
"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
"UserName":null,
"AlertPart":0,
"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
"ThreatCategory":null,
"ThreatFamily":null,
"ThreatName":null,
"RemediationAction":null,
"RemediationIsSuccess":null,
"Source":"Microsoft Defender ATP",
"Md5":null,
"Sha256":null,
"WasExecutingWhileDetected":null,
"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"}
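The following client is an added example for the request and response sections above; it is not code from the page or from Microsoft's own samples. It builds the client credentials token request, caches the token until shortly before its expires_on, builds the alert export URL with the page's query parameters (sinceTimeUtc, limit, repeated machinegroups), and groups the raw detections by AlertId, which is the merge the portal performs for you, while tracking the newest AlertTime as the next sinceTimeUtc watermark. The token endpoint path, the transport argument, TokenCache, poll_once and the sample records are assumptions of this example rather than names taken from the page.

```python
# Added example (not the page's code): pull Microsoft Defender ATP detections
# with the OAuth 2.0 client credentials flow. Assumes the token endpoint
# https://login.microsoftonline.com/<tenant>/oauth2/token, the resource
# https://graph.windows.net and the regional alert export URLs from the page;
# the HTTP transport is a parameter so the code runs offline on constructed data.
import json
import time
import urllib.parse
from collections import defaultdict

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
RESOURCE = "https://graph.windows.net"
ALERTS_URL = {r: f"https://wdatp-alertexporter-{r}.windows.com/api/alerts"
              for r in ("eu", "us", "uk")}


def build_token_request(tenant_id, client_id, client_secret):
    """(url, form body) for grant_type=client_credentials; urlencode
    percent-encodes '/', '+' and '=' in the secret as the page's body shows."""
    body = urllib.parse.urlencode({
        "resource": RESOURCE, "client_id": client_id,
        "client_secret": client_secret, "grant_type": "client_credentials",
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def build_alerts_url(region, since_utc=None, limit=None, machine_groups=()):
    """Alert export URL; 'machinegroups' is repeated once per group."""
    params = []
    if since_utc:
        params.append(("sinceTimeUtc", since_utc))
    if limit:
        params.append(("limit", str(limit)))
    params += [("machinegroups", g) for g in machine_groups]
    query = urllib.parse.urlencode(params)
    return ALERTS_URL[region] + ("?" + query if query else "")


class TokenCache:
    """Reuses an access token until `skew` seconds before its expires_on."""

    def __init__(self, fetch, skew=300):
        self._fetch, self._skew = fetch, skew   # fetch() returns the token JSON
        self._token, self._expires_on, self.fetches = None, 0, 0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_on - self._skew:
            resp = self._fetch()
            if resp.get("token_type") != "Bearer":
                raise ValueError("expected a Bearer token")
            self._token = resp["access_token"]
            self._expires_on = int(resp["expires_on"])  # string in the response
            self.fetches += 1
        return self._token


def pull_detections(transport, token, region, since_utc=None, limit=None):
    """GET raw detections; transport(url, headers) returns the response bytes."""
    url = build_alerts_url(region, since_utc, limit)
    return json.loads(transport(url, {"Authorization": "Bearer " + token}))


def group_by_alert(detections):
    """Group raw detections by AlertId, as the portal merges them, and return
    the newest AlertTime as the next sinceTimeUtc watermark. The 'Z' timestamps
    share one format, so string comparison orders them correctly."""
    groups, watermark = defaultdict(list), ""
    for d in detections:
        groups[d["AlertId"]].append(d)
        watermark = max(watermark, d["AlertTime"])
    return dict(groups), watermark


# Constructed sample data modelled on the responses shown on the page
SAMPLE_TOKEN = {"token_type": "Bearer", "expires_in": "3599",
                "expires_on": "1488720683", "access_token": "eyJ0...constructed"}
SAMPLE_DETECTIONS = [
    {"AlertId": "636207535742330111_-1114309685", "AlertPart": 0, "Severity": "Medium",
     "AlertTime": "2017-01-23T07:32:54.1861171Z", "FileName": "powershell.exe"},
    {"AlertId": "636207535742330111_-1114309685", "AlertPart": 1, "Severity": "Medium",
     "AlertTime": "2017-01-23T07:33:10.0000000Z", "FileName": "cmd.exe"},
    {"AlertId": "636207540000000000_-2", "AlertPart": 0, "Severity": "Low",
     "AlertTime": "2017-01-23T07:31:00.0000000Z", "FileName": "notepad.exe"},
]


def offline_transport(url, headers):
    """Constructed stand-in for urllib.request.urlopen serving SAMPLE_DETECTIONS."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return json.dumps(SAMPLE_DETECTIONS).encode()


def poll_once(transport=offline_transport, now=1488720000):
    """One poll cycle: token, pull, group; returns (alert count, next watermark)."""
    token = TokenCache(lambda: SAMPLE_TOKEN).get(now=now)
    raw = pull_detections(transport, token, "eu", "2017-01-23T00:00:00.000", 20)
    grouped, watermark = group_by_alert(raw)
    return len(grouped), watermark
```

To run this against the real service, replace offline_transport with a function that issues the GET through urllib.request.urlopen on a Request built with the same headers, and persist the returned watermark between polls so each run asks only for detections newer than the last one seen. The form body of the token request carries the client secret in clear, so never log it.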
Code examples
Get access token
The following code example demonstrates how to obtain an access token and call the Microsoft Defender ATP API.
Error codes
The Microsoft Defender ATP REST API returns the following error codes caused by an invalid request.
HTTP error code | Description
Related topics
Enable SIEM integration in Microsoft Defender ATP
Configure ArcSight to pull Microsoft Defender ATP detections
Configure Splunk to pull Microsoft Defender ATP detections
Microsoft Defender ATP Detection fields
Troubleshoot SIEM tool integration issues
Troubleshoot SIEM tool integration issues
2/6/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You might need to troubleshoot issues while pulling detections in your SIEM tools.
This page provides detailed steps to troubleshoot issues you might encounter.
Related topics
Enable SIEM integration in Microsoft Defender ATP
Configure ArcSight to pull Microsoft Defender ATP detections
Configure Splunk to pull Microsoft Defender ATP detections
Microsoft Defender ATP Detection fields
Pull Microsoft Defender ATP detections using REST API
Partner applications in Microsoft Defender ATP
8/9/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat
intelligence capabilities of the platform.
Support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other
vendors with Microsoft Defender ATP, enabling security teams to respond more effectively to modern threats.
Microsoft Defender ATP seamlessly integrates with existing security solutions - providing out of the box integration
with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC
indicators ingestions and matching, automated device investigation and remediation based on external alerts, and
integration with Security orchestration and automation response (SOAR) systems.
SIEM integration
Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system
interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API
enabling alert status management. For more information, see Enable SIEM integration.
Indicators matching
You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise
(IOCs).
Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry
and creating alerts when there's a match, and by leveraging prevention and automated response capabilities to block
execution and take remediation actions.
Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking
is supported for file indicators.
Applies to:
Microsoft Defender Advanced Threat Protection (Windows Defender ATP)
Connected applications integrate with the Microsoft Defender ATP platform using APIs.
Applications use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender
ATP APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control over
which APIs can be accessed using the corresponding app.
You'll need to follow these steps to use the APIs with the connected application.
Applies to:
Microsoft Defender Advanced Threat Protection (Windows Defender ATP)
The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs
interactively.
The API Explorer makes it easy to construct and perform API queries, test and send requests for any available
Microsoft Defender ATP API endpoint. You can also use the API Explorer to perform actions or find data that might
not yet be available through the user interface.
The tool is useful during app development because it allows you to perform API queries that respect your user
access settings, reducing the need to generate access tokens.
You can also use the tool to explore the gallery of sample queries, copy result code samples, and generate debug
information.
With the API Explorer, you can:
Run requests for any method and see responses in real-time
Quickly browse through the API samples and learn what parameters they support
Make API calls with ease; no need to authenticate beyond the management portal sign-in
Supported APIs
API Explorer supports all the APIs offered by Microsoft Defender ATP.
The list of supported APIs is available in the APIs documentation.
FAQ
Do I need to have an API token to use the API Explorer?
Credentials to access an API are not needed since the API Explorer uses the Microsoft Defender ATP management
portal token whenever it makes a request.
The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on
your behalf.
Specific API requests are limited based on your RBAC privileges; for example, a request to "Submit indicator" is
limited to the security admin role.
Manage portal access using role-based access
control
2/12/2020 • 2 minutes to read
Applies to:
Azure Active Directory
Office 365
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Using role-based access control (RBAC), you can create roles and groups within your security operations team to
grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control
over what users with access to the portal can see and do.
Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize
access to security portals. Typical tiers include the following three levels:
Microsoft Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you
granular control over what roles can see, machines they can access, and actions they can take. The RBAC
framework is centered around the following controls:
Control who can take specific action
Create custom roles and control what Microsoft Defender ATP capabilities they can access with
granularity.
Control who can see information on specific machine group or groups
Create machine groups by specific criteria such as names, tags, domains, and others, then grant role
access to them using a specific Azure Active Directory (Azure AD) user group.
To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign
Azure AD user groups to the roles.
Before you begin
Before using RBAC, it's important that you understand the roles that can grant permissions and the
consequences of turning on RBAC.
WARNING
Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in
Azure AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal.
When you first log in to Microsoft Defender Security Center, you're granted either full access or read only access.
Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD.
Read only access is granted to users with a Security Reader role in Azure AD.
Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all machines,
regardless of their machine group association and the Azure AD user group assignments.
WARNING
Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign
roles in Microsoft Defender Security Center, therefore, having the right groups ready in Azure AD is important.
Turning on role-based access control will cause users with read-only permissions (for example, users
assigned to Azure AD Security reader role) to lose access until they are assigned to a role.
Users with admin permissions are automatically assigned the default built-in Microsoft Defender ATP global administrator
role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or
Security Administrators to the Microsoft Defender ATP global administrator role.
After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
Related topic
Create and manage machine groups in Microsoft Defender ATP
Create and manage roles for role-based
access control
3/25/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's
commercially released. Microsoft makes no warranties, express or implied, with respect to the information
provided here.
NOTE
To view Threat & Vulnerability Management data, select Threat and vulnerability
management .
Manage portal system settings - Users can configure storage settings, SIEM
and threat intel API settings (applies globally), advanced settings, automated file
uploads, roles and machine groups.
NOTE
This setting is only available in the Microsoft Defender ATP administrator (default) role.
IMPORTANT
After creating roles, you'll need to create a machine group and provide access to the machine group by
assigning it to a role that you just created.
Edit roles
1. Select the role you'd like to edit.
2. Click Edit .
3. Modify the details or the groups that are assigned to the role.
4. Click Save and close .
Delete roles
1. Select the role you'd like to delete.
2. Click the drop-down button and select Delete role .
Related topic
User basic permissions to access the portal
Create and manage machine groups
Create and manage machine groups
2/12/2020 • 3 minutes to read
Applies to:
Azure Active Directory
Office 365
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
In an enterprise scenario, security operation teams are typically assigned a set of machines. These
machines are grouped together based on a set of attributes such as their domains, computer names,
or designated tags.
In Microsoft Defender ATP, you can create machine groups and use them to:
Limit access to related alerts and data to specific Azure AD user groups with assigned RBAC roles
Configure different auto-remediation settings for different sets of machines
Assign specific remediation levels to apply during automated investigations
In an investigation, filter the Machines list to just specific machine groups by using the Group
filter.
You can create machine groups in the context of role-based access (RBAC) to control who can take
specific action or see information by assigning the machine group(s) to a user group. For more
information, see Manage portal access using role-based access control.
TIP
For a comprehensive look into RBAC application, read: Is your SOC running flat with RBAC.
NOTE
A machine group is accessible to all users if you don’t assign any Azure AD groups to it.
TIP
If you want to group machines by organizational unit, you can configure the registry key for the group
affiliation. For more information on device tagging, see Create and manage machine tags.
4. Preview several machines that will be matched by this rule. If you are satisfied with the rule,
click the User access tab.
5. Assign the user groups that can access the machine group you created.
NOTE
You can only grant access to Azure AD user groups that have been assigned to RBAC roles.
WARNING
Deleting a machine group may affect email notification rules. If a machine group is configured under an email
notification rule, it will be removed from that rule. If the machine group is the only group configured for an
email notification, that email notification rule will be deleted along with the machine group.
By default, machine groups are accessible to all users with portal access. You can change the default
behavior by assigning Azure AD user groups to the machine group.
Machines that are not matched to any groups are added to Ungrouped machines (default) group. You
cannot change the rank of this group or delete it. However, you can change the remediation level of
this group, and define the Azure AD user groups that can access this group.
NOTE
Applying changes to machine group configuration may take up to several minutes.
Related topics
Manage portal access using role-based access control
Create and manage machine tags
Get list of tenant machine groups using Graph API
Create and manage machine tags
12/30/2019 • 2 minutes to read
Add tags on machines to create a logical group affiliation. Machine tags support proper mapping of the
network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of
an incident. Tags can be used as a filter in Machines list view, or to group machines. For more information on
machine grouping, see Create and manage machine groups.
You can add tags on machines using the following ways:
Using the portal
Setting a registry key value
NOTE
There may be some latency between the time a tag is added to a machine and its availability in the machines list and
machine page.
To add machine tags using API, see Add or remove machine tags API.
NOTE
Filtering might not work on tag names that contain parenthesis.
Machines with similar tags can be handy when you need to apply contextual action on a specific list of
machines.
Use the following registry key entry to add a tag on a machine:
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Registry key value (REG_SZ): Group
Registry key data: Name of the tag you want to set
NOTE
The device tag is part of the machine information report that's generated once a day. As an alternative, you may
restart the endpoint, which sends a new machine information report.
Configure managed security service provider
integration
2/6/2020 • 8 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
You'll need to take the following configuration steps to enable the managed security service provider (MSSP)
integration.
NOTE
The following terms are used in this article to distinguish between the service provider and service consumer:
MSSPs: Security organizations that offer to monitor and manage security devices for an organization.
MSSP customers: Organizations that engage the services of MSSPs.
As an MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft
Defender Security Center.
Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B
functionality.
You'll need to take the following 2 steps:
Add MSSP user to your tenant as a guest user
Grant MSSP user access to Microsoft Defender Security Center
Add MSSP user to your tenant as a guest user
Add a user who is a member of the MSSP tenant to your tenant as a guest user.
To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more
information, see Add Azure Active Directory B2B collaboration users in the Azure portal.
Grant MSSP user access to Microsoft Defender Security Center
Grant the guest user access and permissions to your Microsoft Defender Security Center tenant.
Granting access to a guest user is done the same way as granting access to a user who is a member of your tenant.
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role
in your tenant. For more information, see Use basic permissions to access the portal.
If you're using role-based access control (RBAC), the guest user must be added to the appropriate group or
groups in your tenant. For more information on RBAC in Windows Defender ATP, see Manage portal access using
RBAC.
NOTE
There is no difference between the Member user and Guest user roles from RBAC perspective.
It is recommended that groups are created for MSSPs to make authorization access more manageable.
As an MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the
Azure AD user groups.
MSSPs however, will need to use a tenant-specific URL in the following format:
https://securitycenter.windows.com?tid=customer_tenant_id to access the MSSP customer portal.
In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific
URL:
1. As an MSSP, sign in to Azure AD with your credentials.
2. Switch directory to the MSSP customer's tenant.
3. Select Azure Active Directory > Properties . You'll find the tenant ID in the Directory ID field.
4. Access the MSSP customer portal by replacing the customer_tenant_id value in the following URL:
https://securitycenter.windows.com?tid=customer_tenant_id .
After access to the portal is granted, alert notification rules can be created so that emails are sent to MSSPs when
alerts associated with the tenant are created and the set conditions are met.
For more information, see Create rules for alert notifications.
These check boxes must be checked:
Include organization name - The customer name will be added to email notifications
Include tenant-specific portal link - Alert link URL will have tenant specific parameter (tid=target_tenant_id)
that allows direct access to target tenant portal
Fetch alerts from MSSP customer's tenant into the SIEM system
NOTE
This action is taken by the MSSP.
To fetch alerts into your SIEM system you'll need to take the following steps:
Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
Step 3: Whitelist your application on Microsoft Defender Security Center
Step 1: Create an application in Azure Active Directory (Azure AD)
You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows
Defender ATP tenant.
1. Sign in to the Azure AD portal.
2. Select Azure Active Directory > App registrations .
3. Click New registration .
4. Specify the following values:
Name: <Tenant_name> SIEM MSSP Connector (replace Tenant_name with the tenant display name)
Supported account types: Account in this organizational directory only
Redirect URI: Select Web and type https://<domain_name>/SiemMsspConnector (replace <domain_name>
with the tenant name)
5. Click Register . The application is displayed in the list of applications you own.
6. Select the application, then click Overview .
7. Copy the value from the Application (client) ID field to a safe place, you will need this in the next step.
8. Select Certificate & secrets in the new application panel.
9. Click New client secret .
Description: Enter a description for the key.
Expires: Select In 1 year
10. Click Add , copy the value of the client secret to a safe place, you will need this in the next step.
Step 2: Get access and refresh tokens from your customer's tenant
This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script
uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization
Code Flow.
After providing your credentials, you'll need to grant consent to the application so that the application is
provisioned in the customer's tenant.
1. Create a new folder and name it: MsspTokensAcquisition .
2. Download the LoginBrowser.psm1 module and save it in the MsspTokensAcquisition folder.
NOTE
In line 30, replace authorzationUrl with authorizationUrl .
3. Create a file with the following content and save it with the name MsspTokensAcquisition.ps1 in the folder:
param (
    [Parameter(Mandatory=$true)][string]$clientId,
    [Parameter(Mandatory=$true)][string]$secret,
    [Parameter(Mandatory=$true)][string]$tenantId
)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Configuration parameters
$login = "https://login.microsoftonline.com"
$redirectUri = "https://SiemMsspConnector"
$resourceId = "https://graph.windows.net"

# Load the LoginBrowser.psm1 module saved in this folder in step 2
# (module path and call signature below are assumed; check the module you downloaded)
Import-Module "$PSScriptRoot\LoginBrowser.psm1"

Write-Host 'Prompt the user for his credentials, to get an authorization code'
$authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f $login, $tenantId, $clientId, $redirectUri, $resourceId)
Write-Host "authorizationUrl: $authorizationUrl"

# Open the browser for sign-in and consent and capture the authorization code
# returned on the redirect URI; $code must be set before the token exchange
$code = LoginBrowser $authorizationUrl $redirectUri

# Exchange the authorization code for an access token and a refresh token
$Body = @{
    grant_type    = 'authorization_code'
    client_id     = $clientId
    code          = $code
    redirect_uri  = $redirectUri
    resource      = $resourceId
    client_secret = $secret
}
$tokenEndpoint = "$login/$tenantId/oauth2/token?"
$Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
$token = $Response.access_token
$refreshToken = $Response.refresh_token

# Show both tokens; the refresh token is the one to keep for the SIEM connector (step 8)
Write-Host "Access token: $token"
Write-Host "Refresh token: $refreshToken"
Replace <client_id> with the Application (client) ID you got from the previous step.
Replace <app_key> with the Client Secret you created from the previous step.
Replace <customer_tenant_id> with your customer's Tenant ID .
7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to
configure your SIEM connector.
Step 3: Whitelist your application on Microsoft Defender Security Center
You'll need to whitelist the application you created in Microsoft Defender Security Center.
You'll need to have Manage portal system settings permission to whitelist the application. Otherwise, you'll
need to request your customer to whitelist the application for you.
1. Go to https://securitycenter.windows.com?tid=<customer_tenant_id> (replace <customer_tenant_id> with the
customer's tenant ID).
2. Click Settings > SIEM .
3. Select the MSSP tab.
4. Enter the Application ID from the first step and your Tenant ID .
5. Click Authorize application .
You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API.
For more information, see Pull alerts to your SIEM tools.
In the ArcSight configuration file / Splunk Authentication Properties file you will have to enter your application
key manually by setting the secret value.
Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh
token (or acquire it by other means).
Related topics
Use basic permissions to access the portal
Manage portal access using RBAC
Pull alerts to your SIEM tools
Pull alerts using REST API
Microsoft Defender ATP partner opportunities and
scenarios
1/13/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Partners can easily extend their existing security offerings on top of the open framework and a rich and complete
set of APIs to build extensions and integrations with Microsoft Defender ATP.
The APIs span functional areas including detection, management, response, vulnerabilities, and intelligence,
covering a wide range of use cases. Based on the use case and need, partners can either stream or query data from
Microsoft Defender ATP.
Related topic
Overview of management and APIs
Managed security service provider partnership
opportunities
1/13/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Security is recognized as a key component in running an enterprise; however, some organizations might not have
the capacity or expertise to maintain a dedicated security operations team to manage the security of their endpoints
and network, and others may want a second set of eyes to review alerts in their network.
To address this demand, managed security service providers (MSSP) offer to deliver managed detection and
response (MDR) services on top of Microsoft Defender ATP.
Microsoft Defender ATP adds partnership opportunities for this scenario and allows MSSPs to take the following
actions:
Get access to MSSP customer's Microsoft Defender Security Center portal
Get email notifications, and
Fetch alerts through security information and event management (SIEM) tools
Related topic
Configure managed security service provider integration
Become a Microsoft Defender ATP partner
1/13/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
To become a Microsoft Defender ATP solution partner, you'll need to follow and complete the following steps.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
Office 365 ATP data is displayed for events within the last 30 days. For alerts, Office 365 ATP data is displayed based on first
activity time. After that, the data is no longer available in Office 365 ATP.
Related topics
Configure integration and other advanced features
Microsoft Threat Protection overview
Turn on Microsoft Threat Protection
Protect users, data, and devices with Conditional Access
Enable Conditional Access to better protect users,
devices, and data
2/12/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Conditional Access is a capability that helps you better protect your users and enterprise information by making
sure that only secure devices have access to applications.
With Conditional Access, you can control access to enterprise information based on the risk level of a device. This
helps keep trusted users on trusted devices using trusted applications.
You can define security conditions under which devices and applications can run and access information from your
network by enforcing policies to stop applications from running until a device returns to a compliant state.
The implementation of Conditional Access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device
compliance policies and Azure Active Directory (Azure AD) conditional access policies.
The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device
compliance policy rules to access applications.
Related topic
Configure Conditional Access in Microsoft Defender ATP
Microsoft Cloud App Security in Microsoft Defender ATP overview
3/18/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps
and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements
on data stored in the cloud. For more information, see Cloud App Security.
NOTE
This feature is available with an E5 license for Enterprise Mobility + Security on machines running Windows 10 version 1809
or later.
The integration provides the following major improvements to the existing Cloud App Security discovery:
Available everywhere - Since the network activity is collected directly from the endpoint, it's available
wherever the device is, on or off the corporate network, as it no longer depends on traffic routed through the
enterprise firewall or proxy servers.
Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security
requires firewall and proxy server configuration. With the Microsoft Defender ATP and Cloud App Security
integration, there's no configuration required. Just switch it on in Microsoft Defender Security Center
settings and you're good to go.
Device context - Cloud traffic logs lack device context. Microsoft Defender ATP network activity is reported
with the device context (which device accessed the cloud app), so you are able to understand exactly where
(device) the network activity took place, in addition to who (user) performed it.
For more information about cloud discovery, see Working with discovered apps.
Related topic
Configure Microsoft Cloud App Security integration
Information protection in Windows overview
4/6/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep
sensitive data secure while enabling productivity in the workplace.
TIP
Read our blog post about how Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect,
and monitor sensitive data on Windows devices.
Microsoft Defender ATP applies the following methods to discover, classify, and protect data:
Data discovery - Identify sensitive data on Windows devices at risk
Data classification - Automatically classify data based on common Microsoft Information Protection (MIP)
policies managed in Office 365 Security & Compliance Center. Auto-classification allows you to protect sensitive
data even if the end user hasn’t manually classified it.
Data protection - Windows Information Protection (WIP) applied as an outcome of an Azure Information Protection label
Notice the Device Risk column on the right. This device risk is derived directly from Microsoft Defender ATP and
indicates the risk level of the device where the file was discovered, based on the active security threats
detected by Microsoft Defender ATP.
Click on a device to view a list of files observed on this device, with their sensitivity labels and information types.
NOTE
Please allow approximately 15-20 minutes for the Azure Information Protection Dashboard Discovery to reflect discovered
files.
Log Analytics
Data discovery based on Microsoft Defender ATP is also available in Azure Log Analytics, where you can perform
complex queries over the raw data.
For more information on Azure Information Protection analytics, see Central reporting for Azure Information
Protection.
Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic).
To view Microsoft Defender ATP data, perform a query that contains:
InformationProtectionLogs_CL
| where Workload_s == "Windows Defender"
Prerequisites:
Customers must have a subscription for Azure Information Protection.
Enable Azure Information Protection integration in Microsoft Defender Security Center:
Go to Settings in Microsoft Defender Security Center, click on Advanced Settings under General.
Related topics
How Windows Information Protection protects files with a sensitivity label
Access the Microsoft Defender ATP Community Center
5/15/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and
share experiences about the product.
There are several spaces you can explore to learn about specific information:
Announcements
What's new
Threat Intelligence
There are several ways you can access the Community Center:
In the Microsoft Defender Security Center navigation pane, select Community center. A new browser tab
opens and takes you to the Microsoft Defender ATP Tech Community page.
Access the community through the Microsoft Defender Advanced Threat Protection Tech Community page
You can instantly view and read conversations that have been posted in the community.
To get the full experience within the community such as being able to comment on posts, you'll need to join the
community. For more information on how to get started in the Microsoft Tech Community, see Microsoft Tech
Community: Getting Started.
Helpful Microsoft Defender Advanced Threat Protection resources
1/21/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This page collects links to blogs and other resources related to Microsoft Defender Advanced Threat
Protection.
Operational
The Golden Hour remake - Defining metrics for a successful security operations
Microsoft Defender ATP Evaluation lab is now available in public preview
How automation brings value to your security teams
Check sensor health state in Microsoft Defender ATP
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The sensor health tile is found on the Security Operations dashboard. This tile provides information on the
individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It
reports how many machines require attention and helps you identify problematic machines and take action to
correct known issues.
There are two status indicators on the tile that provide information on the number of machines that are not
reporting properly to the service:
Misconfigured - These machines might partially be reporting sensor data to the Microsoft Defender ATP
service and might have configuration errors that need to be corrected.
Inactive - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven
days in the past month.
Clicking any of the groups directs you to the Machines list, filtered according to your choice.
You can also download the entire list in CSV format using the Export to CSV feature. For more information on
filters, see View and organize the Machines list.
You can filter the health state list by the following status:
Active - Machines that are actively reporting to the Microsoft Defender ATP service.
Misconfigured - These machines might partially be reporting sensor data to the Microsoft Defender ATP
service but have configuration errors that need to be corrected. Misconfigured machines can have either one or
a combination of the following issues:
No sensor data - The machine has stopped sending sensor data. Only limited alerts can be triggered from the
machine.
Impaired communications - Ability to communicate with machine is impaired. Sending files for deep
analysis, blocking files, isolating machine from network and other actions that require communication
with the machine may not work.
Inactive - Machines that have stopped reporting to the Microsoft Defender ATP service.
You can view the machine details when you click on a misconfigured or inactive machine.
In the Machines list, you can download a full list of all the machines in your organization in a CSV format.
NOTE
Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization,
regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on
how large your organization is.
Related topic
Fix unhealthy sensors in Microsoft Defender ATP
Fix unhealthy sensors in Microsoft Defender ATP
9/20/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section
provides some explanations as to what might have caused a machine to be categorized as inactive or
misconfigured.
Inactive machines
An inactive machine is not necessarily flagged due to an issue. The following actions taken on a machine can cause
a machine to be categorized as inactive:
Machine is not in use
If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the
portal.
Machine was reinstalled or renamed
A reinstalled or renamed machine will generate a new machine entity in Microsoft Defender Security Center. The
previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed
the Microsoft Defender ATP package, search for the new machine name to verify that the machine is reporting
normally.
Machine was offboarded
If the machine was offboarded it will still appear in the Machines list. After 7 days, the machine health state should
change to inactive.
Machine is not sending signals
If the machine is not sending any signals for more than 7 days to any of the Microsoft Defender ATP channels for
any reason, including conditions that fall under the misconfigured machines classification, the machine can be
considered inactive.
Do you expect a machine to be in ‘Active’ status? Open a support ticket.
Misconfigured machines
Misconfigured machines can further be classified as:
Impaired communications
No sensor data
Impaired communications
This status indicates that there's limited communication between the machine and the service.
The following suggested actions can help fix issues related to a misconfigured machine with impaired
communications:
Ensure the machine has Internet connection
The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and
communicate with the Microsoft Defender ATP service.
Verify client connectivity to Microsoft Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through
the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP
service URLs.
If you took corrective actions and the machine status is still misconfigured, open a support ticket.
No sensor data
A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report
partial sensor data. Follow these actions to correct known issues related to a misconfigured machine with status
‘No sensor data’:
Ensure the machine has Internet connection
The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and
communicate with the Microsoft Defender ATP service.
Verify client connectivity to Microsoft Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through
the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP
service URLs.
Ensure the diagnostic data service is enabled
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data
service is set to automatically start and is running on the endpoint.
Ensure that Windows Defender Antivirus is not disabled by policy
If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the
Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, open a support ticket.
Related topic
Check sensor health state in Microsoft Defender ATP
Review events and errors using Event Viewer
9/20/2019 • 10 minutes to read
Applies to:
Event Viewer
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can review event IDs in the Event Viewer on individual machines.
For example, if machines are not appearing in the Machines list , you might need to look for event IDs on the
machines. You can then use this table to determine further troubleshooting steps.
NOTE
It can take several days for machines to begin reporting to the Microsoft Defender ATP service.
Open Event Viewer and find the Microsoft Defender ATP service event log:
1. Click Start on the Windows menu, type Event Viewer, and press Enter.
2. In the log list, under Log Summary, scroll until you see Microsoft-Windows-SENSE/Operational.
Double-click the item to open the log.
a. You can also access the log by expanding Applications and Services Logs > Microsoft > Windows
> SENSE and clicking on Operational.
NOTE
SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP.
3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by
the service.
Each entry below gives the event ID, the logged message, a description, and the recommended action.

Event ID 12
Message: Microsoft Defender Advanced Threat Protection failed to apply the default configuration.
Description: Service was unable to apply the default configuration.
Action: This error should resolve after a short period of time.

Event ID 17
Message: Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 18
Message: OOBE (Windows Welcome) is completed.
Description: Service will only start after any Windows updates have finished installing.
Action: Normal operating notification; no action required.

Event ID 19
Message: OOBE (Windows Welcome) has not yet completed.
Description: Service will only start after any Windows updates have finished installing.
Action: Normal operating notification; no action required. If this error persists after a system restart, ensure all Windows updates have fully installed.

Event ID 20
Message: Cannot wait for OOBE (Windows Welcome) to complete. Failure code: variable.
Description: Internal error.
Action: If this error persists after a system restart, ensure all Windows updates have fully installed.

Event ID 25
Message: Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: variable.
Description: The machine did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 26
Message: Microsoft Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: variable.
Description: The machine did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 28
Message: Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 29
Message: Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3
Description: This event occurs when the system can't read the offboarding parameters.
Action: Ensure the machine has Internet access, then run the entire offboarding process again. Ensure the offboarding package has not expired.

Event ID 31
Message: Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: variable.
Description: An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.
Action: Check for errors with the Windows telemetry service.

Event ID 32
Message: Microsoft Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1
Description: An error occurred during offboarding.
Action: Reboot the machine.

Event ID 34
Message: Microsoft Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.

Event ID 35
Message: Microsoft Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: variable.
Description: An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.
Action: Check for errors with the Windows diagnostic data service.

Event ID 40
Message: Battery state is identified as low. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.
Description: The machine has low battery level and will contact the server less frequently.
Action: Normal operating notification; no action required.

Event ID 42
Message: Microsoft Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4
Description: Internal error. The service failed to start.
Action: If this error persists, contact Support.

Event ID 43
Message: Microsoft Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5
Description: Internal error. The service failed to start.
Action: If this error persists, contact Support.

Event ID 45
Message: Failed to register and to start the event trace session [%1]. Error code: %2
Description: An error occurred on service startup while creating ETW session. This caused service start-up failure.
Action: If this error persists, contact Support.

Event ID 48
Message: Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported.
Description: Failed to add a provider to ETW session. As a result, the provider events aren't reported.
Action: Check the error code. If the error persists contact Support.
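The following script is an added example, not part of the Microsoft documentation: it runs the local checks described under "Fix unhealthy sensors" (sensor, telemetry and antivirus services, the WinHTTP proxy, Windows Defender AV state) and summarizes recent events from the Microsoft-Windows-SENSE/Operational log against the table above. The service short names Sense, DiagTrack and WinDefend and the Get-MpComputerStatus property names are assumptions not stated on this page.

```powershell
# Added example, not from the Microsoft docs: local triage for the "Fix unhealthy sensors"
# checks plus a summary of recent Microsoft-Windows-SENSE/Operational events mapped to the
# actions in the table above. Run in an elevated PowerShell session on the endpoint.

# Recommended actions for the event IDs in the table that call for attention.
$SenseEventGuidance = @{
    12 = 'Default configuration not applied; should resolve after a short period of time.'
    17 = 'Telemetry service error: ensure the diagnostic data service is enabled; redeploy the onboarding package.'
    20 = 'Cannot wait for OOBE: if it persists after a restart, ensure all Windows updates have fully installed.'
    25 = 'Health status not reset in the registry: verify onboarding settings and scripts; redeploy the package.'
    26 = 'Onboarding status not set in the registry: verify onboarding settings and scripts; redeploy the package.'
    28 = 'Telemetry service registration failed: ensure the diagnostic data service is enabled; redeploy the package.'
    29 = 'Offboarding parameters unreadable: check Internet access and that the offboarding package has not expired.'
    31 = 'Telemetry unregistration failed during offboarding: check the Windows telemetry service.'
    32 = 'Service could not stop itself after offboarding: reboot the machine.'
    34 = 'Telemetry service dependency not added: ensure the diagnostic data service is enabled; redeploy the package.'
    35 = 'Telemetry service dependency not removed: check the Windows diagnostic data service.'
    42 = 'WDATP component failed to perform action, service failed to start: contact Support if it persists.'
    43 = 'WDATP component failed to perform action, service failed to start: contact Support if it persists.'
    45 = 'ETW session could not be registered or started: contact Support if it persists.'
    48 = 'ETW provider not added, its events are not reported: check the error code; contact Support if it persists.'
}

function Test-SenseServices {
    # Service short names (assumed, not given on the page): Sense = the ATP sensor,
    # DiagTrack = Connected User Experiences and Telemetry, WinDefend = Windows Defender Antivirus.
    foreach ($name in 'Sense', 'DiagTrack', 'WinDefend') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Status    = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
            StartType = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
            # The diagnostic data service must be set to start automatically and be running.
            Healthy   = [bool]$svc -and $svc.Status -eq 'Running' -and
                        ($name -ne 'DiagTrack' -or $svc.StartType -eq 'Automatic')
        }
    }
}

function Test-SenseProxy {
    # The sensor reports through WinHTTP, so the machine-wide WinHTTP proxy is what matters,
    # not the per-user browser proxy.
    $raw = (& netsh.exe winhttp show proxy) -join ' '
    [pscustomobject]@{
        WinHttpProxy = ($raw -replace '\s+', ' ').Trim()
        DirectAccess = [bool]($raw -match 'Direct access')
    }
}

function Test-DefenderAvState {
    # A third-party antimalware client makes Windows Defender AV step aside; the ATP agent
    # still needs the ELAM driver, and AV must not be disabled by policy.
    $s = Get-MpComputerStatus -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AMServiceEnabled   = [bool]$s.AMServiceEnabled
        AntivirusEnabled   = [bool]$s.AntivirusEnabled
        RealTimeProtection = [bool]$s.RealTimeProtectionEnabled
        RunningMode        = if ($s.PSObject.Properties['AMRunningMode']) { $s.AMRunningMode } else { 'n/a' }
    }
}

function Get-SenseEventSummary {
    param([int]$Days = 7)
    # Log name taken from the page; StartTime restricts the query to recent events.
    $filter = @{ LogName = 'Microsoft-Windows-SENSE/Operational'; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events | Group-Object -Property Id | Sort-Object { [int]$_.Name } | ForEach-Object {
        $id = [int]$_.Name
        $action = $SenseEventGuidance[$id]
        if (-not $action) { $action = 'Normal operating notification; no action required.' }
        [pscustomobject]@{
            EventId  = $id
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            Action   = $action
        }
    }
}

'== Services ==';                   Test-SenseServices    | Format-Table -AutoSize
'== WinHTTP proxy ==';              Test-SenseProxy       | Format-List
'== Windows Defender AV ==';        Test-DefenderAvState  | Format-List
'== SENSE events (last 7 days) =='; Get-SenseEventSummary | Format-Table -AutoSize -Wrap
```

If a machine shows as Misconfigured in the portal, the output of the first three sections usually explains which of the corrective actions above applies; the event summary then confirms whether onboarding or telemetry errors are still recurring.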
Related topics
Onboard Windows 10 machines
Configure machine proxy and Internet connectivity settings
Troubleshoot Microsoft Defender ATP
Troubleshoot service issues
9/20/2019 • 2 minutes to read
This section addresses issues that might arise as you use the Microsoft Defender Advanced Threat Protection service.
NOTE
You must use the HTTPS protocol when adding the following endpoints.
Microsoft Defender ATP service shows event or error logs in the Event Viewer
See the topic Review events and errors using Event Viewer for a list of event IDs that are reported by the Microsoft
Defender ATP service. The topic also contains troubleshooting steps for event errors.
Microsoft Defender ATP service fails to start after a reboot and shows error 577
If onboarding machines successfully completes but Microsoft Defender ATP does not start after a reboot and
shows error 577, check that Windows Defender is not disabled by a policy.
For more information, see Ensure that Windows Defender Antivirus is not disabled by policy.
Related topics
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Review events and errors using Event Viewer
Check the Microsoft Defender Advanced Threat Protection service health
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Service health tile provides information on the current status of the Windows Defender ATP service. You'll be able
to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related
to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution
time.
You'll also see information on historical issues that have been resolved and details such as the date and time when
the issue was resolved. When there are no issues on the service, you'll see a healthy status.
You can view details on the service health by clicking the tile from the Security operations dashboard or
selecting the Service health menu from the navigation pane.
The Service health details page has the following tabs:
Current status
Status history
Current status
The Current status tab shows the current state of the Microsoft Defender ATP service. When the service is
running smoothly a healthy service health is shown. If there are issues seen, the following service details are
shown to help you gain better insight about the issue:
Date and time for when the issue was detected
A short description of the issue
Update time
Summary of impact
Preliminary root cause
Next steps
Expected resolution time
Updates on the progress of an issue are reflected on the page as the issue gets resolved. You'll see updates on
information such as an updated estimated resolution time or next steps.
When an issue is resolved, it gets recorded in the Status history tab.
Status history
The Status history tab reflects all the historical issues that were seen and resolved. You'll see details of the
resolved issues along with the other information that was included while each was being resolved.
Related topic
View the Security operations dashboard
Troubleshoot Microsoft Defender Advanced Threat Protection live response issues
4/2/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This page provides detailed steps to troubleshoot live response issues.
# Path of the file to copy is passed as the first script argument.
$copied_file_path=$args[0]
# Copy into the temp folder; -PassThru returns the copied item, or nothing on failure.
$action=Copy-Item $copied_file_path -Destination $env:TEMP -PassThru -ErrorAction silentlyContinue
if ($action){
Write-Host "You copied the file specified in $copied_file_path to $env:TEMP Successfully"
}
else{
Write-Output "Error occurred while trying to copy a file, details:"
# $error[0] holds the most recent error record.
Write-Output $error[0].exception.message
}
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IT administrators
When you use Network protection you may encounter issues, such as:
Network protection blocks a website that is safe (false positive)
Network protection fails to block a suspicious or known malicious website (false negative)
There are four steps to troubleshooting these problems:
1. Confirm prerequisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
4. Submit support logs
Confirm prerequisites
Network protection will only work on devices with the following conditions:
Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators
Update).
Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other antivirus
app will cause Windows Defender AV to disable itself.
Real-time protection is enabled.
Cloud-delivered protection is enabled.
Audit mode is not enabled. Use Group Policy to set the rule to Disabled (value: 0).
2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to
the IP address you do or don't want to block).
3. Review the network protection event logs to see if the feature would have blocked the connection if it had
been set to Enabled.
If network protection is not blocking a connection that you are expecting it should block, enable the feature.
Set-MpPreference -EnableNetworkProtection Enabled
mpcmdrun -getfiles
Related topics
Network protection
Evaluate network protection
Enable network protection
Troubleshoot attack surface reduction rules
12/23/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
When you use attack surface reduction rules you may run into issues, such as:
A rule blocks a file, process, or performs some other action that it should not (false positive)
A rule does not work as described, or does not block a file or process that it should (false negative)
There are four steps to troubleshooting these problems:
1. Confirm prerequisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
4. Submit support logs
Confirm prerequisites
Attack surface reduction rules will only work on devices with the following conditions:
Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other
antivirus app will cause Windows Defender AV to disable itself.
Real-time protection is enabled.
Audit mode is not enabled. Use Group Policy to set the rule to Disabled (value: 0) as described in Enable
attack surface reduction rules.
If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.
IMPORTANT
You can specify individual files and folders to be excluded, but you cannot specify individual rules. This means any files or
folders that are excluded will be excluded from all ASR rules.
mpcmdrun -getfiles
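The four troubleshooting steps are the same for network protection and for attack surface reduction rules, so the following added example (not code from the original page or from Microsoft) walks through them once for both. It assumes an elevated PowerShell session on a Windows 10 1709 or later endpoint with the Defender cmdlets available; the event IDs 1121/1122 (ASR block/audit) and 1125/1126 (network protection audit/block) in the Microsoft-Windows-Windows Defender/Operational log are Microsoft's documented values and are not taken from this page, and the rule GUID and file path in the example run are placeholders.

```powershell
# Added example, not from the original page: the four troubleshooting steps shared by the
# network protection and attack surface reduction (ASR) sections above, as PowerShell.
# Assumptions: elevated PowerShell on a Windows 10 1709+ endpoint with the Defender cmdlets;
# event IDs 1121/1122 (ASR block/audit) and 1125/1126 (network protection audit/block) are
# Microsoft's documented IDs for the Defender operational log, not values from this page.

$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

function Test-ProtectionPrerequisites {
    # Step 1: the conditions listed under "Confirm prerequisites" for both features.
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        'Windows 10 1709 or later (build 16299+)' = [int]$os.BuildNumber -ge 16299
        'Defender AV active (sole AV)'            = [bool]($status.AMServiceEnabled -and $status.AntivirusEnabled)
        'Real-time protection enabled'            = [bool]$status.RealTimeProtectionEnabled
        'Cloud-delivered protection enabled'      = $pref.MAPSReporting -ne 0   # required by network protection
        'Network protection mode'                 = @('Disabled', 'Enabled', 'AuditMode')[[int]$pref.EnableNetworkProtection]
    }
}

function Set-ProtectionAuditMode {
    param([string[]]$AsrRuleIds)
    # Step 2: audit mode logs what the feature *would* block without blocking it.
    # Add-MpPreference updates only the listed rules; Set-MpPreference with
    # -AttackSurfaceReductionRules_Ids would replace the whole configured rule list.
    Set-MpPreference -EnableNetworkProtection AuditMode
    foreach ($id in $AsrRuleIds) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Get-ProtectionAuditEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # Step 3 (review): audit events show what would have been blocked; block events confirm
    # the feature fired once it is set back to Enabled.
    $kinds = @{ 1121 = 'ASR block'; 1122 = 'ASR audit'; 1125 = 'Network protection audit'; 1126 = 'Network protection block' }
    Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = @(1121, 1122, 1125, 1126); StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Kind   = $kinds[$_.Id]
                Detail = $_.Message   # rule ID and path for ASR; URI or IP for network protection
            }
        }
}

function Add-AsrPathExclusion {
    param([Parameter(Mandatory)][string[]]$Path)
    # Step 3 (false positives): per the IMPORTANT note above, an exclusion applies to every
    # ASR rule, not to one rule, so exclude a single file rather than a directory tree.
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
    (Get-MpPreference).AttackSurfaceReductionOnlyExclusions
}

function Get-DefenderSupportLogs {
    # Step 4: the page's "mpcmdrun -getfiles", which packages the Defender support files.
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -getfiles
}

# Example run. Read-only steps run as-is; the configuration changes are left commented
# because the rule GUID is a placeholder (real GUIDs are in "Attack surface reduction rules")
# and the excluded path is a constructed sample.
Test-ProtectionPrerequisites | Format-List
Get-ProtectionAuditEvents | Format-Table -AutoSize
# Set-ProtectionAuditMode -AsrRuleIds '00000000-0000-0000-0000-000000000000'
# Add-AsrPathExclusion -Path 'C:\ConstructedSample\LineOfBusinessApp\app.exe'
# Set-MpPreference -EnableNetworkProtection Enabled   # re-enable once the audit test is done
# Get-DefenderSupportLogs
```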
Related articles
Attack surface reduction rules
Enable attack surface reduction rules
Evaluate attack surface reduction rules
Review event logs and error codes to troubleshoot
issues with Windows Defender Antivirus
11/20/2019 • 33 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a
matching issue and potential solution.
The tables list:
Windows Defender Antivirus event IDs (these apply to both Windows 10 and Windows Server 2016)
Windows Defender Antivirus client error codes
Internal Windows Defender Antivirus client error codes (used by Microsoft during development and testing)
TIP
You can also visit the Microsoft Defender ATP demo website at demo.wd.microsoft.com to confirm the following features
are working:
Cloud-delivered protection
Fast learning (including Block at first sight)
Potentially unwanted application blocking
Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example: Antivirus, Antispyware, Antimalware
Scan Parameters: <Scan parameters>, for example: Full scan, Quick scan, Customer scan
Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
User: <Domain>\<User>

Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example: Antivirus, Antispyware, Antimalware
Scan Parameters: <Scan parameters>, for example: Full scan, Quick scan, Customer scan
User: <Domain>\<User>
Scan Time: <The duration of a scan.>

Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example: Antivirus, Antispyware, Antimalware
Scan Parameters: <Scan parameters>, for example: Full scan, Quick scan, Customer scan
User: <Domain>\<User>
Scan Time: <The duration of a scan.>

Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example: Antivirus, Antispyware, Antimalware
Scan Parameters: <Scan parameters>, for example: Full scan, Quick scan, Customer scan
User: <Domain>\<User>

Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example: Antivirus, Antispyware, Antimalware
Scan Parameters: <Scan parameters>, for example: Full scan, Quick scan, Customer scan
User: <Domain>\<User>

Description:
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example: Antivirus, Antispyware, Antimalware
Scan Parameters: <Scan parameters>, for example: Full scan, Quick scan, Customer scan
User: <Domain>\<User>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
User action: The antivirus client encountered an error, and the current
scan has stopped. The scan might fail due to a client-side
issue. This event record includes the scan ID, type of scan
(Windows Defender Antivirus, antispyware, antimalware), scan
parameters, the user that started the scan, the error code,
and a description of the error. To troubleshoot this event:
1. Run the scan again.
2. If it fails in the same way, go to the Microsoft Support
site, enter the error number in the Search box to look
for the error code.
3. Contact Microsoft Technical Support.
Severity, for example: Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example: Unknown, Local computer, Network share, Internet, Incoming traffic, Outgoing traffic
Detection Type: <Detection type>, for example: Heuristics, Generic, Concrete, Dynamic signature
Detection Source: <Detection source>, for example:
  User: user initiated
  System: system initiated
  Real-time: real-time component initiated
  IOAV: IE Downloads and Outlook Express Attachments initiated
  NIS: Network inspection system
  IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  Remote attestation
  Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  UAC
Status: <Status>
User: <Domain>\<User>
Process Name: <Process in the PID>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Severity, for example: Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Action: <Action>, for example:
  Clean: The resource was cleaned
  Quarantine: The resource was quarantined
  Remove: The resource was deleted
  Allow: The resource was allowed to execute/exist
  User defined: User-defined action that is normally one from this list of actions that the user has specified
  No action: No action
  Block: The resource was blocked from executing
Status: <Status>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Severity, for example: Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Action: <Action>, for example:
  Clean: The resource was cleaned
  Quarantine: The resource was quarantined
  Remove: The resource was deleted
  Allow: The resource was allowed to execute/exist
  User defined: User-defined action that is normally one from this list of actions that the user has specified
  No action: No action
  Block: The resource was blocked from executing
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Status: <Status>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Severity, for example: Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Severity, for example: Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Severity, for example: Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Severity, for example: Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
User: <Domain>\<User>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Severity, for example: Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example: Unknown, Local computer, Network share, Internet, Incoming traffic, Outgoing traffic
Detection Type: <Detection type>, for example: Heuristics, Generic, Concrete, Dynamic signature
Detection Source: <Detection source>, for example:
  User: user initiated
  System: system initiated
  Real-time: real-time component initiated
  IOAV: IE Downloads and Outlook Express Attachments initiated
  NIS: Network inspection system
  IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  Remote attestation
  Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  UAC
Status: <Status>
User: <Domain>\<User>
Process Name: <Process in the PID>
Signature ID: Enumeration matching severity.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
Fidelity Label:
Target File Name: <File name> Name of the file.

Severity, for example: Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example: Unknown, Local computer, Network share, Internet, Incoming traffic, Outgoing traffic
Detection Type: <Detection type>, for example: Heuristics, Generic, Concrete, Dynamic signature
Detection Source: <Detection source>, for example:
  User: user initiated
  System: system initiated
  Real-time: real-time component initiated
  IOAV: IE Downloads and Outlook Express Attachments initiated
  NIS: Network inspection system
  IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  Remote attestation
  Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  UAC
User: <Domain>\<User>
Process Name: <Process in the PID>
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
User action: No action is required. Windows Defender Antivirus can suspend and take routine action on this threat.
If you want to remove the threat manually, in the Windows Defender Antivirus interface, click Clean Computer.
Severity, for example: Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example: Unknown, Local computer, Network share, Internet, Incoming traffic, Outgoing traffic
Detection Type: <Detection type>, for example: Heuristics, Generic, Concrete, Dynamic signature
Detection Source: <Detection source>, for example:
  User: user initiated
  System: system initiated
  Real-time: real-time component initiated
  IOAV: IE Downloads and Outlook Express Attachments initiated
  NIS: Network inspection system
  IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  Remote attestation
  Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  UAC
User: <Domain>\<User>
Process Name: <Process in the PID>
Action: <Action>, for example:
  Clean: The resource was cleaned
  Quarantine: The resource was quarantined
  Remove: The resource was deleted
  Allow: The resource was allowed to execute/exist
  User defined: User-defined action that is normally one from this list of actions that the user has specified
  No action: No action
  Block: The resource was blocked from executing
Action Status: <Description of additional actions>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
OPERATING SYSTEM | OPERATING SYSTEM VERSION
Client Operating System | Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later
Severity, for example: Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example: Unknown, Local computer, Network share, Internet, Incoming traffic, Outgoing traffic
Detection Type: <Detection type>, for example: Heuristics, Generic, Concrete, Dynamic signature
Detection Source: <Detection source>, for example:
  User: user initiated
  System: system initiated
  Real-time: real-time component initiated
  IOAV: IE Downloads and Outlook Express Attachments initiated
  NIS: Network inspection system
  IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  Remote attestation
  Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  UAC
User: <Domain>\<User>
Process Name: <Process in the PID>
Action: <Action>, for example:
  Clean: The resource was cleaned
  Quarantine: The resource was quarantined
  Remove: The resource was deleted
  Allow: The resource was allowed to execute/exist
  User defined: User-defined action that is normally one from this list of actions that the user has specified
  No action: No action
  Block: The resource was blocked from executing
Action Status: <Description of additional actions>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>

Severity, for example: Low, Moderate, High, Severe
Category: <Category description>, for example, any threat or malware type.
Path: <File path>
Detection Origin: <Detection origin>, for example: Unknown, Local computer, Network share, Internet, Incoming traffic, Outgoing traffic
Detection Type: <Detection type>, for example: Heuristics, Generic, Concrete, Dynamic signature
Detection Source: <Detection source>, for example:
  User: user initiated
  System: system initiated
  Real-time: real-time component initiated
  IOAV: IE Downloads and Outlook Express Attachments initiated
  NIS: Network inspection system
  IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls
  Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence
  Remote attestation
  Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
  UAC
User: <Domain>\<User>
Process Name: <Process in the PID>
Action: <Action>, for example:
  Clean: The resource was cleaned
  Quarantine: The resource was quarantined
  Remove: The resource was deleted
  Allow: The resource was allowed to execute/exist
  User defined: User-defined action that is normally one from this list of actions that the user has specified
  No action: No action
  Block: The resource was blocked from executing
Action Status: <Description of additional actions>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
User action: The Windows Defender Antivirus client encountered this error
due to critical issues. The endpoint might not be protected.
Review the error description then follow the relevant User
action steps below.
Signature Type, for example: Antispyware, Antimalware, Network Inspection System
Update Type: <Update type>, either Full or Delta.
User: <Domain>\<User>
Current Engine Version: <Current engine version>
Previous Engine Version: <Previous engine version>

Update source, for example: Security intelligence update folder, Internal security intelligence update server, Microsoft Update Server, File share, Microsoft Malware Protection Center (MMPC)
Update Stage: <Update stage>, for example: Search, Download, Install
Source Path: File share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.
Signature Type: <Signature type>, for example: Antivirus, Antispyware, Antimalware, Network Inspection System
Update Type: <Update type>, either Full or Delta.
User: <Domain>\<User>
Current Engine Version: <Current engine version>
Previous Engine Version: <Previous engine version>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
User action: The Windows Defender Antivirus client update failed. This
event occurs when the client fails to update itself. This event
is usually due to an interruption in network connectivity
during an update. To troubleshoot this event:
1. Update definitions and force a rescan directly on the
endpoint.
2. Contact Microsoft Technical Support.
Signature Type, for example: Antivirus, Antispyware, Antimalware, Network Inspection System
Current Engine Version: <Current engine version>
Dynamic Signature Type: <Dynamic signature type>, for example: Version, Timestamp, No limit, Duration
Persistence Path: <Path>
Dynamic Signature Version: <Version number>
Dynamic Signature Compilation Timestamp: <Timestamp>
Persistence Limit Type: <Persistence limit type>, for example: VDM version, Timestamp, No limit
Persistence Limit: Persistence limit of the fast path signature.

Signature Type, for example: Antivirus, Antispyware, Antimalware, Network Inspection System
Current Engine Version: <Current engine version>
Dynamic Signature Type: <Dynamic signature type>, for example: Version, Timestamp, No limit, Duration
Persistence Path: <Path>
Dynamic Signature Version: <Version number>
Dynamic Signature Compilation Timestamp: <Timestamp>
Removal Reason:
Persistence Limit Type: <Persistence limit type>, for example: VDM version, Timestamp, No limit
Persistence Limit: Persistence limit of the fast path signature.

Signature Type, for example: Antivirus, Antispyware, Antimalware, Network Inspection System
Current Engine Version: <Current engine version>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Dynamic Signature Type: <Dynamic signature type>, for example: Version, Timestamp, No limit, Duration
Persistence Path: <Path>
Dynamic Signature Version: <Version number>
Dynamic Signature Compilation Timestamp: <Timestamp>
Persistence Limit Type: <Persistence limit type>, for example: VDM version, Timestamp, No limit
Persistence Limit: Persistence limit of the fast path signature.
Description: The support for your operating system will expire shortly.
Running Windows Defender Antivirus on an out of support
operating system is not an adequate solution to protect
against threats.
Description: The support for your operating system has expired. Running
Windows Defender Antivirus on an out of support operating
system is not an adequate solution to protect against threats.
Description: The support for your operating system has expired. Windows
Defender Antivirus is no longer supported on your operating
system, has stopped functioning, and is not protecting
against malware threats.
Feature, for example: On Access, Internet Explorer downloads and Microsoft Outlook Express attachments, Behavior monitoring, Network Inspection System
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
User action: You should restart the system then run a full scan because it's
possible the system was not protected for some time. The
Windows Defender Antivirus client's real-time protection
feature encountered an error because one of the services
failed to start. If it is followed by a 3007 event ID, the failure
was temporary and the antimalware client recovered from
the failure.
Feature, for example: On Access, IE downloads and Outlook Express attachments, Behavior monitoring, Network Inspection System
Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
User action: The real-time protection feature has restarted. If this event
happens again, contact Microsoft Technical Support.
Feature, for example: On Access, IE downloads and Outlook Express attachments, Behavior monitoring, Network Inspection System
Configuration:
Message: ERR_MP_NO_MEMORY
Possible reason: This error indicates that you might have run out of memory.
Message: ERR_MP_BAD_INPUT_DATA
Possible reason: This error indicates that there might be a problem with your security product.
Or,
b. Download the latest definitions from the Microsoft Security Intelligence site. Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
2. Run a full scan.
3. Restart the device and try again.
Message: ERR_MP_BAD_CONFIGURATION
Message: ERR_MP_QUARANTINE_FAILED
Possible reason: This error indicates that Windows Defender Antivirus failed to quarantine a threat.
Message: ERR_MP_REBOOT_REQUIRED
0X80508023
Message: ERR_MP_THREAT_NOT_FOUND
Possible reason: This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device.
Resolution: Run the Microsoft Safety Scanner then update your security software and try again.
Message: ERR_MP_FULL_SCAN_REQUIRED
Possible reason: This error indicates that a full system scan might be required.
Message: ERR_MP_MANUAL_STEPS_REQUIRED
Possible reason: This error indicates that manual steps are required to complete threat removal.
Message: ERR_MP_REMOVE_NOT_SUPPORTED
Possible reason: This error indicates that removal inside the container type might not be supported.
Possible reason: This error indicates that removal of low and medium threats might be disabled.
Message: ERROR_MP_RESCAN_REQUIRED
Message: ERROR_MP_CALLISTO_REQUIRED
Resolution: Run offline Windows Defender Antivirus. You can read about how to do this in the offline Windows Defender Antivirus article.
Possible reason: This error indicates that Windows Defender Antivirus does not support the current version of the platform and requires a new version of the platform.
The following error codes are used during internal testing of Windows Defender Antivirus.
If you see these errors, you can try to update definitions and force a rescan directly on the endpoint.
0x80501001 ERROR_MP_ACTIONS_FAILED
0x80501002 ERROR_MP_NOENGINE
0x80501003 ERROR_MP_ACTIVE_THREATS
0x805011011 MP_ERROR_CODE_LUA_CANCELLED
0x80501101 ERROR_LUA_CANCELLATION
0x80501102 MP_ERROR_CODE_ALREADY_SHUTDOWN
0x80501103 MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING
0x80501104 MP_ERROR_CODE_CANCELLED
0x80501105 MP_ERROR_CODE_NO_TARGETOS
0x80501106 MP_ERROR_CODE_BAD_REGEXP
0x80501107 MP_ERROR_TEST_INDUCED_ERROR
0x80501108 MP_ERROR_SIG_BACKUP_DISABLED
0x80508001 ERR_MP_BAD_INIT_MODULES
0x80508002 ERR_MP_BAD_DATABASE
0x80508004 ERR_MP_BAD_UFS
0x8050800C ERR_MP_BAD_INPUT_DATA
0x8050800D ERR_MP_BAD_GLOBAL_STORAGE
0x8050800E ERR_MP_OBSOLETE
0x8050800F ERR_MP_NOT_SUPPORTED
0x80508011 ERR_MP_DUPLICATE_SCANID
0x80508012 ERR_MP_BAD_SCANID
0x80508013 ERR_MP_BAD_USERDB_VERSION
0x80508014 ERR_MP_RESTORE_FAILED
0x80508016 ERR_MP_BAD_ACTION
0x80508019 ERR_MP_NOT_FOUND
0x80509001 ERR_RELO_BAD_EHANDLE
0x80509003 ERR_RELO_KERNEL_NOT_LOADED
0x8050A001 ERR_MP_BADDB_OPEN
0x8050A002 ERR_MP_BADDB_HEADER
0x8050A003 ERR_MP_BADDB_OLDENGINE
0x8050A004 ERR_MP_BADDB_CONTENT
0x8050A005 ERR_MP_BADDB_NOTSIGNED
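The event tables above describe an Error Code field and a real-time protection "User action" that depends on whether a 3007 recovery event follows the failure. The following added example (not code from the original page or from Microsoft) turns both into a triage script. It assumes the Defender operational log name and event ID 3002 (real-time protection encountered an error), which are Microsoft's documented values but are not named on this page; the sample events and their messages are constructed, and the code table is a subset of the internal error codes listed above.

```powershell
# Added example, not from the original page: triage helpers for the Windows Defender
# Antivirus event and error-code tables above. Assumptions: the operational log name and
# event ID 3002 (real-time protection encountered an error) are Microsoft's documented
# values; the page itself names only 3007, the recovery event. Sample events are constructed.

$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# A subset of the internal error codes tabulated above, keyed by upper-case hex without "0x".
$InternalErrorNames = @{
    '80501001' = 'ERROR_MP_ACTIONS_FAILED'
    '80501002' = 'ERROR_MP_NOENGINE'
    '80501003' = 'ERROR_MP_ACTIVE_THREATS'
    '80508001' = 'ERR_MP_BAD_INIT_MODULES'
    '80508002' = 'ERR_MP_BAD_DATABASE'
    '8050800C' = 'ERR_MP_BAD_INPUT_DATA'
    '80508012' = 'ERR_MP_BAD_SCANID'
    '80508019' = 'ERR_MP_NOT_FOUND'
    '8050A001' = 'ERR_MP_BADDB_OPEN'
    '8050A005' = 'ERR_MP_BADDB_NOTSIGNED'
}

function Get-DefenderErrorName {
    param([Parameter(Mandatory)][string]$Code)
    # Normalise "0x8050800c", "8050800C" and similar, then look the HRESULT up.
    # Unknown codes are reported as unknown rather than guessed.
    $hex = ($Code -replace '^0[xX]', '').ToUpper().PadLeft(8, '0')
    if ($InternalErrorNames.ContainsKey($hex)) { return $InternalErrorNames[$hex] }
    return "unknown (0x$hex)"
}

function Get-DefenderEventErrorCodes {
    param([Parameter(Mandatory)][object[]]$Events)
    # Pull the "Error Code: <Error code>" field described in the tables above out of each
    # event message. An internal code means: update definitions and force a rescan.
    foreach ($e in $Events) {
        if ($e.Message -match 'Error [Cc]ode:\s*(0x[0-9A-Fa-f]{8})') {
            [pscustomobject]@{
                Id   = $e.Id
                Time = $e.TimeCreated
                Code = $Matches[1]
                Name = Get-DefenderErrorName -Code $Matches[1]
            }
        }
    }
}

function Get-RealTimeProtectionFailures {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with Id and TimeCreated, e.g. Get-WinEvent output
        [int]$RecoveryWindowMinutes = 10
    )
    # The real-time protection "User action" above: a failure followed by a 3007 event was
    # temporary and the client recovered; otherwise restart the system and run a full scan.
    $sorted = @($Events | Sort-Object -Property TimeCreated)
    foreach ($failure in ($sorted | Where-Object { $_.Id -eq 3002 })) {
        $deadline = $failure.TimeCreated.AddMinutes($RecoveryWindowMinutes)
        $recovery = $sorted |
            Where-Object { $_.Id -eq 3007 -and $_.TimeCreated -gt $failure.TimeCreated -and $_.TimeCreated -le $deadline } |
            Select-Object -First 1
        [pscustomobject]@{
            FailedAt    = $failure.TimeCreated
            RecoveredAt = $(if ($recovery) { $recovery.TimeCreated } else { $null })
            Verdict     = $(if ($recovery) { 'Temporary: client recovered' } else { 'Restart the system and run a full scan' })
        }
    }
}

# Constructed sample events (not real log output) so the helpers run offline; the second
# error code is deliberately one that is not in the table, to show the unknown path.
$sampleEvents = @(
    [pscustomobject]@{ Id = 3002; TimeCreated = [datetime]'2020-04-02T09:00:00'; Message = 'Real-time protection encountered an error and failed. Error Code: 0x8050800C' }
    [pscustomobject]@{ Id = 3007; TimeCreated = [datetime]'2020-04-02T09:02:00'; Message = 'Real-time protection recovered from a failure.' }
    [pscustomobject]@{ Id = 3002; TimeCreated = [datetime]'2020-04-02T13:30:00'; Message = 'Real-time protection encountered an error and failed. Error Code: 0x80508999' }
)
Get-RealTimeProtectionFailures -Events $sampleEvents | Format-Table -AutoSize
Get-DefenderEventErrorCodes -Events $sampleEvents | Format-Table -AutoSize

# On a live endpoint (elevated), feed the real log instead of the sample:
# $live = Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 3002, 3007 }
# Get-RealTimeProtectionFailures -Events $live
```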
Related topics
Report on Windows Defender Antivirus protection
Windows Defender Antivirus in Windows 10
Here you will find information about different types of malware, safety tips on how you can protect your
organization, and resources for industry collaboration programs.
Understand malware & other threats
How Microsoft identifies malware and PUA
Submit files for analysis
Safety Scanner download
Keep up with the latest malware news and research. Check out our Microsoft Security blogs and follow us on
Twitter for the latest news, discoveries, and protections.
Learn more about Windows security.
Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal use
of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of your
computer and ask for ransom, and more.
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch
attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or
extort payment from victims.
As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most
secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or
on the go. With Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), businesses can stay
protected with next-generation protection and other security capabilities.
For good general tips, check out the prevent malware infection topic.
There are many types of malware, including:
Coin miners
Exploits and exploit kits
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms
Keep up with the latest malware news and research. Check out our Microsoft security blogs and follow us on
Twitter for the latest news, discoveries, and protections.
Learn more about Windows security.
Malware authors are always looking for new ways to infect computers. Follow the tips below to stay protected
and minimize threats to your data and accounts.
We name the malware and unwanted software that we detect according to the Computer Antivirus Research
Organization (CARO) malware naming scheme. The scheme uses the following format:
When our analysts research a particular threat, they will determine what each of the components of the name will
be.
Type
Describes what the malware does on your computer. Worms, viruses, trojans, backdoors, and ransomware are
some of the most common types of malware.
Adware
Backdoor
Behavior
BrowserModifier
Constructor
DDoS
Exploit
Hacktool
Joke
Misleading
MonitoringTool
Program
PWS
Ransom
RemoteAccess
Rogue
SettingsModifier
SoftwareBundler
Spammer
Spoofer
Spyware
Tool
Trojan
TrojanClicker
TrojanDownloader
TrojanNotifier
TrojanProxy
TrojanSpy
VirTool
Virus
Worm
Platforms
Indicates the operating system (such as Windows, Mac OS X, and Android) that the malware is designed to work
on. The platform is also used to indicate programming languages and file formats.
Operating systems
AndroidOS: Android operating system
DOS: MS-DOS platform
EPOC: Psion devices
FreeBSD: FreeBSD platform
iPhoneOS: iPhone operating system
Linux: Linux platform
MacOS: MAC 9.x platform or earlier
MacOS_X: MacOS X or later
OS2: OS2 platform
Palm: Palm operating system
Solaris: System V-based Unix platforms
SunOS: Unix platforms 4.1.3 or lower
SymbOS: Symbian operating system
Unix: general Unix platforms
Win16: Win16 (3.1) platform
Win2K: Windows 2000 platform
Win32: Windows 32-bit platform
Win64: Windows 64-bit platform
Win95: Windows 95, 98 and ME platforms
Win98: Windows 98 platform only
WinCE: Windows CE platform
WinNT: WinNT
Scripting languages
ABAP: Advanced Business Application Programming scripts
ALisp: ALisp scripts
AmiPro: AmiPro script
ANSI: American National Standards Institute scripts
AppleScript: compiled Apple scripts
ASP: Active Server Pages scripts
AutoIt: AutoIT scripts
BAS: Basic scripts
BAT: Basic scripts
CorelScript: Corelscript scripts
HTA: HTML Application scripts
HTML: HTML Application scripts
INF: Install scripts
IRC: mIRC/pIRC scripts
Java: Java binaries (classes)
JS: Javascript scripts
LOGO: LOGO scripts
MPB: MapBasic scripts
MSH: Monad shell scripts
MSIL: .Net intermediate language scripts
Perl: Perl scripts
PHP: Hypertext Preprocessor scripts
Python: Python scripts
SAP: SAP platform scripts
SH: Shell scripts
VBA: Visual Basic for Applications scripts
VBS: Visual Basic scripts
WinBAT: Winbatch scripts
WinHlp: Windows Help scripts
WinREG: Windows registry scripts
Macros
A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros
HE: macro scripting
O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and PowerPoint
PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros
V5M: Visio5 macros
W1M: Word1Macro
W2M: Word2Macro
W97M: Word 97, 2000, XP, 2003, 2007, and 2010 macros
WM: Word 95 macros
X97M: Excel 97, 2000, XP, 2003, 2007, and 2010 macros
XF: Excel formulas
XM: Excel 95 macros
Other file types
ASX: XML metafile of Windows Media .asf files
HC: HyperCard Apple scripts
MIME: MIME packets
Netware: Novell Netware files
QT: Quicktime files
SB: StarBasic (Staroffice XML) files
SWF: Shockwave Flash files
TSQL: MS SQL server files
XML: XML files
Family
Grouping of malware based on common characteristics, including attribution to the same authors. Security
software providers sometimes use different names for the same malware family.
Variant letter
Used sequentially for every distinct version of a malware family. For example, the detection for the variant ".AF"
would have been created after the detection for the variant ".AE".
Suffixes
Provides extra detail about the malware, including how it is used as part of a multicomponent threat. In the
example above, "!lnk" indicates that the threat component is a shortcut file used by Trojan:Win32/Reveton.T.
.dam: damaged malware
.dll: Dynamic Link Library component of a malware
.dr: dropper component of a malware
.gen: malware that is detected using a generic signature
.kit: virus constructor
.ldr: loader component of a malware
.pak: compressed malware
.plugin: plug-in component
.remnants: remnants of a virus
.worm: worm component of that malware
!bit: an internal category used to refer to some threats
!cl: an internal category used to refer to some threats
!dha: an internal category used to refer to some threats
!pfn: an internal category used to refer to some threats
!plock: an internal category used to refer to some threats
!rfn: an internal category used to refer to some threats
!rootkit: rootkit component of that malware
@m: worm mailers
@mm: mass mailer worm
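As an added example (not Microsoft's code), a small Python parser for the naming scheme described above: it splits a detection name into the Type, Platform, Family, Variant and Suffix components listed on this page, checks each against those lists, and computes the variant-letter order that makes ".AF" newer than ".AE". The type, platform and suffix vocabularies are transcribed from the lists above; apart from Trojan:Win32/Reveton.T!lnk, the sample names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Vocabularies transcribed from the naming-scheme lists on this page.
CARO_TYPES = {
    "Adware", "Backdoor", "Behavior", "BrowserModifier", "Constructor", "DDoS", "Exploit",
    "Hacktool", "Joke", "Misleading", "MonitoringTool", "Program", "PWS", "Ransom",
    "RemoteAccess", "Rogue", "SettingsModifier", "SoftwareBundler", "Spammer", "Spoofer",
    "Spyware", "Tool", "Trojan", "TrojanClicker", "TrojanDownloader", "TrojanNotifier",
    "TrojanProxy", "TrojanSpy", "VirTool", "Virus", "Worm",
}
# Operating systems plus a few of the scripting/macro/file-type platforms from the page;
# the remaining entries of those lists belong in the same set.
CARO_PLATFORMS = {
    "AndroidOS", "DOS", "EPOC", "FreeBSD", "iPhoneOS", "Linux", "MacOS", "MacOS_X", "OS2",
    "Palm", "Solaris", "SunOS", "SymbOS", "Unix", "Win16", "Win2K", "Win32", "Win64",
    "Win95", "Win98", "WinCE", "WinNT", "JS", "VBS", "HTML", "MSIL", "O97M", "W97M",
    "X97M", "PP97M", "SWF", "Java",
}
# Suffix meanings from the page; "!lnk" comes from the Reveton example in the text.
CARO_SUFFIXES = {
    ".dam": "damaged malware", ".dll": "DLL component", ".dr": "dropper component",
    ".gen": "generic signature", ".kit": "virus constructor", ".ldr": "loader component",
    ".pak": "compressed malware", ".plugin": "plug-in component",
    ".remnants": "remnants of a virus", ".worm": "worm component",
    "!bit": "internal category", "!cl": "internal category", "!dha": "internal category",
    "!pfn": "internal category", "!plock": "internal category", "!rfn": "internal category",
    "!rootkit": "rootkit component", "!lnk": "shortcut-file component",
    "@m": "worm mailer", "@mm": "mass mailer worm",
}

# Type[:Platform]/Family[.Variant][suffixes], e.g. Trojan:Win32/Reveton.T!lnk
_NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+)"
    r"(?::(?P<platform>[A-Za-z0-9_]+))?"
    r"/(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Z]+))?"
    r"(?P<suffixes>(?:[.!@][A-Za-z]+)*)$"
)


@dataclass(frozen=True)
class CaroName:
    threat_type: str
    platform: Optional[str]
    family: str
    variant: Optional[str]
    suffixes: Tuple[str, ...]
    warnings: Tuple[str, ...]  # components not found in the page's vocabularies


def variant_ordinal(letters: str) -> int:
    """Position of a variant in the sequential lettering: A=1 ... Z=26, AA=27, ...
    so .AE is 31 and .AF is 32, matching the page's 'created after' ordering."""
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n


def parse_caro_name(name: str) -> CaroName:
    """Split a detection name into its components and note unknown vocabulary."""
    m = _NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a CARO-style detection name: {name!r}")
    suffixes = tuple(re.findall(r"[.!@][A-Za-z]+", m.group("suffixes")))
    warnings = []
    if m.group("type") not in CARO_TYPES:
        warnings.append(f"unknown type {m.group('type')}")
    if m.group("platform") and m.group("platform") not in CARO_PLATFORMS:
        warnings.append(f"unknown platform {m.group('platform')}")
    warnings += [f"unknown suffix {s}" for s in suffixes if s not in CARO_SUFFIXES]
    return CaroName(m.group("type"), m.group("platform"), m.group("family"),
                    m.group("variant"), suffixes, tuple(warnings))


def is_newer_variant(name_a: str, name_b: str) -> bool:
    """True when name_a is a later variant of the same family than name_b."""
    a, b = parse_caro_name(name_a), parse_caro_name(name_b)
    same_family = (a.threat_type, a.platform, a.family) == (b.threat_type, b.platform, b.family)
    if not same_family or not (a.variant and b.variant):
        return False
    return variant_ordinal(a.variant) > variant_ordinal(b.variant)


def describe(name: str) -> str:
    """Human-readable reading of a detection name using the page's suffix meanings."""
    c = parse_caro_name(name)
    parts = [f"{c.threat_type} for {c.platform or 'any platform'}", f"family {c.family}"]
    if c.variant:
        parts.append(f"variant {c.variant} (#{variant_ordinal(c.variant)})")
    parts += [f"{s}: {CARO_SUFFIXES.get(s, 'unknown suffix')}" for s in c.suffixes]
    return "; ".join(parts)


if __name__ == "__main__":
    # Trojan:Win32/Reveton.T!lnk is the page's example; the other names are constructed.
    for sample in ("Trojan:Win32/Reveton.T!lnk", "Worm:Win32/Conficker.AF",
                   "TrojanDownloader:Win32/Zlob.gen!dll"):
        print(sample, "->", describe(sample))
```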
Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known as
cryptocurrencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins by
reconfiguring malware.
Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware
can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security
safeguards to infect your device.
What exactly are fileless threats? The term "fileless" suggests that a threat does not come in a file, such as a
backdoor that lives only in the memory of a machine. However, there's no generally accepted definition for fileless
malware. The term is used broadly; it's also used to describe malware families that do rely on files to operate.
Given that attacks involve several stages for functionalities like execution, persistence, or information theft, some
parts of the attack chain may be fileless, while others may involve the filesystem in some form.
For clarity, fileless threats are grouped into different categories.
Macros are a powerful way to automate common tasks in Microsoft Office and can make people more productive.
However, macro malware uses this functionality to infect your device.
Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of
electronic communication that often look to be official communication from legitimate companies or individuals.
The information that phishers (as the cybercriminals behind phishing attacks are called) attempt to steal can be
user names and passwords, credit card details, bank account information, or other credentials. Attackers can then
use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from
bank accounts and credit cards. Phishers can also sell the information in cybercriminal underground marketplaces.
There is a request for personal information such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email.
Items in the email address will be changed so that it is similar enough to a legitimate email address but has added numbers or changed letters.
The message is unexpected and unsolicited. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect.
The message or the attachment asks you to enable macros, adjust security settings, or install applications. Normal emails will not ask you to do this.
The message contains errors. Legitimate corporate messages are less likely to have typographic or grammatical errors or contain wrong information.
The sender address does not match the signature on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john@example.com.
There are multiple recipients in the “To” field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients.
The greeting on the message itself does not personally address you. Apart from messages that mistakenly address a different person, those that misuse your name or pull your name directly from your email address tend to be malicious.
The website looks familiar but there are inconsistencies or things that are not quite right, such as outdated logos, typos, or requests for additional information that legitimate sign-in websites do not ask for.
The page that opens is not a live page but rather an image that is designed to look like the site you are familiar with. A pop-up may appear that requests credentials.
If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
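As an added example (not Microsoft's code), the email signs listed above turned into detection logic in Python and run over two constructed messages. The trusted-domain list KNOWN_DOMAINS, the indicator codes and both sample mails are assumptions made for this example, and the sender check compares the address against the claimed identity in the display name rather than against the body signature.

```python
import difflib
import email
import re
from email.utils import getaddresses, parseaddr

# Domains the organisation trusts; an assumption for this example, not a Microsoft list.
KNOWN_DOMAINS = {"contoso.com"}

# Phrase lists for the "request for personal information" and "asks you to enable
# macros, adjust security settings, or install applications" signs on the page.
PERSONAL_INFO_RE = re.compile(
    r"social security|\bssn\b|bank account|account number|routing number|credit card", re.I)
ENABLE_RE = re.compile(
    r"enable (?:macros|content|editing)|adjust (?:your )?security settings|"
    r"disable (?:your )?(?:antivirus|protection)|install (?:the|this) \w+", re.I)


def lookalike_domain(domain, known_domains=KNOWN_DOMAINS):
    """Return the known domain that `domain` imitates (changed letters or added digits),
    or None when it is exactly a known domain or not close to any of them."""
    if domain in known_domains:
        return None
    for known in known_domains:
        if difflib.SequenceMatcher(None, domain, known).ratio() >= 0.8:
            return known
    return None


def phishing_indicators(raw_message, known_domains=KNOWN_DOMAINS):
    """Apply the page's checklist to one plain-text RFC 5322 message.
    Returns a list of (indicator_code, detail) pairs; an empty list means no sign fired."""
    msg = email.message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    found = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    local_part, _, from_domain = from_addr.lower().rpartition("@")

    # Sign: sender domain resembles a legitimate one but has added numbers or changed letters.
    imitated = lookalike_domain(from_domain, known_domains)
    if imitated:
        found.append(("lookalike_domain", f"{from_domain} resembles {imitated}"))

    # Sign: the identity claimed in the display name is not reflected in the address
    # (the page's example: "Mary of Contoso Corp" sent from john@example.com).
    claimed = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", display_name)]
    if claimed and not any(w in local_part or w in from_domain for w in claimed):
        found.append(("identity_mismatch", f"{display_name!r} sent from {from_addr}"))

    # Sign: several recipients in To that do not belong to one organisation.
    recipients = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]
    rcpt_domains = {addr.rpartition("@")[2] for addr in recipients}
    if len(recipients) >= 3 and len(rcpt_domains) >= 2:
        found.append(("bulk_recipients", f"{len(recipients)} recipients in To"))

    # Sign: the greeting reuses the recipient's address local part instead of a name.
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    greeting = lines[0].lower() if lines else ""
    rcpt_locals = [addr.rpartition("@")[0] for addr in recipients if "@" in addr]
    if any(lp and lp in greeting for lp in rcpt_locals):
        found.append(("address_greeting", lines[0]))

    # Signs: asks for personal or financial data; asks to enable macros or weaken settings.
    hit = PERSONAL_INFO_RE.search(body)
    if hit:
        found.append(("asks_personal_info", hit.group(0)))
    hit = ENABLE_RE.search(body)
    if hit:
        found.append(("asks_enable_macros", hit.group(0)))
    return found


# Constructed sample messages (not real mail). The first shows most of the page's signs.
PHISH_SAMPLE = """\
From: "Mary of Contoso Corp" <john@c0ntoso.com>
To: alice.lee@fabrikam.example, bob@northwind.example, carol99@tailspin.example
Subject: Urgent: account verification required

Dear alice.lee,

Your account has been suspended. To restore access, reply with your social security
number and bank account details, then open the attached invoice and enable macros.

Mary
Contoso Corp
"""

LEGIT_SAMPLE = """\
From: "Mary Smith" <mary.smith@contoso.com>
To: alice.lee@fabrikam.example

Hi Alice,

The Q3 planning deck is on the shared drive. Let me know if Thursday still works.
"""

if __name__ == "__main__":
    for code, detail in phishing_indicators(PHISH_SAMPLE):
        print(f"{code:20s} {detail}")
    print("signs in legitimate sample:", len(phishing_indicators(LEGIT_SAMPLE)))
```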
For more information, download and read this Microsoft e-book on preventing social engineering attacks,
especially in enterprise environments.
Software solutions for organizations
Microsoft Edge and Windows Defender Application Guard offer protection from the increasing threat of
targeted attacks using Microsoft's industry-leading Hyper-V virtualization technology. If a browsed website
is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network, thereby
preventing access to your enterprise data.
Microsoft Exchange Online Protection (EOP) offers enterprise-class reliability and protection against spam
and malware, while maintaining access to email during and after emergencies. Using various layers of
filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international
spam, that will further enhance your protection services.
Use Office 365 Advanced Threat Protection (ATP) to help protect your email, files, and online storage
against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint
Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection
against malicious links, it complements the security features of Exchange Online Protection to provide
better zero-day protection.
For more tips and software solutions, see prevent malware infection.
Ransomware is a type of malware that encrypts files and folders, preventing access to important files.
Ransomware attempts to extort money from victims by asking for payment, usually in the form of cryptocurrencies,
in exchange for the decryption key. But cybercriminals won't always follow through and unlock the files they
encrypted.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack
vectors, makes older platforms especially susceptible to ransomware attacks.
Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A
successful rootkit can potentially remain in place for years if it is undetected. During this time it will steal
information and resources.
Supply chain attacks are an emerging kind of threat that targets software developers and suppliers. The goal is to
access source code, build processes, or update mechanisms by infecting legitimate apps to distribute malware.
Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into paying for
unnecessary technical support services that supposedly fix contrived device, platform, or software problems.
Trojans are a common type of malware which, unlike viruses, can’t spread on their own. This means they either
have to be downloaded manually or another malware needs to download and install them.
Trojans often use the same file names as real and legitimate apps. It is easy to accidentally download a trojan
thinking that it is a legitimate app.
Unwanted software is software that alters the Windows experience without your consent or control. This can take
the form of a modified browsing experience, lack of control over downloads and installation, misleading messages,
or unauthorized changes to Windows settings.
A worm is a type of malware that can copy itself and often spreads through a network by exploiting security
vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking
sites, network shares, removable drives, and software vulnerabilities.
Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and
in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software
and online content. When you download, install, and run software, we check the reputation of downloaded
programs and ensure you are protected against known threats and warned about software that is unknown to us.
You can assist Microsoft by submitting unknown or suspicious software for analysis. This will help ensure that
unknown or suspicious software is scanned by our system to start establishing reputation. Learn more about
submitting files for analysis
The next sections provide an overview of the classifications we use for applications and the types of behaviors that
lead to that classification.
NOTE
New forms of malware and potentially unwanted applications are being developed and distributed rapidly. The following list
may not be comprehensive, and Microsoft reserves the right to adjust, expand, and update these without prior notice or
announcement.
Malware
Malware is the overarching name for applications and other code, like software, that Microsoft classifies more
granularly as malicious software or unwanted software.
Malicious software
Malicious software is an application or code that compromises user security. Malicious software may steal your
personal information, lock your device until you pay a ransom, use your device to send spam, or download other
malicious software. In general, malicious software wants to trick, cheat, or defraud users, placing them in
vulnerable states.
Microsoft classifies most malicious software into one of the following categories:
Backdoor: A type of malware that gives malicious hackers remote access to and control of your device.
Downloader: A type of malware that downloads other malware onto your device. It must connect to the
internet to download files.
Dropper: A type of malware that installs other malware files onto your device. Unlike a downloader, a
dropper doesn't have to connect to the internet to drop malicious files. The dropped files are typically
embedded in the dropper itself.
Exploit: A piece of code that uses software vulnerabilities to gain access to your device and perform other
tasks, such as installing malware. See more information about exploits.
Hacktool: A type of tool that can be used to gain unauthorized access to your device.
Macro virus: A type of malware that spreads through infected documents, such as Microsoft Word or
Excel documents. The virus is run when you open an infected document.
Obfuscator: A type of malware that hides its code and purpose, making it more difficult for security
software to detect or remove.
Password stealer: A type of malware that gathers your personal information, such as usernames and
passwords. It often works along with a keylogger, which collects and sends information about the keys you
press and websites you visit.
Ransomware: A type of malware that encrypts your files or makes other modifications that can prevent
you from using your device. It then displays a ransom note which states you must pay money, complete
surveys, or perform other actions before you can use your device again. See more information about
ransomware.
Rogue security software: Malware that pretends to be security software but doesn't provide any
protection. This type of malware usually displays alerts about nonexistent threats on your device. It also
tries to convince you to pay for its services.
Trojan: A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't
spread by itself. Instead, it tries to look legitimate and tricks users into downloading and installing it. Once
installed, trojans perform various malicious activities such as stealing personal information, downloading
other malware, or giving attackers access to your device.
Trojan clicker: A type of trojan that automatically clicks buttons or similar controls on websites or
applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online
polls or other tracking systems and can even install applications on your device.
Worm: A type of malware that spreads to other devices. Worms can spread through email, instant
messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated
worms take advantage of software vulnerabilities to propagate.
Unwanted software
Microsoft believes that you should have control over your Windows experience. Software running on Windows
should keep you in control of your device through informed choices and accessible controls. Microsoft identifies
software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these
behaviors as "unwanted software".
Lack of choice
You must be notified about what is happening on your device, including what software does and whether it is
active.
Software that exhibits lack of choice might:
Fail to provide prominent notice about the behavior of the software and its purpose and intent.
Fail to clearly indicate when the software is active and might also attempt to hide or disguise its presence.
Install, reinstall, or remove software without your permission, interaction, or consent.
Install other software without a clear indication of its relationship to the primary software.
Circumvent user consent dialogs from the browser or operating system.
Falsely claim to be software from Microsoft.
Software must not mislead or coerce you into making decisions about your device. This is considered behavior
that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
Display exaggerated claims about your device's health.
Make misleading or inaccurate claims about files, registry entries, or other items on your device.
Display claims in an alarming manner about your device's health and require payment or certain actions in
exchange for fixing the purported issues.
Software that stores or transmits your activities or data must:
Give you notice and get consent to do so. Software should not include an option that configures it to hide
activities associated with storing or transmitting your data.
Lack of control
You must be able to control software on your device. You must be able to start, stop, or otherwise revoke
authorization to software.
Software that exhibits lack of control might:
Prevent or limit you from viewing or modifying browser features or settings.
Open browser windows without authorization.
Redirect web traffic without giving notice and getting consent.
Modify or manipulate webpage content without your consent.
Software that changes your browsing experience must only use the browser's supported extensibility model for
installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models are
considered non-extensible and should not be modified.
Installation and removal
You must be able to start, stop, or otherwise revoke authorization given to software. Software should obtain your
consent before installing, and it must provide a clear and straightforward way for you to install, uninstall, or
disable it.
Software that delivers poor installation experience might bundle or download other "unwanted software" as
classified by Microsoft.
Software that delivers poor removal experience might:
Present confusing or misleading prompts or pop-ups when you try to uninstall it.
Fail to use standard install/uninstall features, such as Add/Remove Programs.
Advertising and advertisements
Software that promotes a product or service outside of the software itself can interfere with your computing
experience. You should have clear choice and control when installing software that presents advertisements.
The advertisements that are presented by software must:
Include an obvious way for users to close the advertisement. The act of closing the advertisement must not
open another advertisement.
Include the name of the software that presented the advertisement.
The software that presents these advertisements must:
Provide a standard uninstall method for the software using the same name as shown in the advertisement it
presents.
Advertisements shown to you must:
Be distinguishable from website content.
Not mislead, deceive, or confuse.
Not contain malicious code.
Not invoke a file download.
Consumer opinion
Microsoft maintains a worldwide network of analysts and intelligence systems where you can submit software for
analysis. Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates Security
intelligence for software that meets the described criteria. This Security intelligence identifies the software as
malware and is available to all users through Windows Defender Antivirus and other Microsoft antimalware
solutions.
If you have a file that you suspect might be malware or is being incorrectly detected, you can submit it to us for
analysis. This page has answers to some common questions about submitting a file for analysis.
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply
download it and run a scan to find malware and try to reverse changes made by identified threats.
Download Microsoft Safety Scanner (32-bit)
Download Microsoft Safety Scanner (64-bit)
NOTE
Starting November 2019, Safety Scanner will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2
in order to run Safety Scanner. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
Important information
The security intelligence update version of the Microsoft Safety Scanner matches the version described in
this web page.
Safety Scanner only scans when manually triggered and is available for use 10 days after being
downloaded. We recommend that you always download the latest version of this tool before each scan.
Safety Scanner is a portable executable and does not appear in the Windows Start menu or as an icon on
the desktop. Note where you saved this download.
This tool does not replace your antimalware product. For real-time protection with automatic updates, use
Windows Defender Antivirus on Windows 10 and Windows 8 or Microsoft Security Essentials on Windows
7. These antimalware products also provide powerful malware removal capabilities. If you are having
difficulties removing malware with these products, you can refer to our help on removing difficult threats.
System requirements
Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview,
Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows Server
2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the Microsoft
Lifecycle Policy.
Related resources
Troubleshooting Safety Scanner
Windows Defender Antivirus
Microsoft Security Essentials
Removing difficult threats
Submit file for malware analysis
Microsoft antimalware and threat protection solutions
Top scoring in industry tests
4/6/2020
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) technologies consistently achieve high
scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft
aims to be transparent about these test scores. This page summarizes the results and provides analysis.
Download the latest transparency report: Examining industry test results, November 2019
AV-TEST: Protection score of 5.5/6.0 in the latest test
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and
usability. The following scores are for the Protection category which has two scores: Real-World Testing and the AV-
TEST reference set (known as "Prevalent Malware").
January - February 2020 AV-TEST Business User test: Protection score 5.5/6.0 Latest
Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, with 21,008 malware samples
used.
November - December 2019 AV-TEST Business User test: Protection score 6.0/6.0
September - October 2019 AV-TEST Business User test: Protection score 5.5/6.0
July — August 2019 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
May — June 2019 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
March — April 2019 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
January — February 2019 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
November — December 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
September — October 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
AV-Comparatives: Protection rating of 99.6% in the latest test
Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware
attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example
by USB), and the Performance Test that looks at the impact on the system's performance.
Business Security Test 2019 (August — November): Real-World Protection Rate 99.6% Latest
Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year,
with 99.6% in the latest test.
Business Security Test 2019 Factsheet (August — September): Real-World Protection Rate 99.9% | Analysis
Business Security Test 2019 (March — June): Real-World Protection Rate 99.9% | Analysis
Business Security Test 2018 (August — November): Real-World Protection Rate 99.6%
Business Security Test 2018 (March — June): Real-World Protection Rate 98.7%
SE Labs: AAA award in the latest test
SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including
endpoint software, network appliances, and cloud services.
Enterprise Endpoint Protection October — December 2019: AAA award pdf
Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all
but two public threats.
Enterprise Endpoint Protection July — September 2019: AAA award pdf | Analysis
Enterprise Endpoint Protection April — June 2019: AAA award pdf | Analysis
Enterprise Endpoint Protection January — March 2019: AAA award pdf | Analysis
Enterprise Endpoint Protection October — December 2018: AAA award pdf | Analysis
Read our analysis: MITRE evaluation highlights industry-leading EDR capabilities in Windows Defender ATP
MITRE: Industry-leading optics and detection capabilities
MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also
known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off.
Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK
framework. The framework is widely regarded today as the most comprehensive catalog of attacker techniques and
tactics.
ATT&CK-based evaluation: Leading optics and detection capabilities | Analysis
Microsoft Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack
chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced,
automatic detection through machine learning, heuristics, and behavior monitoring.
Microsoft has several industry-wide collaboration programs with different objectives and requirements. Enrolling
in the right program can help you protect your customers, gain more insight into the current threat landscape, or
assist in disrupting the malware ecosystem.
The Virus Information Alliance (VIA) is a public antimalware collaboration program for security software providers,
security service providers, antimalware testing organizations, and other organizations involved in fighting
cybercrime.
Members of the VIA program collaborate by exchanging technical information on malicious software with
Microsoft, with the goal of improving protection for Microsoft customers.
The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with
Windows.
MVI members receive access to Windows APIs and other technologies including IOAV, AMSI and Cloud files.
Members also get malware telemetry and samples and invitations to security related events and conferences.
Become a member
A request for membership is made by an individual as a representative of an organization that develops and
produces antimalware or antivirus technology. Your organization must meet the following eligibility requirements
to qualify for the MVI program:
1. Offer an antimalware or antivirus product that is one of the following:
Your organization's own creation.
Developed by using an SDK (engine and other components) from another MVI Partner company and
your organization adds a custom UI and/or other functionality.
2. Have your own malware research team unless you build a product based on an SDK.
3. Be active and have a positive reputation in the antimalware industry.
Activity can include participation in industry conferences or being reviewed in an industry standard
report such as AV Comparatives, OPSWAT or Gartner.
4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft.
5. Be willing to sign a program license agreement.
6. Be willing to adhere to program requirements for antimalware apps. These requirements define the
behavior of antimalware apps necessary to ensure proper interaction with Windows.
7. Submit your app to Microsoft for periodic performance testing.
8. Certified through independent testing by at least one industry standard organization.
AV-Test: Must pass tests for Windows. Certifications for Mac and Linux are not accepted. Required result: achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved" (for corporate users). https://www.av-test.org/en/about-the-institute/certification/
NSS Labs: Advanced Endpoint Protection AEP 3.0, which covers automatic threat prevention and threat event reporting capabilities. Required result: "Neutral" rating from NSS. https://www.nsslabs.com/tested-technologies/advanced-endpoint-protection/
SKD Labs: Certification Requirements Product: Anti-virus or Antimalware. Required result: SKD Labs Star Check Certification Requirements, pass >= 98.5 % with On Demand, On Access and Total Detection tests. http://www.skdlabs.com/html/english/ and http://www.skdlabs.com/cert/
Apply now
If your organization meets these criteria and is interested in joining, apply for membership now. If you have
questions, contact us for more information.
Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries
together to change the game against malware. While the cybersecurity industry today is effective at disrupting
malware families through individual efforts, those disruptions rarely lead to eradication since malware authors
quickly adapt their tactics to survive.
CME calls for organizations to pool their tools, information and actions to drive coordinated campaigns against
malware. The ultimate goal is to drive efficient and long lasting results for better protection of our collective
communities, customers, and businesses.
Learn about the common questions we receive from software developers and get other developer resources such
as detection criteria and file submissions.
In this section
TOPIC | DESCRIPTION
This page provides answers to common questions we receive from software developers. For general guidance
about submitting malware or incorrectly detected files, read the submission guide.
Concerned about the detection of your software? If you believe that your application or program has been
incorrectly detected by Microsoft security software, submit the relevant files for analysis.
Check out the following resources for information on how to submit and view submissions:
Submit files
View your submissions
Additional resources
Detection criteria
To objectively identify malware and unidentified software, Microsoft applies a set of criteria for evaluating
malicious or potentially harmful code.
Developer questions
Find more guidance about the file submission and detection dispute process in our FAQ for software developers.
Scan your software
Use Windows Defender Antivirus to check your software against the latest security intelligence and cloud
protection from Microsoft.
FIPS 140-2 Validation
12/24/2019 • 160 minutes to read
Secure Kernel Code Integrity | 10.0.17134 | #3096 | See Security Policy and Certificate page for algorithm information
Windows 10 Fall Creators Update (Version 1709)
Windows 10 Creators Update (Version 1703)
Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)
Kernel Mode Cryptographic Primitives Library (cng.sys) | 10.0.15063 | #3094 | FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)
Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)
Kernel Mode Cryptographic Primitives Library (cng.sys) | 10.0.14393 | #2936 | FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)
Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
[4] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
[5] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
[6] Applies only to Home, Pro and Enterprise
[7] Applies only to Pro, Enterprise, Mobile and Surface Hub
[8] Applies only to Enterprise and Enterprise LTSB
Windows 10 (Version 1507)
Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub
Other algorithms:
MD5#1168 and ); HMAC
(Cert. ); RSA (Cert. ); SHS
(Cert. )
Windows Vista SP1
Windows Vista
Windows XP SP3
Windows XP SP2
Windows XP SP1
Windows XP
Windows 2000 SP3
Cryptographic Module | Version (link to Security Policy) | FIPS Certificate # | Algorithms
Windows 2000 SP2
Windows 2000 SP1
Windows 2000
Windows 95 and Windows 98
Windows NT 4.0
Secure Kernel Code Integrity | 10.0.17134 | #3096 | See Security Policy and Certificate page for algorithm information
Windows Server (Version 1709)
Secure Kernel Code Integrity | 10.0.16299 | #3096 | See Security Policy and Certificate page for algorithm information
Windows Server 2016
Windows Server 2012 R2
[16] Does not apply to Azure StorSimple Virtual Array Windows Server 2012 R2
[17] Does not apply to Azure StorSimple Virtual Array Windows Server 2012 R2
Windows Server 2012
Validated Editions: Server, Storage Server
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003 SP2
Windows Server 2003 SP1
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) | 5.2.3790.1830 [Service Pack 1] | 381 | FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
[1] x86
[2] SP1 x86, x64, IA64
Windows Server 2003
Other Products
Windows Embedded Compact 7 and Windows Embedded Compact 8
Windows CE 6.0 and Windows Embedded Compact 7
Cryptographic Algorithms
The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each
algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation
Program (CAVP) issued certificate.
Advanced Encryption Standard (AES)
Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896, Version 10.0.15063.674
  AES-CCM: Key Lengths: 256 (bits); Tag Lengths: 128 (bits); IV Lengths: 96 (bits); Plain Text Length: 0-32; AAD Length: 0-65536; AES Val#4897

AES Val#4902

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627, Version 10.0.15063
  CBC ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); OFB ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626, Version 10.0.15063
  KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 ); AES Val#4624

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625, Version 10.0.15063
  CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ); AES Val#4624

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624, Version 10.0.15063
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
  CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
  GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported GMAC_Supported
  XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434, Version 7.00.2872
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 )

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433, Version 8.00.6246
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431, Version 7.00.2872
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430, Version 8.00.6246
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074, Version 10.0.14393
  CBC ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); OFB ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064, Version 10.0.14393
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
  CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
  GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported GMAC_Supported
  XTS( (KS: XTS_128 ( (e/d) (f) ) KS: XTS_256 ( (e/d) (f) )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063, Version 10.0.14393
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062, Version 10.0.14393
  KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 ); AES Val#4064

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061, Version 10.0.14393
  CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ); AES Val#4064

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652, Version 10.0.10586
  KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 ); AES Val#3629

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653, Version 10.0.10586
  CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ); AES Val#3629

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630, Version 10.0.10586
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629, Version 10.0.10586
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
  CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
  GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported GMAC_Supported
  XTS( (KS: XTS_128 ( (e/d) (f) ) KS: XTS_256 ( (e/d) (f) )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507, Version 10.0.10240
  KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 ); AES Val#3497

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498, Version 10.0.10240
  CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ); AES Val#3497

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497, Version 10.0.10240
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
  CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
  GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported GMAC_Supported
  XTS( (KS: XTS_128 ( (e/d) (f) ) KS: XTS_256 ( (e/d) (f) )

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476, Version 10.0.10240
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853, Version 6.3.9600
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker® Cryptographic Implementations #2848, Version 6.3.9600
  CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ); AES Val#2832

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832, Version 6.3.9600
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
  CMAC (Generation/Verification ) (KS: 128 ; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )
  GCM (KS: AES_128 ( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256 ( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported ; OtherIVLen_Supported GMAC_Supported

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range : 0 - 0 , 2^16 ) (Payload Length Range : 0 - 32 ( Nonce Length(s) : 7 8 9 10 11 12 13 (Tag Length(s) : 4 6 8 10 12 14 16 ); AES Val#2197
  CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192 ; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256 ; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ); AES Val#2197
  GCM(KS: AES_128 ( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192 ( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256 ( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported GMAC_Supported

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198
  CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s) : 12 (Tag Length(s) : 16 ); AES Val#2196

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )

Windows Server 2008 R2 and SP1 CNG algorithms #1187
Windows 7 Ultimate and SP1 CNG algorithms #1178
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ); AES Val#1168

Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177
  CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ); AES Val#1168

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168, vendor-affirmed
  GCM; GMAC

Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
  CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

Windows Server 2008 CNG algorithms #757
Windows Vista Ultimate SP1 CNG algorithms #756
  CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

Windows Vista Ultimate BitLocker Drive Encryption #715
  CBC ( e/d; 128 , 256 )

Windows Vista Ultimate BitLocker Drive Encryption #424
  CCM (KS: 128 , 256 ) (Assoc. Data Len Range : 0 - 8 ) (Payload Length Range : 4 - 32 ( Nonce Length(s) : 7 8 12 13 (Tag Length(s) : 4 6 8 14 16 )

Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739
Windows Vista Symmetric Algorithm Implementation #553
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 )

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818
Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781
Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548
Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516
Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507
Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290
Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224
Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80
Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33
  ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 )
Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556, Version 10.0.15063
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555, Version 10.0.15063
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433, Version 7.00.2872
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432, Version 8.00.6246
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430, Version 7.00.2872
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429, Version 8.00.6246
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222, Version 10.0.14393
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217, Version 10.0.14393
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #955, Version 10.0.10586
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868, Version 10.0.10240
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489, Version 6.3.9600
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]

Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
  CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]
L = 2048, N = 256
L = 3072, N = 256
Prerequisite: SHS #4010, DRBG #1731
Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
  FIPS186-2: PRIME; FIPS186-2: KEYGEN(Y): SHS: SHA-1 (BYTE) SIG(gen): SIG(ver) MOD(1024); SHS: SHA-1 (BYTE)
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3790 | Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062, Version 10.0.15063
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3790 | Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061, Version 10.0.15063
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3652 | Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946, Version 7.00.2872
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3651 | Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945, Version 8.00.6246
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3649 | Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943, Version 7.00.2872
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3648 | Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942, Version 8.00.6246
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3347 | Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661, Version 10.0.14393
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3347 | Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651, Version 10.0.14393
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3047 | Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381, Version 10.0.10586
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#2886 | Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233, Version 10.0.10240
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#2373 | Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773, Version 6.3.9600
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#2764 | Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122, Version 5.2.29344
HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS #1902 | Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS #1902 | Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS #1903 | Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#1773 | Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#1774 | Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#1081 | Windows Server 2008 R2 and SP1 CNG algorithms #686; Windows 7 and SP1 CNG algorithms #677; Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687; Windows 7 Enhanced Cryptographic Provider (RSAENH) #673
HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS Val#1081 | Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#816 | Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452
HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS Val#753 | Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#753 | Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408; Windows Vista Enhanced Cryptographic Provider (RSAENH) #407
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#618 | Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
HMAC-SHA1 (Key Size Ranges Tested: KSBS) SHS Val#785 | Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429; Windows XP, vendor-affirmed
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#783 | Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#613 | Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
HMAC-SHA1 (Key Size Ranges Tested: KSBS) SHS Val#610 | Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#753 | Windows Server 2008 CNG algorithms #413; Windows Vista Ultimate SP1 CNG algorithms #412
HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS Val#737 | Windows Vista Ultimate BitLocker Drive Encryption #386
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#618 | Windows Vista CNG algorithms #298
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#589 | Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#578 | Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #260
HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS Val#495 | Windows Vista BitLocker Drive Encryption #199
HMAC-SHA1 (Key Size Ranges Tested: KSBS) SHS Val#364 | Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99; Windows XP, vendor-affirmed
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#305 | Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ] SHS Val#3790 DSA Val#1135 DRBG Val#1556 | Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128, Version 10.0.15063
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ] SHS Val#3790 DSA Val#1223 DRBG Val#1555 | Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127, Version 10.0.15063
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] SHS Val#3790 ECDSA Val#1133 DRBG Val#1555 | Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127, Version 10.0.15063
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ] SHS Val#3649 DSA Val#1188 DRBG Val#1430 | Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115, Version 7.00.2872
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] | Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115, Version 7.00.2872
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ] SHS Val#3648 DSA Val#1187 DRBG Val#1429 | Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114, Version 8.00.6246
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] SHS Val#3648 ECDSA Val#1072 DRBG Val#1429 | Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114, Version 8.00.6246
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ] SHS Val#3047 DSA Val#1024 DRBG Val#955 | Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72, Version 10.0.10586
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] SHS Val#3047 ECDSA Val#760 DRBG Val#955 | Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72, Version 10.0.10586
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ] SHS Val#2886 DSA Val#983 DRBG Val#868 | Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64, Version 10.0.10240
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] SHS Val#2886 ECDSA Val#706 DRBG Val#868 | Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64, Version 10.0.10240
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ] SHS Val#2373 DSA Val#855 DRBG Val#489 | Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47, Version 6.3.9600
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] SHS Val#2373 ECDSA Val#505 DRBG Val#489 | Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47, Version 6.3.9600
FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ] SHS #1903 DSA Val#687 DRBG #258 | Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] [ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ] [ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ] | Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36
CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) KAS Val#128 DRBG Val#1556 MAC Val#3062 | Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141, Version 10.0.15063
CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) KAS Val#127 AES Val#4624 DRBG Val#1555 MAC Val#3061 | Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140, Version 10.0.15063
CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) KAS Val#93 DRBG Val#1222 MAC Val#2661 | Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102, Version 10.0.14393
CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651 | Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101, Version 10.0.14393
CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381 | Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72, Version 10.0.10586
CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) KAS Val#64 AES Val#3497 DRBG Val#868 MAC Val#2233 | Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66, Version 10.0.10240
CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) DRBG Val#489 MAC Val#1773 | Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30, Version 6.3.9600
CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) DRBG #258 HMAC Val#1345 | Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
FIPS 186-2 General Purpose [ (x-Original); (SHA-1) ] | Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
FIPS 186-2 [ (x-Change Notice); (SHA-1) ] | Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649
FIPS 186-2 General Purpose [ (x-Change Notice); (SHA-1) ] | Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435; Windows Vista RNG implementation #321
FIPS 186-2 General Purpose [ (x-Change Notice); (SHA-1) ] |
    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470
    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449
    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447
    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316
    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313
RSA
SHA Val#2373
FIPS186-4: ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 )) SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 )) [RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 )) Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 )) SHA #1903 | Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134. Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.
FIPS186-2: ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23 | Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559. Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.
FIPS186-2: ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 | Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353. Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.
FIPS186-2: ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321 | Windows Vista RSA key generation implementation #258. Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only) | Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886, Version 10.0.10240
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only) | Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871, Version 10.0.10240
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only) | Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396, Version 6.3.9600
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only) | Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373, Version 6.3.9600
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only); implementation does not support zero-length (null) messages. | Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903; Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only) | Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081; Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816
SHA-1, SHA-256, SHA-384, SHA-512 (BYTE-only) | Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753; Windows Vista Symmetric Algorithm Implementation #618
Triple DES
TECB ( KO 1 e/d, ) ; TCBC ( KO 1 e/d, ) ; TCFB8 ( KO 1 e/d, ) ; TCFB64 ( KO 1 e/d, ) | Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459, Version 10.0.15063
Version 10.0.14393
Version 10.0.10586
TECB ( e/d; KO 1,2 ) ; TCBC ( e/d; KO 1,2 ) ; TCFB8 ( e/d; KO 1,2 ) | Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387
TECB ( e/d; KO 1,2 ) ; TCBC ( e/d; KO 1,2 ) ; TCFB8 ( e/d; KO 1,2 ) | Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386
TECB ( e/d; KO 1,2 ) ; TCBC ( e/d; KO 1,2 ) ; TCFB8 ( e/d; KO 1,2 ) | Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846
TECB ( e/d; KO 1,2 ) ; TCBC ( e/d; KO 1,2 ) ; TCFB8 ( e/d; KO 1,2 ) | Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656
Triple DES MAC | Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed; Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed
TECB ( e/d; KO 1,2 ) ; TCBC ( e/d; KO 1,2 ) |
    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308
    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307
    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691
    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677
    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676
    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675
    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544
    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543
    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542
    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526
    Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517
    Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381
    Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370
    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365
    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315
    Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201
    Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199
    Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192
    Windows XP Microsoft Enhanced Cryptographic Provider #81
    Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18
    Crypto Driver for Windows 2000 (fips.sys) #16
References
[FIPS 140] - FIPS 140-2, Security Requirements for Cryptographic Modules
[FIPS FAQ] - Cryptographic Module Validation Program (CMVP) FAQ
[SP 800-57] - Recommendation for Key Management – Part 1: General (Revised)
[SP 800-131A] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
Common Criteria Certifications
12/11/2019 • 5 minutes to read
Microsoft is committed to optimizing the security of its products and services. As part of that commitment,
Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the
features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria
certifications of Microsoft Windows products.
Applies to
Windows 10, version 1703 and later
This library describes the Windows Security app, and provides information on configuring certain features, including:
Showing and customizing contact information on the app and in notifications
Hiding notifications
In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall apps.
In Windows 10, version 1803, the app has two new areas, Account protection and Device security.
NOTE
The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender
Security Center web portal console that is used to review and manage Microsoft Defender Advanced Threat Protection.
You can't uninstall the Windows Security app, but you can do one of the following:
Disable the interface on Windows Server 2016. See Windows Defender Antivirus on Windows Server 2016.
Hide all of the sections on client computers (see below).
Disable Windows Defender Antivirus, if needed. See Enable and configure Windows Defender AV always-on
protection and monitoring.
You can find more information about each section, including options for configuring the sections - such as hiding
each of the sections - at the following topics:
Virus & threat protection, which has information and access to antivirus and ransomware protection settings and
notifications, including Controlled folder access, and sign-in to Microsoft OneDrive.
Account protection, which has information and access to sign-in and account protection settings.
Firewall & network protection, which has information and access to firewall settings, including Windows
Defender Firewall.
App & browser control, covering Windows Defender SmartScreen settings and Exploit protection mitigations.
Device security, which provides access to built-in device security settings.
Device performance & health, which has information about drivers, storage space, and general Windows Update
issues.
Family options, which includes access to parental controls along with tips and information for keeping kids safe
online.
NOTE
If you hide all sections, the app shows a restricted interface with no feature areas.
How the Windows Security app works with Windows security features
IMPORTANT
Windows Defender AV and the Windows Security app use similarly named services for specific purposes.
The Windows Security app uses the Windows Security Service (SecurityHealthService, also shown as Windows Security Health Service),
which in turn uses the Security Center service (wscsvc) to ensure the app provides the most up-to-date information about
the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender
Firewall, third-party firewalls, and other security protection.
These services do not affect the state of Windows Defender AV. Disabling or modifying them will not disable
Windows Defender AV, but it will lead to a lowered protection state on the endpoint, even if you are using a third-party
antivirus product.
Windows Defender AV will be disabled automatically when a third-party antivirus product is installed and kept up to date.
Disabling the Windows Security Center service will not disable Windows Defender AV or Windows Defender Firewall.
WARNING
If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or
running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you
have installed on the device.
It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you
uninstall any third-party antivirus products you may have previously installed.
This will significantly lower the protection of your device and could lead to malware infection.
The Windows Security app operates as a separate app or process from each of the individual features, and will
display notifications through the Action Center.
It acts as a collector or single place to see the status and perform some configuration for each of the features.
Disabling any of the individual features (through Group Policy or other management tools, such as Microsoft
Endpoint Configuration Manager) will prevent that feature from reporting its status in the Windows Security app.
The Windows Security app itself will still run and show status for the other security features.
IMPORTANT
Individually disabling any of the services will not disable the other services or the Windows Security app.
For example, using a third-party antivirus will disable Windows Defender Antivirus. However, the Windows Security
app will still run, show its icon in the taskbar, and display information about the other features, such as Windows
Defender SmartScreen and Windows Defender Firewall.
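The relationship described above (the app reads status through SecurityHealthService and wscsvc, and a stopped wscsvc blinds the app without disabling Defender AV) is easiest to understand by querying the same sources yourself. The following PowerShell script is an added example, not code from the Microsoft documentation: it checks the named services and reads the root\SecurityCenter2 WMI namespace that registered antivirus and firewall products report into. The decoding of the productState bit field is a commonly used community interpretation, not a documented API, and is marked as an assumption in the code.

```powershell
# Added example (not from the Microsoft docs page): inspect the services and data source
# the Windows Security app is built on. Run in an elevated PowerShell on a Windows 10 client.
# ASSUMPTION: the productState decoding (second hex byte 0x10 = product enabled,
# low byte 0x00 = signatures up to date) is the widely used community reading of the field.

function Get-WindowsSecurityAppHealth {
    [CmdletBinding()]
    param()

    # Services the page names, plus the Defender AV and firewall engines whose state they report.
    $serviceNames = [ordered]@{
        'SecurityHealthService' = 'Windows Security Service (app back end)'
        'wscsvc'                = 'Security Center service (status aggregation)'
        'WinDefend'             = 'Windows Defender Antivirus'
        'mpssvc'                = 'Windows Defender Firewall'
    }
    $services = foreach ($name in $serviceNames.Keys) {
        $svc       = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status    = 'NotFound'
        $startType = 'NotFound'
        if ($svc) { $status = $svc.Status; $startType = $svc.StartType }
        [pscustomobject]@{ Service = $name; Role = $serviceNames[$name]; Status = $status; StartType = $startType }
    }

    # root\SecurityCenter2 is where AV and firewall products register. When wscsvc is stopped
    # nothing answers here, which is why the page warns the app may show stale information.
    $products = foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $state = [int]$_.productState
                [pscustomobject]@{
                    Kind         = $class
                    Product      = $_.displayName
                    Enabled      = ((($state -shr 12) -band 0xF) -eq 1)   # assumption: 0x?10?? means "on"
                    SignaturesOk = (($state -band 0xFF) -eq 0)             # assumption: 0x????00 means "up to date"
                    RawState     = ('0x{0:X6}' -f $state)
                }
            }
    }

    $wsc = $services | Where-Object Service -eq 'wscsvc'
    [pscustomobject]@{
        Services           = $services
        Products           = $products
        # Per the page: a stopped Security Center service does not disable Defender AV,
        # but the app's status view can no longer be trusted.
        StatusViewReliable = ($wsc.Status -eq 'Running')
    }
}

$health = Get-WindowsSecurityAppHealth
$health.Services | Format-Table -AutoSize
$health.Products | Format-Table -AutoSize
"Windows Security app status view reliable: $($health.StatusViewReliable)"
```

If StatusViewReliable is false, check Defender AV's own state directly (for example with Get-MpComputerStatus from the Defender module) rather than trusting what the app displays; the app and the engine are separate processes, as the text above explains.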
Customize the Windows Security app for your organization
8/27/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10, version 1709 and later
Audience
Enterprise security administrators
Manageability available with
Group Policy
You can add information about your organization in a contact card to the Windows Security app. This can include a
link to a support site, a phone number for a help desk, and an email address for email-based support.
This information will also be shown in some enterprise-specific notifications (including those for the Block at first
sight feature and for potentially unwanted applications).
Users can click on the displayed information to initiate a support request:
Clicking Call or the phone number will open Skype to start a call to the displayed number
Clicking Email or the email address will create a new email in the machine's default email app, addressed to the
displayed email address
Clicking Help portal or the website URL will open the machine's default web browser and go to the displayed
address
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows
do not include these Group Policy settings.
IMPORTANT
You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you
do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and
notifications will not be customized.
Hide Windows Security app notifications
1/29/2020 • 7 minutes to read • Edit Online
Applies to
Windows 10, version 1809 and above
Audience
Enterprise security administrators
Manageability available with
Group Policy
The Windows Security app is used by a number of Windows security features to provide notifications about the
health and security of the machine. These include notifications about firewalls, antivirus products, Windows
Defender SmartScreen, and others.
In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status
updates, or if you want to hide all notifications to the employees in your organization.
There are two levels to hiding notifications:
1. Hide non-critical notifications, such as regular updates about the number of scans Windows Defender Antivirus
ran in the past week
2. Hide all notifications
If you set Hide all notifications to Enabled , changing the Hide non-critical notifications setting will have no
effect.
You can only use Group Policy to change these settings.
Use Group Policy to hide non-critical notifications
IMPORTANT
Requirements
You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. Download the latest Administrative Templates (.admx) for Windows 10, v1809.
2. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
3. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
4. Expand the tree to Windows components > Windows Security > Notifications . For Windows 10
version 1803 and below the path would be Windows components > Windows Defender Security
Center > Notifications
5. Open the Hide non-critical notifications setting and set it to Enabled . Click OK .
6. Deploy the updated GPO as you normally do.
Use Group Policy to hide all notifications
IMPORTANT
Requirements
You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Notifications . For Windows 10
version 1803 and below the path would be Windows components > Windows Defender Security
Center > Notifications
4. Open the Hide all notifications setting and set it to Enabled . Click OK .
5. Alternatively, use the following registry key and DWORD value to hide all notifications:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications] "DisableNotifications"=dword:00000001
6. Use the following registry key and DWORD value to hide non-critical notifications:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications] "DisableEnhancedNotifications"=dword:00000001
7. Deploy the updated GPO as you normally do.
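The two procedures above come down to the two DWORD values listed in steps 5 and 6, and the precedence rule stated earlier (Hide all notifications enabled makes the non-critical setting irrelevant). The following PowerShell script is an added example, not code from the Microsoft documentation; it writes those values and reports the effective behaviour. The registry path and value names are exactly the ones the page gives; everything else (function names, the "Effective" summary) is this example's own.

```powershell
# Added example (not from the Microsoft docs page). Applies the notification policy values
# the page lists and reports the effective state. Run as Administrator. These are policy keys:
# a GPO that configures the same settings will overwrite them at the next policy refresh.

$NotificationsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications'

function Set-WindowsSecurityNotificationPolicy {
    param(
        [switch]$HideAll,          # "Hide all notifications"
        [switch]$HideNonCritical   # "Hide non-critical notifications"
    )
    if (-not (Test-Path $NotificationsKey)) {
        New-Item -Path $NotificationsKey -Force | Out-Null
    }
    # Value names and type (DWORD) are taken verbatim from steps 5 and 6 on the page.
    Set-ItemProperty -Path $NotificationsKey -Name 'DisableNotifications'         -Type DWord -Value ([int]$HideAll.IsPresent)
    Set-ItemProperty -Path $NotificationsKey -Name 'DisableEnhancedNotifications' -Type DWord -Value ([int]$HideNonCritical.IsPresent)
}

function Get-WindowsSecurityNotificationPolicy {
    $props = Get-ItemProperty -Path $NotificationsKey -ErrorAction SilentlyContinue
    $hideAll         = ($props.DisableNotifications         -eq 1)
    $hideNonCritical = ($props.DisableEnhancedNotifications -eq 1)

    # Precedence from the page: when "Hide all" is enabled, "Hide non-critical" has no effect.
    $effective = 'All notifications shown'
    if ($hideAll)             { $effective = 'All notifications hidden (non-critical setting ignored)' }
    elseif ($hideNonCritical) { $effective = 'Only critical notifications shown (e.g. SUPPORT_ENDED)' }

    [pscustomobject]@{
        DisableNotifications         = [int]$hideAll
        DisableEnhancedNotifications = [int]$hideNonCritical
        Effective                    = $effective
    }
}

# Usage: suppress the routine status toasts (weekly scan counts) but keep critical ones.
Set-WindowsSecurityNotificationPolicy -HideNonCritical
Get-WindowsSecurityNotificationPolicy
```

Audit with Get-WindowsSecurityNotificationPolicy alone on a device after the GPO has applied; if Effective reads "All notifications hidden", the critical SUPPORT_ENDED notification in the table below is suppressed as well, which is usually not what an enterprise wants.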
Notifications
Purpose: OS support ended, device at risk
Notification text: Support for your version of Windows has ended. Windows Defender Antivirus is no longer supported, and your device might be at risk.
Toast identifier: SUPPORT_ENDED and SUPPORT_ENDED_NO_DEFENDER
Critical?: Yes
Windows Security in Windows 10 in S mode
Applies to
Windows 10 in S mode, version 1803
Audience
Enterprise security administrators
Manageability available with
Microsoft Intune
Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode,
users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize
malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra
protections against phishing and malicious software.
The Windows Security interface is a little different in Windows 10 in S mode. The Virus & threat protection area
has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from
running on devices in your organization. In addition, devices running Windows 10 in S mode receive security
updates automatically.
For more information about Windows 10 in S mode, including how to switch out of S mode, see Windows 10
Pro/Enterprise in S mode.
Virus & threat protection
Applies to
Windows 10, version 1703 and later
The Virus & threat protection section contains information and settings for antivirus protection from Windows
Defender Antivirus and third-party AV products.
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and
recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected
folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also
notifies users and provides recovery instructions in the event of a ransomware attack.
IT administrators and IT pros can get more information and documentation about configuration from the following:
Windows Defender Antivirus in the Windows Security app
Windows Defender Antivirus documentation library
Protect important folders with Controlled folder access
Defend yourself from cybercrime with new Office 365 capabilities
Office 365 advanced protection
Ransomware detection and recovering your files
You can choose to hide the Virus & threat protection section or the Ransomware protection area from users
of the machine. This can be useful if you don't want employees in your organization to see or have access to user-
configured options for the features shown in the section.
Hide the Virus & threat protection section
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Virus and threat protection .
4. Open the Hide the Virus and threat protection area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections, the app shows a restricted interface with no feature areas.
Hide the Ransomware protection area
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Virus and threat protection .
4. Open the Hide the Ransomware data recovery area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
Account protection
12/4/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10, version 1803 and later
The Account protection section contains information and settings for account protection and sign in. IT
administrators and IT pros can get more information and documentation about configuration from the following:
Microsoft Account
Windows Hello for Business
Lock your Windows 10 PC automatically when you step away from it
You can also choose to hide the section from users of the machine. This can be useful if you don't want employees
in your organization to see or have access to user-configured options for the features shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Account protection .
4. Open the Hide the Account protection area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections, the app shows a restricted interface with no feature areas.
Firewall and network protection
5/31/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10, version 1703 and later
The Firewall & network protection section contains information about the firewalls and network connections
used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT
administrators and IT pros can get configuration guidance from the Windows Defender Firewall with Advanced
Security documentation library.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if
you don't want employees in your organization to see or have access to user-configured options for the features
shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Firewall and network protection .
4. Open the Hide the Firewall and network protection area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections, the app shows a restricted interface with no feature areas.
App and browser control
8/27/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10, version 1703 and later
The App and browser control section contains information and settings for Windows Defender SmartScreen. IT
administrators and IT pros can get configuration guidance from the Windows Defender SmartScreen
documentation library.
In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You
can prevent users from modifying these specific options with Group Policy. IT administrators can get more
information at Exploit protection.
You can also choose to hide the section from users of the machine. This can be useful if you don't want employees
in your organization to see or have access to user-configured options for the features shown in the section.
Prevent users from making changes to the Exploit protection area
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > App and browser protection .
4. Open the Prevent users from modifying settings setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
Hide the App & browser control section
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > App and browser protection .
4. Open the Hide the App and browser protection area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections, the app shows a restricted interface with no feature areas.
Device security
5/31/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10, version 1803 and later
The Device security section contains information and settings for built-in device security.
You can choose to hide the section from users of the machine. This can be useful if you don't want employees in
your organization to see or have access to user-configured options for the features shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Device security .
4. Open the Hide the Device security area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections, the app shows a restricted interface with no feature areas.
Disable the Clear TPM button
If you don't want users to be able to click the Clear TPM button in the Windows Security app, you can disable it.
IMPORTANT
Requirements
You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Device security .
4. Open the Disable the Clear TPM button setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
Device performance & health
Applies to
Windows 10, version 1703 and later
The Device performance & health section contains information about hardware, devices, and drivers related to
the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues
they are seeing, such as the configure the Load and unload device drivers security policy setting and how to deploy
drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager.
The Windows 10 IT pro troubleshooting topic, and the main Windows 10 documentation library can also be helpful
for resolving issues.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if
you don't want employees in your organization to see or have access to user-configured options for the features
shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Device performance and health .
4. Open the Hide the Device performance and health area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections, the app shows a restricted interface with no feature areas.
Family options
5/31/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10, version 1703 and later
The Family options section contains links to settings and further information for parents of a Windows 10 PC. It is
not generally intended for enterprise or business environments.
Home users can learn more in the Help protect your family online in Windows Security topic at
support.microsoft.com.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you
don't want employees in your organization to see or have access to this section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit .
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates .
3. Expand the tree to Windows components > Windows Security > Family options .
4. Open the Hide the Family options area setting and set it to Enabled . Click OK .
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections, the app shows a restricted interface with no feature areas.
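The hide-section procedures above (Virus & threat protection, Account protection, Firewall & network protection, App & browser control, Device security, Device performance & health, Family options) and the three related lockdowns (Ransomware data recovery area, Exploit protection settings, Clear TPM button) are the same Group Policy pattern repeated. The following PowerShell script is an added example, not code from the Microsoft documentation, for applying or auditing that pattern through the policy registry keys the GPO writes. The root key is the one the page gives for notifications; the subkey names and the value names UILockdown, HideRansomwareRecovery, DisallowExploitProtectionOverride and DisableClearTpmButton are this author's recollection of the Windows Security ADMX template, not something stated on this page, so verify them against the ADMX/ADML files shipped with your Windows version before relying on them.

```powershell
# Added example (not from the Microsoft docs page). Hides Windows Security app sections by
# writing the policy registry values that the Group Policy settings on the page map to.
# ASSUMPTION: subkey names and the value names UILockdown, HideRansomwareRecovery,
# DisallowExploitProtectionOverride and DisableClearTpmButton are recalled from the
# Windows Security ADMX, not taken from this page. Verify against your ADMX before use.
# Run as Administrator; Group Policy will overwrite these values on the next refresh.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center'

# Section name as the page calls it -> policy subkey (assumed, see above)
$SectionKeys = [ordered]@{
    'Virus & threat protection'     = 'Virus and threat protection'
    'Account protection'            = 'Account protection'
    'Firewall & network protection' = 'Firewall and network protection'
    'App & browser control'         = 'App and browser protection'
    'Device security'               = 'Device security'
    'Device performance & health'   = 'Device performance and health'
    'Family options'                = 'Family options'
}

function Set-PolicyDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    $path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Name -Type DWord -Value $Value
}

function Hide-WindowsSecuritySection {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Virus & threat protection', 'Account protection', 'Firewall & network protection',
                     'App & browser control', 'Device security', 'Device performance & health', 'Family options')]
        [string[]]$Section
    )
    foreach ($s in $Section) { Set-PolicyDword -SubKey $SectionKeys[$s] -Name 'UILockdown' -Value 1 }
}

function Set-WindowsSecuritySectionRestriction {
    param(
        [switch]$HideRansomwareRecovery,   # Virus & threat protection: hide the data recovery area
        [switch]$LockExploitProtection,    # App & browser control: users cannot change Exploit protection
        [switch]$DisableClearTpmButton     # Device security: grey out Clear TPM (1809 or later)
    )
    if ($HideRansomwareRecovery) { Set-PolicyDword 'Virus and threat protection' 'HideRansomwareRecovery' 1 }
    if ($LockExploitProtection)  { Set-PolicyDword 'App and browser protection' 'DisallowExploitProtectionOverride' 1 }
    if ($DisableClearTpmButton)  { Set-PolicyDword 'Device security' 'DisableClearTpmButton' 1 }
}

function Get-WindowsSecuritySectionPolicy {
    foreach ($s in $SectionKeys.Keys) {
        $p = Get-ItemProperty -Path (Join-Path $PolicyRoot $SectionKeys[$s]) -ErrorAction SilentlyContinue
        [pscustomobject]@{ Section = $s; Hidden = ($p.UILockdown -eq 1) }
    }
}

# Usage: hide the consumer-oriented sections, keep Virus & threat protection visible but
# without the OneDrive recovery area, lock Exploit protection, and protect the TPM button.
Hide-WindowsSecuritySection -Section 'Family options', 'Device performance & health'
Set-WindowsSecuritySectionRestriction -HideRansomwareRecovery -LockExploitProtection -DisableClearTpmButton
Get-WindowsSecuritySectionPolicy | Format-Table -AutoSize
```

Hiding a section only removes the user-facing controls; it does not change the underlying protection state, so pair it with the Group Policy or MDM settings that actually configure each feature.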
Windows Defender SmartScreen
4/8/2020 • 3 minutes to read • Edit Online
Applies to:
Windows 10
Windows 10 Mobile
Microsoft Edge
Windows Defender SmartScreen protects against phishing or malware websites and applications, and the
downloading of potentially malicious files.
Windows Defender SmartScreen determines whether a site is potentially malicious by:
Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender
SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it
finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be
malicious.
Windows Defender SmartScreen determines whether a downloaded app or app installer is
potentially malicious by:
Checking downloaded files against a list of reported malicious software sites and programs known to be
unsafe. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the
site might be malicious.
Checking downloaded files against a list of files that are well known and downloaded by many Windows
users. If the file isn't on that list, Windows Defender SmartScreen shows a warning, advising caution.
IMPORTANT
SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations
or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
NOTE
For information on how to use the Event Viewer, see Windows Event Viewer.
Related topics
Threat protection
Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
Available Windows Defender SmartScreen Group
Policy and mobile device management (MDM)
settings
4/8/2020 • 6 minutes to read • Edit Online
Applies to:
Windows 10
Windows 10 Mobile
Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings
to help you manage your organization's computer settings. Based on how you set up Windows Defender
SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site
entirely.
See Windows 10 (and later) settings to protect devices using Intune for the controls you can use in Intune.
Group Policy settings
Setting (Windows 10, version 1703): Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen
Setting (Windows 10, version 1607 and earlier): Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen
Supported on: At least Windows Server 2012, Windows 8 or Windows RT
Description: This policy setting turns on Windows Defender SmartScreen. If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Windows Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site). If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

Setting: Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
Supported on: Windows 10, version 1703
Description: This policy setting is intended to prevent malicious content from affecting your users' devices when downloading executable content from the internet. This setting does not protect against malicious content from USB devices, network shares or other non-internet sources. Important: Using a trustworthy browser helps ensure that these protections work as expected.

Setting (Windows 10, version 1703): Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
Setting (Windows 10, version 1607 and earlier): Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen
Supported on: Microsoft Edge on Windows 10 or later
Description: This policy setting turns on Windows Defender SmartScreen. If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

Setting (Windows 10, version 1703): Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
Setting (Windows 10, version 1511 and 1607): Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files
Supported on: Microsoft Edge on Windows 10, version 1511 or later
Description: This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious files. If you enable this setting, it stops employees from bypassing the warning, stopping the file download. If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.

Setting (Windows 10, version 1703): Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
Setting (Windows 10, version 1511 and 1607): Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites
Supported on: Microsoft Edge on Windows 10, version 1511 or later
Description: This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious sites. If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site. If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.

Setting: Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter
Supported on: Internet Explorer 9 or later
Description: This policy setting prevents the employee from managing Windows Defender SmartScreen. If you enable this policy setting, the employee isn't prompted to turn on Windows Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee. If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience.

Setting: Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings
Supported on: Internet Explorer 8 or later
Description: This policy setting determines whether an employee can bypass warnings from Windows Defender SmartScreen. If you enable this policy setting, Windows Defender SmartScreen warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings.

Setting: Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Supported on: Internet Explorer 9 or later
Description: This policy setting determines whether the employee can bypass warnings from Windows Defender SmartScreen. Windows Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet. If you enable this policy setting, Windows Defender SmartScreen warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings.
MDM settings
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings
support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft
Intune) and Windows 10 Mobile devices.
For Windows Defender SmartScreen Internet Explorer MDM policies, see Policy CSP - InternetExplorer.
Setting: PreventSmartScreenPromptOverride
Supported versions: Windows 10, Version 1511 and later
URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
Data type: Integer
Allowed values:
0. Employees can ignore Windows Defender SmartScreen warnings.
1. Employees can't ignore Windows Defender SmartScreen warnings.

Setting: PreventSmartScreenPromptOverrideForFiles
Supported versions: Windows 10, Version 1511 and later
URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
Data type: Integer
Allowed values:
0. Employees can ignore Windows Defender SmartScreen warnings for files.
1. Employees can't ignore Windows Defender SmartScreen warnings for files.
Recommended Group Policy settings for your organization
Setting: Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
Recommendation: Enable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.

Setting: Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
Recommendation: Enable. Stops employees from ignoring warning messages and continuing to download potentially malicious files.

Setting: Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen
Recommendation: Enable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.
Related topics
Threat protection
Windows Defender SmartScreen overview
Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this
topic, see Contributing to TechNet content.
Set up and use Windows Defender SmartScreen on
individual devices
4/8/2020 • 3 minutes to read • Edit Online
Applies to:
Windows 10, version 1703
Windows 10 Mobile
Microsoft Edge
Windows Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or
malware websites, or if a user tries to download potentially malicious files.
NOTE
If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears
as unavailable to the employee.
Related topics
Threat protection
Windows Defender SmartScreen overview
Windows Sandbox
3/27/2020 • 2 minutes to read • Edit Online
Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software
installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host
machine.
A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new
instance of the sandbox every time you open the application.
Software and applications installed on the host aren't directly available in the sandbox. If you need specific
applications available inside the Windows Sandbox environment, they must be explicitly installed within the
environment.
Windows Sandbox has the following properties:
Part of Windows: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's
no need to download a VHD.
Pristine: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
Disposable: Nothing persists on the device. Everything is discarded when the user closes the application.
Secure: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a
separate kernel that isolates Windows Sandbox from the host.
Efficient: Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
The following video provides an overview of Windows Sandbox.
Prerequisites
Windows 10 Pro or Enterprise build 18305 or later (Windows Sandbox is currently not supported on Home
SKUs)
AMD64 architecture
Virtualization capabilities enabled in BIOS
At least 4 GB of RAM (8 GB recommended)
At least 1 GB of free disk space (SSD recommended)
At least two CPU cores (four cores with hyperthreading recommended)
Installation
1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or later.
2. Enable virtualization on the machine.
If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
3. Use the search bar on the task bar and type Turn Windows Features on and off to access the Windows
Optional Features tool. Select Windows Sandbox and then OK . Restart the computer if you're prompted.
If the Windows Sandbox option is unavailable, your computer doesn't meet the requirements to run
Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2.
4. Locate and select Windows Sandbox on the Start menu to run it for the first time.
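The following PowerShell script is an added example, not part of the Microsoft documentation: run from an elevated session on the prospective host, it checks the prerequisites listed above and then enables the optional feature. The feature name Containers-DisposableClientVM is the Windows Sandbox entry that the Windows Features dialog toggles; the edition regex and the threshold checks are this script's own choices.

```powershell
# Added example: check Windows Sandbox prerequisites and enable the feature.
# Requires an elevated PowerShell session. On a virtual machine the hypervisor
# must first expose nested virtualization (Set-VMProcessor on the Hyper-V host).

function Test-SandboxPrerequisites {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')

    # Each entry maps a documented prerequisite to a boolean check.
    $checks = [ordered]@{
        # Home SKUs are not supported; the caption is e.g. "Microsoft Windows 10 Pro".
        'Windows 10 Pro or Enterprise' = ($os.Caption -match 'Windows 10 (Pro|Enterprise)')
        'Build 18305 or later'         = ([int]$os.BuildNumber -ge 18305)
        'AMD64 architecture'           = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64')
        # VirtualizationFirmwareEnabled reads False once a hypervisor owns the CPU
        # extensions, so a present hypervisor also counts as "virtualization on".
        'Virtualization enabled'       = ([bool]$cpu.VirtualizationFirmwareEnabled -or [bool]$cs.HypervisorPresent)
        'At least 4 GB of RAM'         = ($cs.TotalPhysicalMemory -ge 4GB)
        'At least 1 GB of free disk'   = ($sysDrive.Free -ge 1GB)
        'At least two CPU cores'       = ($cpu.NumberOfCores -ge 2)
    }

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
    [pscustomobject]@{
        Checks = $checks
        Passed = ($failed.Count -eq 0)
        Failed = $failed
    }
}

function Enable-WindowsSandboxFeature {
    # 'Containers-DisposableClientVM' is the optional-feature name behind the
    # "Windows Sandbox" checkbox in "Turn Windows features on or off".
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
    if ($feature.State -eq 'Enabled') {
        Write-Host 'Windows Sandbox is already enabled.'
        return $feature
    }
    $result = Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart
    if ($result.RestartNeeded) {
        Write-Warning 'Restart the computer to finish enabling Windows Sandbox.'
    }
    return $result
}

$prereq = Test-SandboxPrerequisites
$prereq.Checks.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }
if ($prereq.Passed) {
    Enable-WindowsSandboxFeature
} else {
    Write-Warning ('Prerequisites not met: ' + ($prereq.Failed -join '; '))
}
```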
Usage
1. Copy an executable file (and any other files needed to run the application) from the host into the Windows
Sandbox window.
2. Run the executable file or installer inside the sandbox.
3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be
discarded and permanently deleted. Select OK.
4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.
Windows Sandbox architecture
3/27/2020 • 2 minutes to read • Edit Online
Windows Sandbox benefits from new container technology in Windows to achieve a combination of security,
density, and performance that isn't available in traditional VMs.
Memory management
Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs
have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the
host to dynamically determine how host resources are allocated. This is similar to how processes normally compete
for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like
it would with a process.
Memory sharing
Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the
same physical memory pages as the host for operating system binaries via a technology referred to as "direct
map." For example, when ntdll.dll is loaded into memory in the sandbox, it uses the same physical pages as those of
the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller
memory footprint when compared to traditional VMs, without compromising valuable host secrets.
Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like
host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox.
This means that the most important work will be prioritized, whether it's on the host or in the container.
Battery pass-through
Windows Sandbox is also aware of the host's battery state, which allows it to optimize its power consumption. This
functionality is critical for technology that is used on laptops, where battery life is often critical.
Windows Sandbox configuration
3/27/2020 • 6 minutes to read • Edit Online
Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters
for Sandbox. This feature can be used with Windows 10 build 18342 or later.
Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file
extension. To use a configuration file, double-click it to open it in the sandbox. You can also invoke it via the
command line as shown here:
C:\Temp> MyConfigFile.wsb
A configuration file enables the user to control the following aspects of Windows Sandbox:
vGPU (virtualized GPU): Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use
Windows Advanced Rasterization Platform (WARP).
Networking : Enable or disable network access within the sandbox.
Mapped folders : Share folders from the host with read or write permissions. Note that exposing host
directories may allow malicious software to affect the system or steal data.
Logon command : A command that's executed when Windows Sandbox starts.
Audio input : Shares the host's microphone input into the sandbox.
Video input : Shares the host's webcam input into the sandbox.
Protected client : Places increased security settings on the RDP session to the sandbox.
Printer redirection : Shares printers from the host into the sandbox.
Clipboard redirection : Shares the host clipboard with the sandbox so that text and files can be pasted back
and forth.
Memory in MB: The amount of memory, in megabytes, to assign to the sandbox.
Keywords, values, and limits
vGPU : Enables or disables GPU sharing.
<vGPU>value</vGPU>
Supported values:
Enable: Enables vGPU support in the sandbox.
Disable: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering,
which may be slower than virtualized GPU.
Default: This is the default value for vGPU support. Currently this means vGPU is disabled.
NOTE
Enabling virtualized GPU can potentially increase the attack surface of the sandbox.
Networking : Enables or disables networking in the sandbox. You can disable network access to decrease the attack
surface exposed by the sandbox.
<Networking>value</Networking>
Supported values:
Disable: Disables networking in the sandbox.
Default: This is the default value for networking support. This value enables networking by creating a virtual
switch on the host and connecting the sandbox to it via a virtual NIC.
NOTE
Enabling networking can expose untrusted applications to the internal network.
Mapped folders : An array of folders, each representing a location on the host machine that will be shared into the
sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be
mapped to the container user's desktop.
<MappedFolders>
<MappedFolder>
<HostFolder>absolute path to the host folder</HostFolder>
<SandboxFolder>absolute path to the sandbox folder</SandboxFolder>
<ReadOnly>value</ReadOnly>
</MappedFolder>
<MappedFolder>
...
</MappedFolder>
</MappedFolders>
HostFolder: Specifies the folder on the host machine to share into the sandbox. Note that the folder must already
exist on the host, or the container will fail to start.
SandboxFolder: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it will be
created. If no sandbox folder is specified, the folder will be mapped to the container desktop.
ReadOnly: If true, enforces read-only access to the shared folder from within the container. Supported values:
true/false. Defaults to false.
NOTE
Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
Logon command : Specifies a single command that will be invoked automatically after the sandbox logs on. Apps
in the sandbox are run under the container user account.
<LogonCommand>
<Command>command to be invoked</Command>
</LogonCommand>
Command: A path to an executable or script inside the container that will be executed after login.
NOTE
Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving
multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and
then executed via the LogonCommand directive.
NOTE
There may be security implications of exposing host audio input to the container.
Video input: Enables or disables video input in the sandbox.
<VideoInput>value</VideoInput>
Supported values:
Enable: Enables video input in the sandbox.
Disable: Disables video input in the sandbox. Applications that use video input may not function properly in the
sandbox.
Default: This is the default value for video input support. Currently this means video input is disabled.
Applications that use video input may not function properly in the sandbox.
NOTE
There may be security implications of exposing host video input to the container.
Protected client : Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack
surface.
<ProtectedClient>value</ProtectedClient>
Supported values:
Enable: Runs Windows Sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security
mitigations enabled.
Disable: Runs the sandbox in standard mode without extra security mitigations.
Default: This is the default value for Protected Client mode. Currently, this means the sandbox doesn't run in
Protected Client mode.
NOTE
This setting may restrict the user's ability to copy/paste files in and out of the sandbox.
Printer redirection : Enables or disables printer sharing from the host into the sandbox.
<PrinterRedirection>value</PrinterRedirection>
Supported values:
Enable: Enables sharing of host printers into the sandbox.
Disable: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the
host.
Default: This is the default value for printer redirection support. Currently this means printer redirection is
disabled.
Clipboard redirection : Enables or disables sharing of the host clipboard with the sandbox.
<ClipboardRedirection>value</ClipboardRedirection>
Supported values:
Disable: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox
will be restricted.
Default: This is the default value for clipboard redirection. Currently copy/paste between the host and sandbox
are permitted under Default.
Memory in MB: Specifies the amount of memory that the sandbox can use in megabytes (MB).
<MemoryInMB>value</MemoryInMB>
If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required
minimum amount.
Example 1
The following config file can be used to easily test downloaded files inside the sandbox. To achieve this, networking
and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For
convenience, the logon command opens the downloads folder inside the sandbox when it's started.
Downloads.wsb
<Configuration>
<VGpu>Disable</VGpu>
<Networking>Disable</Networking>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\Public\Downloads</HostFolder>
<SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>explorer.exe C:\users\WDAGUtilityAccount\Downloads</Command>
</LogonCommand>
</Configuration>
Example 2
The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated
LogonCommand setup.
Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will install
and run Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the
developer wants to modify using Visual Studio Code.
With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it.
VSCodeInstall.cmd
REM Download Visual Studio Code
curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe
VSCode.wsb
<Configuration>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\SandboxScripts</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
<MappedFolder>
<HostFolder>C:\CodingProjects</HostFolder>
<ReadOnly>false</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd</Command>
</LogonCommand>
</Configuration>
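The following PowerShell script is an added example, not from the Microsoft documentation: it audits a .wsb file against the exposure notes in the keyword reference above (vGPU, networking, clipboard, audio/video input, Protected Client, and mapped folders that are writable, relative or missing on the host). The function name, the finding texts and the constructed demo file are this example's own; an absent element is treated as the documented Default.

```powershell
# Added example: audit a Windows Sandbox .wsb configuration for settings that
# widen host exposure, and check the HostFolder preconditions the reference
# calls out (absolute path, folder must exist or the sandbox will not start).

function Test-WsbConfiguration {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'Configuration') {
        throw "'$Path' does not have a <Configuration> root element."
    }

    # Element names are matched case-insensitively (the reference writes both
    # <vGPU> and <VGpu>); an absent element is treated as the documented "Default".
    function Get-Keyword([System.Xml.XmlNode]$Parent, [string]$Name) {
        $node = $Parent.ChildNodes | Where-Object { $_.LocalName -ieq $Name } | Select-Object -First 1
        if ($null -ne $node) { $node.InnerText.Trim() } else { 'Default' }
    }

    $findings = [System.Collections.Generic.List[string]]::new()

    # Documented defaults: vGPU off, networking ON, clipboard ON, Protected Client
    # off, video input off. Anything that widens host exposure is reported.
    if ((Get-Keyword $root 'vGPU') -ieq 'Enable') {
        $findings.Add('vGPU enabled: the virtualized GPU increases the sandbox attack surface.')
    }
    if ((Get-Keyword $root 'Networking') -ine 'Disable') {
        $findings.Add('Networking on: untrusted code in the sandbox can reach the internal network.')
    }
    if ((Get-Keyword $root 'ProtectedClient') -ine 'Enable') {
        $findings.Add('ProtectedClient off: the RDP session to the sandbox lacks the extra mitigations.')
    }
    if ((Get-Keyword $root 'ClipboardRedirection') -ine 'Disable') {
        $findings.Add('ClipboardRedirection on: text and files can move between host and sandbox.')
    }
    foreach ($device in 'AudioInput', 'VideoInput') {
        if ((Get-Keyword $root $device) -ieq 'Enable') {
            $findings.Add("$device enabled: host microphone/webcam is exposed to the container.")
        }
    }

    # Mapped folders: HostFolder must be absolute and must already exist (otherwise
    # the container fails to start); a writable mapping lets sandboxed code alter host files.
    $mapped  = $root.ChildNodes | Where-Object { $_.LocalName -ieq 'MappedFolders' } | Select-Object -First 1
    $entries = if ($mapped) { @($mapped.ChildNodes | Where-Object { $_.LocalName -ieq 'MappedFolder' }) } else { @() }
    foreach ($entry in $entries) {
        $hostFolder = Get-Keyword $entry 'HostFolder'
        if ($hostFolder -eq 'Default' -or -not [System.IO.Path]::IsPathRooted($hostFolder)) {
            $findings.Add("MappedFolder '$hostFolder': HostFolder must be an absolute path.")
        } elseif (-not (Test-Path -LiteralPath $hostFolder -PathType Container)) {
            $findings.Add("MappedFolder '$hostFolder': host folder does not exist; the sandbox will not start.")
        }
        if ((Get-Keyword $entry 'ReadOnly') -ine 'true') {
            $findings.Add("MappedFolder '$hostFolder': mapped writable; sandboxed code can modify host files.")
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Hardened = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed demo file (not a real deployment): a hardened variant of Example 1,
# with Protected Client on and clipboard redirection off. The host folder is
# created first so that the existence check passes.
$hostDir = Join-Path $env:TEMP 'wsb-demo-downloads'
New-Item -ItemType Directory -Path $hostDir -Force | Out-Null
$wsbPath = Join-Path $env:TEMP 'Downloads-hardened.wsb'
@"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <ProtectedClient>Enable</ProtectedClient>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostDir</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"@ | Set-Content -LiteralPath $wsbPath -Encoding UTF8

Test-WsbConfiguration -Path $wsbPath | Format-List
```

Point the function at the page's VSCode.wsb instead and it reports the networking default and the writable CodingProjects mapping, which is exactly the trade-off that example makes for convenience.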
Windows Defender Application Control and
virtualization-based protection of code integrity
12/3/2019 • 2 minutes to read • Edit Online
Applies to
Windows 10
Windows Server 2016
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to
"lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this
configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature
called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through
the use of virtualization-based protection of code integrity (more specifically, HVCI).
Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However,
when these two technologies are configured to work together, they present a very strong protection capability for
Windows 10 devices.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other
solutions:
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early
in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in
user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
3. Customers can protect the configurable code integrity policy even from local administrator tampering by
digitally signing the policy. This would mean that changing the policy would require both administrative
privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker
with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the
application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a
vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is
significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would
otherwise have enough privilege to disable most system defenses and override the application control policies
enforced by configurable code integrity or any other application control solution.
Related articles
Windows Defender Application Control
Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender
Driver compatibility with Windows Defender in Windows 10
Code integrity
Control the health of Windows 10-based devices
1/30/2020 • 61 minutes to read • Edit Online
Applies to
Windows 10
This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and
reporting the health of Windows 10-based devices.
Introduction
In Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-
related resources and their personal data. Users want to use the device of their choice to access the organization’s
applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is
also known as the consumerization of IT.
Users want to have the best productivity experience when accessing corporate applications and working on
organization data from their devices. That means they will not tolerate being prompted to enter their work
credentials each time they access an application or a file server. From a security perspective, it also means that
users will manipulate corporate credentials and corporate data on unmanaged devices.
With the increased use of BYOD, there will be more unmanaged and potentially unhealthy systems accessing
corporate services, internal resources, and cloud apps.
Even managed devices can be compromised and become harmful. Organizations need to detect when security has
been breached and react as early as possible in order to protect high-value assets.
As Microsoft moves forward, security investments are increasingly focused on security preventive defenses and
also on detection and response capabilities.
Windows 10 is an important component of an end-to-end security solution that focuses not only on the
implementation of security preventive defenses, but adds device health attestation capabilities to the overall
security strategy.
A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn
behavior like the network location the user regularly connects from. Also, a modern approach must be able to
release sensitive content only if user devices are determined to be healthy and secure.
The following figure shows a solution built to assess device health from the cloud. The device authenticates the user
through a connection to an identity provider in the cloud. If the managed asset contains highly confidential
information, the conditional access engine of the identity provider may elect to verify the security compliance of the
mobile device before access is granted. The user’s device is able to prove its health status that can be sent at any
time or when mobile device management (MDM) requests it.
Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies
such as Unified Extensible Firmware Interface (UEFI) Secure Boot.
Secure Boot is a firmware validation process that helps prevent rootkit attacks; it is part of the UEFI specification.
The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware,
which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven
BIOS systems.
A device health attestation module can communicate measured boot data that is protected by a Trusted Platform
Module (TPM) to a remote service. After the device successfully boots, boot process measurement data is sent to a
trusted cloud service (Health Attestation Service) using a more secure and tamper-resistant communication
channel.
Remote health attestation service performs a series of checks on the measurements. It validates security related
data points, including boot state (Secure Boot, Debug Mode, and so on), and the state of components that manage
security (BitLocker, Device Guard, and so on). It then conveys the health state of the device by sending a health
encrypted blob back to the device.
An MDM solution typically applies configuration policies and deploys software to devices. MDM defines the
security baseline and knows the level of compliance of the device with regular checks to see what software is
installed and what configuration is enforced, as well as determining the health status of the device.
An MDM solution asks the device to send device health information and forward the health encrypted blob to the
remote health attestation service. The remote health attestation service verifies device health data, checks that
MDM is communicating to the same device, and then issues a device health report back to the MDM solution.
An MDM solution evaluates the health assertions and, depending on the health rules belonging to the organization,
can decide if the device is healthy. If the device is healthy and compliant, MDM passes that information to the
identity provider so the organization’s access control policy can be invoked to grant access.
Access to content is then authorized to the appropriate level of trust for whatever the health status and other
conditional elements indicate.
Depending on the requirements and the sensitivity of the managed asset, device health status can be combined
with user identity information when processing an access request. Access to content is then authorized to the
appropriate level of trust. The Conditional Access engine may be structured to allow additional verification as
needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, additional
security authentication may need to be established by querying the user to answer a phone call before access is
granted.
Microsoft’s security investments in Windows 10
In Windows 10, there are three pillars of investments:
Secure identities. Microsoft is part of the FIDO Alliance which aims to provide an interoperable method of
secure authentication by moving away from the use of passwords for authentication, both on the local system
as well as for services like on-premises resources and cloud resources.
Information protection. Microsoft is making investments to allow organizations to have better control over
who has access to important data and what they can do with that data. With Windows 10, organizations can
take advantage of policies that specify which applications are considered to be corporate applications and can
be trusted to access secure data.
Threat resistance. Microsoft is helping organizations to better secure enterprise assets against the threats of
malware and attacks by using security defenses relying on hardware.
Protect, control, and report on the security status of Windows 10-based devices
This section is an overview that describes different parts of the end-to-end security solution that helps protect
high-value assets and information from attackers and malware.
Number | Part of the solution | Description
The combination of Windows 10-based devices, identity provider, MDM, and remote health attestation creates a
robust end-to-end-solution that provides validation of health and compliance of devices that access high-value
assets.
Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from
loading during the startup process:
Trusted Platform Module. A Trusted Platform Module (TPM) is a hardware component that provides
unique security features.
Windows 10 uses the security characteristics of a TPM to measure the boot integrity sequence (and, based
on that measurement, to unlock BitLocker-protected drives automatically), to protect credentials, and for
health attestation.
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At
the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible
with each other:
The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized
under the ISO/IEC 11889 standard.
The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by
the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys
for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see
TPM requirements in Windows 10.
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent
and modern security features, Windows 10 supports only TPM 2.0.
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
Update crypto strength to meet modern security needs
Support for SHA-256 for PCRs
Support for HMAC command
Cryptographic algorithms flexibility to support government needs
TPM 1.2 is severely restricted in terms of what algorithms it can support
TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
Consistency across implementations
The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
TPM 2.0 standardizes much of this behavior
Secure Boot. Devices with UEFI firmware can be configured to load only trusted operating system
bootloaders. Secure Boot does not require a TPM.
The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture.
On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an
alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can
boot using only an OS loader that’s signed using a certificate stored in the UEFI Secure Boot DB. Naturally,
the Microsoft certificate used to digitally sign the Windows 10 OS loaders is in that store, which allows
UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all
computers that are certified for Windows 10 under the Windows Hardware Compatibility Program.
Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot
files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD store,
Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully boot
into a usable operating system by using policies that are defined by the OEM at build time. Secure Boot
prevents many types of boot-based rootkit, malware, and other security-related attacks against the Windows
platform. Secure Boot protects the operating system boot process whether booting from local hard disk,
USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE). Secure Boot protects the
boot environment of a Windows 10 installation by verifying the signatures of the critical boot components
to confirm malicious activity did not compromise them. Secure Boot protection ends after the Windows
kernel file (ntoskrnl.exe) has been loaded.
Note: Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM
take over.
Secure Boot configuration policy. Extends Secure Boot functionality to critical Windows 10
configuration.
Examples of protected configuration information include protecting Disable Execute bit (NX option) or
ensuring that the test signing policy (code integrity) cannot be enabled. This ensures that the binaries and
configuration of the computer can be trusted after the boot process has completed. Secure Boot
configuration policy does this with UEFI policy. These signatures for these policies are signed in the same
way that operating system binaries are signed for use with Secure Boot.
The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public
keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the
KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK will
work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a
signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr.
The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10
kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers,
startup files, and the ELAM component. This step is important and protects the rest of the boot process by
verifying that all Windows boot components have integrity and can be trusted.
Early Launch Antimalware (ELAM). ELAM tests all drivers before they load and prevents unapproved
drivers from loading.
Traditional antimalware apps don’t start until after the boot drivers have been loaded, which gives a rootkit
that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a
previous version of Windows that allows antimalware software to run very early in the boot sequence. Thus,
the antimalware component is the first third-party component to run and control the initialization of other
boot drivers until the Windows operating system is operational. When the system is started with a complete
runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded.
ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and
applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the
operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a
simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not
trusted, Windows won’t load it.
Note: Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM;
it can be replaced with a third-party antimalware compatible solution. The name of the Windows
Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll
back any malicious changes made to the Windows Defender driver at the next reboot. This prevents
kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before
shutdown or reboot.
The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the
antimalware software to detect and block any attempts to tamper with the boot process by trying to load
unsigned or untrusted code.
The ELAM driver is a small driver with a small policy database that has a very narrow scope, focused on
drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also
measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be
signed by Microsoft and the associated certificate must contain the complementary EKU
(1.3.6.1.4.1.311.61.4.1).
Virtualization-based security (Hyper-V + Secure Kernel). Virtualization-based security is a
completely new enforced security boundary that allows you to protect critical parts of Windows 10.
Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate
domain credentials from the rest of the Windows operating system. For more information, refer to the
Virtualization-based security section.
Hypervisor-protected Code Integrity (HVCI). Hypervisor-protected Code Integrity is a feature of Device
Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity
policy are allowed to run.
When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services.
HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware
solutions, by preventing malware from running early in the boot process, or after startup.
HVCI uses virtualization-based security to isolate Code Integrity, so the only way kernel memory can become
executable is through a Code Integrity verification. This means that kernel memory pages can never be
both writable and executable (W+X) and executable code cannot be directly modified.
Note: Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must
have compatible drivers. For additional information, please read the Driver compatibility with Device
Guard in Windows 10 blog post.
The Device Guard Code Integrity feature lets organizations control what code is trusted to run in the
Windows kernel and what applications are approved to run in user mode. It’s configurable by using a policy.
Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. The signing of the
Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to
modify or remove the current Code Integrity policy.
Credential Guard. Credential Guard protects corporate credentials with hardware-based credential
isolation.
In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by
malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally
prevents the current forms of the pass-the-hash (PtH) attack.
This is accomplished by leveraging Hyper-V and the new virtualization-based security feature to create a
protected container where trusted code and secrets are isolated from the Windows kernel. That means that
even if the Windows kernel is compromised an attacker has no way to read and extract the data required to
initiate a PtH attack. Credential Guard prevents this because the memory where secrets are stored is no
longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the
memory.
Health attestation. The device’s firmware logs the boot process, and Windows 10 can send it to a trusted
server that can check and assess the device’s health.
Windows 10 takes measurements of the UEFI firmware and of each Windows and antimalware component as it
loads during the boot process. These measurements are taken sequentially, not all at once. When the
measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be
changed unless the system is reset.
For more information, see Secured Boot and Measured Boot: Hardening Early Boot Components Against
Malware.
During each subsequent boot, the same components are measured, which allows comparison of the
measurements against an expected baseline. For additional security, the values measured by the TPM can be
signed and transmitted to a remote server, which can then perform the comparison. This process, called
remote device health attestation, allows the server to verify health status of the Windows device.
Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot
protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM
vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a
measurement does not work. But with conditional access control, health attestation will help to prevent
access to high-value assets.
Virtualization-based security
Virtualization-based security provides a new trust boundary for Windows 10. It leverages Hyper-V hypervisor
technology to enhance platform security. Virtualization-based security provides a secure execution environment to
run specific Windows trusted code (trustlets) and to protect sensitive data.
Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator
privileges. Note that virtualization-based security is not trying to protect against a physical attacker.
The following Windows 10 services are protected with virtualization-based security:
Credential Guard (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft
that happens by reading and dumping the content of lsass memory
Device Guard (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows
10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures
defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity
service runs alongside the kernel in a Windows hypervisor-protected container.
Other isolated services: for example, on Windows Server 2016, there is the vTPM feature that allows you to
have encrypted virtual machines (VMs) on servers.
Note: Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security
requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, and an x64 processor with Virtualization
Extensions and SLAT enabled. IOMMU, TPM 2.0, and support for Secure Memory Overwrite are optional, but
recommended.
Credential Guard
In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs
sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user
mode. This helps ensure that protected data is not stolen and reused on remote machines, which mitigates many
PtH-style attacks.
Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key:
The per-boot key is used for any in-memory credentials that do not require persistence. An example of such a
credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution
Center (KDC) every time authentication occurs and is protected with a per-boot key.
The persistent key, or some derivative, is used to help protect items that are stored and reloaded after a
reboot. Such protection is intended for long-term storage, and must be protected with a consistent key.
Credential Guard is activated by a registry key and then enabled by using a UEFI variable. This is done to
protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access
is required to change the configuration. When lsass.exe detects that credential isolation is enabled, it then
spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of
LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode
support routines are ready before any authentication begins.
Device Guard
Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help
protect it from running untrusted software. In this configuration, the only applications allowed to run are those that
are trusted by the organization.
The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-based
security, a Hyper-V protected container that runs alongside regular Windows.
Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it is loaded into
memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or
whether a system file has been modified by malicious software that is being run by a user account with
Administrator privileges. On x64-based versions of Windows 10 kernel-mode drivers must be digitally signed.
Note: Independently of activation of Device Guard Policy, Windows 10 by default raises the bar for what runs in
the kernel. Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows
Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver
submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation
(“EV”) Code Signing Certificate.
With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on
x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines
what is trusted to run. These include drivers and system files, as well as traditional desktop applications and scripts.
The system is then locked down to only run applications that the organization trusts.
Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and
applications. Device Guard can be configured using two rule actions - allow and deny:
Allow limits execution of applications to an allowed list of code or trusted publisher and blocks everything else.
Deny completes the allow trusted publisher approach by blocking the execution of a specific application.
At the time of this writing, and according to Microsoft’s latest research, more than 90 percent of malware is
unsigned completely. So implementing a basic Device Guard policy can simply and effectively help block the vast
majority of malware. In fact, Device Guard has the potential to go further, and can also help block signed malware.
Device Guard needs to be planned and configured to be truly effective. It is not just a protection that is enabled or
disabled. Device Guard is a combination of hardware security features and software security features that, when
configured together, can lock down a computer to help ensure the most secure and resistant system possible.
There are three different parts that make up the Device Guard solution in Windows 10:
The first part is a base set of hardware security features introduced with the previous version of Windows.
TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows
you to control what the device is running when the systems start.
After the hardware security feature, there is the code integrity engine. In Windows 10, Code Integrity is now
fully configurable and now resides in Isolated user mode, a part of the memory that is protected by
virtualization-based security.
The last part of Device Guard is manageability. Code Integrity configuration is exposed through specific Group
Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs).
For more information on how to deploy Device Guard in an enterprise, see the Device Guard deployment guide.
Device Guard scenarios
As previously described, Device Guard is a powerful way to lock down systems. Device Guard is not intended to be
used broadly and it may not always be applicable, but there are some high-interest scenarios.
Device Guard is useful and applicable on fixed-workload systems like cash registers, kiosk machines, Secure Admin
Workstations (SAWs), or well-managed desktops. Device Guard is highly relevant on systems that have a very well-
defined set of software that is expected to run and does not change too frequently. It could also help protect Information
Workers (IWs) beyond just SAWs, as long as what they need to run is known and the set of applications is not going
to change on a daily basis.
SAWs are computers that are built to help significantly reduce the risk of compromise from malware, phishing
attacks, bogus websites, and PtH attacks, among other security risks. Although SAWs can’t be considered a “silver
bullet” security solution to these attacks, these types of clients are helpful as part of a layered, defense-in-depth
approach to security.
To protect high-value assets, SAWs are used to make secure connections to those assets.
Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like
Microsoft Endpoint Configuration Manager, Intune, or any third-party device management, Device Guard is
very applicable. In that type of scenario, the organization has a good idea of the software that an average user is
running.
It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically
allowed to install software on their own. When an organization offers great flexibility, it’s quite difficult to run
Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the
event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in
Audit mode, organizations can get rich data about drivers and applications that users install and run.
Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by
using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group
Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both
the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard Code
Integrity policy restricts what code can run on a device.
Note: Device Guard policy can be signed in Windows 10, which adds additional protection against
administrative users changing or removing this policy.
Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat
Device Guard.
When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers tampering
protection. The only way to update the Device Guard policy subsequently is to provide a new version of the policy
signed by the same signer or by a signer specified as part of the Device Guard policy in the UpdateSigner
section.
The importance of signing applications
On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run
without restriction to a world where only signed and trusted code is allowed to run on Windows 10.
With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization
through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the
public Microsoft Store. Microsoft Store signs and distributes Universal Windows apps and Classic Windows apps.
All apps downloaded from the Microsoft Store are signed.
In organizations today, the vast majority of LOB applications are unsigned. Code signing is frequently viewed as a
tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best
practice, a lot of internal applications are not signed.
Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them
through a process to create additional signatures that can be distributed along with existing applications.
Why are antimalware and device management solutions still necessary?
Although allow-list mechanisms are extremely efficient at ensuring that only trusted applications can be run, they
cannot prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a
known vulnerability. Device Guard doesn’t protect against user mode malicious code run by exploiting
vulnerabilities.
Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or
confidentiality of the device. Some of the worst vulnerabilities allow attackers to exploit the compromised device by
causing it to run malicious code without the user’s knowledge.
It’s common to see attackers distributing specially crafted content in an attempt to exploit known vulnerabilities in
user mode software like web browsers (and their plug-ins), Java virtual machines, PDF readers, or document
editors. As of today, 90 percent of discovered vulnerabilities affect user mode applications compared to the
operating system and kernel mode drivers that host them.
To combat these threats, patching is the single most effective control, with antimalware software forming
complementary layers of defense.
Most application software has no facility for updating itself, so even if the software vendor publishes an update that
fixes the vulnerability, the user may not know that the update is available or how to obtain it, and therefore remains
vulnerable to attack. Organizations still need to manage devices and to patch vulnerabilities.
MDM solutions are becoming prevalent as a light-weight device management technology. Windows 10 extends the
management capabilities that have become available for MDMs. One key feature Microsoft has added to Windows
10 is the ability for MDMs to acquire a strong statement of device health from managed and registered devices.
Device health attestation
Device health attestation leverages the TPM to provide cryptographically strong and verifiable measurements of
the chain of software used to boot the device.
For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a
remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with
other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove
to be healthy.
For more information on device health attestation, see the Detect an unhealthy Windows 10-based device section.
Hardware requirements
The following table details the hardware requirements for both virtualization-based security services and the health
attestation feature. For more information, see Minimum hardware requirements.
HARDWARE | MOTIVATION
UEFI 2.3.1 or later firmware with Secure Boot enabled | Required to support UEFI Secure Boot. UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection “System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby”.
Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled | Required to support virtualization-based security. Note: Device Guard can be enabled without using virtualization-based security.
IOMMU, such as Intel VT-d, AMD-Vi | Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.
Trusted Platform Module (TPM) | Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1).
This section presented information about several closely related controls in Windows 10. The multi-layer defenses
and defense-in-depth approach help to eradicate low-level malware during the boot sequence. Virtualization-based security is
a fundamental operating system architecture change that adds a new security boundary. Device Guard and
Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft
and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All
these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising
them.
Note: To use the health attestation feature of Windows 10, the device must be equipped with a discrete or
firmware TPM. There is no restriction on any particular edition of Windows 10.
Windows 10 supports health attestation scenarios by allowing applications access to the underlying health
attestation configuration service provider (CSP) so that applications can request a health attestation token. The
measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent.
Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the
current security status and detecting any changes, without having to trust the software running on the system.
In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is
present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by a malicious code
running early in the startup sequence. That's why it's important to use Secure Boot and Device Guard, to control
which code is loaded during the boot sequence.
The antimalware software can search to determine whether the boot sequence contains any signs of malware, such
as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation
between the measurement component and the verification component.
Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs
during the boot process.
When starting a device equipped with TPM, a measurement of different components is performed. This includes
firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw
measurements are stored in the TPM PCR registers while the details of all events (executable path, authority
certification, and so on) are available in the TCG log.
The health attestation process works as follows:
1. Hardware boot components are measured.
2. Operating system boot components are measured.
3. If Device Guard is enabled, current Device Guard policy is measured.
4. Windows kernel is measured.
5. Antivirus software is started as the first kernel mode driver.
6. Boot start drivers are measured.
7. MDM server through the MDM agent issues a health check command by leveraging the Health Attestation CSP.
8. Boot measurements are validated by the Health Attestation Service.
Note: By default, the last 100 system boot logs and all associated resume logs are archived in the
%SystemRoot%\logs\measuredboot folder. The number of retained logs may be set with the registry
REG_DWORD value PlatformLogRetention under the
HKLM\SYSTEM\CurrentControlSet\Services\TPM key. A value of 0 will turn off log archival and a value of
0xffffffff will keep all logs.
The following process describes how health boot measurements are sent to the health attestation service:
1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health
attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI
is already pre-provisioned in the client.
2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate
information.
3. The remote device health attestation service then:
a. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not
revoked.
b. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
c. Parses the properties in the TCG log.
d. Issues the device health token that contains the health information, the AIK information, and the boot
counter information. The health token also contains a valid issuance time. The device health token is
encrypted and signed, which means that the information is protected and only accessible to the issuing health
attestation service.
4. The client stores the encrypted health blob in its local store. The device health token contains the device health
status, a device ID (the Windows AIK), and the boot counter.
Note: Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot,
Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed
certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM
storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must
authorize the following URLs:
Note: Before the device can report its health using the TPM attestation functions, an AIK certificate must be
provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned,
the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the
platform log state (and a monotonic counter value) at each boot by using the AIK.
The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM
for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used
inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited,
TPM-defined operations.
Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is
hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real
TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these
facts, it will issue an AIK certificate to the Windows 10-based device.
Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an
endorsement certificate. To accommodate those devices, Windows 10 allows the issuance of AIK
certificates without the presence of an endorsement certificate. Such AIK certificates are not issued by
Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device
during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business
without TPM.
In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the
attestation process. This information can be leveraged by a relying party to decide whether to reject devices that
are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to
not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an
endorsement certificate.
Storage root key
The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a
major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is
created when the ownership of the TPM is taken.
Platform Configuration Registers
The TPM contains a set of registers that are designed to provide a cryptographic representation of the software and
state of the system that booted. These registers are called Platform Configuration Registers (PCRs).
The measurement of the boot sequence is based on the PCR and TCG log. To establish a static root of trust, when
the device is starting, the device must be able to measure the firmware code before execution. In this case, the Core
Root of Trust for Measurement (CRTM) is executed from the boot, calculates the hash of the firmware, then stores it
by expanding the register PCR[0] and transfers execution to the firmware.
PCRs are set to zero when the platform is booted, and it is the job of the firmware that boots the platform to
measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components
take the hash of the next component that is to be run and record the measurements in the PCRs. The initial
component that starts the measurement chain is implicitly trusted. This is the CRTM. Platform manufacturers are
required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative
hash of the components that have been measured.
The value of a PCR on its own is hard to interpret (it is just a hash value), but platforms typically keep a log with
details of what has been measured, and the PCRs merely ensure that the log has not been tampered with. The logs
are referred to as a TCG log. Each time a PCR register is extended, an entry is added to the TCG log. Thus, throughout
the boot process, a trace of the executable code and configuration data is created in the TCG log.
TPM provisioning
For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning
differs somewhat based on TPM versions, but, when successful, it results in the TPM being usable and the owner
authorization data (ownerAuth) for the TPM being stored locally in the registry.
When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored ownerAuth
values by looking in the registry at the following location:
HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement
During the provisioning process, the device may need to be restarted.
Note that the Get-TpmEndorsementKeyInfo PowerShell cmdlet can be used with administrative privilege to get
information about the endorsement key and certificates of the TPM.
If the TPM ownership is not known but the EK exists, the client library will provision the TPM and will store the
resulting ownerAuth value in the registry if the policy allows it. It will store the SRK public portion at the following
location: HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin\SRKPub
As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed,
the resulting AIK public portion is stored in the registry at the following location:
HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\WindowsAIKPub
Note: For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard
URL: https://*.microsoftaik.azure.net
Note: Both device and MDM servers must have access to has.spserv.microsoft.com using the TCP protocol
on port 443 (HTTPS).
Checking that a TPM attestation and the associated log are valid takes several steps:
1. First, the server must check that the reports are signed by trustworthy AIKs. This might be done by checking
that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it is
a valid signature over PCR values.
3. Next the logs should be checked to ensure that they match the PCR values reported.
4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent known or
valid security configurations. For example, a simple check might be to see whether the measured early OS
components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is
up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to
determine whether or not the client should be granted access to a resource.
The Health Attestation Service provides the following information to an MDM solution about the health of the
device:
Secure Boot enablement
Boot and kernel debug enablement
BitLocker enablement
VSM enabled
Signed or unsigned Device Guard Code Integrity policy measurement
ELAM loaded
Safe Mode boot, DEP enablement, test signing enablement
Device TPM has been provisioned with a trusted endorsement certificate
For completeness of the measurements, see Health Attestation CSP.
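The following script is an added example and is not part of the original page or of Microsoft's tooling. It reads, on the device itself, the same properties the Health Attestation Service reports (Secure Boot, boot and kernel debugging, BitLocker, VBS, Code Integrity policy, ELAM, Safe Mode, DEP, test signing, TPM endorsement certificate) together with the registry locations listed above, so an administrator can see why a device would fail a health policy before the MDM evaluates it. Assumptions not stated on the page: the Win32_DeviceGuard property names and status codes, WdBoot as the name of the ELAM boot driver, and that Endorsement, SRKPub and WindowsAIKPub are stored as subkeys or values under HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI. Run it from an elevated PowerShell session.

```powershell
# Added example: local pre-flight check of the properties the Health Attestation Service reports.
# Not the page's own code. Assumptions are marked inline.
#Requires -RunAsAdministrator

function Get-BcdValue {
    # Return the value of one entry in the current boot configuration (e.g. 'debug' -> 'Yes').
    param([string]$Name)
    foreach ($line in (bcdedit /enum '{current}' 2>$null)) {
        if ($line -match "^\s*$Name\s+(\S+)") { return $Matches[1] }
    }
    return $null   # entry absent: the option is not set
}

function Test-RegistryArtifact {
    # The page lists paths without saying whether each is a key or a value; accept either form.
    param([string]$Parent, [string]$Name)
    if (Test-Path -Path (Join-Path $Parent $Name)) { return $true }
    $item = Get-ItemProperty -Path $Parent -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item)
}

function Get-LocalHealthSnapshot {
    $tpmWmi = 'HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI'
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }   # legacy BIOS throws
    try { $bitlocker = (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On' }
    catch { $bitlocker = $false }
    # Assumption: Win32_DeviceGuard exposes VirtualizationBasedSecurityStatus (2 = running) and
    # CodeIntegrityPolicyEnforcementStatus (0 = off, 1 = audit, 2 = enforced).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard `
        -ErrorAction SilentlyContinue
    # Assumption: the Defender ELAM driver is registered as the boot-start driver 'WdBoot'.
    $elam = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'" -ErrorAction SilentlyContinue
    try { $ek = Get-TpmEndorsementKeyInfo } catch { $ek = $null }

    [pscustomobject]@{
        SecureBoot               = [bool]$secureBoot
        BootDebugEnabled         = (Get-BcdValue 'bootdebug') -eq 'Yes'
        KernelDebugEnabled       = (Get-BcdValue 'debug') -eq 'Yes'
        TestSigningEnabled       = (Get-BcdValue 'testsigning') -eq 'Yes'
        SafeModeBoot             = $null -ne (Get-BcdValue 'safeboot')
        DepPolicy                = Get-BcdValue 'nx'                   # OptIn / OptOut / AlwaysOn / AlwaysOff
        BitLockerOnSystemDrive   = [bool]$bitlocker
        VbsRunning               = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CodeIntegrityPolicy      = $dg.CodeIntegrityPolicyEnforcementStatus
        ElamDriverRegistered     = ($null -ne $elam -and $elam.StartMode -eq 'Boot')
        TpmEkCertificatePresent  = ($null -ne $ek -and $ek.ManufacturerCertificates.Count -gt 0)
        EndorsementKeyInRegistry = Test-RegistryArtifact $tpmWmi 'Endorsement'
        SrkPubInRegistry         = Test-RegistryArtifact (Join-Path $tpmWmi 'Admin') 'SRKPub'
        WindowsAikPubInRegistry  = Test-RegistryArtifact $tpmWmi 'WindowsAIKPub'
    }
}

function Test-HealthBaseline {
    # Apply the kind of policy an MDM would: any debug or test-signing flag, or a missing
    # protection, makes the device non-compliant. Returns the list of reasons (empty = healthy).
    param([pscustomobject]$Snapshot)
    $failures = @()
    if (-not $Snapshot.SecureBoot)                                    { $failures += 'Secure Boot off' }
    if ($Snapshot.KernelDebugEnabled -or $Snapshot.BootDebugEnabled)  { $failures += 'debugging enabled' }
    if ($Snapshot.TestSigningEnabled)                                 { $failures += 'test signing enabled' }
    if ($Snapshot.SafeModeBoot)                                       { $failures += 'booted in Safe Mode' }
    if (-not $Snapshot.BitLockerOnSystemDrive)                        { $failures += 'BitLocker not protecting the system drive' }
    if (-not $Snapshot.ElamDriverRegistered)                          { $failures += 'no boot-start ELAM driver' }
    if (-not $Snapshot.TpmEkCertificatePresent)                       { $failures += 'no TPM endorsement certificate' }
    if (-not $Snapshot.WindowsAikPubInRegistry)                       { $failures += 'AIK not provisioned' }
    return $failures
}

$snapshot = Get-LocalHealthSnapshot
$snapshot | Format-List
$problems = Test-HealthBaseline -Snapshot $snapshot
if ($problems) { Write-Warning ('Device would fail a health policy: ' + ($problems -join '; ')) }
else           { Write-Output 'All checked health properties are satisfied.' }
```

The local snapshot is only a diagnostic aid: it is read by software running on the device, so a compromised kernel could lie about every field. The attested values come from the TPM quote and the measured boot log that the Health Attestation Service validates, which is why the MDM decision must rely on the service's verdict rather than on a script like this one.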
The following table presents some key items that can be reported back to MDM depending on the type of Windows
10-based device.
OS type | Key items that can be reported
Note: The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the
quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for
validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.
Setting the requirements for device compliance is the first step to ensure that registered devices that do not meet
health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution.
Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant
devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a
consequence for unhealthy devices like refusing access to high-value assets. That is the purpose of conditional
access control, which is detailed in the next section.
Note: For the latest information on Intune and Windows 10 features support, see the Microsoft Intune blog
and What's new in Microsoft Intune.
The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune
MDM service.
An MDM solution can then leverage health state statements and take them to the next level by coupling them with
client policies that grant conditional access based on the device's ability to prove that it is malware free, that
its antimalware system is functional and up to date, that the firewall is running, and that the device's patch state
is compliant.
Finally, resources can be protected by denying access to endpoints that are unable to prove they’re healthy. This
feature is much needed for BYOD devices that need to access organizational resources.
Built-in support of MDM in Windows 10
Windows 10 has an MDM client that ships as part of the operating system. This enables MDM servers to manage
Windows 10-based devices without requiring a separate agent.
Third-party MDM server support
Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is
able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise
management tasks. For additional information, see Azure Active Directory integration with MDM.
Note: MDM servers do not need to create or download a client to manage Windows 10. For more information,
see Mobile device management.
The third-party MDM server will have the same consistent first-party user experience for enrollment, which also
provides simplicity for Windows 10 users.
Management of Windows Defender by third-party MDM
This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune to manage
health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren't
domain joined. IT pros can manage and configure all of the actions and settings they are already familiar with
from using Intune with Intune Endpoint Protection on down-level operating systems. Admins who currently only
manage domain-joined devices through Group Policy will find it easy to transition to managing Windows 10-based
devices by using MDM, because many of the settings and actions are shared across both mechanisms.
For more information on how to manage Windows 10 security and system settings with an MDM solution, see
Custom URI settings for Windows 10 devices.
Conditional access control
On most platforms, the Azure Active Directory (Azure AD) device registration happens automatically during
enrollment. The device states are written by the MDM solution into Azure AD, and then read by Office 365 (or by
any authorized Windows app that interacts with Azure AD) the next time the client tries to access an Office 365
compatible workload.
If the device is not registered, the user will get a message with instructions on how to register (also known as
enrolling). If the device is not compliant, the user will get a different message that redirects them to the MDM web
portal where they can get more information on the compliance problem and how to resolve it.
Azure AD authenticates the user and the device, MDM manages the compliance and conditional access policies,
and the Health Attestation Service reports about the health of the device in an attested way.
Note: Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy
based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the
Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud! blog post.
When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single-sign-on to access
company applications and enforces conditional access policy to grant access to a service not only the first time the
user requests access, but every time the user requests to renew access.
The user will be denied access to services when sign-in credentials are changed, a device is lost/stolen, or the
compliance policy is not met at the time of request for renewal.
Depending on the type of email application that employees use to access Exchange online, the path to establish
secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange
Online, and Intune, are the same. The IT experience and end-user experience also are similar.
Clients that attempt to access Office 365 will be evaluated for the following properties:
Is the device managed by an MDM?
Is the device registered with Azure AD?
Is the device compliant?
To get to a compliant state, the Windows 10-based device needs to:
Enroll with an MDM solution.
Register with Azure AD.
Be compliant with the device policies set by the MDM solution.
Note: At the present time, conditional access policies are selectively enforced on users on iOS and Android
devices. For more information, see the Azure AD, Microsoft Intune and Windows 10 – Using the cloud to
modernize enterprise mobility! blog post.
Note: Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't
have an Azure AD Premium subscription, you can get a trial from the Microsoft Azure site.
For on-premises applications there are two options to enable conditional access control based on a device's
compliance state:
For on-premises applications that are published through the Azure AD Application Proxy, you can configure
conditional access control policies as you would for cloud applications. For more details, see the Azure AD
Conditional Access preview updated: Now supports On-Premises and Custom LOB apps blog post.
Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD.
ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT
pros will configure conditional access control policies in ADFS that use the device's compliance state reported by
a compatible MDM solution to secure on-premises applications.
Related topics
Protect derived domain credentials with Credential Guard
Device Guard deployment guide
Trusted Platform Module technology overview
Mitigate threats by using Windows 10 security features
12/18/2019 • 31 minutes to read
Applies to:
Windows 10
This topic provides an overview of some of the software and firmware threats faced in the current security
landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related
types of protection offered by Microsoft, see Related topics.
Section | Contents
The security threat landscape: Describes the current nature of the security threat landscape, and outlines how
Windows 10 is designed to mitigate software exploits and similar threats.
Windows 10 mitigations that you can configure: Provides tables of configurable threat mitigations with links to
more information. Product features such as Device Guard appear in Table 1, and memory protection options such as
Data Execution Prevention appear in Table 2.
Mitigations that are built in to Windows 10: Provides descriptions of Windows 10 mitigations that require no
configuration; they are built into the operating system. For example, heap protections and kernel pool protections
are built into Windows 10.
Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit: Describes how mitigations in
the Enhanced Mitigation Experience Toolkit (EMET) correspond to features built into Windows 10 and how to convert
EMET settings into mitigation policies for Windows 10.
This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections
work with other security defenses in Windows 10, as shown in the following illustration:
Figure 1. Device protection and threat resistance as part of the Windows 10 security defenses
Mitigation and corresponding threat | Description

Windows Defender SmartScreen (helps prevent malicious applications from being downloaded): Windows Defender
SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The
first time a user runs an app that originates from the Internet (even if the user copied it from another PC),
SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.

Enterprise certificate pinning (helps prevent man-in-the-middle attacks that leverage PKI): Enterprise certificate
pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently
issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its
public key to its Certification Authority, either root or leaf.

Device Guard (helps keep a device from running malware or other untrusted apps): Device Guard includes a Code
Integrity policy that you create: a whitelist of trusted apps, the only apps allowed to run in your organization.
Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which
leverages virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process.
HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they
gain access to the kernel. Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

Blocking of untrusted fonts (helps prevent fonts from being used in elevation-of-privilege attacks): Block
Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your
network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of
Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an AppContainer
sandbox (for a list describing this and other kernel pool protections, see Kernel pool protections, later in this
topic).

UEFI Secure Boot (helps protect the platform from bootkits and rootkits): Unified Extensible Firmware Interface
(UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It
helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from
forms of malware that run early in the boot process or in the kernel after startup.

Early Launch Antimalware (ELAM) (helps protect the platform from rootkits disguised as drivers): Early Launch
Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps.
If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from
starting, thus blocking driver-based rootkits.

Device Health Attestation (helps prevent compromised devices from accessing an organization's assets): Device
Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network
are in a healthy state, not compromised with malware. When DHA has been configured, a device's actual boot data
measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy,
the device can be prevented from accessing the network.
Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth
understanding of these threats and mitigations and knowledge about how the operating system and applications
handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover
whether a given setting interferes with any applications that you use so that you can deploy settings that maximize
protection while still allowing apps to run correctly.
As an IT professional, you can ask application developers and software vendors to deliver applications that include
an additional protection called Control Flow Guard (CFG). No configuration is needed in the operating system—the
protection is compiled into applications. More information can be found in Control Flow Guard.
Table 2 Configurable Windows 10 mitigations designed to help protect against memory exploits
Mitigation and corresponding threat | Description

SMB hardening for SYSVOL and NETLOGON shares (helps mitigate man-in-the-middle attacks): Client connections to
the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB
signing and mutual authentication (such as Kerberos).

Universal Windows apps protections (screen downloadable apps and run them in an AppContainer sandbox): Universal
Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with
limited privileges and capabilities. More information: Universal Windows apps protections, later in this topic.

Heap protections (help prevent exploitation of the heap): Windows 10 includes protections for the heap, such as the
use of internal data structures which help protect against corruption of memory used by the heap.

Kernel pool protections (help prevent exploitation of pool memory used by the kernel): Windows 10 includes
protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns
that are combined with unlinking operations that can be used to create an attack.

Control Flow Guard (helps mitigate exploits that are based on flow between code locations in memory): Control Flow
Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into
software when it's compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built
into applications written in C or C++, or applications compiled using Visual Studio 2015. For such an application,
CFG can detect an attacker's attempt to change the intended flow of code. If this occurs, CFG terminates the
application. You can request software vendors to deliver Windows applications compiled with CFG enabled.

Protections built into Microsoft Edge (the browser) (help mitigate multiple threats): Windows 10 includes an
entirely new browser, Microsoft Edge, designed with multiple security improvements. More information: Microsoft
Edge and Internet Explorer 11, later in this topic.
NOTE
The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group
Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening),
see Microsoft Knowledge Base article 3000483 and MS15-011 & MS15-014: Hardening Group Policy.
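The following script is an added example, not code from the original page. It audits the UNC hardening described in the SMB hardening row above and in the NOTE, and can write the explicit policy so that the default protection for the SYSVOL and NETLOGON shares cannot later be weakened by a stray registry value. The HardenedPaths key and the "RequireMutualAuthentication=1, RequireIntegrity=1" value syntax are the MS15-011 settings the NOTE refers to; the list of shares to check and the three-state classification (Default, Enforced, Weakened) are this example's own choices. Run it from an elevated PowerShell session.

```powershell
# Added example: audit and enforce UNC hardened paths for SYSVOL and NETLOGON.
# Not the page's own code. Assumptions are marked inline.
#Requires -RunAsAdministrator

$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
# Value name = required setting, written in the same syntax as the Group Policy text box.
# Assumption: these two shares are the ones this organization wants pinned explicitly.
$Required = [ordered]@{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function ConvertFrom-HardenedPathSetting {
    # Turn 'RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=0' into a hashtable.
    param([string]$Setting)
    $table = @{}
    foreach ($pair in ($Setting -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $table[$kv[0].Trim()] = [int]$kv[1].Trim() }
    }
    return $table
}

function Get-HardenedPathState {
    # Default  : no explicit value; the built-in hardening applies (the NOTE's case).
    # Enforced : explicit value at least as strict as required.
    # Weakened : explicit value with a required flag absent or set to 0.
    param([string]$Configured, [string]$RequiredSetting)
    if ([string]::IsNullOrWhiteSpace($Configured)) { return 'Default' }
    $have = ConvertFrom-HardenedPathSetting $Configured
    $need = ConvertFrom-HardenedPathSetting $RequiredSetting
    foreach ($flag in $need.Keys) {
        if ($need[$flag] -eq 1 -and $have[$flag] -ne 1) { return 'Weakened' }
    }
    return 'Enforced'
}

function Get-UncHardeningState {
    $props = Get-ItemProperty -Path $HardenedPathsKey -ErrorAction SilentlyContinue
    foreach ($share in $Required.Keys) {
        $prop = if ($props) { $props.PSObject.Properties[$share] } else { $null }
        $configured = if ($prop) { [string]$prop.Value } else { $null }
        [pscustomobject]@{
            Share      = $share
            Configured = $configured
            State      = Get-HardenedPathState -Configured $configured -RequiredSetting $Required[$share]
        }
    }
}

function Set-UncHardening {
    # Write the explicit policy values so the requirement survives any later override attempt.
    if (-not (Test-Path $HardenedPathsKey)) { New-Item -Path $HardenedPathsKey -Force | Out-Null }
    foreach ($share in $Required.Keys) {
        New-ItemProperty -Path $HardenedPathsKey -Name $share -Value $Required[$share] `
            -PropertyType String -Force | Out-Null
    }
}

Get-UncHardeningState | Format-Table -AutoSize
# To enforce, run:  Set-UncHardening; Get-UncHardeningState | Format-Table -AutoSize
```

A "Default" result is what the NOTE describes: the values are absent but the hardening still applies. "Weakened" is the state to alert on, because it means something wrote an explicit value that turns mutual authentication or integrity off for a domain share, which is exactly the precondition for the MS15-011 style Group Policy hijack.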
Protected Processes
Most security controls are designed to prevent the initial infection point. However, despite all the best preventative
controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on
malware that gets on the device. Protected Processes creates limits of this type.
With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that
have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are
prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected
Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be
used by third-party anti-malware vendors, as described in Protecting Anti-Malware Services. This helps make the
system and antimalware solutions less susceptible to tampering by malware that does manage to get on the
system.
Universal Windows apps protections
When users download Universal Windows apps from the Microsoft Store, it’s unlikely that they will encounter
malware because all apps go through a careful screening process before being made available in the store. Apps
that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure
that they meet organizational security requirements.
Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal
Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal
Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no
access to data unless the user explicitly grants the application permission.
In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the
minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage
the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the
exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and
publisher.
Windows heap protections
The heap is a location in memory that Windows uses to store dynamic application data. Windows 10 continues to
improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part
of an attack.
Windows 10 has several important improvements to the security of the heap:
Heap metadata hardening for internal data structures that the heap uses, to improve protections against
memory corruption.
Heap allocation randomization , that is, the use of randomized locations and sizes for heap memory
allocations, which makes it more difficult for an attacker to predict the location of critical memory to
overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which
makes the allocation much less predictable.
Heap guard pages before and after blocks of memory, which work as tripwires. If an attacker attempts to
write past a block of memory (a common technique known as a buffer overflow), the attacker will have to
overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and
Windows 10 responds by instantly terminating the app.
Kernel pool protections
The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory
("nonpaged pool") and one that can be paged in and out of physical memory ("paged pool"). Many types of attacks
have been attempted against these pools. Windows 10 has multiple "pool hardening" protections against them, such
as process quota pointer encoding; lookaside, delay free, and pool page cookies; PoolIndex bounds checks; and
integrity checks.
In addition to pool hardening, Windows 10 includes other kernel hardening features:
Kernel DEP and Kernel ASLR: Follow the same principles as Data Execution Prevention and Address Space
Layout Randomization, described earlier in this topic.
Font parsing in AppContainer: Isolates font parsing in an AppContainer sandbox.
Disabling of NT Virtual DOS Machine (NTVDM): The old NTVDM kernel module (for running 16-bit
applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM
decreases protection against Null dereference and other exploits.)
Supervisor Mode Execution Prevention (SMEP): Helps prevent the kernel (the "supervisor") from
executing code in user pages, a common technique used by attackers for local kernel elevation of privilege
(EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN
support.
Safe unlinking: Helps protect against pool overruns that are combined with unlinking operations to create
an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to
all usage of LIST_ENTRY and includes the "FastFail" mechanism to enable rapid and safe process termination.
Memory reservations: The lowest 64 KB of process memory is reserved for the system. Apps are not
allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques
such as "NULL dereference" to overwrite critical system data structures in memory.
Control Flow Guard
When applications are loaded into memory, they are allocated space based on the size of the code, requested
memory, and other factors. When an application begins to execute code, it calls additional code located in other
memory addresses. The relationships between the code locations are well known—they are written in the code
itself—but previous to Windows 10, the flow between these locations was not enforced, which gave attackers the
opportunity to change the flow to meet their needs.
This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted
application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for
execution. If the location is not trusted, the application is immediately terminated as a potential security risk.
An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring
it when the application is compiled. Consider asking application developers and software vendors to deliver
trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications
written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a
Visual Studio 2015 project, see Control Flow Guard.
Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full
advantage of CFG.
Microsoft Edge and Internet Explorer 11
Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s
interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users
cannot perform at least part of their job without a browser, and many users are completely reliant on one. This
reality has made the browser the common pathway from which malicious hackers initiate their attacks.
All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two
common examples of this are Flash and Java extensions that enable their respective applications to run inside a
browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a
priority.
Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways,
especially:
Smaller attack surface; no support for non-Microsoft binary extensions. Multiple browser
components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that
have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs),
ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default
through built-in extensions.
Runs 64-bit processes. A 64-bit PC running an older version of Windows often runs in 32-bit
compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it
runs only 64-bit processes, which are much more secure against exploits.
Includes Memory Garbage Collection (MemGC). This helps protect against use-after-free (UAF) issues.
Designed as a Universal Windows app. Microsoft Edge is inherently compartmentalized and runs in an
AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can
also take advantage of the same AppContainer technology through Enhanced Protected Mode. However,
because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range
of attacks than Microsoft Edge.
Simplifies security configuration tasks. Because Microsoft Edge uses a simplified application structure
and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge
default settings align with security best practices, which makes it more secure by default.
In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with
websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the
primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the
primary web browser because it provides compatibility with the modern web and the best possible security.
For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable
Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this
configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11.
Functions that software vendors can use to build mitigations into apps
Some of the protections available in Windows 10 are provided through functions that can be called from apps or
other software. Such software is less likely to provide openings for exploits. If you are working with a software
vendor, you can request that they include these security-oriented functions in the application. The following table
lists some types of mitigations and the corresponding security-oriented functions that can be used in apps.
NOTE
Control Flow Guard (CFG) is also an important mitigation that a developer can include in software when it is compiled. For
more information, see Control Flow Guard, earlier in this topic.
Child Process Restriction to restrict the ability to create child processes: UpdateProcThreadAttribute function
[PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY]
Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI: SetProcessMitigationPolicy
function [ProcessSystemCallDisablePolicy]
Strict handle checks to raise immediate exception upon bad handle reference: UpdateProcThreadAttribute function
[PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON]
Extension point disable to block the use of certain third-party extension points: UpdateProcThreadAttribute
function [PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON]

Load Library Check (LoadLib) and Memory Protection Check (MemProt): LoadLib and MemProt are supported in
Windows 10, for all applications that are written to use these functions. See Table 4, earlier in this topic.
Null Page: Mitigations for this threat are built into Windows 10, as described in the "Memory reservations" item in
Kernel pool protections, earlier in this topic.
Heap Spray, EAF, and EAF+: Windows 10 does not include mitigations that map specifically to these EMET features
because they have low impact in the current threat landscape, and do not significantly increase the difficulty of
exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits
appear and taking steps to harden the operating system against them.
The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process,
or it can save all settings to an XML file.
To get the current settings on all running instances of notepad.exe:
To get the current settings for the running process with pid 1304:
To get the all process mitigation settings from the registry and save them to the xml file settings.xml:
The Set-ProcessMitigation cmdlet can enable and disable process mitigations or set them in bulk from an XML file.
To get the current process mitigation for "notepad.exe" from the registry and then enable MicrosoftSignedOnly and
disable MandatoryASLR:
To set the process mitigations from an XML file (which can be generated from
Get-ProcessMitigation -RegistryConfigFilePath settings.xml):
The ConvertTo-ProcessMitigationPolicy cmdlet converts mitigation policy file formats. The syntax is:
Examples:
Convert EMET settings to Windows 10 settings: You can run ConvertTo-ProcessMitigationPolicy and
provide an EMET XML settings file as input, which will generate a result file of Windows 10 mitigation
settings. For example:
Audit and modify the converted settings (the output file): Additional cmdlets let you apply,
enumerate, enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and
disables MandatoryASLR and DEPATL registry settings for Notepad:
Convert Attack surface reduction (ASR) settings to a Code Integrity policy file: If the input file
contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a
Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for
the Code Integrity policy, as described in Deploy Device Guard: deploy code integrity policies. This will enable
protections on Windows 10 equivalent to EMET's ASR protections.
Convert Certificate Trust settings to enterprise certificate pinning rules: If you have an EMET
"Certificate Trust" XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to
convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling
that file as described in Enterprise Certificate Pinning. For example:
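The following script is an added example and not the original page's code. It strings the Get-ProcessMitigation, Set-ProcessMitigation and ConvertTo-ProcessMitigationPolicy cmdlets described above into one audit-then-apply workflow, and adds a per-process summary of the four vendor-side mitigations listed in the function table earlier (child process restriction, Win32k system call disable, strict handle checks, extension point disable) plus CFG. Assumptions not stated on the page: the process name notepad.exe and PID 1304 are placeholders, the file names settings.xml, emet.xml, win10.xml, emet-pins.xml and pinrules.xml are the example's own, and the nested property names on the Get-ProcessMitigation output object (ChildProcess, SystemCall, StrictHandle, ExtensionPoint, CFG) are taken from the cmdlet's Format-List output and should be verified on your build. Where a build no longer accepts MandatoryASLR as a mitigation name, the equivalent setting is ForceRelocateImages. Run from an elevated session.

```powershell
# Added example: audit, change, bulk-apply and convert process mitigation settings.
# Not the page's own code. Assumptions are marked inline.
#Requires -RunAsAdministrator
Import-Module ProcessMitigations

function Get-VendorMitigationSummary {
    # Summarise, for one running process, the mitigations a vendor can opt into at build time.
    # Assumption: nested property names as shown by Get-ProcessMitigation | Format-List.
    param([int]$ProcessId)
    $m = Get-ProcessMitigation -Id $ProcessId
    [pscustomobject]@{
        Pid                 = $ProcessId
        Name                = (Get-Process -Id $ProcessId).ProcessName
        ChildProcessBlocked = $m.ChildProcess.DisallowChildProcessCreation
        Win32kCallsDisabled = $m.SystemCall.DisableWin32kSystemCalls
        StrictHandleChecks  = $m.StrictHandle.Enable
        ExtensionPointsOff  = $m.ExtensionPoint.DisableExtensionPoints
        ControlFlowGuard    = $m.CFG.Enable
    }
}

# 1. Audit a running process: all notepad.exe instances, then one PID (1304 is a placeholder).
Get-ProcessMitigation -Name notepad.exe -RunningProcesses | Format-List
Get-ProcessMitigation -Id 1304 | Format-List

# 2. Snapshot the registry-backed policy for every process into settings.xml (keep it as a baseline).
Get-ProcessMitigation -RegistryConfigFilePath .\settings.xml

# 3. Change one process: enable MicrosoftSignedOnly, disable MandatoryASLR for notepad.exe.
#    On builds that reject MandatoryASLR, use -Disable ForceRelocateImages instead.
Set-ProcessMitigation -Name notepad.exe -Enable MicrosoftSignedOnly -Disable MandatoryASLR

# 4. Bulk-apply a reviewed policy file (for example the baseline from step 2 after editing).
Set-ProcessMitigation -PolicyFilePath .\settings.xml

# 5. Convert an EMET settings export to Windows 10 mitigation settings, then adjust the result
#    (the page's example: enable SEHOP, disable MandatoryASLR and DEPATL for Notepad).
ConvertTo-ProcessMitigationPolicy -EMETFilePath .\emet.xml -OutputFilePath .\win10.xml
Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL

# 6. Convert an EMET Certificate Trust (pinning rules) file to enterprise certificate pinning rules.
ConvertTo-ProcessMitigationPolicy -EMETFilePath .\emet-pins.xml -OutputFilePath .\pinrules.xml

# 7. Fleet view: which running processes lack CFG? Protected processes deny access and are skipped.
Get-Process | Where-Object { $_.Id -gt 4 } | ForEach-Object {
    try { Get-VendorMitigationSummary -ProcessId $_.Id } catch { }
} | Where-Object { $_.ControlFlowGuard -ne 'ON' } | Format-Table -AutoSize
```

Step 2 before step 3 is deliberate: the registry policy is the only durable record of what was changed, and the XML snapshot is what you diff against after a change or a vendor update. Step 7 produces the list you hand to software vendors when asking for CFG-enabled builds, which is the request the CFG section above recommends.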
EMET-related products
Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of
options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise
Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in
similar capabilities, we recommend evaluating Microsoft Defender Advanced Threat Protection (ATP).
Related topics
Security and Assurance in Windows Server 2016
Microsoft Defender Advanced Threat Protection (ATP) - resources
Microsoft Defender Advanced Threat Protection (ATP) - documentation
Exchange Online Advanced Threat Protection Service Description
Office 365 Advanced Threat Protection
Microsoft Malware Protection Center
Override Process Mitigation Options to help enforce
app-related security policies
12/3/2019 • 3 minutes to read
Applies to:
Windows 10, version 1607
Windows Server 2016
Windows 10 includes Group Policy-configurable “Process Mitigation Options” that add advanced protections against
memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example,
malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation
Options can prevent the running of the malicious code.
IMPORTANT
We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with
your organization’s required apps.
The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types
are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can
configure additional protections. The types of process mitigations are:
Data Execution Prevention (DEP) is a system-level memory protection feature that enables the operating
system to mark one or more pages of memory as non-executable, preventing code from being run from that
region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from
data pages such as the default heap, stacks, and memory pools. For more information, see Data Execution
Prevention.
Structured Exception Handling Overwrite Protection (SEHOP) is designed to block exploits that use the
Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at
runtime, it helps to protect apps regardless of whether they have been compiled with the latest improvements. For
more information, see Structured Exception Handling Overwrite Protection.
Address Space Layout Randomization (ASLR) loads DLLs into random memory addresses at boot time to
mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected
to be loaded. For more information, see Address Space Layout Randomization. To find additional ASLR
protections in the table below, look for IMAGES or ASLR.
The following procedure describes how to use Group Policy to override individual Process Mitigation Options
settings.
To modify Process Mitigation Options
1. Open your Group Policy editor and go to the Administrative Templates\System\Mitigation
Options\Process Mitigation Options setting.
2. Click Enabled, and then in the Options area, click Show to open the Show Contents box, where you’ll be able
to add your apps and the appropriate bit flag values, as shown in the Setting the bit field and Example sections of
this topic.
Important
For each app you want to include, you must include:
Value name. The app file name, including the extension. For example, iexplore.exe.
Value. A bit field with a series of bit flags in particular positions. Bits can be set to 0 (where the setting is
forced off), 1 (where the setting is forced on), or ? (where the setting retains the previous, existing value).
Note
Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior.
Setting the bit field
Here’s a visual representation of the bit flag locations for the various Process Mitigation Options settings:
Where the bit flags are read from right to left and are defined as:
Example
If you want to turn on the PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and
PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON settings, turn off the
PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF setting, and leave everything
else as the default values, you’d want to type a value of ???????????????0???????1???????1.
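Counting 32 positions by hand is error-prone, so here is an added PowerShell helper (not part of the original topic) that builds and decodes the bit-flag string. The bit positions 0, 8 and 16 used in the demo are read off the topic's own example string (rightmost character is bit 0); the names and width are assumptions derived from that example, and the bit table itself is not reproduced here.

```powershell
# Added example, not from the original page. Builds and decodes the bit-flag
# string that the Process Mitigation Options setting expects: one character
# per bit position, read right to left, '1' = force on, '0' = force off,
# '?' = keep the existing value. Positions not named stay '?', as the topic's
# note requires. Width 32 matches the topic's example string (assumption).

function New-MitigationBitField {
    [CmdletBinding()]
    param(
        [int[]] $ForceOn  = @(),   # bit positions to set to '1' (0 = rightmost)
        [int[]] $ForceOff = @(),   # bit positions to set to '0'
        [int]   $Width    = 32
    )
    # A position cannot be forced both on and off; fail loudly instead of
    # silently letting one of the two win.
    $conflict = $ForceOn | Where-Object { $ForceOff -contains $_ }
    if ($conflict) { throw "Bit position(s) in both ForceOn and ForceOff: $($conflict -join ',')" }
    foreach ($p in ($ForceOn + $ForceOff)) {
        if ($p -lt 0 -or $p -ge $Width) { throw "Bit position $p is outside 0..$($Width - 1)" }
    }
    # Start fully undefined and fill from the right.
    $chars = [char[]]('?' * $Width)
    foreach ($p in $ForceOn)  { $chars[$Width - 1 - $p] = [char]'1' }
    foreach ($p in $ForceOff) { $chars[$Width - 1 - $p] = [char]'0' }
    return -join $chars
}

function Read-MitigationBitField {
    param([Parameter(Mandatory)][string] $Value)
    if ($Value -notmatch '^[01?]+$') { throw "Only '0', '1' and '?' are allowed" }
    $width = $Value.Length
    $on = @(); $off = @()
    for ($i = 0; $i -lt $width; $i++) {
        $pos = $width - 1 - $i          # string index -> bit position
        switch ($Value[$i]) {
            '1' { $on  += $pos }
            '0' { $off += $pos }
        }
    }
    [pscustomobject]@{ ForceOn = $on; ForceOff = $off; Width = $width }
}

# The topic's example: DEP_ENABLE (bit 0) and FORCE_RELOCATE_IMAGES_ALWAYS_ON
# (bit 8) forced on, BOTTOM_UP_ASLR_ALWAYS_OFF (bit 16) forced off.
$value = New-MitigationBitField -ForceOn 0, 8 -ForceOff 16
$value                                  # ???????????????0???????1???????1
Read-MitigationBitField -Value $value   # ForceOn = 0, 8; ForceOff = 16
```

Paste the returned string into the Value column of the Show Contents box next to the app's file name; use Read-MitigationBitField on values already deployed to confirm they only touch the positions you intended.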
Use Windows Event Forwarding to help with intrusion
detection
12/4/2019 • 25 minutes to read
Applies to
Windows 10
Windows Server
Learn about an approach to collect events from devices in your organization. This article talks about events in both
normal operations and when an intrusion is suspected.
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your
organization and forwards the events you choose to a Windows Event Collector (WEC) server.
To accomplish this, two different subscriptions are published to client devices: the Baseline subscription
and the Suspect subscription. The Baseline subscription enrolls all devices in your organization, and the Suspect
subscription only includes devices that you have added. The Suspect subscription collects additional events
to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios
as needed without impacting baseline operations.
This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices
with online analytical capability, such as a Security Event Manager (SEM), while also sending events to a MapReduce
system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect
subscription are sent directly to a MapReduce system because of their volume and lower signal-to-noise ratio; they are
largely used for host forensic analysis.
An SEM’s strength lies in being able to inspect and correlate events, generate alerts for known patterns,
and alert security staff at machine speed.
A MapReduce system has a longer retention time (years versus months for an SEM), larger ingress ability
(hundreds of terabytes per day), and the ability to perform more complex operations on the data like statistical and
trend analysis, pattern clustering analysis, or apply Machine Learning algorithms.
Here's an approximate scaling guide for WEF events:
Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF
implementation, including enabling of disabled event logs and setting channel permissions. For more info, see
Appendix C - Event channel settings (enable and channel access) methods. This is because WEF is a passive system
with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change
channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events.
Additionally, having event generation already occurring on a device allows for more complete event collection
building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF
subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling
additional event channels and expanding the size of event log files has not resulted in noticeable performance
differences.
For the minimum recommended audit policy and registry system ACL settings, see Appendix A - Minimum
recommended minimum audit policy and Appendix B - Recommended minimum registry system ACL policy.
Note: These are only the minimum values needed to meet what the WEF subscription selects.
From a WEF subscription management perspective, the event queries provided should be used in two separate
subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the
targeted subscription, and this access would be determined by an algorithm or an analyst’s direction. All devices should
have access to the Baseline subscription.
This means you would create two base subscriptions:
Baseline WEF subscription. Events collected from all hosts; this includes some role-specific events, which will
only be emitted by those machines.
Targeted WEF subscription. Events collected from a limited set of hosts because of unusual activity and/or
heightened awareness for those systems.
Each uses its respective event query (see the appendixes). Note that for the Targeted subscription the “read existing
events” option should be set to true to allow collection of existing events from systems. By default, WEF
subscriptions will only forward events generated after the WEF subscription was received by the client.
In Appendix E – Annotated Baseline Subscription Event Query and Appendix F – Annotated Suspect Subscription
Event Query, the event query XML is included when creating WEF subscriptions. These are annotated for query
purpose and clarity. Individual <Query> elements can be removed or edited without affecting the rest of the query.
Common WEF questions
This section addresses common questions from IT pros and customers.
Will the user notice if their machine is enabled for WEF or if WEF encounters an error?
The short answer is: No.
The longer answer is: The Eventlog-ForwardingPlugin/Operational event channel logs the success, warning,
and error events related to WEF subscriptions present on the device. Unless the user opens Event Viewer and
navigates to that channel, they will not notice WEF either through resource consumption or Graphical User
Interface pop-ups. Even if there is an issue with the WEF subscription, there is no user interaction or performance
degradation. All success, warning, and failure events are logged to this operational event channel.
Is WEF Push or Pull?
A WEF subscription can be configured to be push or pull, but not both. The simplest, most flexible IT deployment
with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are
configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the
subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are
to be selected. Those clients also have to be configured ahead of time to allow the credentials used in the
subscription to access their event logs remotely (normally by adding the credential to the Event Log Readers
built-in local security group). A useful scenario for pull: closely monitoring a specific set of machines.
Will WEF work over VPN or RAS?
WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and send any accumulated backlog of
events when the connection to the WEF Collector is re-established.
How is client progress tracked?
The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source
for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent to
the device to use as a starting point to resume forwarding events. If a WEF client has no events to send, the WEF
client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value
can be individually configured for each subscription.
Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment?
Yes. WEF is transport agnostic and will work over IPv4 or IPv6.
Are WEF events encrypted? I see an HTTP/HTTPS option!
In a domain setting, the connection used to transmit WEF events is encrypted using Kerberos by default (with
NTLM as a fallback option, which can be disabled by using a GPO). Only the WEF collector can decrypt the
connection. Additionally, the connection between WEF client and WEC server is mutually authenticated regardless
of authentication type (Kerberos or NTLM). There are GPO options to force authentication to use Kerberos only.
This authentication and encryption is performed regardless of whether HTTP or HTTPS is selected.
The HTTPS option is available if certificate based authentication is used, in cases where the Kerberos based mutual
authentication is not an option. The SSL certificate and provisioned client certificates are used to provide mutual
authentication.
Do WEF Clients have a separate buffer for events?
The WEF client machine’s local event log is the buffer for WEF for when the connection to the WEC server is lost. To
increase the “buffer size”, increase the maximum file size of the specific event log file where events are being
selected. For more info, see Appendix C – Event Channel Settings (enable and Channel Access) methods.
When the event log overwrites existing events (resulting in data loss if the device is not connected to the Event
Collector), there is no notification sent to the WEF collector that events are lost from the client. Neither is there an
indicator that there was a gap encountered in the event stream.
What format is used for forwarded events?
WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of
the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled
depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to as
“Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx
file.) This is very compact and can more than double the event volume a single WEC server can accommodate.
A subscription “testSubscription” can be configured to use the Events format through the WECUTIL utility:
The built-in delivery options (configuration modes) are:
Normal: This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the
appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as
quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes.
Minimize bandwidth: This option ensures that the use of network bandwidth for event delivery is strictly
controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver
events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6
hours.
Minimize latency: This option ensures that events are delivered with minimal delay. It is an appropriate choice if
you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds.
For more info about delivery options, see Configure Advanced Subscription Settings.
The primary difference is in the latency with which events are sent from the client. If none of the built-in options meet
your requirements, you can set custom event delivery options for a given subscription from an elevated command
prompt:
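The pieces above (a source-initiated Baseline subscription built from per-event <Query> elements, switching the "testSubscription"-style subscription to the Events format, and custom delivery settings) are shown together in the following added PowerShell example. It is not the appendix XML the topic refers to and not the topic's own commands; the subscription name "Baseline", the four event IDs chosen, the SDDL and the numeric delivery values are constructed for illustration.

```powershell
# Added example (not from the original page): a small source-initiated
# Baseline subscription in the XML format wecutil consumes, then the wecutil
# switches for the compact "Events" content format and custom delivery.
# Assumptions: run elevated on the WEC server; event IDs are a constructed
# subset of the Baseline list (process create 4688, service install 7045,
# share access 5140 without IPC$/NETLOGON noise, Security log cleared 1102).

$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Baseline</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Baseline events from all domain devices</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>100</MaxItems>
      <MaxLatencyTime>300000</MaxLatencyTime>   <!-- 5 minutes, in ms -->
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>           <!-- 1 hour, in ms -->
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
<QueryList>
  <!-- Process create: one of the highest-value baseline events -->
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4688)]]</Select>
  </Query>
  <!-- Service install (System log, Service Control Manager) -->
  <Query Id="1" Path="System">
    <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7045)]]</Select>
  </Query>
  <!-- Network share access; the Suppress applies only inside this Query element -->
  <Query Id="2" Path="Security">
    <Select Path="Security">*[System[(EventID=5140)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name='ShareName'] and (Data='\\*\IPC$' or Data='\\*\NETLOGON')]]</Suppress>
  </Query>
  <!-- Security event log cleared: possible track covering -->
  <Query Id="3" Path="Security">
    <Select Path="Security">*[System[(EventID=1102)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <!-- Set to true for the Targeted subscription so backlog is collected -->
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: Domain Computers (DC) and Domain Controllers (DD) may forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@

$xmlPath = Join-Path $env:TEMP 'baseline-subscription.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8

wecutil cs $xmlPath             # create the subscription from the XML
wecutil ss Baseline /cf:Events  # binary "Events" format instead of RenderedText

# Custom delivery from the command line instead of the XML: batch up to 100
# items or 5 minutes, heartbeat every hour (all times in milliseconds).
wecutil ss Baseline /cm:Custom /dmi:100 /dmlt:300000 /hi:3600000

wecutil gs Baseline   # effective subscription configuration
wecutil gr Baseline   # runtime status: which sources are active / last heartbeat
```

Because each <Query> is independent, adding or dropping an event type is a one-element edit followed by wecutil ss with the updated file; the Suppress in Query 2 does not affect the other queries.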
Subscription information
The following lists all of the items that each subscription collects; the actual subscription XML is available in the appendixes.
These are separated out into Baseline and Targeted. The intent is to subscribe all hosts to Baseline, and then enroll
(and remove) hosts on an as-needed basis to the Targeted subscription.
Baseline subscription
While this appears to be the largest subscription, it really is the lowest volume on a per-device basis. (Exceptions
should be allowed for unusual devices – a device performing complex developer related tasks can be expected to
create an unusually high volume of process create and AppLocker events.) This subscription does not require
special configuration on client devices to enable event channels or modify channel permissions.
The subscription is essentially a collection of query statements applied to the Event Log. This means that it is
modular in nature, and a given query statement can be removed or changed without impacting other query
statements in the subscription. Additionally, suppress statements, which filter out specific events, only apply within
their own query statement and not to the entire subscription.
Baseline subscription requirements
To gain the most value out of the baseline subscription, we recommend that the following be configured on
the device to ensure that the clients are already generating the required events to be forwarded off the system.
Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info,
see Appendix A – Minimum Recommended minimum Audit Policy. This ensures that the security event log is
generating the required events.
Apply at least an Audit-Only AppLocker policy to devices.
If you are already whitelisting or blacklisting events by using AppLocker, then this requirement is met.
AppLocker events contain extremely useful information, such as file hash and digital signature
information for executables and scripts.
Enable disabled event channels and set the minimum size for modern event files.
Currently, there is no GPO template for enabling or setting the maximum size for the modern event files.
This must be done by using a GPO. For more info, see Appendix C – Event Channel Settings (enable and
Channel Access) methods.
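The three client-side requirements above (audit policy, audit-only AppLocker, enabled and enlarged event channels), as an added PowerShell example that is not part of the original topic and does not reproduce its appendixes. It assumes an elevated session on the client, English auditpol subcategory names, that the AppLocker XML at the constructed path C:\Policies\applocker-audit.xml already carries an AuditOnly enforcement mode, and that granting NETWORK SERVICE log read access through the Event Log Readers group is acceptable in your environment.

```powershell
# Added example (not from the original page): prepare a client so the
# Baseline subscription has events to forward. WEF only reads events that
# already exist, so audit policy, channel state and log size are set here.

# 1. Security audit policy: a superset of the topic's Appendix A minimum.
#    These subcategories feed the process create, logon and share access
#    events in the Baseline list (constructed selection, not the full appendix).
auditpol /set /subcategory:"Process Creation" /success:enable /failure:disable
auditpol /set /subcategory:"Logon"            /success:enable /failure:enable
auditpol /set /subcategory:"File Share"       /success:enable /failure:enable

# 2. AppLocker in audit-only mode. The Application Identity service must run
#    for AppLocker events to be generated at all.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy 'C:\Policies\applocker-audit.xml'   # EnforcementMode=AuditOnly inside the XML

# 3. Enable modern channels the Baseline/Suspect lists rely on and raise their
#    maximum size (bytes). The local log is WEF's only buffer while the
#    collector is unreachable, so a bigger log means fewer silent gaps.
$channels = @(
    'Microsoft-Windows-DriverFrameworks-UserMode/Operational',   # UMDF "Driver Loaded"
    'Microsoft-Windows-DNS-Client/Operational',                  # client DNS lookups
    'Microsoft-Windows-PowerShell/Operational'                   # PowerShell logging
)
foreach ($c in $channels) {
    wevtutil sl $c /e:true /ms:104857600    # enable, 100 MiB
}

# 4. Channel access: the forwarding client runs as NETWORK SERVICE and needs
#    read access to the logs it forwards (assumption: group membership is the
#    chosen method rather than a per-channel /ca: SDDL).
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue

# 5. Verify, then look at the forwarding plugin's own channel, where WEF
#    success/warning/error events land without any user-visible UI.
Get-WinEvent -ListLog $channels | Select-Object LogName, IsEnabled, MaximumSizeInBytes
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

In production these settings belong in the Baseline GPO rather than a script, but running them once on a test device and then checking the Eventlog-ForwardingPlugin/Operational channel is the fastest way to confirm that a subscription actually picks up events before rolling it out.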
The events collected are summarized in the following list. For more info, see Appendix F – Annotated Suspect
Subscription Event Query.
Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any
given anti-malware product easily if it writes to the Windows event log.
Security event log Process Create events.
AppLocker Process Create events (EXE, script, packaged App installation and execution).
Registry modification events. For more info, see Appendix B – Recommended minimum Registry System
ACL Policy.
OS startup and shutdown
Startup events include operating system version, service pack level, QFE version, and boot mode.
Service install
Includes the name of the service, the image path, and who installed the service.
Certificate Authority audit events
This is only applicable on systems with the Certificate Authority role installed.
Logs certificate requests and responses.
User profile events
Use of a temporary profile, or failure to create a user profile, may indicate an intruder is interactively
logging into a device but not wanting to leave a persistent profile behind.
Service start failure
Failure codes are localized, so you have to check the message DLL for values.
Network share access events
Filter out IPC$ and /NetLogon file shares, which are expected and noisy.
System shutdown initiate requests
Find out what initiated the restart of a device.
User initiated interactive logoff event
Remote Desktop Services session connect, reconnect, or disconnect.
EMET events, if EMET is installed.
Event forwarding plugin events
For monitoring WEF subscription operations, particularly Partial Success events. This is useful for
diagnosing deployment issues.
Network share create and delete
Enables detection of unauthorized share creation.
Logon sessions
Logon success for interactive (local and Remote Interactive/Remote Desktop)
Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on.
Logon success for batch sessions
Logon session close, which are logoff events for non-network sessions.
Windows Error Reporting (Application crash events only)
This can help detect early signs of an intruder who is not familiar with the enterprise environment using targeted
malware.
Event log service events
Errors, start events, and stop events for the Windows Event Log service.
Event log cleared (including the Security Event Log)
This could indicate an intruder covering their tracks.
Special privileges assigned to new logon
This indicates that at the time of logon a user is either an Administrator or has the sufficient access to
make themselves Administrator.
Outbound Remote Desktop Services session attempts
Visibility into a potential beachhead for an intruder.
System time changed
SMB Client (mapped drive connections)
Account credential validation
Local accounts or domain accounts on domain controllers
A user was added or removed from the local Administrators security group.
Crypto API private key accessed
Associated with signing objects using the locally stored private key.
Task Scheduler task creation and delete
Task Scheduler allows intruders to run code at specified times as LocalSystem.
Logon with explicit credentials
Detect credential use changes by intruders to access additional resources.
Smartcard card holder verification events
This detects when a smartcard is being used.
Suspect subscription
This adds some possible intruder-related activity to help analysts further refine their determinations about the state
of the device.
Logon session creation for network sessions
Enables time-series analysis of network graphs.
RADIUS and VPN events
Useful if you use a Microsoft IAS RADIUS/VPN implementation. It shows the user-to-IP-address assignment
with the remote IP address connecting to the enterprise.
Crypto API X509 object and build chain events
Detects known bad certificate, CA, or sub-CA
Detects unusual process use of CAPI
Groups assigned to local logon
Gives visibility to groups which enable account wide access
Allows better planning for remediation efforts
Excludes well known, built-in system accounts.
Logon session exit
Specific for network logon sessions.
Client DNS lookup events
Returns what process performed a DNS query and the results returned from the DNS server.
Process exit
Enables checking for processes terminating unexpectedly.
Local credential validation or logon with explicit credentials
Generated when the local SAM is authoritative for the account credentials being authenticated.
Noisy on domain controllers
On client devices this is only generated when local accounts log on.
Registry modification audit events
Only when a registry value is being created, modified, or deleted.
Wireless 802.1x authentication
Detect wireless connection with a peer MAC address
Windows PowerShell logging
Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging
improvements for in-memory attacks using Windows PowerShell.
Includes Windows PowerShell remoting logging
User Mode Driver Framework “Driver Loaded” event
Can possibly detect a USB device loading multiple device drivers. For example, a USB_STOR device
loading the keyboard or network driver.
</QueryList>
Applies to:
Windows 10
Learn more about what features and functionality are supported in each Windows edition at Compare
Windows 10 Editions.
To help protect your company from attacks which may originate from untrusted or attacker-controlled font files,
we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops
your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your
network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts
helps prevent both remote (web-based or email-based) and local elevation-of-privilege (EOP) attacks that can happen
during the font file parsing process.
IMPORTANT
Your existing MitigationOptions values should be saved during your update. For example, if the current
value is 1000, your updated value should be 1000000001000.
NOTE
Because the FontType is Memory, there’s no associated FontPath.
NOTE
Because the FontType is File, there’s also an associated FontPath.
NOTE
In Audit mode, the problem is recorded, but the font isn’t blocked.
For example, if you want to exclude Microsoft Word processes, you’d use
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe .
2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts
feature on, using the steps in the Turn on and use the Blocking Untrusted Fonts feature section of this topic.
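The IMPORTANT note above is easy to get wrong with a plain Set-ItemProperty, which would overwrite whatever mitigation bits were already present. The following added PowerShell helper (not from the original topic) does a read-modify-write of a MitigationOptions value instead. It assumes the topic's values are hexadecimal, that the caller passes the registry key path from the full topic (this excerpt does not contain it, so KeyPath is a required parameter), and an elevated session; the dry run at the end uses only the numbers the note itself gives.

```powershell
# Added example (not from the original page): merge new bits into an existing
# MitigationOptions value so that the bits already set are preserved, as the
# topic's IMPORTANT note requires (existing 1000 -> 1000000001000, hex).
# Assumption: KeyPath is supplied by the caller from the full topic.

function Merge-MitigationOptions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string] $KeyPath,     # registry key holding MitigationOptions (from the full topic)
        [Parameter(Mandatory)][long]   $BitsToSet,   # mask for the mode being enabled
        [long] $BitsToClear = 0                      # mask to clear first, e.g. the feature's other mode bits
    )
    $name    = 'MitigationOptions'
    $current = [long]0
    $item = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $current = [long]$item.$name }

    # Clear the feature's own bits, then OR in the new ones; all other bits
    # (other mitigations already configured) are left exactly as they were.
    $updated = ($current -band (-bnot $BitsToClear)) -bor $BitsToSet

    $change = '{0}: {1:X} -> {2:X}' -f $name, $current, $updated
    if ($PSCmdlet.ShouldProcess($KeyPath, $change)) {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        Set-ItemProperty -Path $KeyPath -Name $name -Value $updated -Type QWord
    }
    return $updated
}

# Dry run with the topic's own numbers: an existing value of 1000 (hex) plus
# the added bit 1000000000000 (hex) must give 1000000001000, nothing else.
$existing = [Convert]::ToInt64('1000', 16)
$added    = [Convert]::ToInt64('1000000000000', 16)
'{0:X}' -f ($existing -bor $added)    # 1000000001000

# Real use (path placeholder, to be taken from the full topic):
# Merge-MitigationOptions -KeyPath 'HKLM:\<key from the topic>' -BitsToSet $added -WhatIf
```

Run with -WhatIf first: the ShouldProcess message prints the before and after values in hex, which is the check the note is asking you to make.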
Related content
Dropping the “Untrusted Font Blocking” setting
Security auditing
1/3/2020 • 2 minutes to read
Applies to
Windows 10
Topics in this section are for IT professionals and describe the security auditing features in Windows and how your
organization can benefit from using these technologies to enhance the security and manageability of your network.
Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As
part of your overall security strategy, you should determine the level of auditing that is appropriate for your
environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks
against resources that you have determined to be valuable in your risk assessment.
In this section
Topic: Description
Basic security audit policies: Before you implement auditing, you must decide on an auditing policy. A basic audit
policy specifies categories of security-related events that you want to audit. When this version of Windows is first
installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an
auditing policy that suits the security needs of your organization.
Advanced security audit policies: Advanced security audit policy settings are found in Security Settings\Advanced
Audit Policy Configuration\System Audit Policies and appear to overlap with basic security audit policies, but they
are recorded and applied differently.
Basic security audit policies
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of
security-related events that you want to audit. When this version of Windows is first installed, all auditing
categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that
suits the security needs of your organization.
The event categories that you can choose to audit are:
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory
service access category (for auditing objects on a domain controller), or the audit object access category (for
auditing objects on a member server or workstation). Once you have enabled the object access category, you can
specify the types of access you want to audit for each group or user.
In this section
Topic: Description
Create a basic audit policy for an event category: By defining auditing settings for specific event categories, you
can create an auditing policy that suits the security needs of your organization. On devices that are joined to a
domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is
turned on by default.
Apply a basic audit policy on a file or folder: You can apply audit policies to individual files and folders on your
computer by setting the permission type to record successful access attempts or failed access attempts in the
security log.
View the security event log: The security log records each event as defined by the audit policies you set on each
object.
Basic security audit policy settings: Basic security audit policy settings are found under Computer
Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
Create a basic audit policy for an event category
9/11/2019 • 2 minutes to read
Applies to
Windows 10
By defining auditing settings for specific event categories, you can create an auditing policy that suits the security
needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are
undefined by default. On domain controllers, auditing is turned on by default.
To complete this procedure, you must be logged on as a member of the built-in Administrators group.
To define or modify auditing policy settings for an event category for your local computer
1. Open the Local Security Policy snap-in (secpol.msc), and then click Local Policies.
2. Click Audit Policy.
3. In the results pane, double-click an event category that you want to change the auditing policy settings for.
4. Do one or both of the following, and then click OK.
To audit successful attempts, select the Success check box.
To audit unsuccessful attempts, select the Failure check box.
To complete this procedure, you must be logged on as a member of the Domain Admins group.
To define or modify auditing policy settings for an event category for a domain or organizational
unit, when you are on a member server or on a workstation that is joined to a domain
1. Open the Group Policy Management Console (GPMC).
2. In the console tree, double-click Group Policy objects in the forest and domain containing the Default
Domain Policy Group Policy object (GPO) that you want to edit.
3. Right-click the Default Domain Policy GPO, and then click Edit.
4. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click
Audit Policy.
5. In the results pane, double-click an event category that you want to change the auditing policy settings for.
6. If you are defining auditing policy settings for this event category for the first time, select the Define these
policy settings check box.
7. Do one or both of the following, and then click OK.
To audit successful attempts, select the Success check box.
To audit unsuccessful attempts, select the Failure check box.
Additional considerations
To audit object access, enable auditing of the object access event category by following the steps above. Then,
enable auditing on the specific object.
After your audit policy is configured, events will be recorded in the Security log. Open the Security log to view
these events.
The default auditing policy setting for domain controllers is No Auditing. This means that even if auditing is
enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing
policy to apply to domain controllers, you must modify this policy setting.
Apply a basic audit policy on a file or folder
3/25/2020 • 2 minutes to read
Applies to
Windows 10
You can apply audit policies to individual files and folders on your computer by setting the permission type to
record successful access attempts or failed access attempts in the security log.
To complete this procedure, you must be signed in as a member of the built-in Administrators group or have
Manage auditing and security log rights.
To apply or modify auditing policy settings for a local file or folder
1. Select and hold (or right-click) the file or folder that you want to audit, select Properties, and then select the
Security tab.
2. Select Advanced.
3. In the Advanced Security Settings dialog box, select the Auditing tab, and then select Continue.
4. Do one of the following:
To set up auditing for a new user or group, select Add. Select Select a principal, type the name of the
user or group that you want, and then select OK.
To remove auditing for an existing group or user, select the group or user name, select Remove, select
OK, and then skip the rest of this procedure.
To view or change auditing for an existing group or user, select its name, and then select Edit.
5. In the Type box, indicate what actions you want to audit by selecting the appropriate check boxes:
To audit successful events, select Success.
To audit failure events, select Fail.
To audit all events, select All.
6. In the Applies to box, select the object(s) to which the audit of events will apply. These include:
This folder only
This folder, subfolders and files
This folder and subfolders
This folder and files
Subfolders and files only
Subfolders only
Files only
7. By default, the selected Basic Permissions to audit are the following:
Read and execute
List folder contents
Read
Additionally, with your selected audit combination, you can select any combination of the following
permissions:
Full control
Modify
Write
IMPORTANT
Before you set up auditing for files and folders, you must enable object access auditing. To do this, define auditing policy
settings for the object access event category (with basic audit policy, Audit object access; with advanced audit policy, the
Object Access\Audit File System subcategory). If you don't enable object access auditing, the auditing entries you configure
are stored in the object's SACL but are never evaluated, so no events are generated and no files or folders are effectively audited.
Additional considerations
After you turn on object access auditing, view the security log in Event Viewer to review the results of your
changes.
You can set up file and folder auditing only on NTFS drives.
Because the security log is limited in size, carefully select the files and folders to be audited. Also, consider the
amount of disk space that you want to devote to the security log. The maximum size for the security log is
defined in Event Viewer.
View the security event log
5/31/2019 • 2 minutes to read
Applies to
Windows 10
The security log records each event as defined by the audit policies you set on each object.
To view the security log
1. Open Event Viewer.
2. In the console tree, expand Windows Logs , and then click Security . The results pane lists individual security
events.
3. If you want to see more details about a specific event, in the results pane, click the event.
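The same configuration from PowerShell, as an added example that is not code from the original articles: it writes the auditing entry that the Properties > Security > Advanced > Auditing dialog writes, turns on the prerequisite object access auditing, and then reads the resulting events from the Security log instead of opening Event Viewer. It assumes an elevated session and a hypothetical folder C:\Secure; the principal, rights and inheritance are illustrative choices.

```powershell
# Added example (not code from the original articles): the SACL that the
# Properties > Security > Advanced > Auditing dialog writes, configured from
# PowerShell and then read back from the Security log. Run elevated.
# Assumptions: the folder C:\Secure exists (hypothetical path); the principal,
# rights and inheritance below are illustrative choices.

$path = 'C:\Secure'

# Prerequisite from the IMPORTANT note. Under advanced audit policy, file and
# folder SACLs are evaluated only while the File System subcategory is on;
# without it the entry is saved but nothing is ever logged.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /get /subcategory:"File System"   # expect "Success and Failure"

# One auditing entry. The parameters map onto the dialog like this:
#   principal    -> Select a principal
#   rights       -> Basic Permissions check boxes
#   inheritance  -> Applies to: This folder, subfolders and files
#   auditFlags   -> Type: Success / Fail / All
$principal   = 'Everyone'
$rights      = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions'
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $principal, $rights, $inheritance, $propagation, $auditFlags)

# -Audit is needed to read (and later write) the SACL; plain Get-Acl handles
# only the DACL. Writing a SACL requires the "Manage auditing and security
# log" right (SeSecurityPrivilege), which is why the article asks for it.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check what is now on the object.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Trigger one audited write, then read the result from the Security log.
# On Windows 10 object access is event 4663 ("An attempt was made to access
# an object"); 4656 is the preceding handle request with the access mask.
Set-Content -Path (Join-Path $path 'probe.txt') -Value 'audit probe'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$path*" } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
```

Because the security log is size-limited, keep the rights mask narrow (writes and permission changes rather than Read and execute on a busy share) and scope the entry to the smallest Applies to that still covers the data you care about.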
Basic security audit policy settings
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy.
In this section
Topic: Description
Audit account logon events: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
Audit directory service access: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
Audit logon events: Determines whether to audit each instance of a user logging on to or logging off from a device.
Audit object access: Determines whether to audit the event of a user accessing an object (for example, a file, folder, registry key, or printer) that has its own system access control list (SACL) specified.
Audit process tracking: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
Audit system events: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
Related topics
Basic security audit policy settings
Audit account logon events
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit each instance of a user logging on to or logging off from another device in which this
device is used to validate the account.
This security setting determines whether to audit each instance of a user logging on to or logging off from another
computer in which this computer is used to validate the account. Account logon events are generated when a
domain user account is authenticated on a domain controller. The event is logged in the domain controller's
security log. Logon events are generated when a local user is authenticated on a local computer. The event is
logged in the local security log. Account logoff events are not generated.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits generate
an audit entry when an account logon attempt fails. To set this value to No auditing, in the Properties dialog box
for this policy setting, select the Define these policy settings check box and clear the Success and Failure
check boxes.
Default: Success
Event 677: A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family.
(677 is a pre-Windows Vista event ID. On Windows 10 and Windows Server 2008 and later, the Kerberos account logon
events are 4768 for a TGT request, 4769 for a service ticket request, 4771 for a pre-authentication failure, and
4772 and 4773 for a failed TGT or service ticket request; NTLM credential validation is event 4776.)
Related topics
Basic security audit policy settings
Audit account management
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit each event of account management on a device.
Examples of account management events include:
A user account or group is created, changed, or deleted.
A user account is renamed, disabled, or enabled.
A password is set or changed.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits
generate an audit entry when any account management event fails. To set this value to No auditing, in the
Properties dialog box for this policy setting, select the Define these policy settings check box and clear the
Success and Failure check boxes.
Default:
Success on domain controllers.
No auditing on member servers.
Related topics
Basic security audit policy settings
Audit directory service access
12/4/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit the event of a user accessing an Active Directory object that has its own system
access control list (SACL) specified.
By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it
remains undefined for workstations and servers where it has no meaning.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that
has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an
Active Directory object that has a SACL specified. To set this value to No auditing, in the Properties dialog box
for this policy setting, select the Define these policy settings check box and clear the Success and Failure
check boxes.
Note: You can set a SACL on an Active Directory object by using the Security tab in that object's Properties
dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and
not to file system and registry objects.
Default:
Success on domain controllers.
Undefined for a member server.
Related topics
Basic security audit policy settings
Audit logon events
9/11/2019 • 4 minutes to read
Applies to
Windows 10
Determines whether to audit each instance of a user logging on to or logging off from a device.
Account logon events are generated on domain controllers for domain account activity and on local devices for
local account activity. If both account logon and logon audit policy categories are enabled, logons that use a
domain account generate a logon or logoff event on the workstation or server, and they generate an account logon
event on the domain controller. Additionally, interactive logons to a member server or workstation that use a
domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved
when a user logs on. For more info about account logon events, see Audit account logon events.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit
entry when a logon attempt fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these
policy settings check box and clear the Success and Failure check boxes.
For information about advanced security policy settings for logon events, see the Logon/logoff section in Advanced
security audit policy settings.
The logon failure events below use the pre-Windows Vista event IDs. On Windows 10 a successful logon is event 4624 and
a failed logon is event 4625; the specific failure cause is carried in the Status and Sub Status fields of 4625 rather
than in a separate event ID.
Logon events: Description
530: Logon failure. A logon attempt was made by a user account outside of its allowed logon hours.
533: Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.
534: Logon failure. The user attempted to log on with a logon type that is not allowed.
535: Logon failure. The password for the specified account has expired.
537: Logon failure. The logon attempt failed for other reasons.
539: Logon failure. The account was locked out at the time the logon attempt was made.
544: Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
When event 528 (successful logon; 4624 on Windows 10) is logged, a logon type is also listed in the event log. The
following table describes each logon type.
Logon type | Logon title | Description
Related topics
Basic security audit policy settings
Audit object access
12/30/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer,
and so forth--that has its own system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a user successfully accesses an object that has an
appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access
an object that has a SACL specified.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy
settings check box and clear the Success and Failure check boxes.
Note: You can set a SACL on a file system object using the Security tab in that object's Properties dialog
box.
Default: No auditing.
Event 800: One or more rows have been deleted from the certificate database. (A Certificate Services event from the
pre-Windows Vista event table; on Windows 10 the same event is logged as 4896.)
Related topics
Basic security audit policy settings
Audit policy change
9/11/2019 • 3 minutes to read
Applies to
Windows 10
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust
policies.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies,
or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment
policies, audit policies, or trust policies fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these
policy settings check box and clear the Success and Failure check boxes.
Default:
Success on domain controllers.
No auditing on member servers.
Event 805: The event log service read the security log configuration for a session. (Pre-Windows Vista event ID; on
Windows 10 audit policy changes themselves are logged as event 4719.)
Related topics
Basic security audit policy settings
Audit privilege use
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit each instance of a user exercising a user right.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of
event at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits
generate an audit entry when the exercise of a user right fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy
settings check box and clear the Success and Failure check boxes.
Default: No auditing.
Audits are not generated for use of the following user rights, even if success audits or failure audits are specified
for Audit privilege use. Auditing these user rights tends to generate many events in the security log, which may
impede the computer's performance. To audit the following user rights anyway, enable the FullPrivilegeAuditing
registry value (a REG_BINARY value of 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa). On Windows 10,
privilege use is logged as event 4673 (a privileged service was called) and 4674 (an operation was attempted on a
privileged object); event 4672 records the sensitive privileges assigned to a new logon session.
Bypass traverse checking
Debug programs
Create a token object
Replace process level token
Generate security audits
Back up files and directories
Restore files and directories
Related topics
Basic security audit policy settings
Audit process tracking
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit detailed tracking information for events such as program activation, process exit,
handle duplication, and indirect object access.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when the process being tracked succeeds. Failure audits generate
an audit entry when the process being tracked fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy
settings check box and clear the Success and Failure check boxes.
Default: No auditing.
Related topics
Basic security audit policy settings
Audit system events
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that
affects either the system security or the security log.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a system event completes successfully. Failure audits generate
an audit entry when a system event fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these
policy settings check box and clear the Success and Failure check boxes.
Default:
Success on domain controllers.
No auditing on member servers.
Event 515: A trusted logon process has registered with the Local Security Authority. (Pre-Windows Vista event ID; on
Windows 10 this is event 4611.)
Related topics
Basic security audit policy settings
Advanced security audit policies
12/23/2019 • 2 minutes to read
Applies to
Windows 10
Advanced security audit policy settings are found in Security Settings\Advanced Audit Policy
Configuration\System Audit Policies and appear to overlap with basic security audit policies, but they are
recorded and applied differently. When you apply basic audit policy settings to the local computer by using the
Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy
settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies
can be controlled by using Group Policy.
In this section
Topic: Description
Planning and deploying advanced security audit policies: This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies.
Advanced security auditing FAQ: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
Using advanced security auditing options to monitor dynamic access control objects: This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
Advanced security audit policy settings: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
Plan and deploy advanced security audit policies
3/6/2020 • 33 minutes to read
Applies to
Windows 10
This article for IT professionals explains the options that security policy planners should consider and the tasks
they must complete to deploy an effective security audit policy in a network that includes advanced security audit
policies.
Organizations invest heavily in security applications and services, such as antimalware software, firewalls, and
encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights
of users, or how carefully you configure security permissions on your data, the job isn't complete unless you have
a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to
circumvent them.
To be well-defined and timely, an auditing strategy must provide useful tracking data for an organization's most
important resources, critical behaviors, and potential risks. In many organizations, it must also provide proof that IT
operations comply with corporate and regulatory requirements.
No organization has unlimited resources to monitor every resource and activity on a network. If you don't plan
well, you'll likely have gaps in your auditing strategy. But if you try to audit every resource and activity, you may
gather too much monitoring data, including thousands of benign audit entries that an analyst will have to sift
through to identify the narrow set of entries that warrant closer examination. Such volume could delay or prevent
auditors from identifying suspicious activity. Too much monitoring can leave an organization as vulnerable as not
enough.
Here are some features that can help you focus your effort:
Advanced audit policy settings: You can apply and manage detailed audit policy settings through Group
Policy.
"Reason for access" auditing: You can specify and identify the permissions that were used to generate a
particular object access security event.
Global object access auditing: You can define system access control lists (SACLs) for an entire computer file
system or registry.
To deploy these features and plan an effective security auditing strategy, you need to:
Identify your most critical resources and the most important activities that you need to track.
Identify the audit settings that you can use to track these activities.
Assess the advantages and potential costs associated with each.
Test these settings to validate your choices.
Develop plans for deploying and managing your audit policy.
IMPORTANT
Including auditing in your organization's security plan also helps you budget resources to the areas where auditing can
achieve the best results.
Resource class | Where stored | Organizational unit | Business impact | Security or regulatory requirements
Patient medical records | MedRec-2 | Doctors and Nurses: Read/write on MedRec-2; Lab Assistants: Write only on MedRec-2; Accounting: Read only on MedRec-2 | High | Strict legal and regulatory standards
Consumer health information | Web-Ext-1 | Public Relations Web Content Creators: Read/write on Web-Ext-1; Public: Read only on Web-Ext-1 | Low | Public education and corporate image
Users
Many organizations find it useful to classify the types of users they have and then base permissions on this
classification. This classification can help you identify which user activities should be the subject of security
auditing and the amount of audit data that they'll generate.
Organizations can create distinctions based on the type of rights and permissions that users need to do their jobs.
Under the classification administrators, for example, large organizations might assign local administrator
responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an
entire domain. Under users, permissions and Group Policy settings can apply to all users in an organization or as
few as a subset of employees in a given department.
Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or
financial data may need to be audited to verify that you're complying with these requirements.
To effectively audit user activity, begin by listing the different types of users in your organization, the types of data
they need access to, and the data they shouldn't have access to.
Also, if external users can access your organization's data, be sure to identify them. Determine whether they're a
business partner, customer, or general user; the data they have access to; and the permissions they have to access
that data.
The following table illustrates an analysis of users on a network. Our example contains only a single column titled
"Possible auditing considerations," but you may want to create additional columns to differentiate between
different types of network activity, such as logon hours and permission use.
Groups | Data | Possible auditing considerations
Account administrators | User accounts and security groups | Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes.
Members of the Finance OU | Financial records | Users in Finance have read/write access to critical financial records but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements.
Computers
Security and auditing requirements and audit event volume can vary considerably for different types of computers
in an organization. These requirements can be based on:
Whether the computers are servers, desktop computers, or portable computers
The important applications that the computers run, such as Microsoft Exchange Server, SQL Server, or
Forefront Identity Manager
NOTE
For more information about auditing:
In Exchange Server, see Exchange 2010 Security Guide.
In SQL Server 2008, see Auditing (Database Engine).
In SQL Server 2012, see SQL Server Audit (Database Engine).
NOTE
The operating system version determines which auditing options are available and the volume of audit event data.
Type of computer and applications | Operating system version | Where located
Portable computers | Windows Vista and Windows 7 | Separate portable computer OUs by department and (in some cases) by location
Regulatory requirements
Many industries and locales have specific requirements for network operations and how resources are protected.
In the health care and financial industries, for example, strict guidelines control who can access records and how
the records are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your
organization's legal department and other departments responsible for these requirements. Then consider the
security configuration and auditing options that you can use to comply with these regulations and verify
compliance.
For more information, see the System Center Process Pack for IT GRC.
IMPORTANT
Whether you apply advanced audit policies by using Group Policy or logon scripts, don't use both the basic audit policy
settings under Local Policies\Audit Policy and the advanced settings under Security Settings\Advanced Audit Policy
Configuration. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting.
If you use Advanced Audit Policy Configuration settings or logon scripts to apply advanced audit policies, be
sure to enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override
audit policy category settings policy setting under Local Policies\Security Options. This setting is stored as the
SCENoApplyLegacyAuditPolicy value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. When it's enabled, the
basic category settings are ignored, which prevents conflicts between similar settings. Verify the outcome with
auditpol.exe /get /category:*, which reports the effective policy at subcategory level.
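The model this note describes, as an added example rather than code from the original article: force subcategory settings, apply a subcategory baseline with auditpol.exe, then read the effective policy back and compare it with the baseline so that a basic category setting, a GPO or a script that is overriding it shows up. It assumes an elevated session; the baseline is an illustrative set of subcategories, not one the article prescribes, and in a domain the registry value and subcategories would normally be delivered through Group Policy rather than set locally.

```powershell
# Added example (not from the original article). Forces advanced (subcategory)
# audit policy, applies a baseline with auditpol, and diffs the effective
# policy against that baseline. Run elevated. The baseline is illustrative.

# The Security Options setting "Audit: Force audit policy subcategory settings
# (Windows Vista or later) to override audit policy category settings" is
# stored as this DWORD; 1 = ignore the basic (category) settings.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Subcategory baseline (names exactly as auditpol expects them).
$baseline = @(
    @{ Name = 'Credential Validation';   Success = 'enable'; Failure = 'enable'  }
    @{ Name = 'Logon';                   Success = 'enable'; Failure = 'enable'  }
    @{ Name = 'Account Lockout';         Success = 'enable'; Failure = 'enable'  }
    @{ Name = 'Special Logon';           Success = 'enable'; Failure = 'disable' }
    @{ Name = 'Process Creation';        Success = 'enable'; Failure = 'disable' }
    @{ Name = 'Audit Policy Change';     Success = 'enable'; Failure = 'enable'  }
    @{ Name = 'Sensitive Privilege Use'; Success = 'enable'; Failure = 'enable'  }
)

function Set-AuditBaseline {
    param([hashtable[]] $Baseline)
    foreach ($s in $Baseline) {
        # PowerShell re-quotes arguments containing spaces, so the subcategory
        # name reaches auditpol as one argument.
        auditpol.exe /set "/subcategory:$($s.Name)" "/success:$($s.Success)" "/failure:$($s.Failure)" | Out-Null
    }
}

# "auditpol /get ... /r" emits CSV with the columns Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
function Get-EffectiveAuditPolicy {
    auditpol.exe /get '/category:*' /r |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting', 'Exclusion Setting'
}

function Test-AuditBaseline {
    param([hashtable[]] $Baseline)
    $effective = Get-EffectiveAuditPolicy
    foreach ($s in $Baseline) {
        $expected = switch ("$($s.Success)/$($s.Failure)") {
            'enable/enable'  { 'Success and Failure' }
            'enable/disable' { 'Success' }
            'disable/enable' { 'Failure' }
            default          { 'No Auditing' }
        }
        $row = $effective | Where-Object Subcategory -eq $s.Name
        [pscustomobject]@{
            Subcategory = $s.Name
            Expected    = $expected
            Actual      = $row.'Inclusion Setting'
            Compliant   = ($row.'Inclusion Setting' -eq $expected)
        }
    }
}

Set-AuditBaseline -Baseline $baseline
Test-AuditBaseline -Baseline $baseline | Format-Table -AutoSize
# Any row with Compliant = False means another source of policy (a GPO, a
# script, or a basic category setting still being applied) is winning.
```

Run Test-AuditBaseline on its own from a scheduled task to catch drift; a change to the policy itself is also recorded in the Security log as event 4719 when the Audit Policy Change subcategory is on, as in the baseline above.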
The following examples show how you can apply audit policies to an organization's OU structure:
Apply data activity settings to an OU that contains file servers. If your organization has servers that contain
sensitive data, consider putting them in a separate OU. Then you can configure and apply a more precise audit
policy to these servers.
Apply user activity audit policies to an OU that contains all computers in the organization. If your organization
places users in OUs by department, consider applying more-detailed security permissions on critical resources
that are accessed by employees who work in more-sensitive areas, such as network administrators or the legal
department.
Apply network and system activity audit policies to OUs that contain the organization's most critical servers,
such as domain controllers, CAs, email servers, or database servers.
IMPORTANT
Settings that are described in the reference might also provide valuable information about activity audited by another
setting. For example, the settings that you use to monitor user activity and network activity have obvious relevance to
protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network
status and potentially for how well you're managing the activities of users on the network.
NOTE
To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings
Registry (Global Object Access Auditing) or File System (Global Object Access Auditing).
Object Access\ Audit Handle Manipulation : This policy setting determines whether the operating
system generates audit events when a handle to an object is opened or closed. Only objects with configured
SACLs generate these events and only if the attempted handle operation matches the SACL.
Event volume can be high, depending on how the SACLs are configured. When used together with the
Audit File System or Audit Registry policy setting, the Audit Handle Manipulation policy setting can
provide useful "reason for access" audit data that details the precise permissions on which the audit event is
based. For example, if a file is configured as a read-only resource but a user tries to save changes to the file,
the audit event will log the event and the permissions that were used (or attempted to be used) to save the
file changes.
Global Object Access Auditing: Many organizations use security auditing to comply with regulatory
requirements that govern data security and privacy. But demonstrating that strict controls are being
enforced can be difficult. To address this issue, the supported versions of Windows include two Global
Object Access Auditing policy settings, one for the registry and one for the file system. When you
configure these settings, they apply a global system access control list (SACL) to all objects of that class on a
system, in addition to any SACL set on an individual object. These settings can't be overridden or circumvented
by editing a per-object SACL; they are changed only through audit policy (Group Policy or auditpol.exe).
IMPORTANT
The Global Object Access Auditing policy settings must be configured and applied in conjunction with the Audit
File System and Audit Registry audit policy settings in the Object Access category.
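The two settings just described, as an added example that is not code from the original article: it enables the Object Access subcategories that Global Object Access Auditing depends on, adds Audit Handle Manipulation so that events carry the "reason for access" data, sets a global file-system and registry SACL with auditpol.exe, and then reads the access reason out of the resulting events. It assumes an elevated session; the principal (Everyone) and the access masks are illustrative, and on a busy host this configuration produces a large event volume, so treat it as a test setup and remove it afterwards.

```powershell
# Added example (not from the original article). Global Object Access Auditing
# for files and registry keys, combined with the subcategories it depends on,
# and a reader for the Access Reasons data that Handle Manipulation adds.
# Run elevated. Principal and access masks are illustrative.

# Subcategories the global SACL depends on; Handle Manipulation populates the
# Access Reasons field of events 4656 (handle requested) and 4663.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Handle Manipulation" /success:enable /failure:enable

# Global SACLs. FW = FILE_GENERIC_WRITE, KW = KEY_WRITE, so every write attempt
# against any file or key is audited, whatever the per-object SACL says.
auditpol.exe /resourceSACL /set /type:File /user:Everyone /success /failure /access:FW
auditpol.exe /resourceSACL /set /type:Key  /user:Everyone /success /failure /access:KW
auditpol.exe /resourceSACL /view /type:File
auditpol.exe /resourceSACL /view /type:Key

# Pull recent handle requests and flatten the EventData into a hashtable so
# the reason and mask can be read without parsing the message text.
function Get-AccessReason {
    param([int] $MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $outcome = 'Success'
            if ($_.KeywordsDisplayNames -contains 'Audit Failure') { $outcome = 'Failure' }
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Outcome      = $outcome
                Subject      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                ObjectType   = $d.ObjectType
                Object       = $d.ObjectName
                Process      = $d.ProcessName
                AccessMask   = $d.AccessMask
                # Each entry names a requested right and the ACE that granted
                # or denied it, which is the "reason for access" the text describes.
                AccessReason = ($d.AccessReason -replace '\s+', ' ').Trim()
            }
        }
}

# Denied write attempts are usually the interesting ones on a read-only resource.
Get-AccessReason | Where-Object { $_.Outcome -eq 'Failure' } |
    Format-Table Time, Subject, ObjectType, Object, AccessMask, AccessReason -Wrap

# To back the global SACLs out after testing:
# auditpol.exe /resourceSACL /remove /type:File /user:Everyone
# auditpol.exe /resourceSACL /remove /type:Key  /user:Everyone
```

The /view output is the only place the global SACL is visible; it does not appear in the Auditing tab of any object's Properties dialog, which is why a reviewer checking whether a host is audited needs auditpol.exe as well as the per-object view.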
User activity
The settings in the previous section relate to activity involving the files, folders, and network shares that are stored
on a network. The settings in this section focus on the users who may try to access those resources, including
employees, partners, and customers.
In most cases, these attempts are legitimate, and the network needs to make data readily available to legitimate
users. But in other cases, employees, partners, and others may try to access resources that they have no legitimate
reason to access. You can use security auditing to track a variety of user activities on a particular computer to
diagnose and resolve problems for legitimate users and to identify and address illegitimate activities. The following
are important settings that you should evaluate to track user activity on your network:
Account Logon\ Audit Credential Validation : This setting enables you to track all successful and
unsuccessful logon attempts. A pattern of unsuccessful attempts may indicate that a user or application is
using credentials that are no longer valid. Or the user or app is trying to use a variety of credentials in
succession in hope that one of these attempts will eventually succeed. These events occur on the computer
that's authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local
accounts, the local computer is authoritative.
Detailed Tracking\Audit Process Creation and Detailed Tracking\Audit Process Termination:
These policy settings enable you to monitor the applications that a user opens and closes on a computer (events 4688
and 4689; the command line appears in 4688 only if the Include command line in process creation events policy is also enabled).
DS Access\Audit Directory Service Access and DS Access\Audit Directory Service Changes:
These policy settings provide a detailed audit trail of attempts to access, create, modify, delete, move, or
undelete objects in Active Directory Domain Services (AD DS). By default, only domain administrators have
permissions to modify AD DS objects, so it's important to identify malicious attempts to modify these
objects. Also, although domain administrators should be among an organization's most trusted employees,
the use of the Audit Directory Service Access and Audit Directory Service Changes settings enables
you to monitor and verify that only approved changes are made to AD DS. These audit events are logged
only on domain controllers.
Logon/Logoff\ Audit Account Lockout : Another common security scenario occurs when a user attempts
to log on with an account that's been locked out. It's important to identify these events and to determine
whether the attempt to use an account that was locked out is malicious.
Logon/Logoff\ Audit Logoff and Logon/Logoff\ Audit Logon : Logon and logoff events are essential to
tracking user activity and detecting potential attacks. Logon events are related to the creation of logon
sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated
on the computer that was logged on to. For network logon, such as accessing a shared resource, events are
generated on the computer that hosts the resource that was accessed. Logoff events are generated when
logon sessions are terminated.
NOTE
There's no failure event for logoff activity, because failed logoffs (such as when a system abruptly shuts down) don't
generate an audit record. Logoff events aren't 100-percent reliable. For example, a computer can be turned off
without a proper logoff and shut down, so a logoff event isn't generated.
Logon/Logoff\ Audit Special Logon : A special logon has administrator-equivalent rights and can be used
to elevate a process to a higher level. It's recommended to track these types of logons.
Object Access\Audit Certification Services: This policy setting enables you to monitor activities on a
computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only
authorized users do these tasks and only authorized or desirable tasks are done.
Object Access\ Audit File System and Object Access\ Audit File Share : These policy settings are
described in the previous section.
Object Access\ Audit Handle Manipulation : This policy setting and its role in providing "reason for
access" audit data is described in the previous section.
Object Access\Audit Registry: Monitoring for changes to the registry is one of the best ways for
administrators to ensure that malicious users don't make changes to essential computer settings. Audit
events are only generated for objects that have configured SACLs and only if the type of access that's
requested, such as write, read, or modify, and the account making the request match the settings in the
SACL.
IMPORTANT
On critical systems where all attempts to change registry settings should be tracked, you can combine the Audit
Registry and Global Object Access Auditing policy settings to track all attempts to modify registry settings on a
computer.
Object Access\ Audit SAM : The Security Accounts Manager (SAM) is a database on computers running
Windows that stores user accounts and security descriptors for users on the local computer. Changes to
user and group objects are tracked by the Account Management audit category. However, user accounts
with the proper user rights could potentially alter the files where the account and password information is
stored in the system, bypassing any Account Management events.
Privilege Use\ Audit Sensitive Privilege Use : These policy settings and audit events enable you to track
the use of certain rights on one or more systems. If you configure this policy setting, an audit event is
generated when sensitive rights requests are made.
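The check that the Audit Credential Validation and Audit Account Lockout items describe (a pattern of unsuccessful attempts, and attempts against a locked-out account), as an added example that is not code from the original article. It groups authentication failures by the source computer to separate one workstation trying many accounts (password spraying) from many attempts against a single account (brute force), and reports lockouts alongside them. The event sample is constructed inline so the logic runs offline; Get-AuthFailureEvents shows the live query in the same shape. Thresholds, host names and account names are illustrative.

```powershell
# Added example (not from the original article). Detection over credential
# validation, logon failure and lockout events. The $sample data is constructed
# for this example; thresholds, hosts and accounts are illustrative.

# 4776 = credential validation (NTLM; logged on the computer authoritative for
# the account, i.e. the DC for domain accounts), 4625 = failed logon (logged on
# the computer that was logged on to), 4740 = account locked out. Status holds
# the NTSTATUS code those events carry: 0xC000006A = wrong password,
# 0xC0000064 = no such user, 0xC0000234 = account locked out.
function New-AuthEvent([datetime] $Time, [int] $Id, [string] $Account, [string] $Source, [string] $Status) {
    [pscustomobject]@{ Time = $Time; Id = $Id; Account = $Account; Source = $Source; Status = $Status }
}

$sample = @(
    # WS-17 tries six different accounts once each within a few seconds.
    New-AuthEvent '2020-03-25T09:00:01' 4776 'alice'   'WS-17' '0xC000006A'
    New-AuthEvent '2020-03-25T09:00:03' 4776 'bob'     'WS-17' '0xC000006A'
    New-AuthEvent '2020-03-25T09:00:05' 4776 'carol'   'WS-17' '0xC000006A'
    New-AuthEvent '2020-03-25T09:00:07' 4776 'dave'    'WS-17' '0xC0000064'
    New-AuthEvent '2020-03-25T09:00:09' 4776 'erin'    'WS-17' '0xC000006A'
    New-AuthEvent '2020-03-25T09:00:11' 4776 'frank'   'WS-17' '0xC000006A'
    # WS-42 hammers one service account until it locks out.
    New-AuthEvent '2020-03-25T09:10:00' 4625 'svc-bak' 'WS-42' '0xC000006A'
    New-AuthEvent '2020-03-25T09:10:02' 4625 'svc-bak' 'WS-42' '0xC000006A'
    New-AuthEvent '2020-03-25T09:10:04' 4625 'svc-bak' 'WS-42' '0xC000006A'
    New-AuthEvent '2020-03-25T09:10:06' 4625 'svc-bak' 'WS-42' '0xC000006A'
    New-AuthEvent '2020-03-25T09:10:08' 4625 'svc-bak' 'WS-42' '0xC000006A'
    New-AuthEvent '2020-03-25T09:10:10' 4625 'svc-bak' 'WS-42' '0xC0000234'
    New-AuthEvent '2020-03-25T09:10:10' 4740 'svc-bak' 'WS-42' 'locked'
    # One mistyped password: benign noise the thresholds must ignore.
    New-AuthEvent '2020-03-25T09:15:00' 4625 'grace'   'WS-03' '0xC000006A'
)

function Find-SuspiciousAuthFailures {
    param(
        [object[]] $Events,
        [int]      $SprayAccounts      = 5,                    # distinct accounts from one source
        [int]      $BruteForceAttempts = 5,                    # failures against one account from one source
        [timespan] $Window             = (New-TimeSpan -Minutes 10)
    )
    $failures = $Events | Where-Object { ($_.Id -in 4776, 4625) -and ($_.Status -ne '0x0') }
    foreach ($src in ($failures | Group-Object Source)) {
        $sorted   = @($src.Group | Sort-Object Time)
        $cutoff   = $sorted[-1].Time - $Window          # look back one window from the latest failure
        $recent   = @($sorted | Where-Object { $_.Time -ge $cutoff })
        $distinct = @($recent | Select-Object -ExpandProperty Account -Unique).Count
        if ($distinct -ge $SprayAccounts) {
            [pscustomobject]@{ Pattern = 'PasswordSpray'; Source = $src.Name; Account = '(multiple)'; Accounts = $distinct; Failures = $recent.Count }
        }
        foreach ($acct in ($recent | Group-Object Account)) {
            if ($acct.Count -ge $BruteForceAttempts) {
                [pscustomobject]@{ Pattern = 'BruteForce'; Source = $src.Name; Account = $acct.Name; Accounts = 1; Failures = $acct.Count }
            }
        }
    }
    # Lockouts are rare enough to report one by one, with the caller computer.
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4740 })) {
        [pscustomobject]@{ Pattern = 'Lockout'; Source = $e.Source; Account = $e.Account; Accounts = 1; Failures = 0 }
    }
}

# Live data in the same shape. Read 4776 on the domain controller and 4625 on
# the machine that was logged on to; 4740 is logged on the DC for domain accounts.
function Get-AuthFailureEvents([datetime] $Since = (Get-Date).AddHours(-24)) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776, 4625, 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = $_; $d = @{}          # capture $_ first: inside switch, $_ is the switch value
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            switch ($e.Id) {
                4776 { New-AuthEvent $e.TimeCreated 4776 $d.TargetUserName $d.Workstation     $d.Status }
                4625 { New-AuthEvent $e.TimeCreated 4625 $d.TargetUserName $d.WorkstationName $d.SubStatus }
                4740 { New-AuthEvent $e.TimeCreated 4740 $d.TargetUserName $d.TargetDomainName 'locked' }
            }
        }
}

Find-SuspiciousAuthFailures -Events $sample | Format-Table -AutoSize
# Find-SuspiciousAuthFailures -Events (Get-AuthFailureEvents) | Format-Table -AutoSize
```

The sample is built so that the WS-17 run trips only the spray rule (six accounts, one failure each), the WS-42 run trips only the brute-force rule (one account, six failures) and is then confirmed by the 4740 lockout, and the single failure from WS-03 is below both thresholds. Kerberos-authenticated domain logons do not produce 4776; for those, feed the same function with 4771 (pre-authentication failure) events from the DC, using the Client Address field as the source.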
Network activity
The following network activity policy settings enable you to monitor security-related issues that aren't necessarily
covered in the data or user-activity categories but that can be important for network status and protection.
Account Management : Use the policy settings in this category to track attempts to create, delete, or
modify user or computer accounts, security groups, or distribution groups. Monitoring these activities
complements the monitoring strategies you select in the User activity and Data and resource activity
sections.
Account Logon\ Audit Kerberos Authentication Service and Account Logon\ Audit Kerberos
Service Ticket Operations : Audit policy settings in the Account Logon category monitor activities that
relate to the use of domain account credentials. These policy settings complement the policy settings in the
Logon/Logoff category. The Audit Kerberos Authentication Service policy setting enables you to
monitor the status of and potential threats to the Kerberos service. The Audit Kerberos Service Ticket
Operations policy setting enables you to monitor the use of Kerberos service tickets.
NOTE
Account Logon policy settings apply only to specific domain account activities, regardless of which computer is
accessed. Logon/Logoff policy settings apply to the computer that hosts the resources that are accessed.
Account Logon\ Audit Other Account Logon Events : This policy setting can be used to track various
network activities, including attempts to create Remote Desktop connections, wired network connections,
and wireless connections.
DS Access : Policy settings in this category enable you to monitor AD DS role services. These services
provide account data, validate logons, maintain network access permissions, and provide other functionality
that's critical to secure and proper functioning of a network. Therefore, auditing the rights to access and
modify the configuration of a domain controller can help an organization maintain a secure and reliable
network. One of the key tasks that AD DS performs is replication of data between domain controllers.
Logon/Logoff\ Audit IPsec Extended Mode , Logon/Logoff\ Audit IPsec Main Mode , and
Logon/Logoff\ Audit IPsec Quick Mode : Networks often support many external users, including remote
employees and partners. Because these users are outside the organization's network boundaries, IPsec is
often used to help protect communications over the internet. It enables network-level peer authentication,
data origin authentication, data integrity checks, data confidentiality (encryption), and protection against
replay attacks. You can use these settings to ensure that IPsec services are functioning properly.
Logon/Logoff\ Audit Network Policy Server : Organizations that use RADIUS (IAS) and Network Access
Protection (NAP) to set and maintain security requirements for external users can use this policy setting to
monitor the effectiveness of these policies and to determine whether anyone is trying to circumvent these
protections.
Policy Change : These policy settings and events enable you to track changes to important security policies
on a local computer or network. Because policies are typically established by administrators to help secure
network resources, monitoring any changes or attempted changes to these policies can be an important
aspect of security management for a network.
Policy Change\ Audit Audit Policy Change : This policy setting allows you to monitor changes to the
audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable
essential security audit policy settings so that their other activities on the network can't be detected.
Policy Change\ Audit Filtering Platform Policy Change : This policy setting can be used to monitor a
variety of changes to an organization's IPsec policies.
Policy Change\ Audit MPSSVC Rule-Level Policy Change : This policy setting determines if the
operating system generates audit events when changes are made to policy rules for the Microsoft
Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are
important for understanding the security state of the computer and how well it's protected against network
attacks.
Confirm operating system version compatibility
Not all versions of Windows support advanced audit policy settings or the use of Group Policy to manage these
settings. For more information, see Which editions of Windows support advanced audit policy configuration.
The audit policy settings under Local Policies\Audit Policy overlap with the audit policy settings under Security
Settings\Advanced Audit Policy Configuration. However, the advanced audit policy categories and
subcategories enable you to focus your auditing efforts on critical activities while reducing the amount of audit
data that's less important to your organization.
For example, Local Policies\Audit Policy contains a single setting called Audit account logon events. When
this setting is configured, it generates at least 10 types of audit events.
In comparison, the Account Logon category under Security Settings\Advanced Audit Policy Configuration
provides the following advanced settings, which allow you to focus your auditing:
Credential Validation
Kerberos Authentication Service
Kerberos Service Ticket Operations
Other Account Logon Events
These settings enable you to exercise much tighter control over which activities or events generate event data.
Some activities and events will be more important to your organization, so define the scope of your security audit
policy as narrowly as possible.
Success, failure, or both
Whichever event settings you include in your plan, you also have to decide whether you want to log an event when
the activity fails or succeeds or both successes and failures. This is an important question. The answer depends on
the criticality of the event and the implications of the decision for event volume.
For example, on a file server that's accessed frequently by legitimate users, you may want to log an event only
when an unsuccessful attempt to access data takes place, because this could be evidence of an unauthorized or
malicious user. In this case, logging successful attempts to access the server would quickly fill the event log with
benign events.
But if the file share has sensitive information, such as trade secrets, you may want to log every access attempt so
that you have an audit trail of every user who tries to access the resource.
Applies to
Windows 10
This topic for the IT professional lists questions and answers about understanding, deploying, and managing
security audit policies.
What is Windows security auditing and why might I want to use it?
What is the difference between audit policies located in Local Policies\Audit Policy and audit policies located in
Advanced Audit Policy Configuration?
What is the interaction between basic audit policy settings and advanced audit policy settings?
How are audit settings merged by Group Policy?
What is the difference between an object DACL and an object SACL?
Why are audit policies applied on a per-computer basis rather than per user?
What are the differences in auditing functionality between versions of Windows?
Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000
Server?
What is the difference between success and failure events? Is something wrong if I get a failure audit?
How can I set an audit policy that affects all objects on a computer?
How do I figure out why someone was able to access a resource?
How do I know when changes are made to access control settings, by whom, and what the changes were?
How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
How can I monitor if changes are made to audit policy settings?
How can I minimize the number of events that are generated?
What are the best tools to model and manage audit policy?
Where can I find information about all the possible events that I might receive?
Where can I find more detailed information?
What is Windows security auditing and why might I want to use it?
Security auditing is a methodical examination and review of activities that may affect the security of a system. In
the Windows operating systems, security auditing is more narrowly defined as the features and services that
enable an administrator to log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks.
Monitoring these events can provide valuable information to help administrators troubleshoot and investigate
security-related activities.
Important: Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not
use both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under
Security Settings\Advanced Audit Policy Configuration. Using both advanced and basic audit policy
settings can cause unexpected results in audit reporting.
If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be
sure to enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override
audit policy category settings policy setting under Local Policies\Security Options. This will prevent
conflicts between similar settings by forcing basic security auditing to be ignored.
Why are audit policies applied on a per-computer basis rather than per
user?
In security auditing in Windows, the computer, objects on the computer, and related resources are the primary
recipients of actions by clients including applications, other computers, and users. In a security breach, malicious
users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users
to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer
and the objects and resources on that computer.
In addition, because audit policy capabilities can vary between computers running different versions of Windows,
the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of
the user.
However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish this
by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users
you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This can
audit attempts by members of the Payroll Processors OU to delete objects from this folder. The Object
Access\Audit File System audit policy setting applies to Accounting Server 1, but because it requires a
corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder
generate audit events.
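The Payroll Data scenario above, as an added PowerShell example that is not part of the original article. It assumes the folder D:\Payroll Data on the file server and a security group CONTOSO\Payroll Processors (a SACL entry names a security principal, so a group, not an OU, is what the entry refers to); the subcategory and .NET type names are the real ones.

```powershell
# Added example, not from the original article. Assumed values: the folder
# D:\Payroll Data on Accounting Server 1 and the group CONTOSO\Payroll Processors.
# Run from an elevated prompt: reading or writing a SACL needs SeSecurityPrivilege.

$folder = 'D:\Payroll Data'
$group  = 'CONTOSO\Payroll Processors'

# 1. The subcategory is the switch. Without it no SACL on this server produces
#    events; with it, only objects that actually carry a SACL do.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Build one SACL entry: audit successful and failed delete attempts by members
#    of the group, inherited by every file and subfolder below the folder.
$rights  = [System.Security.AccessControl.FileSystemRights] 'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
$rule    = [System.Security.AccessControl.FileSystemAuditRule]::new($group, $rights, $inherit, $prop, $flags)

# 3. Get-Acl returns the SACL only when -Audit is given; add the entry and write it back.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Show the audit entries now on the folder so the change can be checked.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Deletions by anyone outside the group are still not audited, because the only SACL entry names that group; that is the "only the users you specify" behaviour the paragraph describes.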
How can I set an audit policy that affects all objects on a computer?
System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a
system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing
are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have
to check every object to be sure that no changes, even temporary ones, have been made to any single SACL. Introduced
in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access
auditing policies for the entire file system or for the registry on a computer. The specified SACL is then
automatically applied to every object of that type. This can be useful for verifying that all critical files, folders, and
registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a
file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object
access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or
folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity
matches either the file or folder SACL or the global object access auditing policy.
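The two decisions discussed above, success versus failure per subcategory and a global object access SACL that applies to every file and registry key, as an added example that is not part of the original article. The choices (failures only on a busy file server, failed writes everywhere) are illustrative; the auditpol switches, subcategory names and resource types are the built-in ones.

```powershell
# Added example, not from the original article. Run from an elevated prompt on
# the computer whose policy you are setting. The specific choices are illustrative.

# Busy file server holding ordinary data: log failed access only, so the Security
# log is not flooded with benign successful reads (see "Success, failure, or both").
auditpol /set /subcategory:"File System" /success:disable /failure:enable

# Registry changes matter on every system: log both outcomes.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Global Object Access Auditing: one SACL that the system applies to every file
# (and, separately, every registry key) on this computer, combined with whatever
# per-object SACL each object already has. Here: failed write attempts (FW) by
# anyone. No per-object SACL has to be checked for this to be in force.
auditpol /resourceSACL /set /type:File /user:Everyone /failure /access:FW
auditpol /resourceSACL /set /type:Key  /user:Everyone /failure /access:FW

# Verify what is in force: the subcategory settings, then the global SACLs.
auditpol /get /category:"Object Access"
auditpol /resourceSACL /view /type:File
auditpol /resourceSACL /view /type:Key
```

A failed write on a file with no SACL of its own now produces an event because the global SACL matches it; a file whose own SACL audits successful reads keeps producing those events too, since the effective SACL is the combination of both.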
How can I roll back security audit policies from the advanced audit
policy to the basic audit policy?
Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you
subsequently change the advanced audit policy setting to Not configured, you need to complete the following
steps to restore the original basic security audit policy settings:
1. Set all Advanced Audit Policy subcategories to Not configured.
2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller.
3. Reconfigure and apply the basic audit policy settings.
Unless you complete all of these steps, the basic audit policy settings will not be restored.
What are the best tools to model and manage audit policies?
The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and
Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in
an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be
used to plan and deploy security audit policies. On an individual computer, the Auditpol command-line tool can be
used to complete a number of important audit policy–related management tasks.
In addition, there are a number of computer management products, such as the Audit Collection Services in the
Microsoft System Center Operations Manager products, which can be used to collect and filter event data.
Where can I find information about all the possible events that I might
receive?
Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit
events that are stored there (which can quickly number in the thousands) and by the structured information that is
included for each audit event. Additional information about these events, and the settings used to generate them,
can be obtained from the following resources:
Windows 8 and Windows Server 2012 Security Event Details
Security Audit Events for Windows 7 and Windows Server 2008 R2
Security Audit Events for Windows Server 2008 and Windows Vista
Advanced security audit policy settings
Applies to
Windows 10
Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows
Vista. There is no difference in security auditing support between 32-bit and 64-bit versions. Windows editions that
cannot join a domain, such as Windows 10 Home edition, do not have access to these features.
How to get a list of XML data name elements in
EventData
5/31/2019
Applies to
Windows 10
The Security log uses a manifest where you can get all of the event schema.
Run the following from an elevated PowerShell prompt:
The .events property is a collection of all of the events listed in the manifest on the local machine.
For each event, there is a .Template property for the XML template used for the event properties (if there are any).
For example:
PS C:\WINDOWS\system32> $SecEvents.events[100]

Id       : 4734
Version  : 0
LogLink  : System.Diagnostics.Eventing.Reader.EventLogLink
Level    : System.Diagnostics.Eventing.Reader.EventLevel
Opcode   : System.Diagnostics.Eventing.Reader.EventOpcode
Task     : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
             <data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
             <data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
             <data name="TargetSid" inType="win:SID" outType="xs:string"/>
             <data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
             <data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
             <data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
             <data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
             <data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
           </template>

           Subject:
               Security ID:    %4
               Account Name:   %5
               Account Domain: %6
               Logon ID:       %7

           Group:
               Security ID:    %3
               Group Name:     %1
               Group Domain:   %2

           Additional Information:
               Privileges:     %8

PS C:\WINDOWS\system32> $SecEvents.events[100].Template

<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
  <data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
  <data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
  <data name="TargetSid" inType="win:SID" outType="xs:string"/>
  <data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
  <data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
  <data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
  <data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
  <data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>
For the Subject: Security ID: text element, it will use the fourth element in the Template, SubjectUserSid.
For Additional Information: Privileges:, it would use the eighth element, PrivilegeList.
A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the
revision of the event schema and description. Most events have only one version (all such events have Version = 0,
like the Security/4734 example), but a few events, such as Security/4624 or Security/4688, have at least three
versions (0, 1, and 2) depending on the OS version where the event is generated. Only the latest version is used for
generating events in the Security log. In any case, the Template and the Description must be taken from the same
Event Version.
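The mapping done by hand for 4734 above, automated for any event ID, as an added PowerShell example that is not part of the original article. It reads the Security-Auditing provider manifest with the real Get-WinEvent -ListProvider cmdlet and picks the highest Version of the event, so that Template and Description come from the same schema revision; the function name is ours.

```powershell
# Added example, not from the original article. Maps each "%N" placeholder in an
# event's Description to the <data name="..."> element at position N in its Template.
# Requires only the local provider manifest, so it works offline on any Windows host.
function Get-SecurityEventFieldMap {
    param([Parameter(Mandatory)][int]$EventId)

    $provider = Get-WinEvent -ListProvider 'Microsoft-Windows-Security-Auditing'

    # Events such as 4624 or 4688 exist in several schema versions. The Security log
    # is written with the latest one, so take Template and Description from the
    # highest Version rather than from whichever entry happens to come first.
    $evt = $provider.Events |
        Where-Object { $_.Id -eq $EventId } |
        Sort-Object Version -Descending |
        Select-Object -First 1
    if (-not $evt)          { throw "Event $EventId is not in the manifest" }
    if (-not $evt.Template) { return }   # events with no EventData carry no template

    # Positional list of data names: %1 is index 0, %4 is index 3, and so on.
    [xml]$template = $evt.Template
    $names = @($template.template.data | ForEach-Object { $_.name })

    $section = ''
    foreach ($line in ($evt.Description -split "`r?`n")) {
        if ($line -match '^\s*(?<label>[^:%]+):\s*$') {
            # Heading line such as "Subject:" or "Additional Information:"
            $section = $Matches['label'].Trim()
        }
        elseif ($line -match '^\s*(?<label>[^:%]+):\s*%(?<n>\d+)\s*$') {
            # Field line such as "Security ID: %4"
            $idx  = [int]$Matches['n'] - 1
            $name = if ($idx -lt $names.Count) { $names[$idx] } else { '<out of range>' }
            [pscustomobject]@{
                Section     = $section
                Label       = $Matches['label'].Trim()
                Placeholder = '%' + $Matches['n']
                DataName    = $name
                Version     = $evt.Version
            }
        }
    }
}

# For 4734 this lists, among others, Subject / Security ID / %4 / SubjectUserSid
# and Additional Information / Privileges / %8 / PrivilegeList.
Get-SecurityEventFieldMap -EventId 4734 | Format-Table -AutoSize
```

Running it for 4624 or 4688 shows the Version column at its highest value and the longer data-name list of that revision, which is the caveat the section ends on.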
Using advanced security auditing options to monitor
dynamic access control objects
1/3/2020
Applies to
Windows 10
This guide explains the process of setting up advanced security auditing capabilities that are made possible
through settings and events that were introduced in Windows 8 and Windows Server 2012.
These procedures can be deployed with the advanced security auditing capabilities described in Deploy Security
Auditing with Central Audit Policies (Demonstration Steps).
In this guide
Domain administrators can create and deploy expression-based security audit policies by using file classification
information (resource attributes), user claims, and device claims to target specific users and resources to monitor
potentially significant activities on one or more computers. These policies can be deployed centrally by using
Group Policy, or directly on a computer, in a folder, or in individual files.
In this section
Topic: Description
Monitor the central access policies that apply on a file server: This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management.
Monitor the use of removable storage devices: This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects.
Monitor resource attribute definitions: This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.
Monitor central access policy and rule definitions: This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.
Monitor user and device claims during sign-in: This topic for the IT professional describes how to monitor user and device claims that are associated with a user's security token when you are using advanced security auditing options to monitor dynamic access control objects.
Monitor the resource attributes on files and folders: This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects.
Monitor the central access policies associated with files and folders: This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects.
Monitor claim types: This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.
Important: This procedure can be configured on computers running any of the supported Windows
operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic
access control deployment.
Related topics
Security auditing
Monitor the central access policies that apply on a file
server
2/6/2020
Applies to
Windows 10
This article describes how to monitor changes to the central access policies (CAPs) that apply to a file server when
using advanced security auditing options to monitor dynamic access control objects. CAPs are created on a domain
controller and then applied to file servers through Group Policy management.
Use the following procedures to configure and verify security auditing settings that are used to monitor changes to
the set of CAPs on a file server. The following procedures assume that you have configured and deployed dynamic
access control, including CAPs and claims, in your network. If you have not yet deployed dynamic access control in
your network, see Deploy a Central Access Policy (Demonstration Steps).
To configure settings to monitor changes to central access policies
1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools, and then select Group Policy Management.
3. In the console tree, select the flexible access Group Policy Object, and then select Edit.
4. Select Computer Configuration > Security Settings > Advanced Audit Policy Configuration > Policy
Change > Other Policy Change Events.
NOTE
This policy setting monitors policy changes that might not be captured otherwise, such as CAP changes or trusted platform
module configuration changes.
5. Select the Configure the following audit events check box, select the Success check box (and the Failure
check box, if desired), and then select OK.
After you modify the CAPs on the domain controller, verify that the changes have been applied to the file server
and that the proper events are logged.
To verify changes to the central access policies
1. Sign in to your domain controller by using domain administrator credentials.
2. Open the Group Policy Management Console.
3. Select Default domain policy, and then select Edit.
4. Select Computer Configuration > Policies, and then select Windows Settings.
5. Select Security Settings > File system, and then select Manage CAPs.
6. In the wizard that appears, follow the instructions to add a new CAP, and then select OK.
7. Use local administrator credentials to sign in to the server that hosts resources that are subject to the CAPs you
changed.
8. Select the Windows logo key+R, and then type cmd to open a command prompt window.
NOTE
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then select Yes.
9. Type gpupdate /force, and then select the Enter key.
10. In Server Manager, select Tools, and then select Event Viewer.
11. Expand Windows Logs, and then select Security. Verify that event 4819 appears in the security log.
Related resources
Using advanced security auditing options to monitor dynamic access control objects
Monitor the use of removable storage devices
1/2/2020
Applies to
Windows 10
This topic for the IT professional describes how to monitor attempts to use removable storage devices to access
network resources. It describes how to use advanced security auditing options to monitor dynamic access control
objects.
If you configure this policy setting, an audit event is generated each time a user attempts to copy, move, or save a
resource to a removable storage device.
Use the following procedures to monitor the use of removable storage devices and to verify that the devices are
being monitored.
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
Note: If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Yes.
Note: We do not recommend that you enable this category on a file server that hosts file shares on a
removable storage device. When Removable Storage Auditing is configured, any attempt to access the
removable storage device will generate an audit event.
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor resource attribute definitions
1/2/2020
Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are
using advanced security auditing options to monitor dynamic access control objects. Resource attribute definitions
define the basic properties of resource attributes, such as what it means for a resource to be defined as “high
business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container.
Changes to these definitions could significantly change the protections that govern a resource, even if the resource
attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object.
For information about monitoring changes to the resource attributes that apply to files, see Monitor the resource
attributes on files and folders.
Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS
and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access
Control, including central access policies, claims, and other components, in your network. If you have not yet
deployed Dynamic Access Control in your network, see Deploy a Central Access Policy (Demonstration Steps).
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
Monitor central access policy and rule definitions
Applies to
Windows 10
This article for IT professionals describes how to monitor changes to central access policy and central access rule
definitions when you use advanced security auditing options to monitor dynamic access control objects.
Central access policies and rules determine access permissions for files on multiple file servers, so it's important to
monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions
reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active
Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They are stored in
AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for
potential changes in security auditing and to verify that policies are being enforced.
Follow the procedures in this article to configure settings to monitor changes to central access policy and central
access rule definitions and to verify the changes. These procedures assume that you've configured and deployed
Dynamic Access Control, including central access policies, claims, and other components, in your network. If you
haven't yet deployed Dynamic Access Control in your network, see Deploy a Central Access Policy (demonstration
steps).
NOTE
Your server might function differently based on the version and edition of the operating system that is installed, your account
permissions, and your menu settings.
Configure settings to monitor central access policy and rule definition changes
1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools and select Group Policy Management.
3. In the console tree, right-click the default domain controller Group Policy Object, and then select Edit.
4. Double-click Computer Configuration and select Security Settings. Expand Advanced Audit Policy
Configuration and System Audit Policies, select DS Access, and then double-click Audit directory
service changes.
5. Select the Configure the following audit events and Success check boxes (and the Failure check box, if
you want). Then select OK.
6. Close the Group Policy Management Editor.
7. Open the Active Directory Administrative Center.
8. Under Dynamic Access Control, right-click Central Access Policies, and then select Properties.
9. Select the Security tab, select Advanced to open the Advanced Security Settings dialog box, and then select
the Auditing tab.
10. Select Add, add a security auditing setting for the container, and then close all the security properties dialog
boxes.
After you configure settings to monitor changes to central access policy and central access rule definitions, verify
that the changes are being monitored.
Verify that central access policy and rule definition changes are monitored
1. Sign in to your domain controller by using domain administrator credentials.
2. Open the Active Directory Administrative Center.
3. Under Dynamic Access Control, right-click Central Access Policies, and then select Properties.
4. Select the Security tab, select Advanced to open the Advanced Security Settings dialog box, and then select
the Auditing tab.
5. Select Add, add a security auditing setting for the container, and then close all security properties dialog boxes.
6. In the Central Access Policies container, add a new central access policy (or select one that already exists).
Select Properties in the Tasks pane, and then change one or more attributes.
7. Select OK, and then close the Active Directory Administrative Center.
8. In Server Manager, select Tools and then Event Viewer.
9. Expand Windows Logs, and then select Security. Verify that event 4819 appears in the security log.
Related topics
Using advanced security auditing options to monitor dynamic access control objects
Monitor user and device claims during sign-in
1/2/2020
Applies to
Windows 10
This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s
security token when you are using advanced security auditing options to monitor dynamic access control objects.
Device claims are associated with the system that is used to access resources that are protected with Dynamic
Access Control. User claims are attributes that are associated with a user. User claims and device claims are
included in the user’s security token used at sign-on. For example, information about Department, Company,
Project, or Security clearances might be included in the token.
Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and
to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control,
including central access policies, claims, and other components, in your network. If you have not yet deployed
Dynamic Access Control in your network, see Deploy a Central Access Policy (Demonstration Steps).
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
3. From a client computer, connect to a file share on the file server as a user who has access permissions to the
file server.
4. On the file server, open Event Viewer, expand Windows Logs , and select the Security log. Look for event
4626, and confirm that it contains information about user claims and device claims.
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor the resource attributes on files and folders
1/3/2020 • 2 minutes to read
Applies to
Windows 10
This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes
on files when you are using advanced security auditing options to monitor dynamic access control objects.
If your organization has a carefully thought out authorization configuration for resources, changes to these
resource attributes can create potential security risks. Examples include:
Changing files that have been marked as high business value to low business value.
Changing the Retention attribute of files that have been marked for retention.
Changing the Department attribute of files that are marked as belonging to a particular department.
Use the following procedures to configure settings to monitor changes to resource attributes on files and folders.
These procedures assume that you have configured and deployed central access policies in your network. For more
information about how to configure and deploy central access policies, see Dynamic Access Control: Scenario
Overview .
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
Monitor the central access policies associated with files and folders
Applies to
Windows 10
This article for IT professionals describes how to monitor changes to the central access policies that are associated
with files and folders when you're using advanced security auditing options to monitor dynamic access control
objects.
This security audit policy and the event that it records are generated when the central access policy that's associated
with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential
changes on some, but not all, files and folders on a file server.
For information about monitoring potential central access policy changes for an entire file server, see Monitor the
central access policies that apply on a file server.
Use the following procedures to configure settings to monitor central access policies that are associated with files.
These procedures assume that you have configured and deployed Dynamic Access Control in your network. For
more information about how to configure and deploy Dynamic Access Control, see Dynamic Access Control:
Scenario Overview.
NOTE
Your server might function differently based on the version and edition of the operating system that is installed, your account
permissions, and your menu settings.
To configure settings to monitor central access policies associated with files or folders
1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools , and then select Group Policy Management .
3. In the console tree, right-click the flexible access Group Policy Object, and then select Edit .
4. Double-click Computer Configuration , double-click Security Settings , double-click Advanced Audit
Policy Configuration , double-click Policy Change , and then double-click Audit Authorization Policy
Change .
5. Select the Configure the following audit events check box, select the Success check box (and the Failure
check box, if desired), and then select OK .
6. Turn on auditing for a file or folder as described in the following procedure.
To turn on auditing for a file or folder
1. Sign in as a member of the local administrator's group on the computer that contains the files or folders that
you want to audit.
2. Right-click the file or folder, select Properties, and then select the Security tab.
3. Select Advanced , select the Auditing tab, and then select Continue .
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then
select Yes .
4. Select Add , select Select a principal , type a user name or group name in the format contoso\user1 , and
then select OK .
5. In the Auditing Entry for dialog box, select the permissions that you want to audit, such as Full Control
or Delete .
6. To complete the configuration of the object SACL, select OK four times.
7. Open a File Explorer window, and then select or create a file or folder to audit.
8. Open an elevated command prompt, and then run the following command:
gpupdate /force
After you configure settings to monitor changes to the central access policies that are associated with files and
folders, verify that the changes are being monitored.
To verify that changes to central access policies associated with files and folders are monitored
1. Sign in as a member of the local administrator's group on the computer that contains the files or folders that
you want to audit.
2. Open a File Explorer window, and then select the file or folder that you configured for auditing in the
previous procedure.
3. Right-click the file or folder, select Properties, select the Security tab, and then select Advanced.
4. Select the Central Policy tab, select Change , select a different central access policy (if one is available) or
select No Central Access Policy , and then select OK twice.
NOTE
You must select a setting that is different than your original setting to generate the audit event.
Monitor claim types
Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic
access control when you are using advanced security auditing options.
Claim types are one of the basic building blocks of Dynamic Access Control. Claim types can include attributes such
as the departments in an organization or the levels of security clearance that apply to classes of users. You can use
security auditing to track whether claims are added, modified, enabled, disabled, or deleted.
Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures
assume that you have configured and deployed Dynamic Access Control, including central access policies, claims,
and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see
Deploy a Central Access Policy (Demonstration Steps).
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
Advanced security audit policy settings
Applies to
Windows 10
This reference for IT professionals provides information about the advanced audit policy settings that are
available in Windows and the audit events that they generate.
The security audit policy settings under Security Settings\Advanced Audit Policy Configuration can help
your organization audit compliance with important business-related and security-related rules by tracking
precisely defined activities, such as:
A group administrator has modified settings or data on servers that contain finance information.
An employee within a defined group has accessed an important file.
The correct system access control list (SACL) is applied to every file and folder or registry key on a computer
or file share as a verifiable safeguard against undetected access.
You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local
computer or by using Group Policy.
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can
exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive
number of log entries. In addition, because security audit policies can be applied by using domain Group Policy
Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative
simplicity. Audit policy settings under Security Settings\Advanced Audit Policy Configuration are available
in the following categories:
Account Logon
Configuring policy settings in this category can help you document attempts to authenticate account data on a
domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and
events, which track attempts to access a particular computer, settings and events in this category focus on the
account database that is used. This category includes the following subcategories:
Audit Credential Validation
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer accounts
and groups. This category includes the following subcategories:
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Detailed Tracking
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual
applications and users on that computer, and to understand how a computer is being used. This category includes
the following subcategories:
Audit DPAPI Activity
Audit PNP activity
Audit Process Creation
Audit Process Termination
Audit RPC Events
Audit Token Right Adjusted
DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in
Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This
category includes the following subcategories:
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Logon/Logoff
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer
interactively or over a network. These events are particularly useful for tracking user activity and identifying
potential attacks on network resources. This category includes the following subcategories:
Audit Account Lockout
Audit User/Device Claims
Audit IPsec Extended Mode
Audit Group Membership
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon
Object Access
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of
objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object,
you must enable the appropriate Object Access auditing subcategory for success and/or failure events. For
example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory
needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify
that the proper SACLs are set on all inherited objects. To address this issue, see Global Object Access Auditing.
This category includes the following subcategories:
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Central Access Policy Staging
Policy Change
Policy Change audit events allow you to track changes to important security policies on a local system or network.
Because policies are typically established by administrators to help secure network resources, monitoring changes
or attempts to change these policies can be an important aspect of security management for a network. This
category includes the following subcategories:
Audit Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Privilege Use
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security
policy settings and audit events allow you to track the use of certain permissions on one or more systems. This
category includes the following subcategories:
Audit Non-Sensitive Privilege Use
Audit Sensitive Privilege Use
Audit Other Privilege Use Events
System
System security policy settings and audit events allow you to track system-level changes to a computer that are
not included in other categories and that have potential security implications. This category includes the following
subcategories:
Audit IPsec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
Note: If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting
SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is
derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that
an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing
policy.
Audit Credential Validation
Applies to
Windows 10
Windows Server 2016
Audit Credential Validation determines whether the operating system generates audit events on credentials that
are submitted for a user account logon request.
These events occur on the computer that is authoritative for the credentials as follows:
For domain accounts, the domain controller is authoritative.
For local accounts, the local computer is authoritative.
Event volume :
High on domain controllers.
Low on member servers and workstations.
Because domain accounts are used much more frequently than local accounts in enterprise environments, most of
the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the
domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on
separate computers from Logon and Logoff events.
The main reason to enable this auditing subcategory is to track authentication attempts for local accounts and, for
domain accounts, NTLM authentication in the domain. It is especially useful for monitoring unsuccessful attempts,
to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers.
Events List:
4774(S, F): An account was mapped for logon.
4775(F): An account could not be mapped for logon.
4776(S, F): The computer attempted to validate the credentials for an account.
4777(F): The domain controller failed to validate the credentials for an account.
4774(S, F): An account was mapped for logon.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Success events do not appear to occur. Failure events have been reported.
Subcategory: Audit Credential Validation
Event Schema:
An account was mapped for logon.
Authentication Package:Schannel
Account UPN:<Account>@<Domain>
Mapped Name:<Account>
Required Server Roles: no information.
Minimum OS Version: no information.
Event Versions: 0.
4775(F): An account could not be mapped for logon.
Applies to
Windows 10
Windows Server 2016
It appears that this event never occurs.
Subcategory: Audit Credential Validation
Event Schema:
An account could not be mapped for logon.
Authentication Package:%1
Account Name:%2
Required Server Roles: no information.
Minimum OS Version: no information.
Event Versions: 0.
4776(S, F): The computer attempted to validate the credentials for an account.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Credential Validation
Event Description:
This event generates every time that a
credential validation occurs using NTLM
authentication.
This event occurs only on the computer that
is authoritative for the provided credentials.
For domain accounts, the domain controller
is authoritative. For local accounts, the local
computer is authoritative.
It shows successful and unsuccessful
credential validation attempts.
It shows only the computer name (Source Workstation ) from which the authentication attempt was performed
(authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you
will see CLIENT-1 in the Source Workstation field. Information about the destination computer (SERVER-1) is not
presented in this event.
If a credential validation attempt fails, you will see a Failure event with Error Code parameter value not equal to
“0x0 ”.
The main advantage of this event is that on domain controllers you can see all authentication attempts for domain
accounts when NTLM authentication was used.
For monitoring local account logon attempts, it is better to use event “4624: An account was successfully logged
on” because it contains more details and is more informative.
This event also generates when a workstation unlock event occurs.
This event does not generate when a domain account logs on locally to a domain controller.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-07-25T04:38:11.003163100Z" />
    <EventRecordID>165437</EventRecordID>
    <Correlation />
    <Execution ProcessID="500" ThreadID="532" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="Workstation">WIN81</Data>
    <Data Name="Status">0xc0000234</Data>
  </EventData>
</Event>
Note Authentication package is a DLL that encapsulates the authentication logic used to determine
whether to permit a user to log on. Local Security Authority (LSA) authenticates a user logon by sending the
request to an authentication package. The authentication package then examines the logon information and
either authenticates or rejects the user logon attempt.
Logon Account [Type = UnicodeString]: the name of the account that had its credentials validated by the
Authentication Package . Can be user name, computer account name or well-known security principal
account name. Examples:
User example: dadmin
Computer account example: WIN81$
Local System account example: Local
Local Service account example: Local Service
Source Workstation [Type = UnicodeString]: the name of the computer from which the logon attempt
originated.
Error Code [Type = HexInt32]: contains error code for Failure events. For Success events this parameter has
“0x0 ” value. The table below contains most common error codes for this event:
Error code / Description
0xC0000064: The username you typed does not exist. Bad username.
0xC0000371: The local account store does not contain secret material for the specified account.
0x0: No errors.
Security Monitoring Recommendations
Type of monitoring required / Recommendation
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, the built-in local administrator account, domain
administrators, service accounts, domain controller accounts and so on. Recommendation: Monitor this event with
the “Logon Account” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential
malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Logon Account” value (with other
information) to monitor how or when a particular account is being used. To monitor activity of specific user
accounts outside of working hours, monitor the appropriate Logon Account + Source Workstation pairs.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be
used. Recommendation: Monitor this event with the “Logon Account” that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions
corresponding to particular events. Recommendation: If this event corresponds to a “whitelist-only” action, review
the “Logon Account” for accounts that are outside the whitelist.
Restricted-use computers: You might have certain computers from which certain people (accounts) should not log on.
Recommendation: Monitor the target Source Workstation for credential validation requests from the “Logon Account”
that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Logon Account” for names that don’t comply with naming conventions.
If NTLM authentication should not be used for a specific account, monitor for that account. Don’t forget that
local logon will always use NTLM authentication if an account logs on to a device where its user account is
stored.
You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don’t forget that
local logon will always use NTLM authentication if the account logs on to a device where its user account is
stored.
If a local account should be used only locally (for example, network logon or terminal services logon is not
allowed), you need to monitor for all events where Source Workstation and Computer (where the event
was generated and where the credentials are stored) have different values.
Consider tracking the following errors for the reasons listed:
User logon with misspelled or bad user account: For example, N events in the last N minutes can be an indicator of an
account enumeration attack, especially relevant for highly critical accounts.
User logon with misspelled or bad password: For example, N events in the last N minutes can be an indicator of a
brute-force password attack, especially relevant for highly critical accounts.
User logon outside authorized hours: Can indicate a compromised account; especially relevant for highly critical
accounts.
User logon from unauthorized workstation: Can indicate a compromised account; especially relevant for highly critical
accounts.
User logon to account disabled by administrator: For example, N events in the last N minutes can be an indicator of an
account compromise attempt, especially relevant for highly critical accounts.
User logon with expired account: Can indicate an account compromise attempt; especially relevant for highly critical
accounts.
User logon with account locked: Can indicate a brute-force password attack; especially relevant for highly critical
accounts.
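The tracking rules above (N bad passwords for one account within N minutes, N unknown user names from one Source Workstation, a local-only account validated from a different Source Workstation, NTLM used by an account that must not use it) as working detection logic. This is an added example, not code from the Microsoft page: it parses 4776 Event XML of the shape shown above with the Python standard library and runs the checks over a constructed batch of events. The events, host names, the 5-minute window and the threshold of 3 are assumptions made for the example; the NTSTATUS values other than 0xC0000064 and 0xC0000371 are the standard codes for the remaining failure reasons in the table and are not taken from the page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Namespace of the Security channel's Event XML (as in the sample on the page).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Error Code values for 4776. 0xC0000064 and 0xC0000371 are the ones listed on the
# page; the others are the standard NTSTATUS codes for the remaining failure
# reasons in the tracking table (wrong password, disabled, locked out, ...).
STATUS = {
    0x0: "ok",
    0xC0000064: "bad username",
    0xC000006A: "bad password",
    0xC000006F: "logon outside authorized hours",
    0xC0000070: "logon from unauthorized workstation",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000234: "account locked",
    0xC0000371: "no secret material for account",
}


def parse_4776(xml_text):
    """Pull the fields the recommendations key on out of one 4776 event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return {
        "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),
        "computer": root.find("e:System/e:Computer", NS).text,  # where validated
        "account": data["TargetUserName"],                        # Logon Account
        "workstation": data["Workstation"],                       # Source Workstation
        "status": int(data["Status"], 16),                        # Error Code
    }


def detect_4776(events, threshold=3, window=timedelta(minutes=5),
                ntlm_forbidden=frozenset(), local_only=frozenset()):
    """Apply the 4776 monitoring recommendations to a batch of parsed events.

    threshold/window implement the "N events in the last N minutes" rules;
    ntlm_forbidden lists accounts that must never authenticate with NTLM;
    local_only lists local accounts that must only be used on the host that
    stores them, so Source Workstation must match the event's Computer.
    """
    alerts = set()
    bad_pw = defaultdict(list)   # account -> times of bad-password failures
    unknown = defaultdict(set)   # source workstation -> unknown names tried
    for ev in sorted(events, key=lambda e: e["time"]):
        acct, ws, st = ev["account"], ev["workstation"], ev["status"]
        if acct in ntlm_forbidden:
            alerts.add(("ntlm-forbidden-account", acct, ws))
        if acct in local_only and ws.upper() != ev["computer"].split(".")[0].upper():
            alerts.add(("local-account-used-remotely", acct, ws))
        if st == 0xC000006A:                    # brute force: many bad passwords
            times = bad_pw[acct]
            times.append(ev["time"])
            times[:] = [t for t in times if ev["time"] - t <= window]
            if len(times) >= threshold:
                alerts.add(("brute-force", acct, ws))
        elif st == 0xC0000064:                  # enumeration: many unknown names
            unknown[ws].add(acct)
            if len(unknown[ws]) >= threshold:
                alerts.add(("account-enumeration", ws, f"{len(unknown[ws])} unknown names"))
        elif st in STATUS and st != 0x0:        # the remaining tracked failures
            alerts.add((STATUS[st], acct, ws))
    return sorted(alerts)


def make_4776(when, account, workstation, status, computer="DC01.contoso.local"):
    """Constructed sample event in the shape of the page's 4776 Event XML."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4776</EventID>
    <TimeCreated SystemTime="{when}" />
    <Channel>Security</Channel>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">{account}</Data>
    <Data Name="Workstation">{workstation}</Data>
    <Data Name="Status">{status:#010x}</Data>
  </EventData>
</Event>"""


# Constructed log (not from the page): a password-guessing run against dadmin, a
# name-guessing run from KALI-01, a local account used from another host, and an
# NTLM validation for an account that is supposed to be Kerberos-only.
SAMPLE_EVENTS = [
    make_4776("2015-07-25T04:38:01Z", "dadmin", "WIN81", 0xC000006A),
    make_4776("2015-07-25T04:38:05Z", "dadmin", "WIN81", 0xC000006A),
    make_4776("2015-07-25T04:38:11Z", "dadmin", "WIN81", 0xC000006A),
    make_4776("2015-07-25T04:39:00Z", "alice", "KALI-01", 0xC0000064),
    make_4776("2015-07-25T04:39:01Z", "bob", "KALI-01", 0xC0000064),
    make_4776("2015-07-25T04:39:02Z", "carol", "KALI-01", 0xC0000064),
    make_4776("2015-07-25T05:10:00Z", "svc-backup", "WIN81", 0x0, computer="FS01.contoso.local"),
    make_4776("2015-07-25T05:11:00Z", "krbonly", "WIN81", 0x0),
]

if __name__ == "__main__":
    parsed = [parse_4776(x) for x in SAMPLE_EVENTS]
    for alert in detect_4776(parsed, ntlm_forbidden={"krbonly"}, local_only={"svc-backup"}):
        print(alert)
```

Each `<Event>` element is parsed on its own, so the functions accept events exported one per element, for example with `wevtutil qe Security /q:"*[System[(EventID=4776)]]" /f:xml`. Note that the local-only check only works because 4776 is generated on the computer that holds the account: for a local account that is the file server, and the Computer field of the event is therefore the host the credential was validated on.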
4777(F): The domain controller failed to validate the
credentials for an account.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. 4776
failure event is generated instead.
Subcategory: Audit Credential Validation
Audit Kerberos Authentication Service
12/20/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication
ticket-granting ticket (TGT) requests.
If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request.
Success audits record successful attempts and Failure audits record unsuccessful attempts.
Event volume : High on Kerberos Key Distribution Center servers.
This subcategory contains events about issued TGTs and failed TGT requests. It also contains events about failed
Pre-Authentications, due to wrong user password or when the user’s password has expired.
Events List:
4768(S, F): A Kerberos authentication ticket (TGT) was requested.
4771(F): Kerberos pre-authentication failed.
4772(F): A Kerberos authentication ticket request failed.
4768(S, F): A Kerberos authentication ticket (TGT) was requested.
7/8/2019 • 26 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Authentication Service
Event Description:
This event generates every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
This event generates only on domain controllers.
If the TGT issue fails, you will see a Failure event with the Result Code field not equal to “0x0”.
This event doesn't generate for Result Codes 0x10, 0x17 and 0x18. Event “4771: Kerberos pre-authentication failed.”
generates instead.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4768</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-07T18:13:46.074535600Z" />
    <EventRecordID>166747</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1496" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="PreAuthType">15</Data>
    <Data Name="IpAddress">::ffff:10.0.0.12</Data>
    <Data Name="IpPort">49273</Data>
    <Data Name="CertIssuerName">contoso-DC01-CA-1</Data>
    <Data Name="CertSerialNumber">1D0000000D292FBE3C6CDDAFA200020000000D</Data>
    <Data Name="CertThumbprint">564DFAEE99C71D62ABC553E695BD8DBC46669413</Data>
  </EventData>
</Event>
Note A Kerberos Realm is a set of managed nodes that share the same Kerberos database. The Kerberos
database resides on the Kerberos master computer system, which should be kept in a physically secure room.
Active Directory domain is the example of Kerberos Realm in the Microsoft Windows Active Directory world.
User ID [Type = SID]: SID of account for which (TGT) ticket was requested. Event Viewer automatically tries
to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.
For example: CONTOSO\dadmin or CONTOSO\WIN81$.
NULL SID – this value shows in 4768 Failure events.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0” style bit
numbering begins from the left.
Bit / Flag name / Description
0: Reserved.
16-25: Unused.
28: Enc-tkt-in-skey. No information.
29: Unused.
Result Code [Type = HexInt32]: hexadecimal result code of the TGT issue operation. “Table 3. TGT/TGS issue
error codes” contains the list of the most common error codes for this event.
Code / Code name / Description / Possible causes
0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN: Client not found in Kerberos database. Possible causes: The username doesn’t exist.
0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN: Server not found in Kerberos database. Possible causes: This error can occur if the
domain controller cannot find the server’s name in Active Directory. This error is similar to
KDC_ERR_C_PRINCIPAL_UNKNOWN except that it occurs when the server name cannot be found.
0x9 KDC_ERR_NULL_KEY: The client or server has a null key (master key). Possible causes: No master key was found for
the client or server. Usually it means that the administrator should reset the password on the account.
0xA KDC_ERR_CANNOT_POSTDATE: Ticket (TGT) not eligible for postdating. Possible causes: This error can occur if a
client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be
set into the future. It also can occur if there is a time difference between the client and the KDC.
0xC KDC_ERR_POLICY: KDC policy rejects request. Possible causes: This error is usually the result of logon
restrictions in place on a user’s account, for example a workstation restriction, a smart card authentication
requirement or a logon time restriction.
0xE KDC_ERR_ETYPE_NOTSUPP: KDC has no support for encryption type. Possible causes: In general, this error occurs
when the KDC or a client receives a packet that it cannot decrypt.
0xF KDC_ERR_SUMTYPE_NOSUPP: KDC has no support for checksum type. Possible causes: The KDC, server, or client
receives a packet for which it does not have a key of the appropriate encryption type. The result is that the
computer is unable to decrypt the ticket.
0x10 KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for PADATA type (pre-authentication data). Possible causes:
Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong
certification authority (CA) is being queried or the proper CA cannot be contacted. It can also happen when a domain
controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller
Authentication templates). This error code cannot occur in event “4768. A Kerberos authentication ticket (TGT) was
requested”. It occurs in the “4771. Kerberos pre-authentication failed” event.
0x14 KDC_ERR_TGT_REVOKED: TGT has been revoked. Possible causes: Since the remote KDC may change its PKCROSS key
while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS
ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type
KDC_ERR_TGT_REVOKED. See RFC1510 for more details.
0x20 KRB_AP_ERR_TKT_EXPIRED: The ticket has expired. Possible causes: The smaller the value for the “Maximum
lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket
renewal is automatic, you should not have to do anything if you get this message.
0x21 KRB_AP_ERR_TKT_NYV: The ticket is not yet valid. Possible causes: The ticket presented to the server is not yet
valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are
not synchronized. If cross-realm Kerberos authentication is being attempted, then you should verify time
synchronization between the KDC in the target realm and the KDC in the client realm, as well.
0x23 KRB_AP_ERR_NOT_US: The ticket is not for us. Possible causes: The server has received a ticket that was meant
for a different realm.
0x25 KRB_AP_ERR_SKEW: The clock skew is too great. Possible causes: This error is logged if a client computer sends a
timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the
“Maximum tolerance for computer clock synchronization” setting in Kerberos policy.
0x3E KDC_ERR_CLIENT_NOT_TRUSTED: The client trust failed or is not implemented. Possible causes: This typically
happens when the user’s smart-card certificate is revoked or the root Certification Authority that issued the smart
card certificate (in a chain) is not trusted by the domain controller.
0x3F KDC_ERR_KDC_NOT_TRUSTED: The KDC server trust failed or could not be verified. Possible causes: The
trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the
client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the
trustedCertifiers, then it returns an error of type KDC_ERR_KDC_NOT_TRUSTED. See RFC1510 for more details.
Ticket Encryption Type [Type = HexInt32]: the cryptographic suite that was used for the issued TGT.
## Table 4. Kerberos encryption types
Pre-Authentication Type [Type = UnicodeString]: the code number of the pre-authentication type that was used in the TGT request.
## Table 5. Kerberos Pre-Authentication types.
| Type of monitoring required | Recommendation |
|---|---|
| High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “User ID” that corresponds to the high-value account or accounts. |
| Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “User ID” (with other information) to monitor how or when a particular account is being used. |
| Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “User ID” that corresponds to the accounts that should never be used. |
| Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “User ID” for accounts that are outside the whitelist. |
| External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the “Supplied Realm Name” corresponding to another domain or “external” location. |
| Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “User ID” for names that don’t comply with naming conventions. |
- You can track all 4768 events where the Client Address is not from your internal IP range or not from private IP ranges.
- If you know that Account Name should be used only from a known list of IP addresses, track all Client Address values for this Account Name in 4768 events. If Client Address is not from the whitelist, generate the alert.
- All Client Address = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where Client Address = ::1 and Account Name is not allowed to log on to any domain controller.
- All 4768 events with Client Port field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection.
Also consider monitoring the fields shown in the following table, to discover the issues listed:

| Field | Issue to discover |
|---|---|
| Certificate Issuer Name | Certification authority name is not from your PKI infrastructure. |
| Certificate Issuer Name | Certification authority name is not authorized to issue smart card authentication certificates. |
| Pre-Authentication Type | Value is not 15 when account must use a smart card for authentication. For more information, see Table 5. Kerberos Pre-Authentication types. |
| Pre-Authentication Type | Value is not 138 when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see Table 5. Kerberos Pre-Authentication types. |
| Ticket Encryption Type | Value is 0x1 or 0x3, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2. For more information, see Table 4. Kerberos encryption types. |
| Ticket Encryption Type | Starting with Windows Vista and Windows Server 2008, monitor for values other than 0x11 and 0x12. These are the expected values, starting with these operating systems, and represent AES-family algorithms. For more information, see Table 4. Kerberos encryption types. |
| Result Code | 0x6 (The username doesn't exist), if you see, for example N events in last N minutes. This can be an indicator of account enumeration attack, especially for highly critical accounts. |
| Result Code | 0x7 (Server not found in Kerberos database). This error can occur if the domain controller cannot find the server's name in Active Directory. |
| Result Code | 0x8 (Multiple principal entries in KDC database). This will help you to find duplicate SPNs faster. |
| Result Code | 0x9 (The client or server has a null key (master key)). This error can help you to identify problems with Kerberos authentication faster. |
| Result Code | 0xA (Ticket (TGT) not eligible for postdating). Microsoft systems should not request postdated tickets. These events could help identify anomaly activity. |
| Result Code | 0xC (Requested start time is later than end time), if you see, for example N events in last N minutes. This can be an indicator of an account compromise attempt, especially for highly critical accounts. |
| Result Code | 0xE (KDC has no support for encryption type). In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. Monitor for these events because this should not happen in a standard Active Directory environment. |
| Result Code | 0xF (KDC has no support for checksum type). Monitor for these events because this should not happen in a standard Active Directory environment. |
| Result Code | 0x12 (Client's credentials have been revoked), if you see, for example N events in last N minutes. This can be an indicator of anomaly activity or brute-force attack, especially for highly critical accounts. |
| Result Code | 0x22 (The request is a replay). This error indicates that a specific authenticator showed up twice—the KDC has detected that this session ticket duplicates one that it has already received. It could be a sign of attack attempt. |
| Result Code | 0x29 (Message stream modified and checksum didn't match). The authentication data was encrypted with the wrong key for the intended server. The authentication data was modified in transit by a hardware or software error, or by an attacker. Monitor for these events because this should not happen in a standard Active Directory environment. |
| Result Code | 0x3C (Generic error). This error can help you more quickly identify problems with Kerberos authentication. |
| Result Code | 0x3E (The client trust failed or is not implemented). This error helps you identify logon attempts with revoked certificates and the situations when the root Certification Authority that issued the smart card certificate (through a chain) is not trusted by a domain controller. |
| Result Code | 0x3F, 0x40, 0x41 errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication. |
4771(F): Kerberos pre-authentication failed.
1/13/2020 • 10 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Authentication Service
Event Description:
This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
This event generates only on domain controllers.
This event is not generated if the “Do not require Kerberos preauthentication” option is set for the account.
Event XML:

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-07T18:10:21.495462300Z" />
    <EventRecordID>166708</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1084" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="ServiceName">krbtgt/CONTOSO.LOCAL</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x10</Data>
    <Data Name="PreAuthType">15</Data>
    <Data Name="IpAddress">::ffff:10.0.0.12</Data>
    <Data Name="IpPort">49254</Data>
    <Data Name="CertIssuerName" />
    <Data Name="CertSerialNumber" />
    <Data Name="CertThumbprint" />
  </EventData>
</Event>
```
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account for which the TGT ticket was requested. Computer account names end with a $ character.
- User account example: dadmin
- Computer account example: WIN81$
Service Information:
Service Name [Type = UnicodeString]: the name of the service in the Kerberos Realm to which the TGT request was sent. Typically has one of the following formats:
- krbtgt/DOMAIN_NETBIOS_NAME. Example: krbtgt/CONTOSO
- krbtgt/DOMAIN_FULL_NAME. Example: krbtgt/CONTOSO.LOCAL
Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGT request was received. Formats vary, and include the following:
- IPv6 or IPv4 address.
- ::ffff:IPv4_address.
- ::1 - localhost.
Client Port [Type = UnicodeString]: source port number of the client network connection (TGT request connection).
- 0 for local (localhost) requests.
Additional Information:
Ticket Options [Type = HexInt32]: this is a set of different Ticket Flags in hexadecimal format.
Example:
- Ticket Options: 0x40810010
- Binary view: 01000000100000010000000000010000
- Using MSB 0 bit numbering we have bits 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from the left.

| Bit | Flag Name | Description |
|---|---|---|
| 0 | Reserved | - |
| 16-25 | Unused | - |
| 28 | Enc-tkt-in-skey | No information. |
| 29 | Unused | - |
Failure Code [Type = HexInt32]: hexadecimal failure code of the failed TGT issue operation. The table below contains the list of the most common error codes for this event:

| Code | Code Name | Description | Possible causes |
|---|---|---|---|
| 0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller. It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
Pre-Authentication Type [Type = UnicodeString]: the code of the pre-authentication type that was used in the TGT request.
## Table 5. Kerberos Pre-Authentication types.
| Type | Type Name | Description |
|---|---|---|
| Type of monitoring required | Recommendation |
|---|---|
| High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “Security ID” that corresponds to the high-value account or accounts. |
| Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Security ID” (with other information) to monitor how or when a particular account is being used. |
| Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Security ID” that corresponds to the accounts that should never be used. |
| Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “Security ID” for accounts that are outside the whitelist. |
| Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Subject\Account Name” for names that don’t comply with naming conventions. |
- You can track all 4771 events where the Client Address is not from your internal IP range or not from private IP ranges.
- If you know that Account Name should be used only from a known list of IP addresses, track all Client Address values for this Account Name in 4771 events. If Client Address is not from the whitelist, generate the alert.
- All Client Address = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where Client Address = ::1 and Account Name is not allowed to log on to any domain controller.
- All 4771 events with Client Port field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection.
Also monitor the fields shown in the following table, to discover the issues listed:

| Field | Issue to discover |
|---|---|
| Pre-Authentication Type | Value is not 15 when account must use a smart card for authentication. For more information, see Table 5. Kerberos Pre-Authentication types. |
| Pre-Authentication Type | Value is not 138 when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see Table 5. Kerberos Pre-Authentication types. |
| Result Code | 0x10 (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. |
Applies to
Windows 10
Windows Server 2016
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. The 4768 failure event is generated instead.
Subcategory: Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
1/3/2020 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit
events for Kerberos service ticket requests.
Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network
resource. Kerberos service ticket operation audit events can be used to track user activity.
Event volume: Very High on Kerberos Key Distribution Center servers.
This subcategory contains events about issued TGSs and failed TGS requests.
IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections.
We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Service Ticket Operations
Event Description:
This event generates every time the Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request.
This event generates only on domain controllers.
If the TGS issue fails, then you will see a Failure event with the Failure Code field not equal to “0x0”.
You will typically see many Failure events with Failure Code “0x20”, which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance.
Event XML:

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4769</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14337</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-07T18:13:46.043256100Z" />
    <EventRecordID>166746</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1496" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">dadmin@CONTOSO.LOCAL</Data>
    <Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
    <Data Name="ServiceName">WIN2008R2$</Data>
    <Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-2102</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="IpAddress">::ffff:10.0.0.12</Data>
    <Data Name="IpPort">49272</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="LogonGuid">{F85C455E-C66E-205C-6B39-F6C60A7FE453}</Data>
    <Data Name="TransmittedServices">-</Data>
  </EventData>
</Event>
```
Note Although this field is in the UPN format, this is not the attribute value of "UserPrincipalName" of the user account. It is the "normalized" name or implicit UPN. It is built from the user SamAccountName and the Active Directory domain name.
This parameter in this event is optional and can be empty in some cases.
Account Domain [Type = UnicodeString]: the name of the Kerberos Realm that Account Name belongs to. This can appear in a variety of formats, including the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
This parameter in this event is optional and can be empty in some cases.
Logon GUID [Type = GUID]: a GUID that can help you correlate this event (on a domain controller) with other events (on the target computer for which the TGS was issued) that can contain the same Logon GUID. These events are “4624: An account was successfully logged on”, “4648(S): A logon was attempted using explicit credentials” and “4964(S): Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGS request was received. Formats vary, and include the following:
- IPv6 or IPv4 address.
- ::ffff:IPv4_address.
- ::1 - localhost.
Client Port [Type = UnicodeString]: source port number of the client network connection (TGS request connection).
- 0 for local (localhost) requests.
Additional information:
Ticket Options [Type = HexInt32]: this is a set of different Ticket Flags in hexadecimal format.
Example:
- Ticket Options: 0x40810010
- Binary view: 01000000100000010000000000010000
- Using MSB 0 bit numbering we have bits 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from the left.

| Bit | Flag Name | Description |
|---|---|---|
| 0 | Reserved | - |
| 16-25 | Unused | - |
| 28 | Enc-tkt-in-skey | No information. |
| 29 | Unused | - |
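The Ticket Options decoding shown in the example above (here and in the 4771 section), as an added Python example that is not part of the Microsoft documentation. The bits named on this page are 0, 1, 8, 15, 16-25, 27, 28 and 29; the remaining flag names are taken from the KDCOptions definition in RFC 4120 section 5.4.1 (bit 15 being canonicalize), and the block also decodes the 4769 sample value 0x40810000 and the 4770 sample value 0x2 that appear in the Event XML on this page.

```python
"""Decode the Ticket Options (KDCOptions) field of Windows Kerberos audit events.

Added example, not part of the Microsoft documentation. The field is a 32-bit
flag set written as HexInt32; bit numbers use "MSB 0" numbering as in the
RFCs and in the table above (bit 0 is the leftmost bit of the binary view).
"""

# MSB 0 bit position -> flag name. Bits 0, 1, 8, 15, 27, 28 and the unused
# ranges 16-25 and 29 are named on this page; the other names follow the
# KDCOptions definition in RFC 4120 section 5.4.1 (bit 15 = canonicalize).
KDC_OPTION_FLAGS = {
    0: "Reserved",
    1: "Forwardable",
    2: "Forwarded",
    3: "Proxiable",
    4: "Proxy",
    5: "Allow-postdate",
    6: "Postdated",
    8: "Renewable",
    11: "Opt-hardware-auth",
    15: "Canonicalize",
    26: "Disable-transited-check",
    27: "Renewable-ok",
    28: "Enc-tkt-in-skey",
    30: "Renew",
    31: "Validate",
}


def parse_hex(field: str) -> int:
    """Parse a HexInt32 field as it appears in the event, e.g. '0x40810010'."""
    value = int(field, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {field}")
    return value


def binary_view(value: int) -> str:
    """Return the 32-character 'Binary view' used in the documentation."""
    return format(value, "032b")


def set_bits_msb0(value: int) -> list:
    """MSB 0 bit numbers that are set: index i is the i-th character from the left."""
    return [i for i, ch in enumerate(binary_view(value)) if ch == "1"]


def decode_ticket_options(value: int) -> dict:
    """Map every set bit to its flag name; unnamed bits are reported as 'Unused'."""
    return {bit: KDC_OPTION_FLAGS.get(bit, "Unused") for bit in set_bits_msb0(value)}


if __name__ == "__main__":
    # The documentation's worked example plus the 4769 and 4770 sample values
    for field in ("0x40810010", "0x40810000", "0x2"):
        opts = parse_hex(field)
        print(field, binary_view(opts), decode_ticket_options(opts))
```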
Ticket Encryption Type [Type = HexInt32]: the cryptographic suite that was used for the issued TGS.
| Type | Type Name | Description |
|---|---|---|
Failure Code [Type = HexInt32]: hexadecimal result code of the TGS issue operation. The table below contains the list of the most common error codes for this event:

| Code | Code Name | Description | Possible causes |
|---|---|---|---|
| 0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database | The username doesn’t exist. |
| 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the server’s name in Active Directory. This error is similar to KDC_ERR_C_PRINCIPAL_UNKNOWN except that it occurs when the server name cannot be found. |
| 0x9 | KDC_ERR_NULL_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that administrator should reset the password on the account. |
| 0xA | KDC_ERR_CANNOT_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future. It also can occur if there is a time difference between the client and the KDC. |
| 0xC | KDC_ERR_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction. |
| 0xE | KDC_ERR_ETYPE_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. |
| 0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. |
| 0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted. It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). This error code cannot occur in event “4768. A Kerberos authentication ticket (TGT) was requested”. It occurs in “4771. Kerberos pre-authentication failed” event. |
| 0x14 | KDC_ERR_TGT_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC_ERR_TGT_REVOKED. See RFC1510 for more details. |
| 0x1B | KDC_ERR_MUST_USE_USER2USER | Server principal valid for user2user only | This error occurs because the service is missing an SPN. |
| 0x20 | KRB_AP_ERR_TKT_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. |
| 0x21 | KRB_AP_ERR_TKT_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized. If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
| 0x23 | KRB_AP_ERR_NOT_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. |
| 0x25 | KRB_AP_ERR_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy. |
| 0x3E | KDC_ERR_CLIENT_NOT_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller. |
| 0x3F | KDC_ERR_KDC_NOT_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC_ERR_KDC_NOT_TRUSTED. See RFC1510 for more details. |
Transited Services [Type = UnicodeString]: this field contains the list of SPNs which were requested if Kerberos delegation was used.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
| Type of monitoring required | Recommendation |
|---|---|
| High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “Account Information\Account Name” that corresponds to the high-value account or accounts. |
| Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Account Information\Account Name” (with other information) to monitor how or when a particular account is being used. |
| Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Account Information\Account Name” that corresponds to the accounts that should never be used. |
| External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the “Account Information\Account Domain” corresponding to another domain or “external” location. |
| Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target Computer: (or other target device) for actions performed by the “Account Information\Account Name” that you are concerned about. |
| Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “User ID” for names that don’t comply with naming conventions. |
- If you know that Account Name should never request any tickets for (that is, never get access to) a particular computer account or service account, monitor for 4769 events with the corresponding Account Name and Service ID fields.
- You can track all 4769 events where the Client Address is not from your internal IP range or not from private IP ranges.
- If you know that Account Name should be able to request tickets (should be used) only from a known whitelist of IP addresses, track all Client Address values for this Account Name in 4769 events. If Client Address is not from your whitelist of IP addresses, generate the alert.
- All Client Address = ::1 means local TGS requests, which means that the Account Name logged on to a domain controller before making the TGS request. If you have a whitelist of accounts allowed to log on to domain controllers, monitor events with Client Address = ::1 and any Account Name outside the whitelist.
- All 4769 events with Client Port field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection.
- Monitor for a Ticket Encryption Type of 0x1 or 0x3, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2.
- Starting with Windows Vista and Windows Server 2008, monitor for a Ticket Encryption Type other than 0x11 and 0x12. These are the expected values, starting with these operating systems, and represent AES-family algorithms.
- If you have a list of important Failure Codes, monitor for these codes.
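The monitoring recommendations for 4768, 4771 and 4769 above (Client Address outside your internal or private ranges, Client Port below 1024, a DES or non-AES Ticket Encryption Type, and "N events in last N minutes" for a Result Code such as 0x6), as an added Python example that is not part of the Microsoft documentation. It parses Security Event XML of the shape shown on this page; the RFC 1918 internal ranges, the threshold values and the sample events are constructed assumptions.

```python
"""Detection rules from the 4768/4771/4769 monitoring recommendations above.
Added example, not from the Microsoft documentation: parses Security Event XML of the
shape shown on this page and applies the recommended checks to constructed sample events."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: the organization's internal ranges are the RFC 1918 blocks.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DES_ETYPES = {0x1, 0x3}    # DES: should not be in use
AES_ETYPES = {0x11, 0x12}  # expected AES-family values on Vista/2008 and later

def parse_system_time(value: str) -> datetime:
    """Parse SystemTime such as 2015-08-07T18:13:46.043256100Z (100 ns precision, UTC)."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=micro, tzinfo=timezone.utc)

def parse_event(xml_text: str) -> dict:
    """Flatten one event into EventID, TimeCreated and its EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.find("e:EventID", NS).text),
        "TimeCreated": parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event

def check_event(ev: dict) -> list:
    """Per-event field checks; returns human-readable findings (empty = nothing to see)."""
    findings = []
    addr = ev.get("IpAddress", "")
    if addr and addr != "::1":                        # ::1 is local authentication
        ip = ipaddress.ip_address(addr)
        ip = getattr(ip, "ipv4_mapped", None) or ip   # unwrap the ::ffff:IPv4_address form
        if not any(ip in net for net in INTERNAL_RANGES):
            findings.append(f"Client Address {addr} is not from an internal range")
    port = int(ev.get("IpPort") or 0)
    if 0 < port < 1024:
        findings.append(f"Client Port {port} is a well-known port")
    etype = ev.get("TicketEncryptionType")
    if etype and ev.get("Status", "0x0") == "0x0":    # only an issued ticket has a real etype
        if int(etype, 16) in DES_ETYPES:
            findings.append(f"Ticket Encryption Type {etype} is DES")
        elif int(etype, 16) not in AES_ETYPES:
            findings.append(f"Ticket Encryption Type {etype} is not AES")
    return findings

def result_code_bursts(events, code: str, n: int, minutes: int) -> dict:
    """Accounts with >= n events of Result Code `code` inside `minutes`, mapped to the crossing time."""
    by_account = defaultdict(list)
    for ev in events:
        if ev.get("Status") == code:
            by_account[ev.get("TargetUserName", "")].append(ev["TimeCreated"])
    window, alerts = timedelta(minutes=minutes), {}
    for account, times in by_account.items():
        times.sort()
        start = 0
        for i, t in enumerate(times):
            while t - times[start] > window:          # slide the window's left edge
                start += 1
            if i - start + 1 >= n:
                alerts.setdefault(account, t)
    return alerts

def make_event(event_id: int, system_time: str, **data) -> str:
    """Build Event XML in the documented shape (constructed sample data, not real logs)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System>'
            f"<EventData>{fields}</EventData></Event>")

SAMPLE_EVENTS = [
    # Normal TGS request: private address, ephemeral port, AES256 (0x12)
    make_event(4769, "2015-08-07T18:13:46.043256100Z", TargetUserName="dadmin@CONTOSO.LOCAL",
               IpAddress="::ffff:10.0.0.12", IpPort="49272", TicketEncryptionType="0x12", Status="0x0"),
    # TGS issued to a non-internal address from a well-known port, with a DES (0x3) ticket
    make_event(4769, "2015-08-07T18:14:02Z", TargetUserName="svc_backup@CONTOSO.LOCAL",
               IpAddress="::ffff:203.0.113.7", IpPort="445", TicketEncryptionType="0x3", Status="0x0"),
    # Three 4768 failures with Result Code 0x6 for one name within two minutes
    *[make_event(4768, f"2015-08-07T18:1{s}Z", TargetUserName="admin", IpAddress="::ffff:10.0.0.25",
                 IpPort="51000", TicketEncryptionType="0xffffffff", Status="0x6")
      for s in ("0:00", "0:45", "1:30")],
    # A single 0x6 for another name does not cross the threshold
    make_event(4768, "2015-08-07T18:12:00Z", TargetUserName="jsmith", IpAddress="::ffff:10.0.0.31",
               IpPort="52000", TicketEncryptionType="0xffffffff", Status="0x6"),
]

def run_checks(xml_events, n: int = 3, minutes: int = 5):
    """Return (per-event findings, accounts that tripped the Result Code 0x6 burst rule)."""
    events = [parse_event(x) for x in xml_events]
    return [check_event(ev) for ev in events], result_code_bursts(events, "0x6", n, minutes)
```

Run `run_checks(SAMPLE_EVENTS)` to get one clean event, one event with three findings, and a burst alert for the name that failed three times with 0x6.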
4770(S): A Kerberos service ticket was renewed.
6/6/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Service Ticket Operations
Event Description:
This event generates for every Ticket Granting Service (TGS) ticket renewal.
This event generates only on domain controllers.
Event XML:

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4770</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14337</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-07T03:26:23.466552900Z" />
    <EventRecordID>166481</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1084" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">WIN2008R2$@CONTOSO.LOCAL</Data>
    <Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data>
    <Data Name="TicketOptions">0x2</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="IpAddress">::ffff:10.0.0.12</Data>
    <Data Name="IpPort">49964</Data>
  </EventData>
</Event>
```
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGS renewal request
was received. Formats vary, and include the following:
IPv6 or IPv4 address.
::ffff:IPv4_address.
::1 - localhost.
Client Port [Type = UnicodeString]: source port number of client network connection (TGS renewal request
connection).
0 for local (localhost) requests.
Additional information:
Ticket Options : [Type = HexInt32]: this is a set of different Ticket Flags in hexadecimal format.
Example:
Ticket Options: 0x40810010
Binary view: 01000000100000010000000000010000
Using MSB 0 bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize,
Renewable-ok.
Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0”
style bit numbering begins from left.
Bit | Flag Name | Description
0 | Reserved | -
16-25 | Unused | -
28 | Enc-tkt-in-skey | No information.
29 | Unused | -
Ticket Encryption Type: [Type = HexInt32]: the cryptographic suite that was used in renewed TGS.
Applies to
Windows 10
Windows Server 2016
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. 4769
failure event is generated instead.
Subcategory: Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
12/24/2019
Applies to
Windows 10
Windows Server 2016
General Subcategory Information:
This auditing subcategory does not contain any events. It is intended for future use.
Applies to
Windows 10
Windows Server 2016
Audit Application Group Management generates events for actions related to application groups, such as group
creation, modification, addition or removal of group members, and some other actions.
Application groups are used by Authorization Manager.
The Audit Application Group Management subcategory is out of scope of this document, because Authorization
Manager is very rarely used and has been deprecated since Windows Server 2012.
Applies to
Windows 10
Windows Server 2016
Audit Computer Account Management determines whether the operating system generates audit events when a
computer account is created, changed, or deleted.
This policy setting is useful for tracking account-related changes to computers that are members of a domain.
Event volume : Low on domain controllers.
This subcategory allows you to audit events generated by changes to computer accounts such as when a computer
account is created, changed, or deleted.
Events List:
4741(S): A computer account was created.
4742(S): A computer account was changed.
4743(S): A computer account was deleted.
4741(S): A computer account was created.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Computer Account Management
Event Description:
This event generates every time a new computer object is created.
This event generates only on domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4741</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13825</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-12T18:41:39.201898100Z" />
<EventRecordID>170254</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1096" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">WIN81$</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6116</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0xc88b2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">WIN81$</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">8/12/2015 11:41:39 AM</Data>
<Data Name="AccountExpires">%%1794</Data>
<Data Name="PrimaryGroupId">515</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x0</Data>
<Data Name="NewUacValue">0x80</Data>
<Data Name="UserAccountControl">%%2087</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">%%1793</Data>
<Data Name="DnsHostName">Win81.contoso.local</Data>
<Data Name="ServicePrincipalNames">HOST/Win81.contoso.local RestrictedKrbHost/Win81.contoso.local HOST/WIN81 RestrictedKrbHost/WIN81</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create Computer
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
New Computer Account:
Security ID [Type = SID]: SID of created computer account. Event Viewer automatically tries to resolve SIDs
and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the computer account that was created. For example:
WIN81$
Account Domain [Type = UnicodeString]: domain name of created computer account. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Attributes:
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName
attribute of new computer object. For example: WIN81$.
Display Name [Type = UnicodeString]: the value of displayName attribute of new computer object. It is a
name displayed in the address book for a particular account (typically – user account). This is usually the
combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and
typically is not set. You can change this attribute by using Active Directory Users and Computers, or through
a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. This parameter
contains the value of userPrincipalName attribute of new computer object. For computer objects, it is
optional, and typically is not set. You can change this attribute by using Active Directory Users and
Computers, or through a script, for example. This parameter might not be captured in the event, and in that
case appears as “-”.
Home Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and specifies
a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form
\\Server\Share\Directory. This parameter contains the value of homeDirectory attribute of new computer
object. For computer objects, it is optional, and typically is not set. You can change this attribute by using
Active Directory Users and Computers, or through a script, for example. This parameter might not be
captured in the event, and in that case appears as “-”.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
the account’s homeDirectory attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For
example – “H:”. This parameter contains the value of homeDrive attribute of new computer object. For
computer objects, it is optional, and typically is not set. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. This parameter might not be captured in
the event, and in that case appears as “-”.
Script Path [Type = UnicodeString]: specifies the path of the account's logon script. This parameter contains
the value of scriptPath attribute of new computer object. For computer objects, it is optional, and typically is
not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. This parameter might not be captured in the event, and in that case appears as “-”.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null string,
a local absolute path, or a UNC path. This parameter contains the value of profilePath attribute of new
computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by
using Active Directory Users and Computers, or through a script, for example. This parameter might not be
captured in the event, and in that case appears as “-”.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers
from which the user can logon. Each computer name is separated by a comma. The name of a computer is
the sAMAccountName property of a computer object. This parameter contains the value of
userWorkstations attribute of new computer object. For computer objects, it is optional, and typically is
not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. This parameter might not be captured in the event, and in that case appears as “-”.
Password Last Set [Type = UnicodeString]: last time the account’s password was modified. For a manually
created computer account (using the Active Directory Users and Computers snap-in), this field typically has the
value “<never>”. For a computer account created during the standard domain join procedure, this field contains
the time when the computer object was created, because the password is created during the domain join procedure.
For example: 8/12/2015 11:41:39 AM. This parameter contains the value of pwdLastSet attribute of new
computer object.
Account Expires [Type = UnicodeString]: the date when the account expires. This parameter contains the
value of accountExpires attribute of new computer object. For computer objects, it is optional, and typically
is not set. You can change this attribute by using Active Directory Users and Computers, or through a script,
for example. This parameter might not be captured in the event, and in that case appears as “-”.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of computer’s object primary group.
Note Relative identifier (RID) is a variable length number that is assigned to objects at creation and
becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a
domain.
Typically, Primary Group field for new computer accounts has the following values:
516 (Domain Controllers) – for domain controllers.
521 (Read-only Domain Controllers) – for read-only domain controllers (RODC).
515 (Domain Computers) – for member servers and workstations.
See this article https://support.microsoft.com/kb/243330 for more information. This parameter contains the
value of primaryGroupID attribute of new computer object.
AllowedToDelegateTo [Type = UnicodeString]: the list of SPNs to which this account can present delegated
credentials. Can be changed using Active Directory Users and Computers management console in Delegation
tab of computer account. Typically it is set to “-” for new computer objects. This parameter contains the value of
AllowedToDelegateTo attribute of new computer object. See description of AllowedToDelegateTo field for
“4742: A computer account was changed” event for more details.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must have
its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use
for authentication. For example, an SPN always includes the name of the host computer on which the service
instance is running, so a service instance might register an SPN for each name or alias of its host.
Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script,
and other behavior for the user or computer account. Old UAC value is always “0x0” for new computer
accounts. This parameter contains the previous value of userAccountControl attribute of computer object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user or computer account. This parameter contains the value of
userAccountControl attribute of new computer object.
To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s
account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the
flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that
event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to
the next flag.
Here's an example: Flags value from event: 0x15
Decoding:
• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE 0x0002
• SCRIPT 0x0001
0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT
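An added example, not code from the page: the subtraction procedure just described for the New UAC Value, next to the equivalent bitwise test, using only the flag rows the page shows (so the table is deliberately incomplete), together with the MSB 0 bit numbering described for the 4770 Ticket Options field earlier in this section.

```python
# Flag rows exactly as the page's worked example lists them (an excerpt of
# "Table 7"; the values are userAccountControl bit values). Extend this dict
# with the remaining Table 7 rows to decode arbitrary values correctly.
UAC_FLAGS = {
    0x200000: "USE_DES_KEY_ONLY",
    0x0020: "PASSWD_NOTREQD",
    0x0010: "LOCKOUT",
    0x0008: "HOMEDIR_REQUIRED",
    0x0004: "(undeclared)",
    0x0002: "ACCOUNTDISABLE",
    0x0001: "SCRIPT",
}


def decode_uac(value, table=UAC_FLAGS):
    """The page's procedure: walk the table from largest to smallest property
    value; whenever the remaining flags value is >= the property value, the
    property is set and is subtracted. Returns (names, leftover)."""
    remaining = value
    names = []
    for prop in sorted(table, reverse=True):
        if remaining >= prop:
            names.append(table[prop])
            remaining -= prop
    return names, remaining


def decode_uac_bitwise(value, table=UAC_FLAGS):
    """Equivalent bitwise test. Unlike greedy subtraction, it stays correct when
    a set bit is missing from the table: unknown bits are simply left over
    instead of being mis-attributed to smaller flags."""
    names = [table[prop] for prop in sorted(table, reverse=True) if value & prop]
    known = sum(prop for prop in table if value & prop)
    return names, value & ~known


def set_flags(value):
    """Named flags only, dropping the '(undeclared)' placeholder as the page does."""
    return [n for n in decode_uac_bitwise(value)[0] if n != "(undeclared)"]


# Ticket Options (4770): bit positions in MSB 0 numbering, bit 0 = leftmost.
# Names come from the page's example and the surviving rows of its table.
TICKET_OPTION_BITS = {
    1: "Forwardable",
    8: "Renewable",
    15: "Canonicalize",
    27: "Renewable-ok",
    28: "Enc-tkt-in-skey",
}


def binary_view(value):
    """32-character binary string, as shown in the page's example."""
    return format(value & 0xFFFFFFFF, "032b")


def decode_ticket_options(value):
    """Return (MSB-0 bit number, name) for each set bit of a 32-bit value."""
    bits = binary_view(value)
    return [(i, TICKET_OPTION_BITS.get(i, "unlisted")) for i, b in enumerate(bits) if b == "1"]


if __name__ == "__main__":
    print(decode_uac(0x15), set_flags(0x15))
    # With an incomplete table the two procedures disagree on 0x55 (bit 0x40 unlisted).
    print(decode_uac(0x55), decode_uac_bitwise(0x55))
    print(binary_view(0x40810010), decode_ticket_options(0x40810010))
```

With the partial table, 0x55 shows the caveat: subtraction attributes the unlisted 0x40 bit to a run of smaller flags, while the bitwise test reports it as leftover.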
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl attribute.
You will see a line of text for each change. For new computer accounts, when the object for this account was
created, the userAccountControl value was considered to be “0x0” , and then it was changed from “0x0” to
the real value for the account's userAccountControl attribute. See possible values in the table below. In the
“User Account Control field text” column, you can see the text that will be displayed in the User Account
Control field in 4741 event.
Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text
USE_DES_KEY_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled; 'Use DES Key Only' - Enabled
User Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and
Computers management console in Dial-in tab of computer’s account properties, then you will see <value
changed, but not displayed> in this field in “4742(S): A computer account was changed.” This parameter
might not be captured in the event, and in that case appears as “-”.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the
value of sIDHistory attribute of new computer object. This parameter might not be captured in the event,
and in that case appears as “-”.
Logon Hours [Type = UnicodeString]: hours that the account is allowed to logon to the domain. The value
of logonHours attribute of new computer object. For computer objects, it is optional, and typically is not set.
You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. You will see the <value not set> value for newly created computer accounts in event 4741.
DNS Host Name [Type = UnicodeString]: name of computer account as registered in DNS. The value of
dNSHostName attribute of new computer object. For manually created computer account objects this field
has value “-”.
Service Principal Names [Type = UnicodeString]: The list of SPNs, registered for computer account. For
new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of
servicePrincipalName attribute of new computer object. For manually created computer objects it
typically equals “-”. This is an example of the Service Principal Names field for a new domain-joined
workstation:
HOST/Win81.contoso.local
RestrictedKrbHost/Win81.contoso.local
HOST/WIN81
RestrictedKrbHost/WIN81
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for example,
SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full
list of user privileges in the table below:
Privilege Name | User Right Group Policy Name | Description
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
If your information security monitoring policy requires you to monitor computer account creation, monitor
this event.
Consider whether to track the following fields and values:
Field and value to track | Reason to track
SAM Account Name: empty or - | This field must contain the computer account name. If it is empty or -, it might indicate an anomaly.
Display Name is not -; User Principal Name is not -; Home Directory is not -; Home Drive is not -; Script Path is not -; Profile Path is not -; User Workstations is not -; AllowedToDelegateTo is not - | Typically these fields are - for new computer accounts. Other values might indicate an anomaly and should be monitored.
Password Last Set is <never> | This typically means this is a manually created computer account, which you might need to monitor.
Account Expires is not <never> | Typically this field is <never> for new computer accounts. Other values might indicate an anomaly and should be monitored.
Primary Group ID is any value other than 515 | Typically, the Primary Group ID value is one of the following: 516 for domain controllers; 521 for read only domain controllers (RODCs); 515 for servers and workstations (domain computers). If the Primary Group ID is 516 or 521, it is a new domain controller or RODC, and the event should be monitored. If the value is not 516, 521, or 515, it is not a typical value and should be monitored.
Old UAC Value is not 0x0 | Typically this field is 0x0 for new computer accounts. Other values might indicate an anomaly and should be monitored.
SID History is not - | This field will always be set to - unless the account was migrated from another domain.
Logon Hours value other than <value not set> | This should always be <value not set> for new computer accounts.
User Account Control flag to track | Information about the flag
'Encrypted Text Password Allowed' – Enabled | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers.
'Server Trust Account' – Enabled | Should be enabled only for domain controllers.
'Don't Expire Password' – Enabled | Should not be enabled for new computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers.
'Smartcard Required' – Enabled | Should not be enabled for new computer accounts.
'Trusted For Delegation' – Enabled | Should not be enabled for new member servers and workstations. It is enabled by default for new domain controllers.
'Not Delegated' – Enabled | Should not be enabled for new computer accounts.
'Use DES Key Only' – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.
'Don't Require Preauth' – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.
'Trusted To Authenticate For Delegation' – Enabled | Should not be enabled for new computer accounts by default.
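Added example, not code from the page: parse the 4741 Event XML shown above and apply the field checks from the table to it. The embedded event is the page's own sample, trimmed to the fields the checks use, plus a constructed variant; the placeholder strings %%1794 and %%1793 are mapped to <never> and <value not set>, as inferred from the page's field descriptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Placeholder strings seen in the page's sample event (mapping inferred from the
# page's field descriptions: Account Expires shows <never>, Logon Hours <value not set>).
PLACEHOLDERS = {"%%1794": "<never>", "%%1793": "<value not set>"}

# Attributes the page says are typically "-" for new computer accounts.
OPTIONAL_ATTRS = ["DisplayName", "UserPrincipalName", "HomeDirectory", "HomePath",
                  "ScriptPath", "ProfilePath", "UserWorkstations", "AllowedToDelegateTo"]

# The page's sample 4741 event, trimmed to the fields used below.
SAMPLE_4741 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4741</EventID>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">WIN81$</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SamAccountName">WIN81$</Data>
    <Data Name="DisplayName">-</Data>
    <Data Name="UserPrincipalName">-</Data>
    <Data Name="HomeDirectory">-</Data>
    <Data Name="HomePath">-</Data>
    <Data Name="ScriptPath">-</Data>
    <Data Name="ProfilePath">-</Data>
    <Data Name="UserWorkstations">-</Data>
    <Data Name="PasswordLastSet">8/12/2015 11:41:39 AM</Data>
    <Data Name="AccountExpires">%%1794</Data>
    <Data Name="PrimaryGroupId">515</Data>
    <Data Name="AllowedToDelegateTo">-</Data>
    <Data Name="OldUacValue">0x0</Data>
    <Data Name="NewUacValue">0x80</Data>
    <Data Name="SidHistory">-</Data>
    <Data Name="LogonHours">%%1793</Data>
  </EventData>
</Event>"""

# Constructed variant: a manually created account whose primary group is Domain
# Controllers and which has a delegation target set (assumes %%1794 for <never>).
SAMPLE_4741_MANUAL_DC = (
    SAMPLE_4741
    .replace('<Data Name="PasswordLastSet">8/12/2015 11:41:39 AM', '<Data Name="PasswordLastSet">%%1794')
    .replace('<Data Name="PrimaryGroupId">515', '<Data Name="PrimaryGroupId">516')
    .replace('<Data Name="AllowedToDelegateTo">-', '<Data Name="AllowedToDelegateTo">HOST/FS01.contoso.local')
)


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) with placeholders rendered."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {}
    for d in root.find("e:EventData", NS):
        data[d.get("Name")] = PLACEHOLDERS.get(d.text, d.text)
    return event_id, data


def check_4741(data):
    """Apply the page's 'field and value to track' rules; return human-readable findings."""
    findings = []
    if data.get("SamAccountName") in (None, "", "-"):
        findings.append("SAM Account Name is empty")
    for attr in OPTIONAL_ATTRS:
        if data.get(attr, "-") != "-":
            findings.append(f"{attr} is set")
    if data.get("PasswordLastSet") == "<never>":
        findings.append("manually created computer account (Password Last Set is <never>)")
    if data.get("AccountExpires") != "<never>":
        findings.append("Account Expires is set")
    pgid = data.get("PrimaryGroupId")
    if pgid in ("516", "521"):
        findings.append(f"new domain controller or RODC (Primary Group ID {pgid})")
    elif pgid != "515":
        findings.append(f"atypical Primary Group ID {pgid}")
    if data.get("OldUacValue") != "0x0":
        findings.append("Old UAC Value is not 0x0")
    if data.get("SidHistory") != "-":
        findings.append("SID History is present")
    if data.get("LogonHours") != "<value not set>":
        findings.append("Logon Hours is set")
    return findings


def analyze_4741(xml_text):
    """Parse one event and run the checks; refuse anything that is not a 4741."""
    event_id, data = parse_event(xml_text)
    if event_id != 4741:
        raise ValueError(f"expected event 4741, got {event_id}")
    return check_4741(data)


if __name__ == "__main__":
    print(analyze_4741(SAMPLE_4741))
    print(analyze_4741(SAMPLE_4741_MANUAL_DC))
```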
4742(S): A computer account was changed.
8/10/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Computer Account Management
Event Description:
This event generates every time a computer object is changed.
This event generates only on domain controllers.
You might see the same values for Subject\Security ID and Computer Account That Was Changed\Security ID in
this event. This usually happens when you reboot a computer after adding it to the domain (the change takes
effect after the reboot).
For each change, a separate 4742 event will be generated.
Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and
Computers management console in Managed By tab in computer account properties.
You might see this event without any changes inside, that is, where all Changed Attributes appear as “-”. This
usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way
to determine which attribute was changed. For example, this would happen if you change the Description of a
group object using the Active Directory Users and Computers administrative console. Also, if the
discretionary access control list (DACL) is changed, a 4742 event will generate, but all attributes will be “-”.
Important: If you manually change any user-related setting or attribute, for example if you set the
SMARTCARD_REQUIRED flag in userAccountControl for the computer account, then the sAMAccountType of
the computer account will be changed to NORMAL_USER_ACCOUNT and you will get “4738: A user account was
changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user
account. For NORMAL_USER_ACCOUNT you will always get events from Audit User Account Management
subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer
objects.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4742</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13825</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-14T02:35:01.252397000Z" />
<EventRecordID>171754</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="ComputerAccountChange">-</Data>
<Data Name="TargetUserName">WIN81$</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6116</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x2e80c</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">%%1793</Data>
<Data Name="OldUacValue">0x80</Data>
<Data Name="NewUacValue">0x2080</Data>
<Data Name="UserAccountControl">%%2093</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
<Data Name="DnsHostName">-</Data>
<Data Name="ServicePrincipalNames">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change Computer
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Computer Account That Was Changed:
Security ID [Type = SID]: SID of changed computer account. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the computer account that was changed. For example:
WIN81$
Account Domain [Type = UnicodeString]: domain name of changed computer account. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Changed Attributes:
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). If the value of sAMAccountName
attribute of computer object was changed, you will see the new value here. For example: WIN8$.
Display Name [Type = UnicodeString]: it is a name displayed in the address book for a particular account
(typically – user account). This is usually the combination of the user's first name, middle initial, and last
name. For computer objects, it is optional, and typically is not set. You can change this attribute by using
Active Directory Users and Computers, or through a script, for example. If the value of displayName
attribute of computer object was changed, you will see the new value here.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. If the value of
userPrincipalName attribute of computer object was changed, you will see the new value here. For
computer objects, it is optional, and typically is not set. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example.
Home Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and specifies
a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form
\\Server\Share\Directory. If the value of homeDirectory attribute of computer object was changed, you
will see the new value here. For computer objects, it is optional, and typically is not set. You can change this
attribute by using Active Directory Users and Computers, or through a script, for example.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
the homeDirectory attribute of the account. The drive letter must be specified in the form “DRIVE_LETTER:”. For
example – “H:”. If the value of homeDrive attribute of computer object was changed, you will see the new
value here. For computer objects, it is optional, and typically is not set. You can change this attribute by
using Active Directory Users and Computers, or through a script, for example.
Script Path [Type = UnicodeString]: specifies the path of the account’s logon script. If the value of
scriptPath attribute of computer object was changed, you will see the new value here. For computer
objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users
and Computers, or through a script, for example.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null string,
a local absolute path, or a UNC path. If the value of profilePath attribute of computer object was changed,
you will see the new value here. For computer objects, it is optional, and typically is not set. You can change
this attribute by using Active Directory Users and Computers, or through a script, for example.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers
from which the user can logon. Each computer name is separated by a comma. The name of a computer is
the sAMAccountName property of a computer object. If the value of userWorkstations attribute of
computer object was changed, you will see the new value here. For computer objects, it is optional, and
typically is not set. You can change this attribute by using Active Directory Users and Computers, or through
a script, for example.
Password Last Set [Type = UnicodeString]: last time the account’s password was modified. If the value of
pwdLastSet attribute of computer object was changed, you will see the new value here. For example:
8/12/2015 11:41:39 AM. This value will be changed, for example, after manual computer account reset
action or automatically every 30 days by default for computer objects.
Account Expires [Type = UnicodeString]: the date when the account expires. If the value of
accountExpires attribute of computer object was changed, you will see the new value here. For computer
objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users
and Computers, or through a script, for example.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of computer’s object primary group.
Note Relative identifier (RID) is a variable length number that is assigned to objects at creation and
becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a
domain.
This field will contain some value if computer’s object primary group was changed. You can change computer’s
primary group using Active Directory Users and Computers management console in the Member Of tab of
computer object properties. You will see a RID of new primary group as a field value. For example, 515 (Domain
Computers) for workstations, is a default primary group.
Typical Primary Group values for computer accounts:
516 (Domain Controllers) – for domain controllers.
521 (Read-only Domain Controllers) – read-only domain controllers (RODC).
515 (Domain Computers) – servers and workstations.
See this article https://support.microsoft.com/kb/243330 for more information. If the value of
primaryGroupID attribute of computer object was changed, you will see the new value here.
AllowedToDelegateTo [Type = UnicodeString]: the list of SPNs to which this account can present
delegated credentials. Can be changed using Active Directory Users and Computers management console in
Delegation tab of computer account. If the SPNs list on Delegation tab of a computer account was
changed, you will see the new SPNs list in AllowedToDelegateTo field (note that you will see the new list
instead of changes) of this event. This is an example of AllowedToDelegateTo :
dcom/WIN2012
dcom/WIN2012.contoso.local
If the value of msDS-AllowedToDelegateTo attribute of computer object was changed, you will see
the new value here.
The value can be <value not set> , for example, if delegation was disabled.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must
have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients
might use for authentication. For example, an SPN always includes the name of the host computer on which
the service instance is running, so a service instance might register an SPN for each name or alias of its host.
Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user or computer account. This parameter contains the previous value of
userAccountControl attribute of computer object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user or computer account. If the value of userAccountControl attribute
of computer object was changed, you will see the new value here.
To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s
account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the
flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that
event. Subtract the property value from the flags value in the event and note that the flag applies and then go on
to the next flag.
Here's an example: Flags value from event: 0x15
Decoding:
• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE 0x0002
• SCRIPT 0x0001
0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT
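The subtract-from-largest walk just described is easy to get wrong by hand, so here it is as code. This is an added example, not part of the page: it uses only the six flag values listed in the walk-through above (the full “Table 7” is not reproduced on this page, so the table in the code is a subset you would extend from it), reproduces the page's 0x15 result, and adds two things the text does not show: a check that the greedy walk equals plain bit testing, and a `diff_uac` helper that reports which flags were turned on or off between Old UAC Value and New UAC Value. The sample values 0x11 and 0x03 passed to `diff_uac` are constructed for illustration. One caveat the walk-through glosses over: the greedy subtraction only gives the right answer when the table covers every bit in the value, so unknown bits are masked off and reported separately before the walk starts.

```python
"""Decode a userAccountControl flags value the way the 4742 event text
describes: walk the flag table from largest to smallest and, whenever the
remaining value is >= the flag value, record the flag and subtract it."""

# Flag values as listed on this page (the six entries used in the page's
# 0x15 walk-through). This is a subset of "Table 7"; extend it from that
# table. The 0x0004 entry is undeclared: it is consumed but not reported.
UAC_FLAGS = [
    ("PASSWD_NOTREQD", 0x0020),
    ("LOCKOUT", 0x0010),
    ("HOMEDIR_REQUIRED", 0x0008),
    ("(undeclared)", 0x0004),
    ("ACCOUNTDISABLE", 0x0002),
    ("SCRIPT", 0x0001),
]


def decode_uac(flags, table=UAC_FLAGS):
    """Greedy decode, largest flag first. Returns the declared flag names
    that are set, in the order they were peeled off. Bits that no table
    entry covers are reported as UNKNOWN(...) instead of being mis-decoded."""
    known_mask = 0
    for _, value in table:
        known_mask |= value
    unknown = flags & ~known_mask       # bits the (partial) table cannot explain
    remaining = flags & known_mask      # only walk the bits we know about
    found = []
    for name, value in sorted(table, key=lambda f: f[1], reverse=True):
        if remaining >= value:
            remaining -= value
            if name != "(undeclared)":
                found.append(name)
    if unknown:
        found.append("UNKNOWN(0x%x)" % unknown)
    return found


def decode_uac_bitwise(flags, table=UAC_FLAGS):
    """Same result via bit tests: because every table value is a single bit,
    the subtraction walk is equivalent to testing each bit with AND."""
    return [name for name, value in sorted(table, key=lambda f: f[1], reverse=True)
            if flags & value and name != "(undeclared)"]


def diff_uac(old, new, table=UAC_FLAGS):
    """Which flags were turned on / off between Old UAC Value and New UAC Value.
    Constructed helper; the event itself only gives the two raw values."""
    old_set = set(decode_uac(old, table))
    new_set = set(decode_uac(new, table))
    return {"enabled": sorted(new_set - old_set), "disabled": sorted(old_set - new_set)}


if __name__ == "__main__":
    # The page's worked example: 0x15 decodes to LOCKOUT and SCRIPT.
    print(decode_uac(0x15))
    # Constructed values: LOCKOUT+SCRIPT (0x11) became ACCOUNTDISABLE+SCRIPT (0x03).
    print(diff_uac(0x11, 0x03))
```

`decode_uac` and `decode_uac_bitwise` agree for every value once unknown bits are masked; the difference only matters when the table is incomplete, which is exactly the situation on this page.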
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl attribute.
You will see a line of text for each change. See possible values in here: “Table 7. User’s or Computer’s account
UAC flags.”. In the “User Account Control field text” column, you can see text that will be displayed in the User
Account Control field in 4742 event.
User Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and
Computers management console in Dial-in tab of computer’s account properties, then you will see <value
changed, but not displayed> in this field.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of sIDHistory
attribute of computer object was changed, you will see the new value here.
Logon Hours [Type = UnicodeString]: hours that the account is allowed to logon to the domain. If the value
of logonHours attribute of computer object was changed, you will see the new value here. For computer
objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users
and Computers, or through a script, for example.
DNS Host Name [Type = UnicodeString]: name of computer account as registered in DNS. If the value of
dNSHostName attribute of computer object was changed, you will see the new value here.
Service Principal Names [Type = UnicodeString]: The list of SPNs, registered for computer account. If the
SPN list of a computer account changed, you will see the new SPN list in Service Principal Names field
(note that you will see the new list instead of changes). If the value of servicePrincipalName attribute of
computer object was changed, you will see the new value here.
Here is an example of Service Principal Names field for new domain joined workstation in event 4742 on
domain controller, after workstation reboots:
HOST/Win81.contoso.local
RestrictedKrbHost/Win81.contoso.local
HOST/WIN81
RestrictedKrbHost/WIN81
TERMSRV/Win81.contoso.local
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Security Monitoring Recommendations
For 4742(S): A computer account was changed.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical domain computer accounts (database servers, domain controllers, administration
workstations, and so on) for which you need to monitor each change, monitor this event with the
“Computer Account That Was Changed\Security ID” that corresponds to the high-value account or
accounts.
If you have computer accounts for which any change in the services list on the Delegation tab should be
monitored, monitor this event when AllowedToDelegateTo is not -. This value means the services list was
changed.
Consider whether to track the following fields and values:
Field and value to track | Reason to track
Display Name is not -; User Principal Name is not -; Home Directory is not -; Home Drive is not -; Script Path is not -; Profile Path is not -; User Workstations is not -; Account Expires is not -; Logon Hours is not - | Typically these fields are - for computer accounts. Other values might indicate an anomaly and should be monitored.
Password Last Set changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack.
Primary Group ID is not 516, 521, or 515 | Typically, the Primary Group ID value is one of the following: 516 for domain controllers; 521 for read-only domain controllers (RODCs); 515 for servers and workstations (domain computers). Other values should be monitored.
For computer accounts for which the services list (on the Delegation tab) should not be empty: AllowedToDelegateTo is marked <value not set> | If AllowedToDelegateTo is marked <value not set> on computers that previously had a services list (on the Delegation tab), it means the list was cleared.
SID History is not - | This field will always be set to - unless the account was migrated from another domain.

User Account Control flag to track | Information about the flag
'Password Not Required' – Enabled | Should not be set for computer accounts. Computer accounts typically require a password by default, except manually created computer objects.
'Encrypted Text Password Allowed' – Enabled | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers.
'Server Trust Account' – Enabled | Should be enabled only for domain controllers.
'Server Trust Account' – Disabled | Should not be disabled for domain controllers.
'Don't Expire Password' – Enabled | Should not be enabled for computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers.
'Smartcard Required' – Enabled | Should not be enabled for computer accounts.
'Trusted For Delegation' – Enabled | Means that Kerberos constrained or unconstrained delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
'Trusted For Delegation' – Disabled | Means that Kerberos constrained or unconstrained delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts.
'Trusted To Authenticate For Delegation' – Enabled | Means that Protocol Transition delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
'Trusted To Authenticate For Delegation' – Disabled | Means that Protocol Transition delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts.
'Use DES Key Only' – Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.
'Don't Require Preauth' – Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.
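The recommendations above can be applied mechanically to the EventData of a 4742 event. The following Python is an added example, not Microsoft's code: it parses one event (a constructed one modelled on the XML shown earlier on this page, with the AllowedToDelegateTo value and the UserAccountControl text changed so that the checks have something to fire on) and returns which recommendations match. The Data Name values follow the page's event XML (note that HomePath carries the Home Drive field); the critical-SID watchlist, the finding labels and the exact UserAccountControl text strings are assumptions of this example, so confirm the latter against real events from your own domain controllers before relying on them.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed 4742 event, modelled on the one shown on this page. The SPN in
# AllowedToDelegateTo and the UserAccountControl text differ from the page's
# sample so that the checks below have something to report.
SAMPLE_4742 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4742</EventID>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">WIN81$</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6116</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="DisplayName">-</Data>
    <Data Name="UserPrincipalName">-</Data>
    <Data Name="HomeDirectory">-</Data>
    <Data Name="HomePath">-</Data>
    <Data Name="ScriptPath">-</Data>
    <Data Name="ProfilePath">-</Data>
    <Data Name="UserWorkstations">-</Data>
    <Data Name="AccountExpires">-</Data>
    <Data Name="PrimaryGroupId">-</Data>
    <Data Name="AllowedToDelegateTo">dcom/WIN2012</Data>
    <Data Name="OldUacValue">0x80</Data>
    <Data Name="NewUacValue">0x2080</Data>
    <Data Name="UserAccountControl">'Trusted For Delegation' - Enabled</Data>
    <Data Name="SidHistory">-</Data>
    <Data Name="LogonHours">-</Data>
  </EventData>
</Event>"""

# Attributes that are normally "-" for computer accounts (first table above).
# Data names follow the event XML on this page; HomePath is the Home Drive field.
USUALLY_UNSET = ["DisplayName", "UserPrincipalName", "HomeDirectory", "HomePath",
                 "ScriptPath", "ProfilePath", "UserWorkstations", "AccountExpires",
                 "LogonHours"]
EXPECTED_PRIMARY_GROUPS = {"515", "516", "521"}
# UserAccountControl text values the second table says to watch for computer
# accounts. Assumed spelling; verify against a live event before deploying.
WATCHED_UAC_TEXT = {
    "'Password Not Required' - Enabled",
    "'Encrypted Text Password Allowed' - Enabled",
    "'Don't Expire Password' - Enabled",
    "'Smartcard Required' - Enabled",
    "'Trusted For Delegation' - Enabled",
    "'Trusted For Delegation' - Disabled",
    "'Trusted To Authenticate For Delegation' - Enabled",
    "'Trusted To Authenticate For Delegation' - Disabled",
    "'Use DES Key Only' - Enabled",
    "'Don't Require Preauth' - Enabled",
}


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Security event XML blob."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def review_4742(xml_text, critical_sids=frozenset()):
    """Apply the page's monitoring recommendations to one 4742 event.
    Returns a list of (check, detail) findings; an empty list means nothing to flag."""
    event_id, d = parse_event(xml_text)
    if event_id != "4742":
        return []
    findings = []
    # Any change to a high-value computer account is worth a look.
    if d.get("TargetSid") in critical_sids:
        findings.append(("critical-account-changed", d.get("TargetUserName")))
    # A value other than "-" means the Delegation-tab services list changed.
    if d.get("AllowedToDelegateTo", "-") != "-":
        findings.append(("delegation-list-changed", d["AllowedToDelegateTo"]))
    for name in USUALLY_UNSET:
        if d.get(name, "-") != "-":
            findings.append(("unexpected-attribute", f"{name}={d[name]}"))
    pg = d.get("PrimaryGroupId", "-")
    if pg != "-" and pg not in EXPECTED_PRIMARY_GROUPS:
        findings.append(("unusual-primary-group", pg))
    if d.get("SidHistory", "-") != "-":
        findings.append(("sid-history-set", d["SidHistory"]))
    # The UserAccountControl text field carries one line per flag change.
    for line in d.get("UserAccountControl", "").splitlines():
        line = line.strip()
        if line in WATCHED_UAC_TEXT:
            findings.append(("uac-flag", line))
    return findings


if __name__ == "__main__":
    watchlist = {"S-1-5-21-3457937927-2839227994-823803824-6116"}  # constructed
    for check, detail in review_4742(SAMPLE_4742, watchlist):
        print(check, detail)
```

Run against the constructed event with WIN81$ on the watchlist, this reports the critical-account change, the new delegation list, and the 'Trusted For Delegation' flag; without the watchlist only the last two remain. The Password Last Set frequency recommendation needs state across events and is deliberately not part of this single-event check.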
4743(S): A computer account was deleted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Computer Account Management
Event Description:
This event generates every time a computer object is deleted.
This event generates only on domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4743</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13825</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-14T15:57:08.104214100Z" />
<EventRecordID>172103</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">COMPUTERACCOUNT$</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6118</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete Computer
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Computer:
Security ID [Type = SID]: SID of deleted computer account. Event Viewer automatically tries to resolve SIDs
and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the computer account that was deleted. For example:
WIN81$
Account Domain [Type = UnicodeString]: domain name of deleted computer account. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for example,
SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full
list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical domain computer accounts (database servers, domain controllers, administration
workstations, and so on) for which you need to monitor each action (especially deletion), monitor this event with
the “Target Computer\Security ID” or “Target Computer\Account Name” that corresponds to the high-
value account or accounts.
Audit Distribution Group Management
12/23/2019
Applies to
Windows 10
Windows Server 2016
Audit Distribution Group Management determines whether the operating system generates audit events for
specific distribution-group management tasks.
This subcategory generates events only on domain controllers.
Event volume: Low on domain controllers.
This subcategory allows you to audit events generated by changes to distribution groups such as the following:
Distribution group is created, changed, or deleted.
Member is added or removed from a distribution group.
If you need to monitor for group type changes, you need to monitor for “4764: A group’s type was changed.” “Audit
Security Group Management” subcategory success auditing must be enabled.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | IF | No | IF | No | IF - Typically, actions related to distribution groups have low security relevance. It is much more important to monitor Security Group changes. However, if you want to monitor for critical distribution group changes, such as a member being added to an internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing. Typically, volume of these events is low on domain controllers. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Events List:
4749(S): A security-disabled global group was created.
4750(S): A security-disabled global group was changed.
4751(S): A member was added to a security-disabled global group.
4752(S): A member was removed from a security-disabled global group.
4753(S): A security-disabled global group was deleted.
4759(S): A security-disabled universal group was created. See event 4749: A security-disabled global group
was created. Event 4759 is the same, except it is generated for a universal distribution group instead of a
global distribution group. All event fields, XML, and recommendations are the same. The type of group is
the only difference.
4760(S): A security-disabled universal group was changed. See event 4750: A security-disabled global
group was changed. Event 4760 is the same, except it is generated for a universal distribution group
instead of a global distribution group. All event fields, XML, and recommendations are the same. The type
of group is the only difference.
4761(S): A member was added to a security-disabled universal group. See event 4751: A member was
added to a security-disabled global group. Event 4761 is the same, except it is generated for a universal
distribution group instead of a global distribution group. All event fields, XML, and recommendations are
the same. The type of group is the only difference.
4762(S): A member was removed from a security-disabled universal group. See event 4752: A member was
removed from a security-disabled global group. Event 4762 is the same, except it is generated for a
universal distribution group instead of a global distribution group. All event fields, XML, and
recommendations are the same. The type of group is the only difference.
4763(S): A security-disabled universal group was deleted. See event 4753: A security-disabled global group
was deleted. Event 4763 is the same, except it is generated for a universal distribution group instead of a
global distribution group. All event fields, XML, and recommendations are the same. The type of group is
the only difference.
4744(S): A security-disabled local group was created. See event 4749: A security-disabled global group was
created. Event 4744 is the same, except it is generated for a local distribution group instead of a global
distribution group. All event fields, XML, and recommendations are the same. The type of group is the only
difference.
4745(S): A security-disabled local group was changed. See event 4750: A security-disabled global group
was changed. Event 4745 is the same, except it is generated for a local distribution group instead of a
global distribution group. All event fields, XML, and recommendations are the same. The type of group is
the only difference.
4746(S): A member was added to a security-disabled local group. See event 4751: A member was added to
a security-disabled global group. Event 4746 is the same, except it is generated for a local distribution
group instead of a global distribution group. All event fields, XML, and recommendations are the same. The
type of group is the only difference.
4747(S): A member was removed from a security-disabled local group. See event 4752: A member was
removed from a security-disabled global group. Event 4747 is the same, except it is generated for a local
distribution group instead of a global distribution group. All event fields, XML, and recommendations are
the same. The type of group is the only difference.
4748(S): A security-disabled local group was deleted. See event 4753: A security-disabled global group was
deleted. Event 4748 is the same, except it is generated for a local distribution group instead of a global
distribution group. All event fields, XML, and recommendations are the same. The type of group is the only
difference.
4749(S): A security-disabled global group was created.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a new security-disabled (distribution) global group is created.
This event generates only on domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4749</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-14T16:16:35.568878700Z" />
<EventRecordID>172181</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">ServiceDesk</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">ServiceDesk</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of created group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was created. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of created group. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Attributes:
SAM Account Name [Type = UnicodeString]: This is a name of new group used to support clients and
servers from previous versions of Windows (pre-Windows 2000 logon name). The value of
sAMAccountName attribute of new group object. For example: ServiceDesk
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the
value of sIDHistory attribute of new group object. This parameter might not be captured in the event, and
in that case appears as “-”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor each time a new distribution group is created, to see who created the group and
when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
4750(S): A security-disabled global group was changed.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a security-disabled (distribution) global group is changed.
This event generates only on domain controllers.
Some changes do not invoke a 4750 event, for example, changes made using the Active Directory Users and
Computers management console in the Managed By tab of the group account properties.
If you change the name of the group (SAM Account Name), you also get “4781: The name of an account was
changed” if “Audit User Account Management” subcategory success auditing is enabled.
If you change the group type, you get a change event from the new group type auditing subcategory instead of
4750. If you need to monitor for group type changes, it is better to monitor for “4764: A group’s type was
changed.” These events are generated for any group type when group type is changed. “Audit Security Group
Management” subcategory success auditing must be enabled.
From the 4750 event you can get information about changes to the sAMAccountName and sIDHistory attributes;
for any other attribute you will see that something changed, but will not be able to see what exactly changed.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4750</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-14T16:38:37.902710700Z" />
<EventRecordID>172188</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">ServiceDeskMain</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">ServiceDeskMain</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of changed group. Event Viewer automatically tries to resolve SIDs and show the
group name. If the SID cannot be resolved, you will see the source data in the event.
Note Sometimes you can see that the Group\Security ID field contains an old group name in Event Viewer (as you can see in the event example). That happens because Event Viewer caches names for SIDs that it has already resolved for the current session.
Note The Security ID field has the same value as the new group name (Changed Attributes\SAM Account Name). That happens because the event is generated after the name was changed, so the SID resolves to the new name. It is always better to use the SID instead of group names for queries or filtering of events, because then you know for sure that this is the right object you are looking for or want to monitor.
Group Name [Type = UnicodeString]: the name of the group that was changed. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of changed group. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Changed Attributes:
SAM Account Name [Type = UnicodeString]: the new name of the changed group, used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of the sAMAccountName attribute of the group object was changed, you will see the new value here. For example: ServiceDesk.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of the sIDHistory attribute of the group object was changed, you will see the new value here.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical distribution groups in the organization, and need to specifically monitor these
groups for any change, monitor events with the “Group\Group Name” values that correspond to the
critical distribution groups.
If you need to monitor each time a member is added to a distribution group, to see who added the member
and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if
needed.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
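The Changed Attributes fields and the two Security ID notes above translate directly into a small detection routine. The following Python is an added example for this page, not Microsoft's code: it parses a 4750 event (a constructed sample modelled on the one shown above), reports which of the two audited attributes actually carried a value, and applies the recommendations, matching critical groups on TargetSid rather than on the group name. NAME_PATTERN and the critical-group SID set passed to evaluate_4750() are placeholder policy values, not anything the page defines.

```python
"""Parse a 4750 event and apply this page's monitoring recommendations.

Added example for this page, not Microsoft's code. NAME_PATTERN and the
critical-group SID set passed to evaluate_4750() are placeholder policy values.
"""
import re
import xml.etree.ElementTree as ET

NS = {"ev": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Placeholder naming convention: a letter, then 2-63 letters, digits or hyphens.
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z0-9-]{2,63}$")

# Constructed sample, modelled on the 4750 event shown above: the group's
# sAMAccountName changed to ServiceDeskMain; sIDHistory was not captured ("-").
SAMPLE_4750 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4750</EventID>
    <TimeCreated SystemTime="2015-08-14T16:38:37.902710700Z" />
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">ServiceDeskMain</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3007b</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="SamAccountName">ServiceDeskMain</Data>
    <Data Name="SidHistory">-</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten one Security-channel event: a few System fields plus every EventData/Data value."""
    root = ET.fromstring(xml_text)
    fields = {
        "EventID": root.findtext("ev:System/ev:EventID", namespaces=NS),
        "Computer": root.findtext("ev:System/ev:Computer", namespaces=NS),
        "TimeCreated": root.find("ev:System/ev:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.findall("ev:EventData/ev:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def changed_attributes(fields):
    """Return the Changed Attributes that carry a value; "-" means the attribute was not captured."""
    return {k: fields[k] for k in ("SamAccountName", "SidHistory") if fields.get(k, "-") != "-"}


def evaluate_4750(fields, critical_group_sids, name_pattern=NAME_PATTERN):
    """Findings for one 4750 event as a list of strings; an empty list means nothing to flag."""
    if fields.get("EventID") != "4750":
        return []
    findings = []
    # Match critical groups on the SID, not the name: the name is the attribute that may
    # have just changed, and Event Viewer can show a cached (old) name for the SID.
    if fields.get("TargetSid") in critical_group_sids:
        findings.append("critical distribution group changed: %s" % fields["TargetSid"])
    changed = changed_attributes(fields)
    new_name = changed.get("SamAccountName")
    if new_name and not name_pattern.match(new_name):
        findings.append("new SAM Account Name violates naming convention: %r" % new_name)
    if "SidHistory" in changed:
        findings.append("sIDHistory of group changed (review): %s" % changed["SidHistory"])
    if not changed:
        findings.append("group changed but no audited attribute captured; inspect the object directly")
    return findings
```

Feed parse_event() the XML of each 4750 event (Event Viewer's "XML view" or the output of an event-forwarding pipeline) and keep the critical-group set as SIDs: a group rename, which is exactly what 4750 reports, would otherwise silently drop the group out of a name-based watch list.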
4751(S): A member was added to a security-disabled global group.
6/6/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a new member is added to a security-disabled (distribution) global group.
This event generates only on domain controllers.
For every added member you will get a separate 4751 event.
You will typically see a “4750: A security-disabled global group was changed.” event, without any changes in it, prior to the 4751 event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4751</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-15T00:01:10.821144700Z" />
<EventRecordID>172221</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>
<Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="TargetUserName">ServiceDeskSecond</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “add member to the
group” operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of
this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that
might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of account that was added to the group. Event Viewer automatically tries to
resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the
event.
Account Name [Type = UnicodeString]: distinguished name of account that was added to the group. For
example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some well-known security principals, such as
LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Group:
Security ID [Type = SID]: SID of the group to which new member was added. Event Viewer automatically
tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in
the event.
Group Name [Type = UnicodeString]: the name of the group to which new member was added. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of the group to which new member was added.
Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Security Monitoring Recommendations:
Addition of members to distribution groups: You might need to monitor the addition of members to distribution groups.
Recommendation: If you need to monitor each time a member is added to a distribution group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
High-value distribution groups: You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes).
Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value distribution groups.
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
4752(S): A member was removed from a security-disabled global group.
6/6/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a member is removed from a security-disabled (distribution) global group.
This event generates only on domain controllers.
For every removed member you will get a separate 4752 event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4752</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-15T00:20:57.315863900Z" />
<EventRecordID>172229</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>
<Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="TargetUserName">ServiceDeskSecond</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “remove member from
the group” operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of account that was removed from the group. Event Viewer automatically
tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in
the event.
Account Name [Type = UnicodeString]: distinguished name of account that was removed from the group.
For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some well-known security principals, such
as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Group:
Security ID [Type = SID]: SID of the group from which the member was removed. Event Viewer
automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the
source data in the event.
Group Name [Type = UnicodeString]: the name of the group from which the member was removed. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of the group from which the member was removed.
Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Security Monitoring Recommendations:
Removal of members from distribution groups: You might need to monitor the removal of members from distribution groups.
Recommendation: If you need to monitor each time a member is removed from a distribution group, to see who removed the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
High-value distribution groups: You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes).
Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value distribution groups.
Distribution groups with required members: You might need to ensure that for certain distribution groups, particular members are never removed.
Recommendation: Monitor this event with the “Group\Group Name” that corresponds to the group of interest, and the “Member\Security ID” of the members who should not be removed.
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
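The recommendation tables for 4751 and 4752, together with the DN note under Member\Account Name in both events, can be turned into rules. The following Python is an added example for this page, not Microsoft's code: it takes the flattened EventData of one event, as a SIEM or a small XML extractor would produce it, splits the member's distinguished name into RDNs (honouring backslash-escaped commas) to derive the member's domain, and evaluates the table's monitoring categories: high-value groups, required members (4752 only), high-value and non-active accounts, the subject whitelist, external subject and member domains, working hours and the subject naming convention. POLICY, the two field dicts, and the SIDs ending in -500, -1201 and -1500 are constructed placeholders.

```python
"""Monitoring rules for 4751 (member added) / 4752 (member removed) events.

Added example for this page, not Microsoft's code. Each event is a dict of its
EventData values (names as in the page's Event XML) plus EventID, Computer and
TimeCreated from the System element. POLICY holds placeholder values (assumptions).
"""
import re

GROUP = "S-1-5-21-3457937927-2839227994-823803824-6119"   # the page's ServiceDeskSecond group
POLICY = {
    "high_value_groups": {GROUP},                                  # Group\Security ID
    "required_members": {GROUP: {"S-1-5-21-3457937927-2839227994-823803824-2104"}},  # 4752 only
    "high_value_accounts": {"S-1-5-21-3457937927-2839227994-823803824-500"},  # placeholder admin
    "never_used": set(),                                           # disabled, guest, dormant
    "allowed_subjects": {"S-1-5-21-3457937927-2839227994-823803824-1104"},    # whitelist
    "internal_domains": {"CONTOSO", "CONTOSO.LOCAL"},              # NetBIOS and DNS, upper-case
    "working_hours_utc": (8, 18),                                  # TimeCreated is UTC ('Z')
    "subject_name_pattern": re.compile(r"^[a-z]{2,20}$"),          # placeholder convention
}


def parse_dn(dn):
    """Split a distinguished name into (attribute, value) RDNs.

    A backslash escapes the next character, so 'CN=Smith\\, John' stays one RDN
    (the multi-valued '+' form is not handled here).
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if dn[i] == ",":                        # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    return [(a.strip().upper(), v.strip()) for a, _, v in (r.partition("=") for r in rdns)]


def domain_from_dn(dn):
    """'CN=Auditor,CN=Users,DC=contoso,DC=local' -> 'contoso.local'; '' when there are no DC parts."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def event_hour_utc(timestamp):
    """Hour of a SystemTime such as '2015-08-15T00:01:10.821144700Z'; -1 if malformed."""
    return int(timestamp[11:13]) if len(timestamp) >= 13 and timestamp[11:13].isdigit() else -1


def evaluate_membership_event(f, policy=POLICY):
    """Return the findings the recommendation table raises for one event (empty list = nothing)."""
    eid = f.get("EventID")
    if eid not in ("4751", "4752"):
        return []
    verb = "added to" if eid == "4751" else "removed from"
    subj, member, group = f.get("SubjectUserSid", ""), f.get("MemberSid", ""), f.get("TargetSid", "")
    findings = []
    if group in policy["high_value_groups"]:
        findings.append(f"member {verb} high-value group {f.get('TargetUserName')}")
    if eid == "4752" and member in policy["required_members"].get(group, set()):
        findings.append("required member removed from group")
    if {subj, member} & policy["high_value_accounts"]:
        findings.append("high-value account involved")
    if {subj, member} & policy["never_used"]:
        findings.append("non-active account involved")
    if policy["allowed_subjects"] and subj not in policy["allowed_subjects"]:
        findings.append("subject not on whitelist")
    if f.get("SubjectDomainName", "").upper() not in policy["internal_domains"]:
        findings.append("subject from external domain")
    member_domain = domain_from_dn(f.get("MemberName", "-")).upper()   # "-" for well-known principals
    if member_domain and member_domain not in policy["internal_domains"]:
        findings.append(f"member from external domain {member_domain}")
    start, end = policy["working_hours_utc"]
    if not start <= event_hour_utc(f.get("TimeCreated", "")) < end:
        findings.append("outside working hours (UTC)")
    if not policy["subject_name_pattern"].match(f.get("SubjectUserName", "")):
        findings.append("subject name violates naming convention")
    return findings


# Constructed field dicts, modelled on the page's 4751/4752 samples.
EVENT_4751 = {
    "EventID": "4751", "Computer": "DC01.contoso.local",
    "TimeCreated": "2015-08-15T00:01:10.821144700Z",
    "MemberName": "CN=Auditor,CN=Users,DC=contoso,DC=local",
    "MemberSid": "S-1-5-21-3457937927-2839227994-823803824-2104",
    "TargetUserName": "ServiceDeskSecond", "TargetDomainName": "CONTOSO", "TargetSid": GROUP,
    "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
    "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO",
    "SubjectLogonId": "0x3007b", "PrivilegeList": "-",
}
# A removal performed by an account from another domain; the member's RDN has an escaped comma.
EVENT_4752_EXT = dict(
    EVENT_4751, EventID="4752", TimeCreated="2015-08-15T10:20:57.315863900Z",
    MemberName="CN=Smith\\, John,OU=Ext,DC=fabrikam,DC=local",
    MemberSid="S-1-5-21-111111111-222222222-333333333-1201",
    SubjectUserSid="S-1-5-21-111111111-222222222-333333333-1500",
    SubjectUserName="jsmith", SubjectDomainName="FABRIKAM",
)
```

All identity-based rules key on SIDs (Subject\Security ID, Member\Security ID, Group\Security ID) rather than on names, for the reason the 4750 notes give; the domain rules use the two fields the table names, Subject\Account Domain and the DC components of Member\Account Name, because a member from a trusted foreign domain shows up in the DN even when the subject is local.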
4753(S): A security-disabled global group was deleted.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a security-disabled (distribution) global group is deleted.
This event generates only on domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4753</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-15T00:59:33.621155200Z" />
<EventRecordID>172230</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1504" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">ServiceDeskSecond</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of deleted group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was deleted. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain name of deleted group. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical distribution groups in the organization, and need to specifically monitor these
groups for any change, especially group deletion, monitor events with the “Group\Group Name” values
that correspond to the critical distribution groups.
If you need to monitor each time a distribution group is deleted, to see who deleted it and when, monitor
this event. Typically, this event is used as an informational event, to be reviewed if needed.
Audit Other Account Management Events
1/3/2020 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Other Account Management Events determines whether the operating system generates user account
management audit events.
Event volume: Typically Low on all types of computers.
This subcategory allows you to audit the following events:
The password hash of a user account was accessed. This happens during an Active Directory Management
Tool password migration.
The Password Policy Checking API was called. Password Policy Checking API allows an application to check
password compliance against an application-provided account database or single account and verify that
passwords meet the complexity, aging, minimum length, and history reuse requirements of a password
policy.
Events List:
4782(S): The password hash of an account was accessed.
4793(S): The Password Policy Checking API was called.
4782(S): The password hash of an account was accessed.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Account Management Events
Event Description:
This event generates on domain controllers during password migration of an account using the Active Directory Migration Toolkit.
Typically “Subject\Security ID” is the SYSTEM account.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4782</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13829</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T21:23:46.435367800Z" />
<EventRecordID>174829</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="1232" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">Andrei</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the hash migration operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For ANONYMOUS LOGON you will see NT AUTHORITY value for this field.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Account Name [Type = UnicodeString]: the name of the account for which the password hash was
migrated. For example: ServiceDesk
User account example: Andrei
Computer account example: DC01$
Account Domain [Type = UnicodeString]: domain name of the account for which the password hash was
migrated. Formats vary, and include the following:
Domain NETBIOS name example: FABRIKAM
Lowercase full domain name: fabrikam.local
Uppercase full domain name: FABRIKAM.LOCAL
4793(S): The Password Policy Checking API was called.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Account Management Events
Event Description:
This event generates each time the Password Policy Checking API is called.
The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
This event generates, for example, during the Directory Services Restore Mode (DSRM) account password reset procedure, to check the new DSRM password.
This event generates on the computer where the Password Policy Checking API was called.
Note that starting with Microsoft SQL Server 2005, the “SQL Server password policy” feature can generate many
4793 events on a SQL Server.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4793</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13829</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T02:37:46.322424300Z" />
<EventRecordID>172342</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="2964" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36f67</Data>
<Data Name="Workstation">DC01</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested Password Policy Checking
API operation.
Account Domain [Type = UnicodeString]: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Additional Information:
Caller Workstation [Type = UnicodeString]: name of the computer from which the Password Policy
Checking API was called. Typically, this is the same computer where this event was generated, for example,
DC01. Computer name here does not contain $ symbol at the end. It also can be an IP address or the DNS
name of the computer.
Provided Account Name (unauthenticated) [Type = UnicodeString]: the name of account, which
password was provided/requested for validation. This parameter might not be captured in the event, and in
that case appears as “-”.
Status Code [Type = HexInt32]: typically has the value “0x0”. The status code is “0x0” whether or not the
password meets the domain password policy.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when Password Policy Checking
APIs were invoked, and who invoked them. The Provided Account Name does not always have a value—
sometimes it’s not really possible to determine for which account the password policy check was performed.
Audit Security Group Management
12/20/2019 • 5 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Security Group Management determines whether the operating system generates audit events when
specific security group management tasks are performed.
Event volume: Low.
This subcategory allows you to audit events generated by changes to security groups such as the following:
Security group is created, changed, or deleted.
Member is added or removed from a security group.
Group type is changed.
IMPORTANT
Event 4727(S) generates only for domain groups, so the Local sections in event 4731 do not apply.
4737(S): A security-enabled global group was changed. See event 4735: A security-enabled local group
was changed. Event 4737 is the same, but it is generated for a global security group instead of a local
security group. All event fields, XML, and recommendations are the same. The type of group is the only
difference.
IMPORTANT
Event 4737(S) generates only for domain groups, so the Local sections in event 4735 do not apply.
4728(S): A member was added to a security-enabled global group. See event 4732: A member was added
to a security-enabled local group. Event 4728 is the same, but it is generated for a global security group
instead of a local security group. All event fields, XML, and recommendations are the same. The type of
group is the only difference.
IMPORTANT
Event 4728(S) generates only for domain groups, so the Local sections in event 4732 do not apply.
4729(S): A member was removed from a security-enabled global group. See event 4733: A member was
removed from a security-enabled local group. Event 4729 is the same, but it is generated for a global
security group instead of a local security group. All event fields, XML, and recommendations are the same.
The type of group is the only difference.
IMPORTANT
Event 4729(S) generates only for domain groups, so the Local sections in event 4733 do not apply.
4730(S): A security-enabled global group was deleted. See event 4734: A security-enabled local group was
deleted. Event 4730 is the same, but it is generated for a global security group instead of a local security
group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
IMPORTANT
Event 4730(S) generates only for domain groups, so the Local sections in event 4734 do not apply.
4754(S): A security-enabled universal group was created. See event 4731: A security-enabled local group
was created. Event 4754 is the same, but it is generated for a universal security group instead of a local
security group. All event fields, XML, and recommendations are the same. The type of group is the only
difference.
IMPORTANT
Event 4754(S) generates only for domain groups, so the Local sections in event 4731 do not apply.
4755(S): A security-enabled universal group was changed. See event 4735: A security-enabled local group
was changed. Event 4755 is the same, but it is generated for a universal security group instead of a local
security group. All event fields, XML, and recommendations are the same. The type of group is the only
difference.
IMPORTANT
Event 4755(S) generates only for domain groups, so the Local sections in event 4735 do not apply.
4756(S): A member was added to a security-enabled universal group. See event 4732: A member was
added to a security-enabled local group. Event 4756 is the same, but it is generated for a universal
security group instead of a local security group. All event fields, XML, and recommendations are the same.
The type of group is the only difference.
IMPORTANT
Event 4756(S) generates only for domain groups, so the Local sections in event 4732 do not apply.
4757(S): A member was removed from a security-enabled universal group. See event 4733: A member was
removed from a security-enabled local group. Event 4757 is the same, but it is generated for a universal
security group instead of a local security group. All event fields, XML, and recommendations are the same.
The type of group is the only difference.
IMPORTANT
Event 4757(S) generates only for domain groups, so the Local sections in event 4733 do not apply.
4758(S): A security-enabled universal group was deleted. See event 4734: A security-enabled local group
was deleted. Event 4758 is the same, but it is generated for a universal security group instead of a local
security group. All event fields, XML, and recommendations are the same. The type of group is the only
difference.
IMPORTANT
Event 4758(S) generates only for domain groups, so the Local sections in event 4734 do not apply.
4731(S): A security-enabled local group was created.
5/31/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a new security-enabled (security) local group is created.
This event generates on domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4731</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-19T01:01:50.646049700Z" />
    <EventRecordID>174849</EventRecordID>
    <Correlation />
    <Execution ProcessID="512" ThreadID="1092" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">AccountOperators</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3031e</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="SamAccountName">AccountOperators</Data>
    <Data Name="SidHistory">-</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
New Group:
Security ID [Type = SID]: SID of created group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was created. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the created group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs,
for example: “Win81”.
Attributes:
SAM Account Name [Type = UnicodeString]: This is a name of new group used to support clients and
servers from previous versions of Windows (pre-Windows 2000 logon name). The value of
sAMAccountName attribute of new group object. For example: ServiceDesk. For local groups it is simply a
name of new group.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the
value of the sIDHistory attribute of the new group object. This parameter might not be captured in the event, and
in that case appears as “-”. For local groups it is not applicable and always has the “-” value.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor each time a new security group is created, to see who created the group and when,
monitor this event.
If you need to monitor the creation of local security groups on different servers, and you use Windows
Event Forwarding to collect events in a central location, check “New Group\Group Domain.” It should
not be the name of the domain, but instead should be the computer name.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
4732(S): A member was added to a security-enabled local group.
6/6/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a new member is added to a security-enabled (security) local group.
This event generates on domain controllers, member servers, and workstations.
For every added member you will get a separate 4732 event.
You will typically see a “4735: A security-enabled local group was changed.” event, without any changes in it, prior to the 4732 event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4732</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-19T03:02:38.563110400Z" />
    <EventRecordID>174856</EventRecordID>
    <Correlation />
    <Execution ProcessID="512" ThreadID="1092" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">CN=eadmin,CN=Users,DC=contoso,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
    <Data Name="TargetUserName">AccountOperators</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3031e</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “add member to the
group” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of account that was added to the group. Event Viewer automatically tries to
resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the
event.
Account Name [Type = UnicodeString]: distinguished name of the account that was added to the group. For
example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has the “-” value,
even if the new member is a domain account. For some well-known security principals, such as LOCAL SERVICE
or ANONYMOUS LOGON, the value of this field is “-”.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Group:
Security ID [Type = SID]: SID of the group to which new member was added. Event Viewer automatically
tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in
the event.
Group Name [Type = UnicodeString]: the name of the group to which new member was added. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the group to which the new
member was added. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs,
for example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Type of monitoring required / Recommendation
Addition of members to local or domain security groups: You might need to monitor the addition of members to local or domain security groups. Typically, this event is used as an informational event, to be reviewed if needed.
    Recommendation: If you need to monitor each time a member is added to a local or domain security group, to see who added the member and when, monitor this event.
High-value local or domain security groups: You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes). Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on.
    Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value local or domain security groups.
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
    Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
    Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
    Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
    Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
    Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
    Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
    Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names.
    Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
Mismatch between type of account (user or computer) and the group it was added to: You might want to monitor to ensure that a computer account was not added to a group intended for users, or a user account was not added to a group intended for computers.
    Recommendation: Monitor the type of account added to the group to see if it matches what the group is intended for.
4733(S): A member was removed from a security-enabled local group.
6/6/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a member is removed from a security-enabled (security) local group.
This event generates on domain controllers, member servers, and workstations.
For every removed member you will get a separate 4733 event.
You will typically see a “4735: A security-enabled local group was changed.” event, without any changes in it, prior to the 4733 event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4733</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-19T16:51:00.376806500Z" />
    <EventRecordID>175037</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
    <Data Name="TargetUserName">AccountOperators</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x35e38</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “remove member
from the group” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of account that was removed from the group. Event Viewer automatically
tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in
the event.
Account Name [Type = UnicodeString]: distinguished name of the account that was removed from the group.
For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has the “-”
value, even if the removed member is a domain account. For some well-known security principals, such as
LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Group:
Security ID [Type = SID]: SID of the group from which the member was removed. Event Viewer
automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the
source data in the event.
Group Name [Type = UnicodeString]: the name of the group from which the member was removed. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the group from which the member
was removed. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs, for
example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Type of monitoring required / Recommendation
Removal of members from local or domain security groups: You might need to monitor the removal of members from local or domain security groups. Typically, this event is used as an informational event, to be reviewed if needed.
    Recommendation: If you need to monitor each time a member is removed from a local or domain security group, to see who removed the member and when, monitor this event.
High-value local or domain security groups: You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes). Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on.
    Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value local or domain security groups.
Local or domain security groups with required members: You might need to ensure that for certain local or domain security groups, particular members are never removed.
    Recommendation: Monitor this event with the “Group\Group Name” that corresponds to the group of interest, and the “Member\Security ID” of the members who should not be removed.
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
    Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
    Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
    Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
    Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
    Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
    Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
    Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names.
    Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
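The 4732 and 4733 recommendation tables above describe the checks in prose; what follows is an added Python example, not Microsoft's code, that applies several of them (high-value groups, required members, subject whitelist, external subject domain, computer-account mismatch) to constructed Event XML records laid out like the ones on this page. The POLICY values, the make_event helper and the is_computer_dn heuristic are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the Security event records shown in the Event XML sections above.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Hypothetical monitoring policy; the group names and SIDs are constructed examples.
POLICY = {
    "high_value_groups": {"Administrators", "Domain Admins", "Enterprise Admins"},
    # Group -> member SIDs that must never be removed ("groups with required members").
    "required_members": {"AccountOperators": {"S-1-5-21-3457937927-2839227994-823803824-2104"}},
    # Subjects allowed to change group membership (the "account whitelist" row).
    "allowed_subjects": {"S-1-5-21-3457937927-2839227994-823803824-1104"},
    "internal_domains": {"CONTOSO"},
    # Groups intended for user accounts only ("mismatch between type of account" row).
    "user_only_groups": {"AccountOperators", "Domain Admins"},
}


def parse_event(xml_text):
    """Flatten one record into {'EventID': int, <Data Name>: value}."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.find("e:EventData", NS):
        rec[data.get("Name")] = data.text or ""
    return rec


def is_computer_dn(member_dn):
    """Heuristic: computer objects normally sit under CN=Computers or OU=Domain Controllers.
    A production check would resolve Member\\Security ID through the directory instead."""
    rdns = [rdn.strip().lower() for rdn in member_dn.split(",")]
    return "cn=computers" in rdns or "ou=domain controllers" in rdns


def evaluate(rec, policy=POLICY):
    """Return the monitoring findings for one 4732 (add) or 4733 (remove) record."""
    findings = []
    event_id = rec["EventID"]
    if event_id not in (4732, 4733):
        return findings
    group, member_sid, member_dn = rec["TargetUserName"], rec["MemberSid"], rec["MemberName"]
    subject_sid, subject_domain = rec["SubjectUserSid"], rec["SubjectDomainName"]
    action = "added to" if event_id == 4732 else "removed from"
    if group in policy["high_value_groups"]:
        findings.append(f"high-value group: {member_sid} {action} {group}")
    if event_id == 4733 and member_sid in policy["required_members"].get(group, ()):
        findings.append(f"required member removed: {member_sid} from {group}")
    if subject_sid not in policy["allowed_subjects"]:
        findings.append(f"subject outside whitelist: {subject_sid}")
    if subject_domain not in policy["internal_domains"]:
        findings.append(f"external subject domain: {subject_domain}")
    if event_id == 4732 and group in policy["user_only_groups"]:
        if member_dn == "-":
            # Local groups and well-known principals carry no DN (see Member\Account Name),
            # so the account type cannot be judged from this record alone.
            findings.append(f"member DN not captured; resolve {member_sid} to check account type")
        elif is_computer_dn(member_dn):
            findings.append(f"account-type mismatch: computer {member_dn} added to {group}")
    return findings


def make_event(event_id, **data):
    """Build a constructed sample record in the layout of the Event XML sections above."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>DC01.contoso.local</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_EVENTS = [
    # The documented 4732 record: dadmin adds eadmin to AccountOperators.
    make_event(4732, MemberName="CN=eadmin,CN=Users,DC=contoso,DC=local",
               MemberSid="S-1-5-21-3457937927-2839227994-823803824-500",
               TargetUserName="AccountOperators", SubjectDomainName="CONTOSO",
               SubjectUserSid="S-1-5-21-3457937927-2839227994-823803824-1104"),
    # Constructed: a computer account added to Domain Admins by an account from FABRIKAM.
    make_event(4732, MemberName="CN=WS01,CN=Computers,DC=contoso,DC=local",
               MemberSid="S-1-5-21-3457937927-2839227994-823803824-1201",
               TargetUserName="Domain Admins", SubjectDomainName="FABRIKAM",
               SubjectUserSid="S-1-5-21-1111111111-2222222222-3333333333-1500"),
    # The documented 4733 record: dadmin removes Auditor from AccountOperators.
    make_event(4733, MemberName="CN=Auditor,CN=Users,DC=contoso,DC=local",
               MemberSid="S-1-5-21-3457937927-2839227994-823803824-2104",
               TargetUserName="AccountOperators", SubjectDomainName="CONTOSO",
               SubjectUserSid="S-1-5-21-3457937927-2839227994-823803824-1104"),
]


def scan(xml_records, policy=POLICY):
    """Evaluate every record; returns {record index: findings} for records that need review."""
    report = {}
    for index, xml_text in enumerate(xml_records):
        findings = evaluate(parse_event(xml_text), policy)
        if findings:
            report[index] = findings
    return report
```

Running scan(SAMPLE_EVENTS) flags only the second and third records: the first is a whitelisted subject adding a user account to a non-critical group and produces no finding.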
4734(S): A security-enabled local group was deleted.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a security-enabled (security) local group is deleted.
This event generates on domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4734</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-19T18:23:42.426245700Z" />
    <EventRecordID>175039</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1072" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">AccountOperators</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x35e38</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of deleted group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was deleted. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the deleted group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which the deleted group belonged, for example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical local or domain security groups in the organization, and need to specifically
monitor these groups for any change, especially group deletion, monitor events with the “Group\Group
Name” values that correspond to the critical local or domain security groups. Examples of critical local or
domain groups are built-in local administrators group, domain admins, enterprise admins, and so on.
If you need to monitor each time a local or domain security group is deleted, to see who deleted it and
when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
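The following Python is an added example, not part of the Microsoft documentation: it applies the Appendix A subject checks from the table at the top of this section (whitelist, external domain, naming convention, restricted computer) together with the 4734 critical-group recommendation above to a forwarded Security event. The event XML is the 4734 sample shown above, re-typed without Event Viewer's “-” collapse markers so that it parses; the second event and every policy value (allowed subject SID, internal domains, naming regex, restricted computer, critical-group inventory) are constructed assumptions for illustration. Critical groups are keyed by SID, because a SID is never reused while a group name can be.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The 4734 sample from this page, re-typed as well-formed XML (Event Viewer's "-" markers dropped).
SAMPLE_4734 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4734</EventID>
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">AccountOperators</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x35e38</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>"""

# Constructed variant: the same deletion performed by an oddly named account from another domain.
SAMPLE_4734_EXTERNAL = (SAMPLE_4734
    .replace('<Data Name="SubjectUserName">dadmin', '<Data Name="SubjectUserName">Temp Admin 1')
    .replace('<Data Name="SubjectDomainName">CONTOSO', '<Data Name="SubjectDomainName">FABRIKAM'))

# Every policy value below is an assumption for illustration, not something the page states.
POLICY = {
    "allowed_subject_sids": {"S-1-5-21-3457937927-2839227994-823803824-500"},  # whitelist-only action
    "internal_domains": {"CONTOSO", "NT AUTHORITY"},          # any other Subject\Account Domain is external
    "naming_convention": re.compile(r"^(svc-)?[a-z][a-z0-9]{2,19}$"),  # assumed account naming rule
    "restricted_computers": {"KIOSK01.contoso.local"},        # no group management expected here
    # Critical groups keyed by SID: a SID is never reused, a name can be.
    "critical_group_sids": {
        "S-1-5-32-544": "Builtin\\Administrators",
        "S-1-5-21-3457937927-2839227994-823803824-6605": "CONTOSO\\AccountOperators",
    },
}


def parse_event(xml_text):
    """Flatten one Security-channel event into a dict: EventID, Computer and every EventData field."""
    root = ET.fromstring(xml_text)
    event = {
        "EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def check_event(event, policy=POLICY):
    """Run the Appendix A subject checks plus the 4734 critical-group check; return readable findings."""
    findings = []
    sid, name, domain = event["SubjectUserSid"], event["SubjectUserName"], event["SubjectDomainName"]
    if sid not in policy["allowed_subject_sids"]:
        findings.append(f"Subject\\Security ID {sid} ({domain}\\{name}) is outside the whitelist")
    if domain.upper() not in policy["internal_domains"]:
        findings.append(f"Subject\\Account Domain {domain} is external")
    if not policy["naming_convention"].match(name):
        findings.append(f"Subject\\Account Name {name!r} does not follow the naming convention")
    if event["Computer"] in policy["restricted_computers"]:
        findings.append(f"group management performed on restricted computer {event['Computer']}")
    if event["EventID"] == 4734 and event["TargetSid"] in policy["critical_group_sids"]:
        group = policy["critical_group_sids"][event["TargetSid"]]
        findings.append(f"critical group {group} was deleted")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_4734, SAMPLE_4734_EXTERNAL):
        for finding in check_event(parse_event(sample)):
            print(finding)
```

The page's own sample already produces two findings under this policy (dadmin is not on the assumed whitelist, and AccountOperators is in the critical inventory); the constructed external variant adds the foreign-domain and naming-convention findings.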
4735(S): A security-enabled local group was changed.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a security-enabled (security) local group is changed.
This event generates on domain controllers, member servers, and workstations.
Some changes do not invoke a 4735 event, for example, changes made on the Managed By tab of the group's properties in the Active Directory Users and Computers management console.
If you change the name of the group (SAM Account Name), you also get “4781: The name of an account was changed” if “Audit User Account Management” subcategory success auditing is enabled.
If you change the group type, you get a change event from the new group type's auditing subcategory instead of 4735. If you need to monitor for group type changes, it is better to monitor for “4764: A group’s type was changed.” That event is generated for any group type when the group type is changed; “Audit Security Group Management” subcategory success auditing must be enabled.
From a 4735 event you can get information about changes to the sAMAccountName and sIDHistory attributes; for any other attribute you will see that something changed, but not what exactly changed.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4735</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T02:00:45.537440000Z" />
<EventRecordID>174850</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">AccountOperators_NEW</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3031e</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">AccountOperators_NEW</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change group”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of changed group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.
Note Sometimes the Group\Security ID field contains an old group name in Event Viewer (as you can see in the event example). That happens because Event Viewer caches names for SIDs that it has already resolved for the current session.
Note The Security ID field resolves to the same value as the new group name (Changed Attributes\SAM Account Name). That happens because the event is generated after the name was changed, so the SID resolves to the new name. It is always better to use the SID instead of group names for queries or filtering of events, because then you know for sure that this is the right object you are looking for or want to monitor.
Group Name [Type = UnicodeString]: the name of the group that was changed. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the changed group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which the changed group belongs, for example: “Win81”.
Built-in groups: Builtin
Changed Attributes:
You might see a 4735 event without any changes inside, that is, where all Changed Attributes appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine from the event which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the discretionary access control list (DACL) of the group is changed, a 4735 event will generate, but all attributes will be “-“.
SAM Account Name [Type = UnicodeString]: the new name of the changed group, used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of the sAMAccountName attribute of the group object was changed, you will see the new value here. For example: ServiceDesk. For local groups it is simply the new name of the group, if it was changed.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of the sIDHistory attribute of the group object was changed, you will see the new value here. For local groups it is not applicable and always has the “- “ value.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for any change, monitor events with the “Group\Group Name” values that correspond to the critical local or domain security groups. Because Group Name already carries the new name after a rename, match on “Group\Security ID” where you can.
If you need to monitor each time a local or domain security group is changed, to see who changed it and when, monitor this event. Membership changes are not reported by 4735; they generate “4732: A member was added to a security-enabled local group” and “4733: A member was removed from a security-enabled local group.” Typically, this event is used as an informational event, to be reviewed if needed.
If your organization has naming conventions for group names, monitor “Attributes\SAM Account Name” for names that don’t comply with the naming conventions.
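As an added example (not the documentation's own code), the Python below classifies a 4735 event from its EventData fields, already extracted into a dict the way a SIEM presents them, and acts on the points made above: critical groups are keyed by SID rather than Group Name, a rename is recognised from SAM Account Name and pointed at 4781 for the old name, a sIDHistory change is called out, and the “all attributes are -” case is reported as an unlisted attribute or DACL change rather than silently ignored. The first sample is the EventData of the 4735 sample above; the second, the critical-group inventory and the group naming convention are constructed assumptions.

```python
import re

# Critical groups keyed by SID (assumed inventory): Group\Group Name already shows the new name after
# a rename, and Event Viewer may show a cached old name, so the name is not a reliable key.
CRITICAL_GROUP_SIDS = {
    "S-1-5-21-3457937927-2839227994-823803824-6605": "CONTOSO\\AccountOperators",
}
# Assumed group naming convention: CapitalizedWords, optionally hyphen-separated, no underscores.
GROUP_NAMING_CONVENTION = re.compile(r"^[A-Z][A-Za-z0-9]+(-[A-Z][A-Za-z0-9]+)*$")

# EventData of the 4735 sample on this page: a rename of AccountOperators.
SAMPLE_RENAME = {
    "TargetUserName": "AccountOperators_NEW", "TargetDomainName": "CONTOSO",
    "TargetSid": "S-1-5-21-3457937927-2839227994-823803824-6605",
    "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
    "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0x3031e",
    "PrivilegeList": "-", "SamAccountName": "AccountOperators_NEW", "SidHistory": "-",
}
# Constructed: the same group changed with nothing listed, e.g. a description or DACL change.
SAMPLE_OPAQUE = dict(SAMPLE_RENAME, TargetUserName="AccountOperators", SamAccountName="-")


def classify_4735(data):
    """Work out what a 4735 event tells us, and what it cannot, from its Changed Attributes."""
    sam, sid_history = data.get("SamAccountName", "-"), data.get("SidHistory", "-")
    result = {
        "group_sid": data["TargetSid"],
        "critical": data["TargetSid"] in CRITICAL_GROUP_SIDS,
        "changes": [],
        "findings": [],
    }
    if sam != "-":
        # sAMAccountName carries the NEW name; the old one is in the companion 4781 (if Audit User
        # Account Management success auditing is on) or in your own group inventory.
        result["changes"].append(("sAMAccountName", sam))
        result["findings"].append("group renamed; correlate with 4781 on the group SID for the old name")
        if not GROUP_NAMING_CONVENTION.match(sam):
            result["findings"].append(f"new name {sam!r} does not follow the group naming convention")
    if sid_history != "-":
        # Expected only when the group was moved in from another domain.
        result["changes"].append(("sIDHistory", sid_history))
        result["findings"].append("sIDHistory changed; confirm a cross-domain move was in progress")
    if not result["changes"]:
        # Every attribute is "-": an unlisted attribute (e.g. description) or the DACL changed.
        result["findings"].append("no attribute listed; an unlisted attribute or the group's DACL changed")
    if result["critical"]:
        result["findings"].insert(0, f"change to critical group {CRITICAL_GROUP_SIDS[data['TargetSid']]}")
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_RENAME, SAMPLE_OPAQUE):
        print(classify_4735(sample))
```

Note that the page's own sample name, AccountOperators_NEW, fails the assumed convention because of the underscore; that is the kind of rename the naming-convention recommendation is meant to surface.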
4764(S): A group’s type was changed.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a group’s type is changed.
This event generates for both security and distribution groups.
This event generates only on domain controllers.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4764</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T00:25:33.459568000Z" />
<EventRecordID>175221</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1072" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="GroupTypeChange">Security Enabled Local Group Changed to Security Disabled Local Group.</Data>
<Data Name="TargetUserName">CompanyAuditors</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6608</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38200</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change group type”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Change Type [Type = UnicodeString]: contains three parts: “<Param1> Changed To <Param2>.”. These two
parameters can have the following values (they cannot have the same value at the same time):
Security Disabled Local Group
Security Disabled Universal Group
Security Disabled Global Group
Security Enabled Local Group
Security Enabled Universal Group
Security Enabled Global Group
Group:
Security ID [Type = SID]: SID of changed group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group whose type was changed. For example: ServiceDesk
Group Domain [Type = UnicodeString]: domain or computer name of the changed group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which the changed group belongs, for example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical local or domain groups in the organization, and need to specifically monitor these groups for any change, especially a group type change, monitor events with the “Group\Group Name” values that correspond to those critical groups. Examples of critical local or domain groups are the built-in local administrators group, domain admins, enterprise admins, critical distribution groups, and so on.
If you need to monitor each time any group’s type is changed, to see who changed it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
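The Python below is an added example, not from the original page: it decodes the Change Type string of a 4764 event (“<Param1> Changed to <Param2>.”, each part one of the six group types listed above) into the scope and security flag before and after the change, and flags the transitions worth a second look. Converting a security-enabled group to a distribution group removes its SID from tokens and ACL evaluation even though the membership list is kept, and the reverse turns a mailing list into a principal that can be granted access. The first sample is the CompanyAuditors event shown above; the second sample and the critical-group inventory are constructed assumptions.

```python
import re

# "<Param1> Changed to <Param2>." where each part is one of the six group types listed above.
CHANGE_TYPE_RE = re.compile(
    r"^Security (?P<before_sec>Enabled|Disabled) (?P<before_scope>Local|Global|Universal) Group "
    r"Changed to Security (?P<after_sec>Enabled|Disabled) (?P<after_scope>Local|Global|Universal) Group\.?$",
    re.IGNORECASE,
)
# Assumed inventory of groups that matter.
CRITICAL_GROUP_SIDS = {"S-1-5-21-3457937927-2839227994-823803824-6605": "CONTOSO\\AccountOperators"}


def parse_group_type_change(text):
    """Return ((scope, security_enabled) before, (scope, security_enabled) after)."""
    m = CHANGE_TYPE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GroupTypeChange text: {text!r}")
    before = (m["before_scope"].capitalize(), m["before_sec"].lower() == "enabled")
    after = (m["after_scope"].capitalize(), m["after_sec"].lower() == "enabled")
    return before, after


def assess_4764(data):
    """Decode one 4764 event's Change Type and list the transitions a reviewer should look at."""
    (b_scope, b_sec), (a_scope, a_sec) = parse_group_type_change(data["GroupTypeChange"])
    findings = []
    if b_sec and not a_sec:
        # A distribution group is never placed in a token or evaluated in an ACL: whatever the group
        # granted is gone, even though the membership list is kept.
        findings.append("security-enabled group became a distribution group; access granted to its SID is lost")
    elif not b_sec and a_sec:
        # The reverse: members of a mailing list now receive whatever the group's SID is granted.
        findings.append("distribution group became security-enabled; review its membership and ACL usage")
    if b_scope != a_scope:
        findings.append(f"scope changed from {b_scope} to {a_scope}")
    if data["TargetSid"] in CRITICAL_GROUP_SIDS:
        findings.insert(0, f"type change on critical group {CRITICAL_GROUP_SIDS[data['TargetSid']]}")
    return {"before": (b_scope, b_sec), "after": (a_scope, a_sec), "findings": findings}


# The 4764 sample from this page.
SAMPLE_4764 = {
    "GroupTypeChange": "Security Enabled Local Group Changed to Security Disabled Local Group.",
    "TargetUserName": "CompanyAuditors", "TargetDomainName": "CONTOSO",
    "TargetSid": "S-1-5-21-3457937927-2839227994-823803824-6608",
    "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
    "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0x38200",
}
# Constructed: a universal distribution group turned into a global security group.
SAMPLE_4764_UPGRADE = dict(
    SAMPLE_4764,
    GroupTypeChange="Security Disabled Universal Group Changed to Security Enabled Global Group.",
    TargetUserName="AccountOperators",
    TargetSid="S-1-5-21-3457937927-2839227994-823803824-6605",
)

if __name__ == "__main__":
    for sample in (SAMPLE_4764, SAMPLE_4764_UPGRADE):
        print(sample["TargetUserName"], assess_4764(sample))
```

The regex is case-insensitive because the field description above writes the connector as “Changed To” while the logged sample writes “Changed to”.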
4799(S): A security-enabled local group membership was enumerated.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates when a process enumerates
the members of a security-enabled local group
on the computer or device.
This event doesn't generate when group
members were enumerated using Active
Directory Users and Computers snap-in.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4799</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T03:50:23.625407600Z" />
<EventRecordID>685</EventRecordID>
<Correlation ActivityID="{CBAEDE08-1CF0-0000-50DE-AECBF01CD101}" />
<Execution ProcessID="744" ThreadID="188" />
<Channel>Security</Channel>
<Computer>WIN10-1.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Administrators</Data>
<Data Name="TargetDomainName">Builtin</Data>
<Data Name="TargetSid">S-1-5-32-544</Data>
<Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x72d9d</Data>
<Data Name="CallerProcessId">0xc80</Data>
<Data Name="CallerProcessName">C:\Windows\System32\mmc.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “enumerate security-
enabled local group members” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of the group whose members were enumerated. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group whose members were enumerated.
Group Domain [Type = UnicodeString]: group’s domain or computer name. Formats vary, and include the following:
For Builtin groups this field has “Builtin” value.
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this group belongs, for
example: “Win81”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that enumerated the members of the group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical local security groups in the organization, and need to specifically monitor these
groups for any access (in this case, enumeration of group membership), monitor events with the
“Group\Group Name” values that correspond to the critical local security groups. Examples of critical local
groups are built-in local administrators, built-in backup operators, and so on.
If you need to monitor each time the membership is enumerated for a local or domain security group, to see
who enumerated the membership and when, monitor this event. Typically, this event is used as an
informational event, to be reviewed if needed.
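As an added example (not part of the documentation), the Python below does what the Process Information description and the recommendations above call for: it converts the hexadecimal 4799 Process ID to the decimal value Task Manager shows, correlates it with the 4688 process-creation event on the same logon session to recover the parent process, and flags enumeration of a critical local group (Administrators S-1-5-32-544, Backup Operators S-1-5-32-551, the page's own examples) by a process that is not on an expected-tools baseline. The first 4799 is the sample above; the second 4799, the 4688 events and the expected-tools list are constructed assumptions.

```python
# Local groups whose membership enumeration is worth reviewing (the page's examples).
CRITICAL_LOCAL_GROUPS = {"S-1-5-32-544": "Administrators", "S-1-5-32-551": "Backup Operators"}
# Assumed baseline of tools expected to enumerate local group membership; compared case-insensitively.
EXPECTED_ENUMERATORS = {r"c:\windows\system32\mmc.exe"}


def hex_pid(value):
    """4799 Process ID and 4688 New Process ID are hex strings ('0xc80'); Task Manager shows decimal."""
    return int(value, 16)


def find_creation(event, process_creations):
    """Match the 4799 caller to the 4688 that created it: same PID and same logon session.

    PIDs are reused, so a real pipeline must also pick the most recent 4688 with that PID
    before the 4799's TimeCreated; the sample data here has one creation per PID.
    """
    pid = hex_pid(event["CallerProcessId"])
    for creation in process_creations:
        if hex_pid(creation["NewProcessId"]) == pid and creation["SubjectLogonId"] == event["SubjectLogonId"]:
            return creation
    return None


def assess_4799(event, process_creations):
    """Return the decimal PID, the correlated 4688 (if any) and findings for one 4799 event."""
    findings = []
    creation = find_creation(event, process_creations)
    group = CRITICAL_LOCAL_GROUPS.get(event["TargetSid"])
    if group and event["CallerProcessName"].lower() not in EXPECTED_ENUMERATORS:
        parent = creation.get("ParentProcessName", "unknown") if creation else "no matching 4688"
        findings.append(
            f"{event['SubjectDomainName']}\\{event['SubjectUserName']} enumerated {group} "
            f"with unexpected process {event['CallerProcessName']} (parent: {parent})"
        )
    return {"pid": hex_pid(event["CallerProcessId"]), "creation": creation, "findings": findings}


SAMPLE_4799 = {  # EventData of the 4799 sample on this page
    "TargetUserName": "Administrators", "TargetDomainName": "Builtin", "TargetSid": "S-1-5-32-544",
    "SubjectUserSid": "S-1-5-21-1377283216-344919071-3415362939-1104", "SubjectUserName": "dadmin",
    "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0x72d9d",
    "CallerProcessId": "0xc80", "CallerProcessName": r"C:\Windows\System32\mmc.exe",
}
# Constructed: the same group enumerated from a binary dropped in the user's Temp folder.
SAMPLE_4799_ODD = dict(SAMPLE_4799, CallerProcessId="0x1f4c",
                       CallerProcessName=r"C:\Users\dadmin\AppData\Local\Temp\enum.exe")
# Constructed 4688 (new process created) events for the same logon session, hex PIDs as Windows logs them.
SAMPLE_4688 = [
    {"NewProcessId": "0xc80", "NewProcessName": r"C:\Windows\System32\mmc.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "SubjectLogonId": "0x72d9d"},
    {"NewProcessId": "0x1f4c", "NewProcessName": r"C:\Users\dadmin\AppData\Local\Temp\enum.exe",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SubjectLogonId": "0x72d9d"},
]

if __name__ == "__main__":
    for sample in (SAMPLE_4799, SAMPLE_4799_ODD):
        print(assess_4799(sample, SAMPLE_4688))
```

The page's sample (mmc.exe, PID 0xc80 = 3200) produces no finding; the constructed enumeration from Temp is reported together with the PowerShell parent recovered from its 4688.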
Audit User Account Management
12/18/2019
Applies to
Windows 10
Windows Server 2016
Audit User Account Management determines whether the operating system generates audit events when
specific user account management tasks are performed.
Event volume : Low.
This policy setting allows you to audit changes to user accounts. Events include the following:
A user account is created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
A user account’s password is set or changed.
A security identifier (SID) is added to the SID History of a user account, or fails to be added.
The Directory Services Restore Mode password is configured.
Permissions on administrative user accounts are changed.
A user's local group membership was enumerated.
Credential Manager credentials are backed up or restored.
Some events in this subcategory, for example 4722, 4725, 4724, and 4781, are also generated for computer
accounts.
4720(S): A user account was created.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a new user
object is created.
This event generates on domain controllers,
member servers, and workstations.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4720</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.759912000Z" />
<EventRecordID>175408</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">ksmith</Data>
<Data Name="DisplayName">Ken Smith</Data>
<Data Name="UserPrincipalName">ksmith@contoso.local</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">%%1794</Data>
<Data Name="AccountExpires">%%1794</Data>
<Data Name="PrimaryGroupId">513</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x0</Data>
<Data Name="NewUacValue">0x15</Data>
<Data Name="UserAccountControl">%%2080 %%2082 %%2084</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">%%1793</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create user account”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
New Account:
Security ID [Type = SID]: SID of created user account. Event Viewer automatically tries to resolve SIDs and
show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the user account that was created. For example:
dadmin.
Account Domain [Type = UnicodeString]: domain name of created user account. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local accounts, this field will contain the name of the computer to which this new account belongs,
for example: “Win81”.
Attributes:
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName
attribute of new user object. For example: ksmith. For local account this field contains the name of new user
account.
Display Name [Type = UnicodeString]: the value of the displayName attribute of the new user object. It is the name displayed in the address book for a particular account. This is usually the combination of the user's first name, middle initial, and last name. For example, Ken Smith. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. Local accounts contain the Full Name attribute in this field, but for new local accounts this field typically has value “<value not set>”.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. This parameter
contains the value of userPrincipalName attribute of new user object. For example, ksmith@contoso.local.
For local users this field is not applicable and has value “- “. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example.
Home Directory [Type = UnicodeString]: user's home directory. If the homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form \\Server\Share\Directory. This parameter contains the value of the homeDirectory attribute of the new user object. For new local accounts this field typically has value “<value not set>”. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by the account’s homeDirectory attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For example – “H:”. This parameter contains the value of the homeDrive attribute of the new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “<value not set>”.
Script Path [Type = UnicodeString]: specifies the path of the account’s logon script. This parameter contains
the value of scriptPath attribute of new user object. You can change this attribute by using Active Directory
Users and Computers, or through a script, for example. This parameter might not be captured in the event,
and in that case appears as “-”. For new local accounts this field typically has value “<value not set> ”.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null string,
a local absolute path, or a UNC path. This parameter contains the value of profilePath attribute of new user
object. You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. This parameter might not be captured in the event, and in that case appears as “-”. For new local
accounts this field typically has value “<value not set> ”.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers from which the user can log on. Each computer name is separated by a comma. The NetBIOS name of a computer is the sAMAccountName of its computer object without the trailing “$”. This parameter contains the value of the userWorkstations attribute of the new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For local users this field is not applicable and typically has value “<value not set>”.
Password Last Set [Type = UnicodeString]: last time the account’s password was modified. For manually
created user account, using Active Directory Users and Computers snap-in, this field typically has value
“<never>” . This parameter contains the value of pwdLastSet attribute of new user object.
Account Expires [Type = UnicodeString]: the date when the account expires. This parameter contains the
value of accountExpires attribute of new user object. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. This parameter might not be captured in
the event, and in that case appears as “-”. For manually created local and domain user accounts this field
typically has value “<never> ”.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of the user object’s primary group.
Note: A relative identifier (RID) is a variable-length number that is assigned to objects at creation and
becomes part of the object's Security Identifier (SID), which uniquely identifies an account or group within a
domain.
Typically, the Primary Group field for new user accounts has the following value:
• 513 (Domain Users; for local accounts this RID means Users) – for domain and local users.
See https://support.microsoft.com/kb/243330 for more information. This parameter contains the
value of the primaryGroupID attribute of the new user object.
Allowed To Delegate To [Type = UnicodeString]: the list of SPNs to which this account can present delegated
credentials. It can be changed using the Active Directory Users and Computers management console, in the
Delegation tab of the user account, if this account has at least one SPN registered. This parameter contains the
value of the AllowedToDelegateTo attribute of the new user object. For local user accounts this field is not
applicable and typically has value “-”. For new domain user accounts it typically has value “-”. See the
description of the AllowedToDelegateTo field for the “4738(S): A user account was changed.” event for more details.
Note: A Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must have
its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use
for authentication. For example, an SPN always includes the name of the host computer on which the service
instance is running, so a service instance might register an SPN for each name or alias of its host.
Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. The Old UAC value is always “0x0” for new user accounts. This
parameter contains the previous value of the userAccountControl attribute of the user object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. This parameter contains the value of the userAccountControl
attribute of the new user object.
To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s
account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the
flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that
event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to
the next flag.
Here's an example: Flags value from event: 0x15
Decoding:
• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE 0x0002
• SCRIPT 0x0001
0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl attribute.
You will see a line of text for each change. For new user accounts, when the object for this account was created,
the userAccountControl value was considered to be “0x0” , and then it was changed from “0x0” to the real
value for the account's userAccountControl attribute. See possible values in the table below. In the “User
Account Control field text” column, you can see the text that will be displayed in the User Account Control
field in 4720 event.
Flag name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text
USE_DES_KEY_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. Can be set using the “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled / 'Use DES Key Only' - Enabled
For new, manually created, domain or local user accounts the typical flags are:
• Account Disabled
• 'Password Not Required' – Enabled
• 'Normal Account' – Enabled
After the new user creation event you will typically see a couple of “4738: A user account was changed.” events
with new flags:
• 'Password Not Required' – Disabled
• Account Enabled
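The decoding procedure above, and the rendering of the "User Account Control" field as one line per changed flag, as an added Python example (not code from the page or from Microsoft). The flag values beyond those in the page's worked example are the standard userAccountControl bits documented in Microsoft KB 305144; the display text for flags the page does not name is an approximation of the Event Viewer wording, and a bit test is used in place of the manual subtraction because it gives the same answer when every bit is declared and stays correct when an undeclared bit (the page's 0x4) is present:

```python
"""Decode userAccountControl (UAC) values as they appear in the "Old UAC
Value" / "New UAC Value" fields of events 4720 and 4738, and render the
per-flag change lines shown in the "User Account Control" field."""

# Standard userAccountControl bits (Microsoft KB 305144). The page's worked
# example covers the low bits and USE_DES_KEY_ONLY; the rest are the
# documented values. Display text for flags the page does not name is an
# approximation of the Event Viewer wording.
UAC_FLAGS = {
    0x0000001: ("SCRIPT", "Script"),
    0x0000002: ("ACCOUNTDISABLE", "Account Disabled"),
    0x0000008: ("HOMEDIR_REQUIRED", "Home Directory Required"),
    0x0000010: ("LOCKOUT", "Locked Out"),
    0x0000020: ("PASSWD_NOTREQD", "Password Not Required"),
    0x0000040: ("PASSWD_CANT_CHANGE", "Password Cannot Change"),
    0x0000080: ("ENCRYPTED_TEXT_PWD_ALLOWED", "Encrypted Text Password Allowed"),
    0x0000100: ("TEMP_DUPLICATE_ACCOUNT", "Temp Duplicate Account"),
    0x0000200: ("NORMAL_ACCOUNT", "Normal Account"),
    0x0000800: ("INTERDOMAIN_TRUST_ACCOUNT", "Interdomain Trust Account"),
    0x0001000: ("WORKSTATION_TRUST_ACCOUNT", "Workstation Trust Account"),
    0x0002000: ("SERVER_TRUST_ACCOUNT", "Server Trust Account"),
    0x0010000: ("DONT_EXPIRE_PASSWORD", "Don't Expire Password"),
    0x0020000: ("MNS_LOGON_ACCOUNT", "MNS Logon Account"),
    0x0040000: ("SMARTCARD_REQUIRED", "Smartcard Required"),
    0x0080000: ("TRUSTED_FOR_DELEGATION", "Trusted For Delegation"),
    0x0100000: ("NOT_DELEGATED", "Not Delegated"),
    0x0200000: ("USE_DES_KEY_ONLY", "Use DES Key Only"),
    0x0400000: ("DONT_REQUIRE_PREAUTH", "Don't Require Preauth"),
    0x0800000: ("PASSWORD_EXPIRED", "Password Expired"),
    0x1000000: ("TRUSTED_TO_AUTH_FOR_DELEGATION", "Trusted To Authenticate For Delegation"),
}


def _to_int(value):
    """Accept the field text ("0x15") or an int."""
    return int(value, 16) if isinstance(value, str) else int(value)


def decode_uac(value):
    """Walk the flag table from largest to smallest, as the text's manual
    procedure does. Returns the names of the flags that are set and the
    residue of bits the table does not declare (the text's "undeclared" 0x4)."""
    remaining = _to_int(value)
    names = []
    for bit in sorted(UAC_FLAGS, reverse=True):
        # The bit test replaces the text's "greater than or equal, then
        # subtract" step; it cannot be fooled by an undeclared bit.
        if remaining & bit:
            names.append(UAC_FLAGS[bit][0])
            remaining -= bit
    return names, remaining


def uac_change_lines(old, new):
    """Render the "User Account Control" field lines for a change from old
    to new. ACCOUNTDISABLE is worded "Account Disabled" / "Account Enabled";
    every other flag is shown as 'Name' - Enabled / 'Name' - Disabled."""
    old, new = _to_int(old), _to_int(new)
    lines = []
    for bit in sorted(UAC_FLAGS):
        if (old ^ new) & bit:              # only flags that actually changed
            enabled = bool(new & bit)
            name, text = UAC_FLAGS[bit]
            if name == "ACCOUNTDISABLE":
                lines.append("Account Disabled" if enabled else "Account Enabled")
            else:
                lines.append(f"'{text}' - {'Enabled' if enabled else 'Disabled'}")
    return lines


if __name__ == "__main__":
    # The text's example: 0x15 decodes to LOCKOUT and SCRIPT, with 0x4 left over.
    print(decode_uac("0x15"))
    # A typical 4720 (0x0 -> 0x222) followed by the usual 4738 (0x222 -> 0x200).
    print(uac_change_lines("0x0", "0x222"))
    print(uac_change_lines("0x222", "0x200"))
```

Feeding the example's 0x15 returns the two flags the text derives by hand plus the leftover undeclared 0x4, and the 0x0 to 0x222 transition reproduces the three lines the text lists for a freshly created account.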
User Parameters [Type = UnicodeString]: if you change any setting using the Active Directory Users and
Computers management console in the Dial-in tab of the user’s account properties, then you will see <value
changed, but not displayed> in this field in “4738: A user account was changed.” This parameter might
not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has
value “<value not set>”.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the
value of the sIDHistory attribute of the new user object. This parameter might not be captured in the event, and in
that case appears as “-”.
Logon Hours [Type = UnicodeString]: hours that the account is allowed to log on to the domain. The value
of the logonHours attribute of the new user object. You can change this attribute by using Active Directory Users
and Computers, or through a script, for example. You will typically see the “<value not set>” value for new
manually created user accounts in event 4720. For new local accounts this field is not applicable and
typically has value “All”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See the full list of user privileges in “Table 8. User Privileges.”.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Field and value to track | Reason to track
SAM Account Name is empty or - | This field must contain the user account name. If it is empty or -, it might indicate an anomaly.
User Principal Name is empty or - | Typically this field should not be empty for new user accounts. If it is empty or -, it might indicate an anomaly.
Home Directory is not -; Home Drive is not -; Script Path is not -; Profile Path is not -; User Workstations is not - | Typically these fields are - for new user accounts. Other values might indicate an anomaly and should be monitored. For local accounts these fields should display <value not set>.
Password Last Set is <never> | This typically means this is a manually created user account, which you might need to monitor.
Password Last Set is a time in the future | This might indicate an anomaly.
Account Expires is not <never> | Typically this field is <never> for new user accounts. Other values might indicate an anomaly and should be monitored.
Primary Group ID is not 513 | Typically, the Primary Group value is 513 for domain and local users. Other values should be monitored.
Allowed To Delegate To is not - | Typically this field is - for new user accounts. Other values might indicate an anomaly and should be monitored.
Old UAC Value is not 0x0 | Typically this field is 0x0 for new user accounts. Other values might indicate an anomaly and should be monitored.
SID History is not - | This field will always be set to - unless the account was migrated from another domain.
Logon Hours value other than <value not set> or “All” | This should always be <value not set> for new domain user accounts, and “All” for new local user accounts.
User Account Control flag to track | Information about the flag
'Encrypted Text Password Allowed' – Enabled; 'Smartcard Required' – Enabled; 'Not Delegated' – Enabled; 'Use DES Key Only' – Enabled; 'Don't Require Preauth' – Enabled; 'Trusted To Authenticate For Delegation' – Enabled | By default, these flags should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in.
'Server Trust Account' – Enabled | Should never be enabled for user accounts. Applies only to domain controller (computer) accounts.
'Don't Expire Password' – Enabled | Should be monitored for critical accounts, or all accounts if your organization does not allow this flag. By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in.
'Trusted For Delegation' – Enabled | By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. It is enabled by default only for new domain controllers.
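The two monitoring tables above applied to one 4720 event, as an added Python example that is not part of the page or of Microsoft's tooling. The input is a dictionary of field name to the text Event Viewer renders ("-", "<never>", "<value not set>", and the "User Account Control" field as one line per flag); the sample field sets are constructed, and the timestamp formats tried for "Password Last Set" are an assumption, since the rendered time is locale dependent:

```python
"""Apply the field-level monitoring recommendations for event 4720 to the
rendered field values of one event."""
from datetime import datetime

# Flag lines the recommendations table says to track in the
# "User Account Control" field of a new account.
ADUC_DEFAULT_OFF = "not expected for accounts created with the ADUC snap-in"
TRACKED_FLAG_LINES = {
    "'Encrypted Text Password Allowed' - Enabled": ADUC_DEFAULT_OFF,
    "'Smartcard Required' - Enabled": ADUC_DEFAULT_OFF,
    "'Not Delegated' - Enabled": ADUC_DEFAULT_OFF,
    "'Use DES Key Only' - Enabled": ADUC_DEFAULT_OFF,
    "'Don't Require Preauth' - Enabled": ADUC_DEFAULT_OFF,
    "'Trusted To Authenticate For Delegation' - Enabled": ADUC_DEFAULT_OFF,
    "'Server Trust Account' - Enabled": "should never be enabled for user accounts",
    "'Don't Expire Password' - Enabled": "monitor for critical accounts, or all accounts if policy forbids it",
    "'Trusted For Delegation' - Enabled": "enabled by default only for new domain controllers",
}

# Assumed rendering of "Password Last Set"; the real format is locale dependent.
TIME_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%Y-%m-%d %H:%M:%S")

# Constructed sample: a domain account created with the ADUC snap-in, carrying
# the typical values the text describes for such an account.
TYPICAL_DOMAIN_4720 = {
    "SAM Account Name": "ksmith",
    "User Principal Name": "ksmith@contoso.local",
    "Home Directory": "-", "Home Drive": "-", "Script Path": "-",
    "Profile Path": "-", "User Workstations": "-",
    "Password Last Set": "<never>",
    "Account Expires": "<never>",
    "Primary Group ID": "513",
    "Allowed To Delegate To": "-",
    "Old UAC Value": "0x0",
    "New UAC Value": "0x222",
    "User Account Control": "Account Disabled\n'Password Not Required' - Enabled\n'Normal Account' - Enabled",
    "SID History": "-",
    "Logon Hours": "<value not set>",
}


def _parse_time(text):
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None


def check_new_account(fields, local_account=False, now=None):
    """Return (field, reason) findings for one 4720 event. local_account
    switches to the values the text expects for local (SAM) accounts."""
    now = now or datetime.now()
    findings = []

    def get(name):
        return (fields.get(name) or "").strip()

    for name in ("SAM Account Name", "User Principal Name"):
        if get(name) in ("", "-"):
            findings.append((name, "empty or '-', possible anomaly"))

    unset = "<value not set>" if local_account else "-"
    for name in ("Home Directory", "Home Drive", "Script Path", "Profile Path", "User Workstations"):
        if get(name) != unset:
            findings.append((name, f"expected {unset} for a new account"))

    last_set = get("Password Last Set")
    if last_set == "<never>":
        findings.append(("Password Last Set", "manually created account, consider monitoring"))
    else:
        when = _parse_time(last_set)
        if when is not None and when > now:
            findings.append(("Password Last Set", "time in the future, possible anomaly"))

    if get("Account Expires") != "<never>":
        findings.append(("Account Expires", "expected <never> for a new account"))
    if get("Primary Group ID") != "513":
        findings.append(("Primary Group ID", "expected 513 (Domain Users / Users)"))
    if get("Allowed To Delegate To") != "-":
        findings.append(("Allowed To Delegate To", "expected '-' for a new account"))
    if get("Old UAC Value") != "0x0":
        findings.append(("Old UAC Value", "expected 0x0 for a new account"))
    if get("SID History") != "-":
        findings.append(("SID History", "set only when migrated from another domain"))
    hours = "All" if local_account else "<value not set>"
    if get("Logon Hours") != hours:
        findings.append(("Logon Hours", f"expected {hours}"))

    for line in get("User Account Control").splitlines():
        reason = TRACKED_FLAG_LINES.get(line.strip())
        if reason:
            findings.append(("User Account Control", f"{line.strip()}: {reason}"))
    return findings


if __name__ == "__main__":
    for field, reason in check_new_account(TYPICAL_DOMAIN_4720):
        print(f"{field}: {reason}")
```

Run against the typical account the only finding is the informational "Password Last Set is <never>" row; change the Primary Group ID, set an expiry, or add a 'Don't Expire Password' line and each surfaces as its own finding, which is the granularity a SIEM rule would alert on.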
4722(S): A user account was enabled.
5/31/2019 • 3 minutes to read
Applies to
• Windows 10
• Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user or computer object is enabled.
For user accounts, this event generates on domain controllers, member servers, and workstations.
For computer accounts, this event generates only on domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4722</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-21T23:55:11.038308600Z" />
    <EventRecordID>175716</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1112" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">Auditor</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x30d5f</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “enable account”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was enabled. Event Viewer automatically tries to resolve SIDs
and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was enabled.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
• If you have a high-value domain or local account for which you need to monitor every change, monitor all
4722 events with the “Target Account\Security ID” that corresponds to the account.
• If you have domain or local accounts that should never be enabled, you can monitor all 4722 events with
the “Target Account\Security ID” fields that correspond to the accounts.
• We recommend monitoring all 4722 events for local accounts, because these accounts usually do not
change often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4723(S, F): An attempt was made to change an account's password.
5/31/2019 • 4 minutes to read
Applies to
• Windows 10
• Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user attempts to change his or her password.
For user accounts, this event generates on domain controllers, member servers, and workstations.
For domain accounts, a Failure event generates if the new password fails to meet the password policy.
For local accounts, a Failure event generates if the new password fails to meet the password policy or the old
password is wrong.
For domain accounts, if the old password was wrong, then “4771: Kerberos pre-authentication failed” or
“4776: The computer attempted to validate the credentials for an account” will be generated on the domain
controller if the specific subcategories were enabled on it.
Typically you will see 4723 events with the same Subject\Security ID and Target Account\Security ID fields,
which is normal behavior.
Note: For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4723</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-22T01:32:51.494558000Z" />
    <EventRecordID>175722</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1112" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x1a9b76</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to change Target’s
Account password.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account: account for which the password change was requested.
Security ID [Type = SID]: SID of account for which the password change was requested. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see
the source data in the event.
Account Name [Type = UnicodeString]: the name of the account for which the password change was
requested.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
• If you have a high-value domain or local user account for which you need to monitor every password
change attempt, monitor all 4723 events with the “Target Account\Security ID” that corresponds to the
account.
• If you have a high-value domain or local account for which you need to monitor every change, monitor all
4723 events with the “Target Account\Security ID” that corresponds to the account.
• If you have domain or local accounts for which the password should never be changed, you can monitor all
4723 events with the “Target Account\Security ID” that corresponds to the account.
4724(S, F): An attempt was made to reset an account's password.
5/31/2019 • 3 minutes to read
Applies to
• Windows 10
• Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time an account attempted to reset the password for another account.
For user accounts, this event generates on domain controllers, member servers, and workstations.
For domain accounts, a Failure event generates if the new password fails to meet the password policy.
A Failure event does NOT generate if the user gets “Access Denied” while doing the password reset procedure.
This event also generates if a computer account reset procedure was performed.
For local accounts, a Failure event generates if the new password fails to meet the local password policy.
Note: For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4724</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-22T01:58:21.725864900Z" />
    <EventRecordID>175740</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="548" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">User1</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1107</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x30d5f</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to reset Target’s
Account password.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account: account for which password reset was requested.
Security ID [Type = SID]: SID of account for which password reset was requested. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see
the source data in the event.
Account Name [Type = UnicodeString]: the name of the account for which password reset was requested.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
• If you have a high-value domain or local user account for which you need to monitor every password reset
attempt, monitor all 4724 events with the “Target Account\Security ID” that corresponds to the account.
• If you have a high-value domain or local account for which you need to monitor every change, monitor all
4724 events with the “Target Account\Security ID” that corresponds to the account.
• If you have domain or local accounts for which the password should never be reset, you can monitor all
4724 events with the “Target Account\Security ID” that corresponds to the account.
• We recommend monitoring all 4724 events for local accounts, because their passwords usually do not
change often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4725(S): A user account was disabled.
5/31/2019 • 3 minutes to read
Applies to
• Windows 10
• Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user or computer object is disabled.
For user accounts, this event generates on domain controllers, member servers, and workstations.
For computer accounts, this event generates only on domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4725</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-21T23:55:07.657358900Z" />
    <EventRecordID>175714</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1112" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">Auditor</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x30d5f</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “disable account”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was disabled. Event Viewer automatically tries to resolve SIDs
and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was disabled.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
• If you have a high-value domain or local account for which you need to monitor every change, monitor all
4725 events with the “Target Account\Security ID” that corresponds to the account.
• If you have domain or local accounts that should never be disabled (for example, service accounts), you can
monitor all 4725 events with the “Target Account\Security ID” that corresponds to the account.
• We recommend monitoring all 4725 events for local accounts, because these accounts usually do not
change often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4726(S): A user account was deleted.
5/31/2019 • 3 minutes to read
Applies to
• Windows 10
• Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user object is deleted.
This event generates on domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4726</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-22T00:52:25.104613800Z" />
    <EventRecordID>175720</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1112" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">ksmith</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x30d5f</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete user account”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was deleted. Event Viewer automatically tries to resolve SIDs
and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was deleted.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a high-value domain or local account for which you need to monitor every change (or deletion),
monitor all 4726 events with the “Target Account\Security ID” that corresponds to the account.
If you have a domain or local account that should never be deleted (for example, service accounts), monitor
all 4726 events with the “Target Account\Security ID” that corresponds to the account.
We recommend monitoring all 4726 events for local accounts, because these accounts typically are not
deleted often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4738(S): A user account was changed.
11/7/2019 • 16 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user object is changed.
This event generates on domain controllers, member servers, and workstations.
For each change, a separate 4738 event will be generated.
You might see this event without any changes inside, that is, where all Changed Attributes appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the discretionary access control list (DACL) is changed, a 4738 event will generate, but all attributes will be “-“.
Some changes do not invoke a 4738 event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" />
<EventRecordID>175413</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="Dummy">-</Data>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="UserAccountControl">%%2050 %%2089</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change user account”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was changed. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was changed.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Changed Attributes:
If attribute was not changed it will have “–“ value.
Unfortunately, for local accounts, all fields, except changed attributes, will have previous values populated. Also,
the User Account Control field will have values only if it was modified. Changed attributes will have new values,
but it is hard to understand which attribute was really changed.
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). If the value of sAMAccountName
attribute of user object was changed, you will see the new value here. For example: ladmin. For local
accounts, this field always has some value—if the account's attribute was not changed it will contain the
current value of the attribute.
Display Name [Type = UnicodeString]: it is a name, displayed in the address book for a particular account.
This is usually the combination of the user's first name, middle initial, and last name. You can change this
attribute by using Active Directory Users and Computers, or through a script, for example. If the value of
displayName attribute of user object was changed, you will see the new value here. For local accounts,
this field always has some value—if the account's attribute was not changed it will contain the current value
of the attribute.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. If the value of
userPrincipalName attribute of user object was changed, you will see the new value here. You can change
this attribute by using Active Directory Users and Computers, or through a script, for example. For local
accounts, this field is not applicable and always has “-“ value.
Home Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and
specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the
form \\Server\Share\Directory. If the value of homeDirectory attribute of user object was changed, you
will see the new value here. You can change this attribute by using Active Directory Users and Computers,
or through a script, for example. For local accounts, this field always has some value—if the account's
attribute was not changed it will contain the current value of the attribute.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
homeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For
example – “H:”. If the value of homeDrive attribute of user object was changed, you will see the new value
here. You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. For local accounts, this field always has some value—if the account's attribute was not changed it
will contain the current value of the attribute.
Script Path [Type = UnicodeString]: specifies the path of the account’s logon script. If the value of
scriptPath attribute of user object was changed, you will see the new value here. You can change this
attribute by using Active Directory Users and Computers, or through a script, for example. For local
accounts, this field always has some value—if the account's attribute was not changed it will contain the
current value of the attribute.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null string,
a local absolute path, or a UNC path. If the value of profilePath attribute of user object was changed, you
will see the new value here. You can change this attribute by using Active Directory Users and Computers,
or through a script, for example. For local accounts, this field always has some value—if the account's
attribute was not changed it will contain the current value of the attribute.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers
from which the user can logon. Each computer name is separated by a comma. The name of a computer is
the sAMAccountName property of a computer object. If the value of userWorkstations attribute of user
object was changed, you will see the new value here. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. For local accounts, this field is not
applicable and always appears as “<value not set>”.
Password Last Set [Type = UnicodeString]: last time the account’s password was modified. If the value of
pwdLastSet attribute of user object was changed, you will see the new value here. For example: 8/12/2015
11:41:39 AM. This value will be changed, for example, after manual user account password reset. For local
accounts, this field always has some value—if the account's attribute was not changed it will contain the
current value of the attribute.
Account Expires [Type = UnicodeString]: the date when the account expires. If the value of
accountExpires attribute of user object was changed, you will see the new value here. For example,
“9/21/2015 12:00:00 AM”. You can change this attribute by using Active Directory Users and Computers, or
through a script, for example. For local accounts, this field always has some value—if the account's attribute
was not changed it will contain the current value of the attribute.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of user’s object primary group.
Note Relative identifier (RID) is a variable length number that is assigned to objects at creation and
becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a
domain.
This field will contain some value if user’s object primary group was changed. You can change user’s primary
group using Active Directory Users and Computers management console in the Member Of tab of user object
properties. You will see a RID of new primary group as a field value. For example, RID 513 (Domain Users) is a
default primary group for users.
Typical Primary Group values for user accounts:
513 (Domain Users. For local accounts this RID means Users) – for domain and local users.
See this article https://support.microsoft.com/kb/243330 for more information. If the value of
primaryGroupID attribute of user object was changed, you will see the new value here.
AllowedToDelegateTo [Type = UnicodeString]: the list of SPNs to which this account can present
delegated credentials. Can be changed using Active Directory Users and Computers management console
in Delegation tab of user account, if at least one SPN is registered for user account. If the SPNs list on
Delegation tab of a user account was changed, you will see the new SPNs list in AllowedToDelegateTo
field (note that you will see the new list instead of changes) of this event. This is an example of
AllowedToDelegateTo:
dcom/WIN2012
dcom/WIN2012.contoso.local
If the value of msDS-AllowedToDelegateTo attribute of user object was changed, you will see the
new value here.
The value can be “<value not set>”, for example, if delegation was disabled.
For local accounts, this field is not applicable and always has “-“ value.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must
have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients
might use for authentication. For example, an SPN always includes the name of the host computer on which
the service instance is running, so a service instance might register an SPN for each name or alias of its host.
Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. This parameter contains the previous value of
userAccountControl attribute of user object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. If the value of userAccountControl attribute of user object
was changed, you will see the new value here.
To decode this value, you can go through the property value definitions in the User’s or Computer’s account UAC
flags, from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the
event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract
the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
Here's an example: Flags value from event: 0x15
Decoding:
• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE 0x0002
• SCRIPT 0x0001
0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl
attribute. You will see a line of text for each change. See possible values in here: User’s or Computer’s
account UAC flags. In the “User Account Control field text” column, you can see the text that will be
displayed in the User Account Control field in 4738 event.
User Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and
Computers management console in Dial-in tab of user’s account properties, then you will see <value
changed, but not displayed> in this field. For local accounts, this field is not applicable and always has
“<value not set>” value.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another domain. Whenever an object is moved from one domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of sIDHistory
attribute of user object was changed, you will see the new value here.
Logon Hours [Type = UnicodeString]: hours that the account is allowed to logon to the domain. If the
value of logonHours attribute of user object was changed, you will see the new value here. You can
change this attribute by using Active Directory Users and Computers, or through a script, for example. Here
is an example of this field:
Sunday 12:00 AM - 7:00 PM
Sunday 9:00 PM -Monday 1:00 PM
Monday 2:00 PM -Tuesday 6:00 PM
Tuesday 8:00 PM -Wednesday 10:00 AM
For local accounts this field is not applicable and typically has value “All”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
FIELD TO TRACK / REASON TO TRACK
• Display Name, User Principal Name, Home Directory, Home Drive, Script Path, Profile Path, User Workstations, Password Last Set, Account Expires, Primary Group ID, Logon Hours: We recommend monitoring all changes for these fields for critical domain and local accounts.
• Primary Group ID is not 513: Typically, the Primary Group value is 513 for domain and local users. Other values should be monitored.
• AllowedToDelegateTo is marked <value not set>, for user accounts for which the services list (on the Delegation tab) should not be empty: If AllowedToDelegateTo is marked <value not set> on user accounts that previously had a services list (on the Delegation tab), it means the list was cleared.
• SID History is not -: This field will always be set to - unless the account was migrated from another domain.
USER ACCOUNT CONTROL FLAG TO TRACK / INFORMATION ABOUT THE FLAG
• 'Password Not Required' – Enabled: Should not typically be enabled for user accounts because it weakens security for the account.
• 'Encrypted Text Password Allowed' – Enabled: Should not typically be enabled for user accounts because it weakens security for the account.
• 'Server Trust Account' – Enabled: Should never be enabled for user accounts. Applies only to domain controller (computer) accounts.
• 'Don't Expire Password' – Enabled: Should be monitored for critical accounts, or all accounts if your organization does not allow this flag.
• 'Password Not Required' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.”
• 'Encrypted Text Password Allowed' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.”
• 'Don't Expire Password' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.”
• 'Smartcard Required' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.”
• 'Trusted For Delegation' – Enabled: Means that Kerberos constrained or unconstrained delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
• 'Trusted For Delegation' – Disabled: Means that Kerberos constrained or unconstrained delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts.
• 'Trusted To Authenticate For Delegation' – Enabled: Means that Protocol Transition delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
• 'Trusted To Authenticate For Delegation' – Disabled: Means that Protocol Transition delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts.
• 'Not Delegated' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.” Means that “Account is sensitive and cannot be delegated” was unchecked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
• 'Use DES Key Only' – Enabled: Should not typically be enabled for user accounts because it weakens security for the account’s Kerberos authentication.
• 'Don't Require Preauth' – Enabled: Should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication.
• 'Use DES Key Only' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.”
• 'Don't Require Preauth' – Disabled: Should be monitored for all accounts where the setting should be “Enabled.”
4740(S): A user account was locked out.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user account is locked out.
For user accounts, this event generates on domain controllers, member servers, and workstations.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4740</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-21T22:06:08.576887500Z" />
<EventRecordID>175703</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">WIN81</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that performed the lockout operation.
Account Domain [Type = UnicodeString]: domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Account That Was Locked Out:
Security ID [Type = SID]: SID of account that was locked out. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was locked out.
Additional Information:
Caller Computer Name [Type = UnicodeString]: the name of computer account from which logon attempt
was received and after which target account was locked out. For example: WIN81.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever
“Subject\Security ID” is not SYSTEM.
If you have high-value domain or local accounts (for example, domain administrator accounts) for which
you need to monitor every lockout, monitor all 4740 events with the “Account That Was Locked Out
\Security ID” values that correspond to the accounts.
If you have a high-value domain or local account for which you need to monitor every change, monitor all
4740 events with the “Account That Was Locked Out \Security ID” that corresponds to the account.
If the user account “Account That Was Locked Out\Security ID” should not be used (for authentication
attempts) from the Additional Information\Caller Computer Name, then trigger an alert.
Monitor for all 4740 events where Additional Information\Caller Computer Name is not from your
domain. However, be aware that even if the computer is not in your domain you will get the computer name
instead of an IP address in the 4740 event.
4765(S): SID History was added to an account.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
This event generates when SID History was added to an account.
See more information about SID History here: https://technet.microsoft.com/library/cc779590(v=ws.10).aspx.
There is no example of this event in this document.
Subcategory: Audit User Account Management
Event Schema:
SID History was added to an account.
Subject:
Security ID:%6
Account Name:%7
Account Domain:%8
Logon ID:%9
Target Account:
Security ID:%5
Account Name:%3
Account Domain:%4
Source Account:
Security ID:%2
Account Name:%1
Additional Information:
Privileges:%10
SID List:%11
Applies to
Windows 10
Windows Server 2016
This event generates when an attempt to add SID History to an account failed.
See more information about SID History here: https://technet.microsoft.com/library/cc779590(v=ws.10).aspx.
There is no example of this event in this document.
Subcategory: Audit User Account Management
Event Schema:
An attempt to add SID History to an account failed.
Subject:
Security ID:-
Account Name:%5
Account Domain:%6
Logon ID:%7
Target Account:
Security ID:%4
Account Name:%2
Account Domain:%3
Source Account:
Account Name:%1
Additional Information:
Privileges:%8
4767(S): A user account was unlocked.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user account is unlocked.
For user accounts, this event generates on domain controllers, member servers, and workstations.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4767</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-21T22:31:01.871931700Z" />
<EventRecordID>175705</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1520" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
</EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that performed the unlock operation. Event Viewer automatically tries
to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that performed the unlock operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was unlocked. Event Viewer automatically tries to resolve SIDs
and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was unlocked.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Security Monitoring Recommendations
For 4767(S): A user account was unlocked.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Applies to
Windows 10
Windows Server 2016
Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation
(FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for
its domain in Active Directory and that are in administrative or security-sensitive groups and which have
AdminCount attribute = 1 against the ACL on the AdminSDHolder object. If the ACL on the principal account differs
from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the
AdminSDHolder object and this event is generated.
For some reason, this event doesn’t generate on some OS versions.
Subcategory: Audit User Account Management
Event Schema:
The ACL was set on accounts which are members of administrators groups.
Subject:
Security ID:%4
Account Name:%5
Account Domain:%6
Logon ID:%7
Target Account:
Security ID:%3
Account Name:%1
Account Domain:%2
Additional Information:
Privileges:%8
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user or
computer account name (sAMAccountName
attribute) is changed.
For user accounts, this event generates on
domain controllers, member servers, and
workstations.
For computer accounts, this event generates
only on domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4781</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T02:41:09.737420900Z" />
<EventRecordID>175754</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="OldTargetUserName">Admin</Data>
<Data Name="NewTargetUserName">MainAdmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6117</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that performed the “change account
name” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account on which the name was changed. Event Viewer automatically tries
to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.
Account Domain [Type = UnicodeString]: target account’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Old Account Name [Type = UnicodeString]: old name of target account.
New Account Name [Type = UnicodeString]: new name of target account.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high-value user or computer accounts (or local user accounts) for which you need to monitor each
change to the accounts, monitor this event with the “Target Account\Security ID” that corresponds to the
high-value accounts.
4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time Directory
Services Restore Mode (DSRM) administrator
password is changed.
This event generates only on domain
controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4794</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T02:49:26.087748900Z" />
<EventRecordID>172348</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="2964" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36f67</Data>
<Data Name="Workstation">DC01</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that made an attempt to set Directory
Services Restore Mode administrator password.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Additional Information:
Caller Workstation [Type = UnicodeString]: the name of the computer account from which the Directory Services Restore Mode (DSRM) administrator password change request was received. For example: “DC01”. If the change request was sent locally (from the same server), this field will have the same name as the computer account.
Status Code [Type = HexInt32]: for Success events it has the value “0x0”.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates when a process enumerates
a user's security-enabled local groups on a
computer or device.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4798</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T04:14:17.436787700Z" />
<EventRecordID>691</EventRecordID>
<Correlation ActivityID="{CBAEDE08-1CF0-0000-50DE-AECBF01CD101}" />
<Execution ProcessID="744" ThreadID="3928" />
<Channel>Security</Channel>
<Computer>WIN10-1.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">WIN10-1</Data>
<Data Name="TargetSid">S-1-5-21-1694160624-234216347-2203645164-500</Data>
<Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x72d9d</Data>
<Data Name="CallerProcessId">0xc80</Data>
<Data Name="CallerProcessName">C:\Windows\System32\mmc.exe</Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that requested the “enumerate user's
security-enabled local groups” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
User:
Security ID [Type = SID]: SID of the account whose groups were enumerated. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data
in the event.
Account Name [Type = UnicodeString]: the name of the account whose groups were enumerated.
Account Domain [Type = UnicodeString]: group’s domain or computer name. Formats vary, and include
the following:
For a local group, this field will contain the name of the computer to which this group belongs, for
example: “Win81”.
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that enumerated the members of the group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high value domain or local accounts for which you need to monitor each enumeration of their
group membership, or any access attempt, monitor events with the “Subject\Security ID” that
corresponds to the high value account or accounts.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name”.
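The recommendations above for 4781 and for 4798 expressed as detection logic, in an added Python example that is not part of the original documentation. It reads exported Event XML records of the shape shown on this page; the high-value SID list, the expected process set, the folder lists and the restricted substrings are assumed site policy, and the third sample record is constructed.

```python
"""Added example: apply the page's monitoring recommendations for 4781 (account renamed)
and 4798 (local group membership enumerated) to exported Security-log Event XML."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Site-specific policy. These values are assumptions for the example, not from the page,
# except the two SIDs, which are the target accounts in the page's own 4781 and 4798 samples.
HIGH_VALUE_SIDS = {
    "S-1-5-21-3457937927-2839227994-823803824-6117",  # CONTOSO\MainAdmin (4781 sample)
    "S-1-5-21-1694160624-234216347-2203645164-500",   # WIN10-1\Administrator (4798 sample)
}
EXPECTED_4798_PROCESSES = {"c:\\windows\\system32\\mmc.exe"}   # your pre-defined "Process Name"
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\", "\\temp\\")
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")


def parse_event(xml_text: str) -> dict:
    """Flatten one <Event> record into {'EventID', 'Computer', <Data Name>: text}."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.find("e:EventData", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def check_event(ev: dict) -> list:
    """Return one alert string per recommendation the event trips (empty list: nothing to flag)."""
    alerts = []
    eid = ev["EventID"]
    if eid == 4781:
        # "monitor this event with the Target Account\Security ID that corresponds to the high-value accounts"
        if ev.get("TargetSid") in HIGH_VALUE_SIDS:
            alerts.append(f"4781: high-value account {ev['TargetSid']} renamed "
                          f"{ev['OldTargetUserName']} -> {ev['NewTargetUserName']} by {ev['SubjectUserName']}")
    elif eid == 4798:
        # The page keys this rule on Subject\Security ID; also checking the enumerated account
        # (User\Security ID, i.e. TargetSid) is an added generalization.
        for field in ("SubjectUserSid", "TargetSid"):
            if ev.get(field) in HIGH_VALUE_SIDS:
                alerts.append(f"4798: high-value SID in {field}: {ev[field]}")
        proc = ev.get("CallerProcessName", "")
        low = proc.lower()
        if low not in EXPECTED_4798_PROCESSES:
            alerts.append(f"4798: Process Name not in pre-defined set: {proc}")
        if not low.startswith(STANDARD_FOLDERS):
            alerts.append(f"4798: Process Name outside standard folders: {proc}")
        if any(folder in low for folder in RESTRICTED_FOLDERS):
            alerts.append(f"4798: Process Name in a restricted folder: {proc}")
        if any(word in low for word in RESTRICTED_SUBSTRINGS):
            alerts.append(f"4798: restricted substring in Process Name: {proc}")
    return alerts


def scan(xml_records) -> list:
    """Run check_event over a sequence of Event XML strings and collect all alerts."""
    return [alert for rec in xml_records for alert in check_event(parse_event(rec))]


def make_event(event_id: int, computer: str, data: dict) -> str:
    """Build a minimal Event XML record in the same shape as the page's samples (sample input only)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Channel>Security</Channel><Computer>{computer}</Computer></System>'
            f'<EventData>{body}</EventData></Event>')


# Constructed sample records: the first two mirror the page's 4781 and 4798 examples, the third
# is a made-up 4798 from a non-standard folder with a restricted substring in the process name.
SAMPLES = [
    make_event(4781, "DC01.contoso.local", {
        "OldTargetUserName": "Admin", "NewTargetUserName": "MainAdmin", "TargetDomainName": "CONTOSO",
        "TargetSid": "S-1-5-21-3457937927-2839227994-823803824-6117",
        "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
        "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0x30d5f"}),
    make_event(4798, "WIN10-1.contoso.local", {
        "TargetUserName": "Administrator", "TargetDomainName": "WIN10-1",
        "TargetSid": "S-1-5-21-1694160624-234216347-2203645164-500",
        "SubjectUserSid": "S-1-5-21-1377283216-344919071-3415362939-1104",
        "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0x72d9d",
        "CallerProcessId": "0xc80", "CallerProcessName": "C:\\Windows\\System32\\mmc.exe"}),
    make_event(4798, "WIN10-1.contoso.local", {
        "TargetUserName": "user1", "TargetDomainName": "WIN10-1",
        "TargetSid": "S-1-5-21-1694160624-234216347-2203645164-1001",
        "SubjectUserSid": "S-1-5-21-1377283216-344919071-3415362939-1104",
        "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0x72d9d",
        "CallerProcessId": "0x1a2c",
        "CallerProcessName": "C:\\Users\\dadmin\\AppData\\Local\\Temp\\mimikatz.exe"}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```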
5376(S): Credential Manager credentials were backed up.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time the user
(Subject ) successfully backs up the credential
manager database.
Typically this can be done by clicking “Back up
Credentials” in Credential Manager in the
Control Panel.
This event generates on domain controllers,
member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5376</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T03:28:02.200404700Z" />
<EventRecordID>175779</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="548" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d7c</Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that performed the backup operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Every 5376 event should be recorded for all local and domain accounts, because this action (back up Credential
Manager) is very rarely used by users and can indicate a virus, or other harmful or malicious activity.
5377(S): Credential Manager credentials were restored from a backup.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time the user
(Subject ) successfully restores the credential
manager database.
Typically this can be done by clicking “Restore
Credentials” in Credential Manager in the
Control Panel.
This event generates on domain controllers,
member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5377</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T03:35:47.523266300Z" />
<EventRecordID>175780</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1236" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d7c</Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that performed the restore operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Every 5377 event should be recorded for all local and domain accounts, because this action (restore Credential
Manager credentials from a backup) is very rarely used by users, and can indicate a virus, or other harmful or
malicious activity.
Audit DPAPI Activity
1/3/2020
Applies to
Windows 10
Windows Server 2016
Audit DPAPI Activity determines whether the operating system generates audit events when encryption or
decryption calls are made into the data protection application interface (DPAPI).
Event volume: Low.
Events List:
4692(S, F): Backup of data protection master key was attempted.
4693(S, F): Recovery of data protection master key was attempted.
4694(S, F): Protection of auditable protected data was attempted.
4695(S, F): Unprotection of auditable protected data was attempted.
4692(S, F): Backup of data protection master key was attempted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit DPAPI Activity
Event Description:
This event generates every time that a backup
is attempted for the DPAPI Master Key.
When a computer is a member of a domain,
DPAPI has a backup mechanism to allow
unprotection of the data. When a Master Key is
generated, DPAPI communicates with a domain
controller. Domain controllers have a domain-
wide public/private key pair, associated solely
with DPAPI. The local DPAPI client gets the
domain controller public key from a domain
controller by using a mutually authenticated
and privacy protected RPC call. The client
encrypts the Master Key with the domain
controller public key. It then stores this backup Master Key along with the Master Key protected by the user's
password.
Periodically, a domain-joined machine will try to send an RPC request to a domain controller to back up the user’s
master key so that the user can recover secrets in case his or her password has to be reset. Although the user's keys
are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain
recovery key.
This event also generates every time a new DPAPI Master Key is generated.
This event generates on domain controllers, member servers, and workstations.
A Failure event generates when a Master Key backup operation fails for some reason.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4692</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13314</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-25T01:59:14.573672700Z" />
<EventRecordID>176964</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="540" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
<Data Name="SubjectUserName">ladmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30c08</Data>
<Data Name="MasterKeyId">16cfaea0-dbe3-4d92-9523-d494edb546bc</Data>
<Data Name="RecoveryServer" />
<Data Name="RecoveryKeyId">806a0350-aeb1-4c56-91f9-ef16cf759291</Data>
<Data Name="FailureReason">0x0</Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that requested backup operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Key Information:
Key Identifier [Type = UnicodeString]: unique identifier of the master key whose backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt/decrypt the data using DPAPI. All of a user's Master Keys are located in the user profile, in the %APPDATA%\Roaming\Microsoft\Windows\Protect\%SID% folder. The name of every Master Key file is its ID.
Recovery Server [Type = UnicodeString]: the name (typically the DNS name) of the computer that you contacted to back up your Master Key. For domain-joined machines, it's typically the name of a domain controller. This parameter might not be captured in the event, and in that case will be empty.
Recovery Key ID [Type = UnicodeString]: unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when the first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field you will see the unique Recovery Key ID which was used for the Master Key backup operation.
For Failure events this field is typically empty.
Status Information:
Status Code [Type = HexInt32]: hexadecimal unique status code of the performed operation. For Success events this field is typically “0x0”. To see the meaning of a status code you need to convert it to a decimal value and use the “net helpmsg STATUS_CODE” command to see the description for the specific STATUS_CODE. Here is an example of “net helpmsg” command output for status code 0x3A:
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
4693(S, F): Recovery of data protection master key was attempted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit DPAPI Activity
Event Description:
This event generates every time that recovery
is attempted for a DPAPI Master Key.
While unprotecting data, if DPAPI cannot use
the Master Key protected by the user's
password, it sends the backup Master Key to a
domain controller by using a mutually
authenticated and privacy protected RPC call.
The domain controller then decrypts the
Master Key with its private key and sends it
back to the client by using the same protected
RPC call. This protected RPC call is used to
ensure that no one listening on the network
can get the Master Key.
This event generates on domain controllers,
member servers, and workstations.
A Failure event generates when a Master Key restore operation fails for some reason.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4693</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13314</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T06:25:14.589407700Z" />
<EventRecordID>175809</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1340" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d7c</Data>
<Data Name="MasterKeyId">0445c766-75f0-4de7-82ad-d9d97aad59f6</Data>
<Data Name="RecoveryReason">0x5c005c</Data>
<Data Name="RecoveryServer">DC01.contoso.local</Data>
<Data Name="RecoveryKeyId" />
<Data Name="FailureId">0x380000</Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that requested the “recover” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Key Information:
Key Identifier [Type = UnicodeString]: unique identifier of the master key which was recovered. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt/decrypt the data using DPAPI. All of a user's Master Keys are located in the user profile, in the %APPDATA%\Roaming\Microsoft\Windows\Protect\%SID% folder. The name of every Master Key file is its ID.
Recovery Server [Type = UnicodeString]: the name (typically the DNS name) of the computer that you contacted to recover your Master Key. For domain-joined machines, it's typically the name of a domain controller.
Note In this event the Recovery Server field contains information from the Recovery Reason field.
Recovery Key ID [Type = UnicodeString]: unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when the first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field you will see the unique Recovery Key ID which was used for the Master Key recovery operation. This parameter might not be captured in the event, and in that case will be empty.
Recovery Reason [Type = HexInt32]: hexadecimal code of the recovery reason.
Note In this event the Recovery Reason field contains information from the Recovery Server field.
Status Information:
Status Code [Type = HexInt32]: hexadecimal unique status code. For Success events this field is typically “0x380000”.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
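Triage of 4692 and 4693 records applying the status-code rules described in the two sections above (0x0 for a successful backup, 0x380000 for a successful recovery, and the net helpmsg lookup for a failed backup), as an added Python example that is not from the original documentation. It takes records already flattened to dicts keyed by Data Name, as a log-forwarder export would provide; the sample records are built from the page's own XML plus one made-up failed backup using the page's example status code 0x3A.

```python
"""Added example: triage DPAPI master key backup (4692) and recovery (4693) audit records."""


def status_for_net_helpmsg(status_hex: str) -> tuple:
    """Convert an event's hexadecimal status code to the decimal form `net helpmsg` expects."""
    code = int(status_hex, 16)
    return code, f"net helpmsg {code}"


def triage(ev: dict) -> dict:
    """Classify one 4692/4693 record. `ev` holds EventID plus each <Data Name> field as text."""
    eid = ev["EventID"]
    if eid == 4692:
        status = ev.get("FailureReason", "")
        success = status != "" and int(status, 16) == 0x0        # page: success 4692 events carry 0x0
        detail = {"recovery_server": ev.get("RecoveryServer", ""),
                  "recovery_key": ev.get("RecoveryKeyId", "")}
    elif eid == 4693:
        status = ev.get("FailureId", "")
        success = status != "" and int(status, 16) == 0x380000   # page: success 4693 events carry 0x380000
        # The page notes the rendered message swaps these two fields, so read the raw Data elements by name.
        detail = {"recovery_server": ev.get("RecoveryServer", ""),
                  "recovery_reason": ev.get("RecoveryReason", "")}
    else:
        raise ValueError(f"not a DPAPI master key event: {eid}")
    result = {"event": eid, "success": success, "status": status,
              "subject": f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}",
              "master_key": ev["MasterKeyId"], **detail}
    if eid == 4692 and not success and status:
        # page: convert the status code to decimal and look it up with "net helpmsg STATUS_CODE"
        result["lookup"] = status_for_net_helpmsg(status)[1]
    return result


def summarize(events) -> dict:
    """Collect failed backups and completed recoveries. A completed recovery means DPAPI could not
    use the password-protected master key (e.g. after a password reset), so each is worth reviewing."""
    out = {"failed_backups": [], "recoveries": []}
    for ev in events:
        rec = triage(ev)
        if rec["event"] == 4692 and not rec["success"]:
            out["failed_backups"].append(rec)
        elif rec["event"] == 4693 and rec["success"]:
            out["recoveries"].append(rec)
    return out


# Constructed sample records. The first and third mirror the page's own 4692 and 4693 XML;
# the second is a made-up failed backup using the page's example status code 0x3A.
SAMPLES = [
    {"EventID": 4692, "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-500",
     "SubjectUserName": "ladmin", "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0x30c08",
     "MasterKeyId": "16cfaea0-dbe3-4d92-9523-d494edb546bc", "RecoveryServer": "",
     "RecoveryKeyId": "806a0350-aeb1-4c56-91f9-ef16cf759291", "FailureReason": "0x0"},
    {"EventID": 4692, "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-500",
     "SubjectUserName": "ladmin", "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0x30c08",
     "MasterKeyId": "16cfaea0-dbe3-4d92-9523-d494edb546bc", "RecoveryServer": "",
     "RecoveryKeyId": "", "FailureReason": "0x3A"},
    {"EventID": 4693, "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
     "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0x30d7c",
     "MasterKeyId": "0445c766-75f0-4de7-82ad-d9d97aad59f6", "RecoveryReason": "0x5c005c",
     "RecoveryServer": "DC01.contoso.local", "RecoveryKeyId": "", "FailureId": "0x380000"},
]

if __name__ == "__main__":
    for key, records in summarize(SAMPLES).items():
        print(key, [(r["subject"], r["master_key"], r.get("lookup", r["status"])) for r in records])
```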
4694(S, F): Protection of auditable protected data was attempted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
This event generates if the DPAPI CryptProtectData() function was used with the CRYPTPROTECT_AUDIT flag (dwFlags) enabled.
There is no example of this event in this document.
Subcategory: Audit DPAPI Activity
Event Schema:
Protection of auditable protected data was attempted.
Subject:
Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4
Protected Data:
Data Description:%6
Key Identifier:%5
Protected Data Flags:%7
Protection Algorithms:%8
Status Information:
Status Code:%9
Applies to
Windows 10
Windows Server 2016
This event generates if the DPAPI CryptUnprotectData() function was used to unprotect “auditable” data that was encrypted using the CryptProtectData() function with the CRYPTPROTECT_AUDIT flag (dwFlags) enabled.
There is no example of this event in this document.
Subcategory: Audit DPAPI Activity
Event Schema:
Unprotection of auditable protected data was attempted.
Subject:
Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4
Protected Data:
Data Description:%6
Key Identifier:%5
Protected Data Flags:%7
Protection Algorithms:%8
Status Information:
Status Code:%9
Applies to
Windows 10
Windows Server 2016
Audit PNP Activity determines when Plug and Play detects an external device.
A PnP audit event can be used to track down changes in system hardware and will be logged on the machine
where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered.
Event volume: Varies, depending on how the computer is used. Typically Low.
Events List:
6416(S): A new external device was recognized by the System
6419(S): A request was made to disable a device
6420(S): A device was disabled.
6421(S): A request was made to enable a device.
6422(S): A device was enabled.
6423(S): The installation of this device is forbidden by system policy.
6424(S): The installation of this device was allowed, after having previously been forbidden by policy.
6416(S): A new external device was recognized by the System.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time a new external device is recognized by a system.
This event generates, for example, when a new external device is connected or enabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6416</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-13T18:20:16.818569900Z" />
    <EventRecordID>436</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="308" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceId">SCSI\Disk&amp;Ven_Seagate&amp;Prod_Expansion\000000</Data>
    <Data Name="DeviceDescription">Seagate Expansion SCSI Disk Device</Data>
    <Data Name="ClassId">{4D36E967-E325-11CE-BFC1-08002BE10318}</Data>
    <Data Name="ClassName">DiskDrive</Data>
    <Data Name="VendorIds">SCSI\DiskSeagate_Expansion_______0636 SCSI\DiskSeagate_Expansion_______ SCSI\DiskSeagate_ SCSI\Seagate_Expansion_______0 Seagate_Expansion_______0 GenDisk</Data>
    <Data Name="CompatibleIds">SCSI\Disk SCSI\RAW</Data>
    <Data Name="LocationInformation">Bus Number 0, Target Id 0, LUN 0</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that registered the new device.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString] [Version 1]: “Device instance path” attribute of the device.
Device Name [Type = UnicodeString] [Version 1]: “Device description” attribute of the device.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device.
Class Name [Type = UnicodeString] [Version 1]: “Class” attribute of the device.
Vendor IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device.
Location Information [Type = UnicodeString]: “Location information” attribute of the device.
To see these attributes, start Device Manager, open the properties of the specific device, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever
“Subject\Security ID” is not SYSTEM.
You can use this event to track the events and event information shown in the following table by using the
listed fields:
6419(S): A request was made to disable a device.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time someone makes a request to disable a device.
This event does not mean that the device was disabled; the disable itself is recorded by 6420.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6419</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T22:23:26.789591400Z" />
    <EventRecordID>483</EventRecordID>
    <Correlation />
    <Execution ProcessID="2192" ThreadID="1392" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-2695983153-1310895815-1903476278-1001</Data>
    <Data Name="SubjectUserName">ladmin</Data>
    <Data Name="SubjectDomainName">DESKTOP-NFC0HVN</Data>
    <Data Name="SubjectLogonId">0x3fcc7</Data>
    <Data Name="DeviceId">USB\VID_138A&amp;PID_0017\FFBC12C950A0</Data>
    <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
    <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
    <Data Name="ClassName">Biometric</Data>
    <Data Name="HardwareIds">USB\VID_138A&amp;PID_0017&amp;REV_0078 USB\VID_138A&amp;PID_0017</Data>
    <Data Name="CompatibleIds">USB\Class_FF&amp;SubClass_00&amp;Prot_00 USB\Class_FF&amp;SubClass_00 USB\Class_FF</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made the request.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of the device.
Device Name [Type = UnicodeString]: “Device description” attribute of the device.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device.
Class Name [Type = UnicodeString]: “Class” attribute of the device.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device.
Location Information [Type = UnicodeString]: “Location information” attribute of the device.
To see these attributes, start Device Manager, open the properties of the specific device, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can use this event to track the events and event information shown in the following table by using the listed
fields:
6420(S): A device was disabled.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time a specific device is disabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6420</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T22:23:29.137398300Z" />
    <EventRecordID>484</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="88" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceId">USB\VID_138A&amp;PID_0017\ffbc12c950a0</Data>
    <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
    <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
    <Data Name="ClassName">Biometric</Data>
    <Data Name="HardwareIds">USB\VID_138A&amp;PID_0017&amp;REV_0078 USB\VID_138A&amp;PID_0017</Data>
    <Data Name="CompatibleIds">USB\Class_FF&amp;SubClass_00&amp;Prot_00 USB\Class_FF&amp;SubClass_00 USB\Class_FF</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that disabled the device.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of the device.
Device Name [Type = UnicodeString]: “Device description” attribute of the device.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device.
Class Name [Type = UnicodeString]: “Class” attribute of the device.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device.
Location Information [Type = UnicodeString]: “Location information” attribute of the device.
To see these attributes, start Device Manager, open the properties of the specific device, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can use this event to track the events and event information shown in the following table by using the listed
fields:
6421(S): A request was made to enable a device.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time someone makes a request to enable a device.
This event does not mean that the device was enabled; the enable itself is recorded by 6422.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6421</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T22:37:50.034918700Z" />
    <EventRecordID>485</EventRecordID>
    <Correlation />
    <Execution ProcessID="2192" ThreadID="1392" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-2695983153-1310895815-1903476278-1001</Data>
    <Data Name="SubjectUserName">ladmin</Data>
    <Data Name="SubjectDomainName">DESKTOP-NFC0HVN</Data>
    <Data Name="SubjectLogonId">0x3fcc7</Data>
    <Data Name="DeviceId">USB\VID_138A&amp;PID_0017\FFBC12C950A0</Data>
    <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
    <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
    <Data Name="ClassName">Biometric</Data>
    <Data Name="HardwareIds">USB\VID_138A&amp;PID_0017&amp;REV_0078 USB\VID_138A&amp;PID_0017</Data>
    <Data Name="CompatibleIds">USB\Class_FF&amp;SubClass_00&amp;Prot_00 USB\Class_FF&amp;SubClass_00 USB\Class_FF</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made the request.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of the device.
Device Name [Type = UnicodeString]: “Device description” attribute of the device.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device.
Class Name [Type = UnicodeString]: “Class” attribute of the device.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device.
Location Information [Type = UnicodeString]: “Location information” attribute of the device.
To see these attributes, start Device Manager, open the properties of the specific device, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can use this event to track the events and event information shown in the following table by using the listed
fields:
6422(S): A device was enabled.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time a specific device is enabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6422</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T22:37:50.036050900Z" />
    <EventRecordID>486</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="408" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceId">USB\VID_138A&amp;PID_0017\ffbc12c950a0</Data>
    <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
    <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
    <Data Name="ClassName">Biometric</Data>
    <Data Name="HardwareIds">USB\VID_138A&amp;PID_0017&amp;REV_0078 USB\VID_138A&amp;PID_0017</Data>
    <Data Name="CompatibleIds">USB\Class_FF&amp;SubClass_00&amp;Prot_00 USB\Class_FF&amp;SubClass_00 USB\Class_FF</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that enabled the device.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of the device.
Device Name [Type = UnicodeString]: “Device description” attribute of the device.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device.
Class Name [Type = UnicodeString]: “Class” attribute of the device.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device.
Location Information [Type = UnicodeString]: “Location information” attribute of the device.
To see these attributes, start Device Manager, open the properties of the specific device, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever
“Subject\Security ID” is not SYSTEM.
You can use this event to track the events and event information shown in the following table by using the
listed fields:
6423(S): The installation of this device is forbidden by system policy.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time installation of a device is forbidden by system policy.
Device installation restriction group policies are located under
\Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.
If one of these policies restricts installation of a specific device, this event is generated.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6423</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T22:49:34.647975900Z" />
    <EventRecordID>488</EventRecordID>
    <Correlation />
    <Execution ProcessID="828" ThreadID="1924" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceId">USB\VID_04F3&amp;PID_012D\7&amp;1E3A8971&amp;0&amp;2</Data>
    <Data Name="DeviceDescription">Touchscreen</Data>
    <Data Name="ClassId">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="ClassName" />
    <Data Name="HardwareIds">USB\VID_04F3&amp;PID_012D&amp;REV_0013 USB\VID_04F3&amp;PID_012D</Data>
    <Data Name="CompatibleIds">USB\Class_03&amp;SubClass_00&amp;Prot_00 USB\Class_03&amp;SubClass_00 USB\Class_03</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that forbids the device installation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of the device.
Device Name [Type = UnicodeString]: “Device description” attribute of the device.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device.
Class Name [Type = UnicodeString]: “Class” attribute of the device.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device.
Location Information [Type = UnicodeString]: “Location information” attribute of the device.
To see these attributes, start Device Manager, open the properties of the specific device, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you want to track device installation policy violations, you need to track every event of this type.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever
“Subject\Security ID” is not SYSTEM.
You can use this event to track the policy violations and related information shown in the following table by
using the listed fields:
Policy violation and related information to monitor | Field to use
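The monitoring recommendations in this subcategory can be checked together: report 6416 whenever the subject is not SYSTEM, record every 6423, and treat 6419 as only a request until a 6420 for the same device follows. The Python below is an added example, not code from the Windows documentation. It parses Security-log Event XML with the standard library; the first four records are trimmed copies of the samples in this section, the last two are constructed, and the function names and finding format are this example's own choices.

```python
"""Triage for Audit PNP Activity events (6416, 6419, 6420, 6423) read as Security-log XML.

Added example, not part of the Windows documentation. The records below are
constructed: the first four are trimmed copies of the Event XML in this section,
the last two are invented to exercise the non-SYSTEM and unconfirmed-disable cases.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"  # Local System, the usual subject of 6416/6420/6422/6423

# Minimal record template carrying only the fields the checks below need.
RECORD = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{eid}</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserSid">{sid}</Data>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="DeviceId">{dev}</Data>
    <Data Name="DeviceDescription">{desc}</Data>
  </EventData>
</Event>"""

LADMIN = "S-1-5-21-2695983153-1310895815-1903476278-1001"
FP_SENSOR = "Synaptics FP Sensors (WBF) (PID=0017)"

SAMPLE_RECORDS = [
    # 6416: external disk recognized, subject is SYSTEM (normal, not reported)
    RECORD.format(eid=6416, sid=SYSTEM_SID, user="DESKTOP-NFC0HVN$",
                  dev=r"SCSI\Disk&amp;Ven_Seagate&amp;Prod_Expansion\000000",
                  desc="Seagate Expansion SCSI Disk Device"),
    # 6419: ladmin asks to disable the fingerprint sensor ...
    RECORD.format(eid=6419, sid=LADMIN, user="ladmin",
                  dev=r"USB\VID_138A&amp;PID_0017\FFBC12C950A0", desc=FP_SENSOR),
    # 6420: ... and SYSTEM confirms it (note the lower-case instance id)
    RECORD.format(eid=6420, sid=SYSTEM_SID, user="DESKTOP-NFC0HVN$",
                  dev=r"USB\VID_138A&amp;PID_0017\ffbc12c950a0", desc=FP_SENSOR),
    # 6423: touchscreen installation blocked by Device Installation Restrictions
    RECORD.format(eid=6423, sid=SYSTEM_SID, user="DESKTOP-NFC0HVN$",
                  dev=r"USB\VID_04F3&amp;PID_012D\7&amp;1E3A8971&amp;0&amp;2", desc="Touchscreen"),
    # constructed: 6416 raised by an interactive user instead of SYSTEM
    RECORD.format(eid=6416, sid=LADMIN, user="ladmin",
                  dev=r"USB\VID_0000&amp;PID_0000\CONSTRUCTED01", desc="Constructed storage device"),
    # constructed: 6419 request that no 6420 ever confirms
    RECORD.format(eid=6419, sid=LADMIN, user="ladmin",
                  dev=r"USB\VID_0000&amp;PID_0000\CONSTRUCTED01", desc="Constructed storage device"),
]


def parse_event(xml_text):
    """Return (event_id, {Data Name: text}) for one <Event> record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def triage(records):
    """Apply this section's monitoring guidance; return (event_id, reason, device_id) findings."""
    findings = []
    pending_disable = {}  # normalised DeviceId -> data of a 6419 still awaiting its 6420
    for xml_text in records:
        eid, d = parse_event(xml_text)
        dev = d.get("DeviceId", "")
        key = dev.lower()  # 6419 logged FFBC12C950A0, 6420 logged ffbc12c950a0: compare case-insensitively
        if eid == 6416 and d.get("SubjectUserSid") != SYSTEM_SID:
            findings.append((6416, f"new device recognized by non-SYSTEM subject {d['SubjectUserName']}", dev))
        elif eid == 6423:
            # every 6423 is a policy violation worth recording
            findings.append((6423, f"installation of {d['DeviceDescription']} forbidden by policy", dev))
        elif eid == 6419:
            pending_disable[key] = d
        elif eid == 6420:
            pending_disable.pop(key, None)  # request confirmed; nothing to report
    for d in pending_disable.values():
        findings.append((6419, f"disable requested by {d['SubjectUserName']} but no 6420 confirms it", d["DeviceId"]))
    return findings


if __name__ == "__main__":
    for eid, reason, dev in triage(SAMPLE_RECORDS):
        print(f"{eid}: {reason} [{dev}]")
```

Run against the six records it reports three findings: the blocked touchscreen (6423), the constructed 6416 raised by ladmin, and the constructed 6419 with no matching 6420. The real disable of the fingerprint sensor is silent, because the 6420 that follows it is matched case-insensitively on the device instance path.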
6424(S): The installation of this device was allowed, after having previously been forbidden by policy.
Applies to
Windows 10
Windows Server 2016
This event occurs rarely, and in some situations may be difficult to reproduce.
Subcategory: Audit PNP Activity
Required Server Roles: None.
Minimum OS Version: Windows 10 [Version 1511].
Event Versions: 0.
Applies to
Windows 10
Windows Server 2016
Audit Process Creation determines whether the operating system generates audit events when a process is
created (starts).
These audit events can help you track user activity and understand how a computer is being used. Information
includes the name of the program or the user that created the process.
Event volume: Low to Medium, depending on system usage.
This subcategory allows you to audit events generated when a process is created or starts. The name of the
application and user that created the process is also audited.
Events List:
4688(S): A new process has been created.
4696(S): A primary token was assigned to process.
4688(S): A new process has been created.
8/10/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Process Creation
Event Description:
This event generates every time a new process starts.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4688</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" />
    <EventRecordID>2814</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="400" />
    <Channel>Security</Channel>
    <Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="NewProcessId">0x2bc</Data>
    <Data Name="NewProcessName">C:\Windows\System32\rundll32.exe</Data>
    <Data Name="TokenElevationType">%%1938</Data>
    <Data Name="ProcessId">0xe74</Data>
    <Data Name="CommandLine" />
    <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x4a5af0</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="MandatoryLabel">S-1-16-8192</Data>
  </EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that requested the “create process”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON,
the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent
events that might contain the same Logon ID, for example, “4624: An account was successfully
logged on.”
Target Subject [Version 2]:
Note This event includes the principal of the process creator, but this is not always sufficient if the
target context is different from the creator context. In that situation, the subject specified in the process
termination event does not match the subject in the process creation event even though both events
refer to the same process ID. Therefore, in addition to including the creator of the process, we will also
include the target principal when the creator and target do not share the same logon.
Security ID [Type = SID] [Version 2]: SID of target account. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee
(security principal). Each account has a unique SID that is issued by an authority, such as an Active
Directory domain controller, and stored in a security database. Each time a user logs on, the system
retrieves the SID for that user from the database and places it in the access token for that user. The
system uses the SID in the access token to identify the user in all subsequent interactions with Windows
security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used
again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString] [Version 2]: the name of the target account.
Account Domain [Type = UnicodeString] [Version 2]: target account’s domain or computer name.
Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON,
the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64] [Version 2]: hexadecimal value that can help you correlate this event
with recent events that might contain the same Logon ID, for example, “4624: An account was
successfully logged on.”
Process Information:
New Process ID [Type = Pointer]: hexadecimal Process ID of the new process. Process ID (PID) is a
number used by the operating system to uniquely identify an active process. To see the PID for a
specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
New Process Name [Type = UnicodeString]: full path and the name of the executable for the new
process.
Token Elevation Type [Type = UnicodeString]:
TokenElevationTypeDefault (1): Type 1 is a full token with no privileges removed or
groups disabled. A full token is only used if User Account Control is disabled or if the user is
the built-in Administrator account (for which UAC is disabled by default), a service account or
the local system account.
TokenElevationTypeFull (2): Type 2 is an elevated token with no privileges removed or
groups disabled. An elevated token is used when User Account Control is enabled and the
user chooses to start the program using Run as administrator. An elevated token is also used
when an application is configured to always require administrative privilege or to always
require maximum privilege, and the user is a member of the Administrators group.
TokenElevationTypeLimited (3): Type 3 is a limited token with administrative privileges
removed and administrative groups disabled. The limited token is used when User Account
Control is enabled, the application does not require administrative privilege, and the user does
not choose to start the program using Run as administrator.
Mandatory Label [Version 2] [Type = SID]: SID of the integrity label which was assigned to the new
process. Can have one of the following values:
Creator Process ID [Type = Pointer]: hexadecimal Process ID of the process which ran the new process.
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID .
Creator Process Name [Version 2] [Type = UnicodeString]: full path and the name of the
executable for the process.
Process Command Line [Version 1, 2] [Type = UnicodeString]: contains the name of the executable
and the arguments which were passed to it. You must enable the “Administrative Templates\System\Audit
Process Creation\Include command line in process creation events” group policy to include the
command line in process creation events.
By default, the Process Command Line field is empty.
Type of monitoring required: High-value accounts. You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor all events with the “Creator Subject\Security ID” or “Target Subject\Security ID” that corresponds to the high-value account or accounts.

Type of monitoring required: Anomalies or malicious actions. You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Creator Subject\Security ID” or “Target Subject\Security ID” (with other information) to monitor how or when a particular account is being used.

Type of monitoring required: Non-active accounts. You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor all events with the “Creator Subject\Security ID” or “Target Subject\Security ID” that corresponds to the accounts that should never be used.

Type of monitoring required: Account whitelist. You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Creator Subject\Security ID” and “Target Subject\Security ID” for accounts that are outside the whitelist.

Type of monitoring required: Accounts of different types. You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Creator Subject\Security ID” or “Target Subject\Security ID” to see whether the account type is as expected.

Type of monitoring required: External accounts. You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor the specific events for the “Creator Subject\Security ID” or “Target Subject\Security ID” corresponding to accounts from another domain or “external” accounts.

Type of monitoring required: Restricted-use computers or devices. You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Creator Subject\Security ID” or “Target Subject\Security ID” that you are concerned about.

Type of monitoring required: Account naming conventions. Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Creator Subject\Security ID” or “Target Subject\Security ID” for names that don’t comply with naming conventions.
If you have a pre-defined “New Process Name” or “Creator Process Name” for the process
reported in this event, monitor all events with “New Process Name” or “Creator Process Name”
not equal to your defined value.
You can monitor to see if “New Process Name” or “Creator Process Name” is not in a standard
folder (for example, not in System32 or Program Files) or is in a restricted folder (for example,
Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example
“mimikatz” or “cain.exe”), check for these substrings in “New Process Name” or “Creator
Process Name”.
It can be unusual for a process to run using a local account in either Creator Subject\Security ID
or in Target Subject\Security ID.
Monitor for Token Elevation Type with value TokenElevationTypeDefault (1) when
Subject\Security ID lists a real user account, for example when Account Name doesn’t contain
the $ symbol. Typically this means that UAC is disabled for this account for some reason.
Monitor for Token Elevation Type with value TokenElevationTypeFull (2) on standard
workstations, when Subject\Security ID lists a real user account, for example when Account
Name doesn’t contain the $ symbol. This means that a user ran a program using administrative
privileges.
You can also monitor for Token Elevation Type with value TokenElevationTypeFull (2) on
standard workstations, when a computer object was used to run the process, but that computer
object is not the same computer where the event occurs.
If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480
(Protected process), check the “Mandatory Label” in this event.
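The recommendations above, applied to the Event XML layout shown earlier, as an added example (not code from the article or from Microsoft). It assumes the resource-string ids %%1936 and %%1937 for the two Token Elevation Types the sample does not show, an assumed baseline of standard and restricted folders, and a second, constructed sample event for a local account; the first sample reuses the values from the article's own 4688 record.

```python
"""Triage checks for Security event 4688, added as an example (not Microsoft's
code). parse_event flattens the Event XML layout shown in this article and
triage_4688 applies the monitoring recommendations listed above. The folder
lists, restricted substrings and the second sample event are constructed."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Resource-string ids Windows writes into TokenElevationType. The article's sample
# shows %%1938 for a limited token; the other two are the commonly documented ids.
TOKEN_ELEVATION = {"%%1936": "TokenElevationTypeDefault (1)",
                   "%%1937": "TokenElevationTypeFull (2)",
                   "%%1938": "TokenElevationTypeLimited (3)"}
# Well-known integrity-level SIDs; the article itself names 8192 and 20480.
MANDATORY_LABEL = {"S-1-16-4096": "Low", "S-1-16-8192": "Medium", "S-1-16-12288": "High",
                   "S-1-16-16384": "System", "S-1-16-20480": "Protected process"}
# Assumed baseline: the article names System32 and Program Files as standard
# folders and Temporary Internet Files as a restricted one.
STANDARD_FOLDERS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")


def parse_event(xml_text):
    """Flatten an Event XML record into {EventID, Computer, <EventData names>...}."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {"EventID": system.findtext("e:EventID", namespaces=NS),
              "Computer": system.findtext("e:Computer", namespaces=NS)}
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""   # <Data Name="CommandLine" /> -> ""
    return fields


def triage_4688(fields):
    """Return the findings the recommendations above would raise for one 4688 record."""
    findings = []
    host = fields["Computer"].split(".")[0].lower()
    # Principals to check: the creator (Subject) and, in Version 2 events, the
    # target principal when it differs from the creator ("-" otherwise).
    accounts = [(fields["SubjectUserName"], fields["SubjectDomainName"])]
    if fields.get("TargetUserName", "-") != "-":
        accounts.append((fields["TargetUserName"], fields["TargetDomainName"]))
    for proc in (fields["NewProcessName"], fields.get("ParentProcessName", "")):
        p = proc.lower()
        if any(s in p for s in RESTRICTED_SUBSTRINGS):
            findings.append(f"restricted substring in process name: {proc}")
        if any(f in p for f in RESTRICTED_FOLDERS):
            findings.append(f"process in restricted folder: {proc}")
        elif p and not p.startswith(STANDARD_FOLDERS):
            findings.append(f"process outside standard folders: {proc}")
    for name, domain in accounts:
        # A local account carries the computer name in its domain field.
        if domain.lower() == host and not name.endswith("$"):
            findings.append(f"process run under local account {domain}\\{name}")
    elevation = TOKEN_ELEVATION.get(fields.get("TokenElevationType", ""), "unknown")
    real_user = any(not n.endswith("$") for n, _ in accounts)
    foreign_computer = any(n.endswith("$") and n[:-1].lower() != host for n, _ in accounts)
    if elevation.startswith("TokenElevationTypeDefault") and real_user:
        findings.append("full token for a user account: UAC appears to be disabled")
    if elevation.startswith("TokenElevationTypeFull") and real_user:
        findings.append("user ran a program with administrative privileges")
    if elevation.startswith("TokenElevationTypeFull") and foreign_computer:
        findings.append("elevated token used by a computer object from another machine")
    if MANDATORY_LABEL.get(fields.get("MandatoryLabel", "")) == "Protected process":
        findings.append("new process carries the Protected process mandatory label")
    return findings


def build_event(event_id, computer, data):
    """Construct a minimal Security-channel Event XML record for the samples below."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Computer>{computer}</Computer></System><EventData>{body}</EventData></Event>")


# Values copied from the article's sample event: SYSTEM started rundll32.exe for
# dadmin with a limited (type 3) token.
SAMPLE_FROM_ARTICLE = build_event(4688, "WIN-GG82ULGC9GO.contoso.local", {
    "SubjectUserName": "WIN-GG82ULGC9GO$", "SubjectDomainName": "CONTOSO",
    "NewProcessName": "C:\\Windows\\System32\\rundll32.exe", "TokenElevationType": "%%1938",
    "TargetUserName": "dadmin", "TargetDomainName": "CONTOSO",
    "ParentProcessName": "C:\\Windows\\explorer.exe", "MandatoryLabel": "S-1-16-8192"})
# Constructed sample: a local account on WS01 runs a binary from Temporary
# Internet Files with a full (type 1) token.
SAMPLE_CONSTRUCTED = build_event(4688, "WS01.contoso.local", {
    "SubjectUserName": "alice", "SubjectDomainName": "WS01",
    "NewProcessName": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\"
                      "Temporary Internet Files\\update.exe",
    "TokenElevationType": "%%1936", "TargetUserName": "-", "TargetDomainName": "-",
    "ParentProcessName": "C:\\Windows\\explorer.exe", "MandatoryLabel": "S-1-16-8192"})

if __name__ == "__main__":
    for sample in (SAMPLE_FROM_ARTICLE, SAMPLE_CONSTRUCTED):
        fields = parse_event(sample)
        print(fields["Computer"], fields["NewProcessName"], triage_4688(fields) or "no findings")
```

The article's own record produces no findings: rundll32.exe lives under System32, the creator is the machine account, the token is limited and the label is Medium. The constructed record is flagged three times (restricted folder, local account, full token for a user), which is the shape of output a SIEM rule built from these recommendations should give; the folder baseline is deliberately crude, exactly as the article's examples are, and needs tuning to your estate.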
4696(S): A primary token was assigned to process.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Process Creation
Event Description:
This event generates every time a process runs
using the non-current access token, for example,
UAC elevated token, RUN AS different user
actions, scheduled task with defined user,
services, and so on.
IMPORTANT : this event is deprecated starting
from Windows 7 and Windows 2008 R2.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4696</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-25T21:33:42.401Z" />
    <EventRecordID>561</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="88" />
    <Channel>Security</Channel>
    <Computer>Win2008.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN2008$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-18</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x1c8c5</Data>
    <Data Name="TargetProcessId">0xf40</Data>
    <Data Name="TargetProcessName">C:\Windows\System32\WerFault.exe</Data>
    <Data Name="ProcessId">0x698</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
Required Server Roles: this event is deprecated starting from Windows 7 and Windows 2008 R2.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “assign token to process” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “assign token to
process” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process which started the new process with the
new security token. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID .
Process Name [Type = UnicodeString]: full path and the name of the executable for the process which ran
the new process with new security token.
Target Process:
Target Process ID [Type = Pointer]: hexadecimal Process ID of the new process with new security token. If you
convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has
been created” Process Information\New Process ID .
Target Process Name [Type = UnicodeString]: full path and the name of the executable for the new process.
New Token Information:
Security ID [Type = SID]: SID of account through which the security token will be assigned to the new process.
Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you
will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account through which the security token will be
assigned to the new process.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Type of monitoring required: High-value accounts. You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” or “New Token Information\Security ID” that corresponds to the high-value account or accounts.

Type of monitoring required: Anomalies or malicious actions. You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” or “New Token Information\Security ID” (with other information) to monitor how or when a particular account is being used.

Type of monitoring required: Non-active accounts. You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” or “New Token Information\Security ID” that corresponds to the accounts that should never be used.

Type of monitoring required: Account whitelist. You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” and “New Token Information\Security ID” for accounts that are outside the whitelist.

Type of monitoring required: Accounts of different types. You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” or “New Token Information\Security ID” to see whether the account type is as expected.

Type of monitoring required: External accounts. You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Security ID” or “New Token Information\Security ID” corresponding to accounts from another domain or “external” accounts.

Type of monitoring required: Restricted-use computers or devices. You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” or “New Token Information\Security ID” that you are concerned about.

Type of monitoring required: Account naming conventions. Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Security ID” or “New Token Information\Security ID” for names that don’t comply with naming conventions.
If you have a pre-defined “Process Name” or “Target Process Name” for the process reported in this
event, monitor all events with “Process Name” or “Target Process Name” not equal to your defined
value.
You can monitor to see if “Process Name” or “Target Process Name” is not in a standard folder (for
example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet
Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name” or “Target Process Name”.
It can be uncommon for a process to run using a local account.
Audit Process Termination
12/20/2019
Applies to
Windows 10
Windows Server 2016
Audit Process Termination determines whether the operating system generates audit events when a process has
exited.
Success audits record successful attempts and Failure audits record unsuccessful attempts.
This policy setting can help you track user activity and understand how the computer is used.
Event volume : Low to Medium, depending on system usage.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | No | No | IF | No | IF - This subcategory typically is not as important as the Audit Process Creation subcategory. Using this subcategory you can, for example, get information about how long a process ran, in correlation with the 4688 event. If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Workstation | No | No | IF | No | IF - This subcategory typically is not as important as the Audit Process Creation subcategory. Using this subcategory you can, for example, get information about how long a process ran, in correlation with the 4688 event. If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Events List:
4689(S): A process has exited.
4689(S): A process has exited.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Process Termination
Event Description:
This event generates every time a process has
exited.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4689</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13313</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" />
    <EventRecordID>187030</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="144" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x31365</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="ProcessId">0xfb0</Data>
    <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
  </EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “terminate process” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “terminate process”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the ended/terminated process. Process ID (PID) is a
number used by the operating system to uniquely identify an active process. To see the PID for a specific
process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688(S): A new process
has been created” New Process ID on this computer.
Process Name [Type = UnicodeString]: full path and the executable name of the exited/terminated process.
Exit Status [Type = HexInt32]: hexadecimal exit code of the exited/terminated process. This exit code is unique
for every application; check the application's documentation for more details. The exit code value for a process
reflects the specific convention implemented by the application developer for that process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name”.
If you have a critical processes list for the computer, with the requirement that these processes must always
run and not stop, you can monitor the Process Name field in 4689 events for these process names.
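Correlating 4688 with 4689 to measure how long a process ran and to watch a critical-process list, as an added example (not code from the article or from Microsoft). The event records, the critical process path and the PID-reuse handling are assumptions made for the example; only the notepad.exe termination reuses the values from the article's 4689 record, and the PIDs are converted from the hexadecimal form the events carry.

```python
"""Correlate 4688 (process created) with 4689 (process exited), added as an
example (not Microsoft's code). Each exit is paired with the most recent
creation of the same process id on the same computer, respecting time order
because Windows reuses PIDs; the result gives the run time of each process and
flags exits of processes on a critical list. Records and the critical list
are constructed; the notepad.exe pair reuses the article's 4689 values."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Record:
    event_id: int
    computer: str
    time: datetime
    pid: int                           # decimal; the event carries hex, see hex_pid()
    name: str
    exit_status: Optional[int] = None  # 4689 only


@dataclass
class Lifetime:
    computer: str
    pid: int
    name: str
    started: datetime
    ended: datetime
    exit_status: int

    @property
    def seconds(self):
        return (self.ended - self.started).total_seconds()


def hex_pid(value):
    """Convert the hexadecimal Process ID string from the event (e.g. '0xfb0') to decimal."""
    return int(value, 16)


def correlate(records):
    """Return (lifetimes, exits with no matching creation, creations still running)."""
    open_procs = {}            # (computer, pid) -> most recent 4688 for that pid
    lifetimes, orphans = [], []
    for r in sorted(records, key=lambda rec: rec.time):
        key = (r.computer.lower(), r.pid)
        if r.event_id == 4688:
            open_procs[key] = r    # a later 4688 with the same pid means the pid was reused
        elif r.event_id == 4689:
            start = open_procs.get(key)
            # The name must match too: a PID on its own is not a stable identity.
            if start is None or start.name.lower() != r.name.lower():
                orphans.append(r)
                continue
            del open_procs[key]
            lifetimes.append(Lifetime(r.computer, r.pid, r.name, start.time, r.time, r.exit_status))
    return lifetimes, orphans, list(open_procs.values())


def critical_exits(lifetimes, critical):
    """Lifetimes whose process path is on the critical list (case-insensitive)."""
    wanted = {c.lower() for c in critical}
    return [lt for lt in lifetimes if lt.name.lower() in wanted]


def at(hour, minute, second):
    return datetime(2015, 8, 27, hour, minute, second, tzinfo=timezone.utc)


DC = "DC01.contoso.local"
NOTEPAD = "C:\\Windows\\System32\\notepad.exe"
AGENT = "C:\\Program Files\\Contoso\\agent.exe"      # constructed critical process
SAMPLE_RECORDS = [
    Record(4688, DC, at(17, 10, 0), hex_pid("0xfb0"), NOTEPAD),
    Record(4689, DC, at(17, 13, 1), hex_pid("0xfb0"), NOTEPAD, exit_status=0x0),
    Record(4688, DC, at(17, 0, 0), hex_pid("0x2bc"), AGENT),
    Record(4689, DC, at(17, 5, 0), hex_pid("0x2bc"), AGENT, exit_status=0x1),
    Record(4689, DC, at(17, 30, 0), hex_pid("0x9a0"), "C:\\Windows\\System32\\cmd.exe",
           exit_status=0x0),                           # no 4688 seen for this pid
    Record(4688, DC, at(17, 0, 0), hex_pid("0x5c0"), "C:\\Windows\\System32\\svchost.exe"),
]

if __name__ == "__main__":
    lifetimes, orphans, running = correlate(SAMPLE_RECORDS)
    for lt in lifetimes:
        print(f"{lt.name} pid {lt.pid} ran {lt.seconds:.0f}s, exit status 0x{lt.exit_status:x}")
    print("critical exits:", [lt.name for lt in critical_exits(lifetimes, [AGENT])])
    print("unmatched exits:", [r.name for r in orphans], "still running:", [r.name for r in running])
```

Two points the article only hints at are made explicit here: a 4689 with no preceding 4688 on that computer (the cmd.exe record) usually means either a log gap or that Process Creation auditing was not enabled for the whole lifetime of the process, and matching on PID alone is unsafe because the number is recycled, so the pairing also checks the process name.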
Audit RPC Events
12/18/2019
Applies to
Windows 10
Windows Server 2016
Audit RPC Events determines whether the operating system generates audit events when inbound remote
procedure call (RPC) connections are made.
Events List:
5712(S): A Remote Procedure Call (RPC) was attempted.
5712(S): A Remote Procedure Call (RPC) was
attempted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
It appears that this event never occurs.
Subcategory: Audit RPC Events
Event Schema:
A Remote Procedure Call (RPC) was attempted.
Subject:
SID:%1
Name:%2
Account Domain:%3
LogonId:%4
Process Information:
PID:%5 Name:%6
Network Information:
Remote IP Address:%7
Remote Port:%8
RPC Attributes:
Interface UUID:%9
Protocol Sequence:%10
Authentication Service:%11
Authentication Level:%12
Applies to
Windows 10
Windows Server 2016
Audit Detailed Directory Service Replication determines whether the operating system generates audit events that
contain detailed tracking information about data that is replicated between domain controllers.
This audit subcategory can be useful to diagnose replication issues.
Event volume : These events can create a very high volume of event data on domain controllers.
Events List:
4928(S, F): An Active Directory replica source naming context was established.
4929(S, F): An Active Directory replica source naming context was removed.
4930(S, F): An Active Directory replica source naming context was modified.
4931(S, F): An Active Directory replica destination naming context was modified.
4934(S): Attributes of an Active Directory object were replicated.
4935(F): Replication failure begins.
4936(S): Replication failure ends.
4937(S): A lingering object was removed from a replica.
4928(S, F): An Active Directory replica source naming
context was established.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates every time a new Active
Directory replica source naming context is
established.
A Failure event is generated if an error occurs (Status Code != 0).
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4928</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T19:15:30.067319300Z" />
    <EventRecordID>227065</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="1236" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceAddr">ddec0cff-6ceb-4a59-b13f-1724c38a0970._msdcs.contoso.local</Data>
    <Data Name="NamingContext">DC=ForestDnsZones,DC=contoso,DC=local</Data>
    <Data Name="Options">368</Data>
    <Data Name="StatusCode">0</Data>
  </EventData>
</Event>
Note The Directory Replication Agent (DRA) handles replication between domain controllers. The
Directory Replication Agent uses the connection objects in the topology map to find out those partners that are
relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners
of a domain controller when the domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Source Address [Type = UnicodeString]: DNS record of the server from which information or an update
was received.
Naming Context [Type = UnicodeString]: naming context to replicate.
Note The directory tree of Active Directory is partitioned to allow sections to be distributed (replicated) to
domain controllers in different domains within the forest. Each domain controller stores a copy of a specific
part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is
replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree.
Status Code [Type = UInt32]: if there are no issues or errors, the status code will be 0. If an error happened,
you will receive a Failure event and Status Code will not be equal to “0”. You can check the error code meaning
here: https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx
4929(S, F): An Active Directory replica source naming context was removed.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates every time an Active Directory replica source naming context was removed.
Failure event generates if an error occurs (Status Code != 0).
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4929</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14083</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-27T18:54:50.446211200Z" />
<EventRecordID>227013</EventRecordID>
<Correlation />
<Execution ProcessID="524" ThreadID="2636" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="SourceDRA">-</Data>
<Data Name="SourceAddr">2d361dd6-fc22-4d9d-b876-ec582b836458.\_msdcs.contoso.local</Data>
<Data Name="NamingContext">DC=contoso,DC=local</Data>
<Data Name="Options">16640</Data>
<Data Name="StatusCode">0</Data>
</EventData>
</Event>
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Destination DRA [Type = UnicodeString]: destination directory replication agent distinguished name.
Note The Directory Replication Agent (DRA) handles replication between domain controllers. The
Directory Replication Agent uses the connection objects in the topology map to find out those partners that are
relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners
of a domain controller when the domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Source Address [Type = UnicodeString]: DNS record of the server from which the “remove” request was
received.
Naming Context [Type = UnicodeString]: naming context which was removed.
Note The Active Directory directory tree is partitioned to allow sections to be distributed (replicated) to
domain controllers in different domains within the forest. Each domain controller stores a copy of a specific
part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is
replicated as a unit to the other domain controllers in the forest that hold a replica of the same subtree.
4930(S, F): An Active Directory replica source naming context was modified.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates every time an Active Directory replica source naming context was modified.
Failure event generates if an error occurs (Status Code != 0).
It is not possible to tell from this event what exactly was modified.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4930</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14083</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-27T18:56:51.474057400Z" />
<EventRecordID>1564</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="1280" />
<Channel>Security</Channel>
<Computer>Win2012r2.corp.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="DestinationDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="SourceDRA">-</Data>
<Data Name="SourceAddr">edf0bef9-1f73-4df3-8991-f6ec2d4ef3ae</Data>
<Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="Options">0</Data>
<Data Name="StatusCode">0</Data>
</EventData>
</Event>
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Destination DRA [Type = UnicodeString]: destination directory replication agent distinguished name.
Note The Directory Replication Agent (DRA) handles replication between domain controllers. The
Directory Replication Agent uses the connection objects in the topology map to find out those partners that are
relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners
of a domain controller when the domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name. Typically equals “-”
for this event.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Source Address [Type = UnicodeString]: DNS record of computer from which the modification request was
received.
Naming Context [Type = UnicodeString]: naming context which was modified.
Note The Active Directory directory tree is partitioned to allow sections to be distributed (replicated) to
domain controllers in different domains within the forest. Each domain controller stores a copy of a specific
part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is
replicated as a unit to the other domain controllers in the forest that hold a replica of the same subtree.
4931(S, F): An Active Directory replica destination naming context was modified.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates every time an Active Directory replica destination naming context was modified.
Failure event generates if an error occurs (Status Code != 0).
It is not possible to tell from this event what exactly was modified.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4931</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14083</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-27T19:02:41.563619400Z" />
<EventRecordID>227058</EventRecordID>
<Correlation />
<Execution ProcessID="524" ThreadID="2936" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="DestinationDRA">ddec0cff-6ceb-4a59-b13f-1724c38a0970.\_msdcs.contoso.local</Data>
<Data Name="SourceDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="SourceAddr">-</Data>
<Data Name="NamingContext">DC=ForestDnsZones,DC=contoso,DC=local</Data>
<Data Name="Options">23</Data>
<Data Name="StatusCode">0</Data>
</EventData>
</Event>
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Destination DRA [Type = UnicodeString]: destination directory replication agent distinguished name. In the
example above this field carries the destination's GUID-based DNS name instead.
Note The Directory Replication Agent (DRA) handles replication between domain controllers. The
Directory Replication Agent uses the connection objects in the topology map to find out those partners that are
relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners
of a domain controller when the domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Destination Address [Type = UnicodeString]: DNS record of computer to which the modification request
was sent.
Naming Context [Type = UnicodeString]: naming context which was modified.
Note The Active Directory directory tree is partitioned to allow sections to be distributed (replicated) to
domain controllers in different domains within the forest. Each domain controller stores a copy of a specific
part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is
replicated as a unit to the other domain controllers in the forest that hold a replica of the same subtree.
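The four replication events above (4928 to 4931) identify a partner either by the NTDS Settings distinguished name of its DRA or by the GUID-based DNS name (<dsa-guid>._msdcs.<forest>), and which of the two fields carries which form differs between the events. The following is an added example, not code from the original page or from Microsoft: it parses both forms, keeps a per-naming-context list of the DSA GUIDs seen replicating it, and flags Failure events (Status Code != 0) and partners that are not in an operator-supplied inventory. The sample records are constructed from the 4928 and 4929 events on this page (the 4928 DestinationDRA, the inventory mapping of the second GUID, the rogue GUID and the 8453 status are assumptions for the example).

```python
"""Added example (not from the original page or from Microsoft): parse Detailed
Directory Service Replication events 4928-4931, build a per-naming-context
replication partner inventory and flag anomalies. The sample records are
constructed from the events shown on this page, trimmed to the fields used here."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# SourceAddr / DestinationDRA carry the DSA GUID-based DNS name <dsa-guid>._msdcs.<forest>
MSDCS_RE = re.compile(r"^([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\._msdcs\.(.+)$", re.I)

DC01 = ("CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,"
        "CN=Sites,CN=Configuration,DC=contoso,DC=local")
W2K12 = ("CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,"
         "CN=Sites,CN=Configuration,DC=contoso,DC=local")


def _evt(event_id, computer, **data):
    """Build a minimal Security event XML string (fixture helper for the constructed samples)."""
    body = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID><Computer>%s</Computer></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], event_id, computer, body))


SAMPLE_EVENTS = [
    # 4928 from this page (DestinationDRA assumed to be DC01; the page shows only the later fields)
    _evt(4928, "DC01.contoso.local", DestinationDRA=DC01, SourceDRA=W2K12,
         SourceAddr="ddec0cff-6ceb-4a59-b13f-1724c38a0970._msdcs.contoso.local",
         NamingContext="DC=ForestDnsZones,DC=contoso,DC=local", Options="368", StatusCode="0"),
    # 4929 from this page: SourceDRA is the "-" placeholder, only the GUID name identifies the source
    _evt(4929, "DC01.contoso.local", DestinationDRA=DC01, SourceDRA="-",
         SourceAddr="2d361dd6-fc22-4d9d-b876-ec582b836458._msdcs.contoso.local",
         NamingContext="DC=contoso,DC=local", Options="16640", StatusCode="0"),
    # constructed: a source for the domain NC established from a DSA GUID that is not in the inventory
    _evt(4928, "DC01.contoso.local", DestinationDRA=DC01, SourceDRA="-",
         SourceAddr="3f2a9b1c-0000-4000-8000-deadbeef0001._msdcs.contoso.local",
         NamingContext="DC=contoso,DC=local", Options="368", StatusCode="0"),
    # constructed: Failure variant, StatusCode 8453 (ERROR_DS_DRA_ACCESS_DENIED)
    _evt(4929, "DC01.contoso.local", DestinationDRA=DC01, SourceDRA=W2K12,
         SourceAddr="ddec0cff-6ceb-4a59-b13f-1724c38a0970._msdcs.contoso.local",
         NamingContext="CN=Configuration,DC=contoso,DC=local", Options="0", StatusCode="8453"),
]

# Assumed DSA inventory (objectGUID of each CN=NTDS Settings object -> DC name). The first
# pairing follows from the 4928 record on this page; the second is assumed for the example.
INVENTORY = {
    "ddec0cff-6ceb-4a59-b13f-1724c38a0970": "WIN2012R2",
    "2d361dd6-fc22-4d9d-b876-ec582b836458": "DC01",
}


def parse_event(xml_text):
    """Flatten one event into a dict: EventID, Computer and every EventData field by Name."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
           "Computer": root.findtext("e:System/e:Computer", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = (d.text or "").strip()
    return rec


def split_rdns(dn):
    """DN -> [(type, value), ...]; a backslash-escaped comma stays inside its value."""
    return [tuple(p.split("=", 1)) for p in re.split(r"(?<!\\),", dn)]


def dc_from_dra(dn):
    """NTDS Settings DN -> (dc_name, site_name); None for the "-" placeholder."""
    if dn == "-":
        return None
    rdns = split_rdns(dn)
    if len(rdns) < 5 or rdns[0] != ("CN", "NTDS Settings") or rdns[2] != ("CN", "Servers"):
        raise ValueError("not an NTDS Settings DN: " + dn)
    return rdns[1][1], rdns[3][1]


def dsa_guid(addr):
    """'<guid>._msdcs.<forest>' -> lower-case GUID string; None for anything else."""
    m = MSDCS_RE.match(addr)
    return m.group(1).lower() if m else None


def analyze(xml_events, inventory):
    """Returns (partners_by_nc, findings). partners_by_nc maps each naming context to the DSA GUIDs
    seen replicating it; findings are (EventID, naming context, message) tuples."""
    partners, findings = {}, []
    known_dcs = {name.upper() for name in inventory.values()}
    for xml_text in xml_events:
        rec = parse_event(xml_text)
        eid, nc = rec["EventID"], rec["NamingContext"]
        if rec.get("StatusCode", "0") != "0":  # Failure event
            findings.append((eid, nc, "failure status " + rec["StatusCode"]))
        # 4928-4931 place the DN in SourceDRA or DestinationDRA and the GUID name in SourceAddr
        # or DestinationDRA (compare the 4929 and 4931 records above), so classify by content.
        for value in (rec.get("SourceDRA", "-"), rec.get("DestinationDRA", "-"), rec.get("SourceAddr", "-")):
            guid = dsa_guid(value)
            if guid:
                partners.setdefault(nc, set()).add(guid)
                if guid not in inventory:
                    findings.append((eid, nc, "unknown DSA GUID " + guid))
                continue
            dra = dc_from_dra(value)
            if dra and dra[0].upper() not in known_dcs:
                findings.append((eid, nc, "unknown DC %s in DRA DN" % dra[0]))
    return partners, findings


if __name__ == "__main__":
    partners, findings = analyze(SAMPLE_EVENTS, INVENTORY)
    for nc, guids in partners.items():
        print(nc, "<-", ", ".join(sorted(INVENTORY.get(g, "UNKNOWN " + g) for g in guids)))
    for finding in findings:
        print("FINDING", finding)
```

In production the inventory would be read from the objectGUID of every CN=NTDS Settings object under CN=Sites, and a replication source that is not in it is worth a look regardless of Status Code: a rogue DSA that succeeds in registering as a source is exactly the case Status Code 0 will not show you.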
4932(S): Attributes of an Active Directory object were replicated.
Applies to
Windows 10
Windows Server 2016
This event generates when attributes of an Active Directory object were replicated.
There is no example of this event in this document.
Subcategory: Audit Detailed Directory Service Replication
Event Schema:
Attributes of an Active Directory object were replicated.
Session ID:%1
Object:%2
Attribute:%3
Type of change:%4
New Value:%5
USN:%6
Status Code:%7
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
4935(F): Replication failure begins.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates when an Active Directory replication failure begins.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4935</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14083</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-08-27T18:54:48.758149800Z" />
<EventRecordID>1552</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="524" />
<Channel>Security</Channel>
<Computer>Win2012r2.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="ReplicationEvent">1</Data>
<Data Name="AuditStatusCode">8419</Data>
</EventData>
</Event>
4936(S): Replication failure ends.
Applies to
Windows 10
Windows Server 2016
This event generates when an Active Directory replication failure ends.
There is no example of this event in this document.
Subcategory: Audit Detailed Directory Service Replication
Event Schema:
Replication failure ends.
Replication Event:%1
Audit Status Code:%2
Replication Status Code:%3
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
4937(S): A lingering object was removed from a replica.
Applies to
Windows 10
Windows Server 2016
This event generates when a lingering object was removed from a replica.
There is no example of this event in this document.
Subcategory: Audit Detailed Directory Service Replication
Event Schema:
A lingering object was removed from a replica.
Destination DRA:%1
Source DRA:%2
Object:%3
Options:%4
Status Code:%5
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Audit Directory Service Access
Applies to
Windows 10
Windows Server 2016
Audit Directory Service Access determines whether the operating system generates audit events when an Active
Directory Domain Services (AD DS) object is accessed.
Event volume: High on servers running AD DS role services.
This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also
generates Failure events if access was not granted.
Events List:
4662(S, F): An operation was performed on an object.
4661(S, F): A handle to an object was requested.
4662(S, F): An operation was performed on an object.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Access
Event Description:
This event generates every time an operation was performed on an Active Directory object.
This event generates only if an appropriate SACL was set on the Active Directory object and the performed
operation matches that SACL.
If the operation failed, a Failure event is generated.
You will get one 4662 event for each operation type that was performed.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" />
<EventRecordID>407230</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="600" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35867</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%1537</Data>
<Data Name="AccessMask">0x10000</Data>
<Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2" />
</EventData>
</Event>
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested the operation. Event Viewer automatically tries
to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “DS” value for this event.
Object Type [Type = UnicodeString]: type or class of the object that was accessed. Some of the common
Active Directory object types and classes are:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of Object Type, open the Active Directory Schema snap-in (see how to enable this
snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active
Directory Schema\Classes. Or use this document: https://msdn.microsoft.com/library/cc221630.aspx
In the example above the class appears as its schema GUID rather than its name (%{bf967a86-0de6-11d0-a285-
00aa003049e2} is the computer class); the decoding table under Properties below maps such GUIDs.
Object Name [Type = UnicodeString]: distinguished name of the object that was accessed.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name . This field can help you correlate
this event with other events that might contain the same Handle ID, for example, “4661: A handle to an object
was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Operation:
Operation Type [Type = UnicodeString]: the type of operation which was performed on an object. Typically
has “Object Access” value for this event.
Accesses [Type = UnicodeString]: the type of access used for the operation. See “Table 9. Active Directory
Access Codes and Rights.” for more information.
Access Mask [Type = HexInt32]: hexadecimal mask for the type of access used for the operation. See “Table
9. Active Directory Access Codes and Rights.” for more information.
Properties [Type = UnicodeString]: first part is the type of access that was used. Typically has the same
value as Accesses field.
Second part is a tree of GUID values of Active Directory classes or property sets, for which operation was
performed.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Sometimes GUID refers to pre-defined Active Directory Property Sets, you can find GUID (Rights-GUID field),
“property set name” and details here: https://msdn.microsoft.com/library/ms683990(v=vs.85).aspx.
Here is an example of decoding the Properties field. The first GUID is the class of the object that was
accessed, the second is a property set, and the remaining GUIDs are the individual attributes within that set
that the operation touched:
PROPERTIES | TRANSLATION
{bf967a86-0de6-11d0-a285-00aa003049e2} | Computer
{91e647de-d96f-4b70-9557-d63ff4f3ccd8} | Private-Information property set
{6617e4ac-a2f1-43ab-b60c-11fbd1facf05} | ms-PKI-RoamingTimeStamp
{b3f93023-9239-4f7c-b99c-6745d87adbc2} | ms-PKI-DPAPIMasterKeys
{b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7} | ms-PKI-AccountCredentials
Additional Information:
Parameter 1 [Type = UnicodeString]: there is no information about this field in this document.
Parameter 2 [Type = UnicodeString]: there is no information about this field in this document.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor operation attempts on specific Active Directory classes, monitor the Object Type
field for the class name. For example, we recommend that you monitor all operation attempts on the
domainDNS class.
If you need to monitor operation attempts on specific Active Directory objects, monitor the Object Name
field for the object's distinguished name. For example, we recommend that you monitor all operation attempts
on the “CN=AdminSDHolder,CN=System,DC=domain,DC=com” object.
Some access types are more important to monitor than others, for example:
Write Property
Control Access
DELETE
WRITE_DAC
WRITE_OWNER
You can decide to monitor these (or some of these) access types for specific Active Directory objects. To
do so, monitor the Accesses field for the access type.
If you need to monitor operation attempts on specific Active Directory properties, monitor the Properties
field for the property GUID.
Do not forget that Failure attempts are also very important to audit. Decide where you want to monitor
Failure attempts based on the previous recommendations.
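The recommendations above (watch the domainDNS class, the AdminSDHolder object, the Control Access / DELETE / WRITE_DAC / WRITE_OWNER access types, and specific property GUIDs) as detection logic over 4662 records. This is an added example, not code from the original page or from Microsoft. One sample is the DELETE on a computer object shown on this page; the other is a constructed Control Access request on the domain object carrying the directory replication control-access rights, which is what a DCSync-style credential dump produces. The access-mask bits and %%nnnn strings are the Table 9 values; the domainDNS class GUID and the three DS-Replication-Get-Changes rights GUIDs are well-known schema values that this page does not list; the list of accounts allowed to replicate is an assumption the operator has to fill in.

```python
"""Added example (not from the original page or from Microsoft): decode 4662 records and apply
the monitoring recommendations above. One sample is the DELETE on a computer object shown on
this page; the other is a constructed Control Access request on the domain object."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)

# Access-mask bits and the %%nnnn message strings that name them (Table 9 values)
ACCESS_BITS = {
    0x1: "Create Child", 0x2: "Delete Child", 0x4: "List Contents", 0x8: "Write Self",
    0x10: "Read Property", 0x20: "Write Property", 0x40: "Delete Tree", 0x80: "List Object",
    0x100: "Control Access", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
ACCESS_STRINGS = {"%%1537": "DELETE", "%%1538": "READ_CONTROL", "%%1539": "WRITE_DAC",
                  "%%1540": "WRITE_OWNER", "%%7684": "Read Property", "%%7685": "Write Property",
                  "%%7688": "Control Access"}
# GUID translations: the first three come from the decoding table on this page; domainDNS and
# the DS-Replication-Get-Changes* control-access rights are well-known schema values not listed there
GUIDS = {
    "bf967a86-0de6-11d0-a285-00aa003049e2": "Computer",
    "91e647de-d96f-4b70-9557-d63ff4f3ccd8": "Private-Information",
    "b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7": "ms-PKI-AccountCredentials",
    "19195a5b-6da0-11d0-afd3-00c04fd930c9": "domainDNS",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
REPLICATION_RIGHTS = {g for g, n in GUIDS.items() if n.startswith("DS-Replication-Get-Changes")}
ADMIN_SD_HOLDER = re.compile(r"^CN=AdminSDHolder,CN=System,", re.I)
SENSITIVE_ACCESSES = ("Write Property", "Control Access", "DELETE", "WRITE_DAC", "WRITE_OWNER")


def _evt4662(**data):
    """Build a minimal 4662 XML string (fixture helper for the samples)."""
    body = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><EventID>4662</EventID></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], body))


SAMPLE_4662_DELETE = _evt4662(  # the record shown on this page
    SubjectUserName="dadmin", SubjectDomainName="CONTOSO", ObjectServer="DS",
    ObjectType="%{bf967a86-0de6-11d0-a285-00aa003049e2}",
    ObjectName="%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}", OperationType="Object Access",
    AccessList="%%1537", AccessMask="0x10000",
    Properties="%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}")
SAMPLE_4662_DCSYNC = _evt4662(  # constructed: replication rights requested by an ordinary account
    SubjectUserName="jdoe", SubjectDomainName="CONTOSO", ObjectServer="DS",
    ObjectType="%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", ObjectName="DC=contoso,DC=local",
    OperationType="Object Access", AccessList="%%7688", AccessMask="0x100",
    Properties="%%7688 {19195a5b-6da0-11d0-afd3-00c04fd930c9} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
               "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")


def decode_guid(value):
    """ObjectType/Properties entries look like '%{guid}' or '{guid}'; translate known GUIDs."""
    m = GUID_RE.search(value)
    if not m:
        return value
    return GUIDS.get(m.group(1).lower(), m.group(1).lower())


def parse_4662(xml_text):
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    mask = int(rec["AccessMask"], 16)
    props = rec.get("Properties", "")
    guids = [g.lower() for g in GUID_RE.findall(props)]
    return {
        "subject": rec["SubjectDomainName"] + "\\" + rec["SubjectUserName"],
        "object_type": decode_guid(rec["ObjectType"]),
        "object_name": rec["ObjectName"],  # a DN, or a '%{guid}' reference as in the page's sample
        "accesses": [name for bit, name in ACCESS_BITS.items() if mask & bit],
        "access_string": ACCESS_STRINGS.get(props.split()[0], props.split()[0]) if props else "",
        "properties": [GUIDS.get(g, g) for g in guids],  # class first, then property set / attribute GUIDs
        "property_guids": set(guids),
    }


def evaluate(rec, replication_accounts=()):
    """Apply the recommendations above; returns alert strings (empty list = nothing notable).
    replication_accounts: DOMAIN\\name of principals allowed to replicate (DC machine accounts,
    directory sync services); an assumption the operator must fill in."""
    alerts = []
    allowed = {a.upper() for a in replication_accounts}
    if ("Control Access" in rec["accesses"] and rec["object_type"] == "domainDNS"
            and rec["property_guids"] & REPLICATION_RIGHTS and rec["subject"].upper() not in allowed):
        alerts.append("possible DCSync: %s requested %s on %s"
                      % (rec["subject"], ", ".join(rec["properties"]), rec["object_name"]))
    if ADMIN_SD_HOLDER.match(rec["object_name"]):
        alerts.append("operation on AdminSDHolder by " + rec["subject"])
    for access in SENSITIVE_ACCESSES:
        if access in rec["accesses"]:
            alerts.append("%s on %s (%s) by %s" % (access, rec["object_name"], rec["object_type"], rec["subject"]))
    return alerts


if __name__ == "__main__":
    for sample in (SAMPLE_4662_DELETE, SAMPLE_4662_DCSYNC):
        rec = parse_4662(sample)
        print(rec["subject"], rec["access_string"], rec["accesses"], rec["properties"])
        for alert in evaluate(rec, replication_accounts=["CONTOSO\\DC01$"]):
            print("  ALERT:", alert)
```

The mask is decoded from Access Mask rather than from the Accesses string because the mask is a stable integer while the %%nnnn strings are message-table references that only resolve on a Windows host. Keep in mind that none of these alerts fire unless the objects carry matching audit ACEs: an audit entry for Control Access on the domain root, and the SACL Microsoft sets on AdminSDHolder, are the preconditions for the two object-specific rules.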
4661(S, F): A handle to an object was requested.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Directory Service Access and Audit SAM
Event Description:
This event indicates that a handle was requested for either an Active Directory object or a Security Account
Manager (SAM) object.
If access was declined, then a Failure event is generated.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4661</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" />
<EventRecordID>1048009</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="528" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4280e</Data>
<Data Name="ObjectServer">Security Account Manager</Data>
<Data Name="ObjectType">SAM\_DOMAIN</Data>
<Data Name="ObjectName">DC=contoso,DC=local</Data>
<Data Name="HandleId">0xdd64d36870</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%5400</Data>
<Data Name="AccessMask">0x2d</Data>
<Data Name="PrivilegeList">Ā</Data>
<Data Name="Properties">-</Data>
<Data Name="RestrictedSidCount">2949165</Data>
<Data Name="ProcessId">0x9000a000d002d</Data>
<Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}
</Data>
</EventData>
</Event>
Required Server Roles: For an Active Directory object, the domain controller role is required. For a SAM object,
there is no required role.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested a handle to an object. Event Viewer automatically tries
to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security Account Manager” value for this event when a SAM object
was accessed, as in the example above; on domain controllers, where SAM objects are backed by the directory, the
value can be “DS”.
Object Type [Type = UnicodeString]: the type or class of the object that was accessed. The following list
contains possible values for this field:
SAM_ALIAS - a local group.
SAM_GROUP - a group that is not a local group.
SAM_USER - a user account.
SAM_DOMAIN - a domain. For Active Directory events, this is the typical value.
SAM_SERVER - a computer account.
Object Name [Type = UnicodeString]: the name of an object for which access was requested. Depends on
Object Type. This event can have the following format:
SAM_ALIAS – SID of the group.
SAM_GROUP - SID of the group.
SAM_USER - SID of the account.
SAM_DOMAIN – distinguished name of the accessed object.
SAM_SERVER - distinguished name of the accessed object.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name . This field can help you correlate
this event with other events that might contain the same Handle ID, for example, “4662: An operation was
performed on an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested the handle. Process ID
(PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a
specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same the Transaction ID , such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID .
These access rights depend on Object Type . See “Table 13. File access codes.” for more information about
file access rights. For information about SAM object access right use https://technet.microsoft.com/ or other
informational resources.
Access Mask [Type = HexInt32]: hexadecimal mask for the operation that was requested or performed. See
“Table 13. File access codes.” for more information about file access rights. For information about SAM object
access right use https://technet.microsoft.com/ or other informational resources.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used
during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event,
and in that case appears as “-”. See the list of user privileges in the table below:
PRIVILEGE NAME | USER RIGHT GROUP POLICY NAME | DESCRIPTION
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
Properties [Type = UnicodeString]: depends on Object Type . This field can be empty or contain the list of
the object properties that were accessed. See more detailed information in “4661: A handle to an object was
requested” from Audit SAM subcategory.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific
Object Types .
Security Monitoring Recommendations
For 4661(S, F): A handle to an object was requested.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can get almost the same information from “4662: An operation was performed on an object.” There are no
additional recommendations for this event in this document.
Audit Directory Service Changes
12/24/2019
Applies to
Windows 10
Windows Server 2016
Audit Directory Service Changes determines whether the operating system generates audit events when changes
are made to objects in Active Directory Domain Services (AD DS).
Auditing of directory service objects can provide information about the old and new properties of the objects that
were changed.
Audit events are generated only for objects with configured system access control lists (SACLs), and only when
they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit
events to be generated due to settings on the object class in the schema.
This subcategory only logs events on domain controllers.
Event volume: High on domain controllers.
This subcategory triggers events when an Active Directory object was modified, created, undeleted, moved, or
deleted.
Events List:
5136(S): A directory service object was modified.
5137(S): A directory service object was created.
5138(S): A directory service object was undeleted.
5139(S): A directory service object was moved.
5141(S): A directory service object was deleted.
5136(S): A directory service object was modified.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is modified.
To generate this event, the modified object must have an appropriate entry in its SACL: the “Write” action auditing for specific attributes.
For a change operation you will typically see two 5136 events for one action, with different Operation\Type fields: “Value Deleted” and then “Value Added”. The “Value Deleted” event typically contains the previous value and the “Value Added” event contains the new value.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T17:36:04.129472600Z" />
<EventRecordID>410204</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4020" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{02647639-8626-43CE-AFE6-7AA1AD657739}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">CN=Sergey,CN=Builtin,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{4FE80A66-5F93-4F73-B215-68678058E613}</Data>
<Data Name="ObjectClass">user</Data>
<Data Name="AttributeLDAPDisplayName">userAccountControl</Data>
<Data Name="AttributeSyntaxOID">2.5.5.9</Data>
<Data Name="AttributeValue">512</Data>
<Data Name="OperationType">%%14675</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “modify object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of the Active Directory domain where the modified object is
located.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
DN [Type = UnicodeString]: distinguished name of the object that was modified.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Delete the hyphens: b54ab3a61b552646b8ee2b36b3ee6672
Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
Class [Type = UnicodeString]: class of the object that was modified. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field open the Active Directory Schema snap-in (see how to enable this snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active Directory Schema\Classes. Or use this document: https://msdn.microsoft.com/library/cc221630.aspx
Attribute:
LDAP Display Name [Type = UnicodeString]: the object attribute that was modified.
Note LDAP Display Name is the name used by LDAP clients, such as the ADSI LDAP provider, to read and write
the attribute by using the LDAP protocol.
Syntax (OID) [Type = UnicodeString]: The syntax for an attribute defines the storage representation, byte
ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a
number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax.
The syntaxes are not represented as objects in the schema, but they are programmed to be understood by
Active Directory. The allowable syntaxes in Active Directory are predefined.
Table columns: OID, Syntax name, Description.
Value [Type = UnicodeString]: the value which was added or deleted, depending on the Operation\Type field.
Operation:
Type [Type = UnicodeString]: type of performed operation.
Value Added – new value added.
Value Deleted – value deleted (typically “Value Deleted” is a part of change operation).
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from the current subcategory with the same Correlation ID, for example “5137: A directory service object was created.” and “5139: A directory service object was moved.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor modifications to specific Active Directory objects, monitor the DN field for the specific object name. For example, we recommend that you monitor all modifications to the “CN=AdminSDHolder,CN=System,DC=domain,DC=com” object.
If you need to monitor modifications to specific Active Directory classes, monitor the Class field for the specific class name. For example, we recommend that you monitor all modifications to the domainDNS class.
If you need to monitor modifications to specific Active Directory attributes, monitor the LDAP Display Name field for the specific attribute name.
It is better to monitor Operation\Type = Value Added events, because you will see the new value of the attribute. At the same time you can correlate to the previous Operation\Type = Value Deleted event with the same Correlation ID to see the previous value.
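The pairing of “Value Deleted” and “Value Added” events by Correlation ID and the AdminSDHolder/domainDNS watch described above, as an added example that is not part of the Microsoft documentation: it parses 5136 events in the XML layout shown above (constructed sample data), reports each attribute change as old and new value, and flags changes to watched objects. The OperationType resource ids are assumptions (%%14675 appears in the page's sample event and is taken to be “Value Added”, %%14674 is taken to be “Value Deleted”), and the SDDL fragments are constructed.

```python
"""Correlate 5136 'Value Deleted' / 'Value Added' pairs and flag watched objects.

Added example; not Microsoft's code.  Events are parsed from the XML layout
shown on the page.  The OperationType resource ids below are assumptions:
%%14675 appears in the page's sample XML and is taken to be "Value Added",
%%14674 is taken to be "Value Deleted".
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
VALUE_DELETED = "%%14674"   # assumed resource id for "Value Deleted"
VALUE_ADDED = "%%14675"     # assumed resource id for "Value Added" (seen in the sample event)

# Objects and classes whose modification should always be reviewed
# (the page recommends AdminSDHolder and the domainDNS class).
WATCHED_DNS = {"cn=adminsdholder,cn=system,dc=contoso,dc=local"}
WATCHED_CLASSES = {"domaindns"}


def parse_5136(xml_text):
    """Return the EventData fields of a 5136 event as a dict, or None for other event ids."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    return {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}


def pair_changes(events):
    """Group events by (Correlation ID, object GUID, attribute) so that the
    'Value Deleted' and 'Value Added' halves of one change land in one record."""
    groups = defaultdict(lambda: {"old": None, "new": None})
    for ev in events:
        if ev is None:
            continue
        rec = groups[(ev["OpCorrelationID"], ev["ObjectGUID"], ev["AttributeLDAPDisplayName"])]
        rec.update(subject=f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
                   logon_id=ev["SubjectLogonId"], dn=ev["ObjectDN"],
                   object_class=ev["ObjectClass"], attribute=ev["AttributeLDAPDisplayName"])
        if ev["OperationType"] == VALUE_DELETED:
            rec["old"] = ev["AttributeValue"]      # previous value
        elif ev["OperationType"] == VALUE_ADDED:
            rec["new"] = ev["AttributeValue"]      # new value
    return list(groups.values())


def flag_changes(changes):
    """Keep only changes to a watched DN or a watched object class."""
    return [c for c in changes
            if c["dn"].lower() in WATCHED_DNS or c["object_class"].lower() in WATCHED_CLASSES]


def make_5136(corr, dn, cls, attr, op_type, value, guid):
    """Constructed sample event in the page's XML layout (System section shortened)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5136</EventID><Channel>Security</Channel><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="OpCorrelationID">{corr}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="ObjectDN">{dn}</Data>
<Data Name="ObjectGUID">{guid}</Data>
<Data Name="ObjectClass">{cls}</Data>
<Data Name="AttributeLDAPDisplayName">{attr}</Data>
<Data Name="AttributeValue">{value}</Data>
<Data Name="OperationType">{op_type}</Data>
</EventData></Event>"""


ADMINSDHOLDER = "CN=AdminSDHolder,CN=System,DC=contoso,DC=local"
# Constructed SDDL fragments: the "new" descriptor carries one extra ACE.
OLD_SD = "O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
NEW_SD = OLD_SD + "(A;;GA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
CORR_A = "{AAAAAAAA-0000-0000-0000-000000000001}"   # constructed correlation ids
CORR_B = "{AAAAAAAA-0000-0000-0000-000000000002}"

SAMPLE_EVENTS = [
    # One change to AdminSDHolder: two 5136 events sharing a Correlation ID.
    make_5136(CORR_A, ADMINSDHOLDER, "container", "nTSecurityDescriptor",
              VALUE_DELETED, OLD_SD, "{11111111-1111-1111-1111-111111111111}"),
    make_5136(CORR_A, ADMINSDHOLDER, "container", "nTSecurityDescriptor",
              VALUE_ADDED, NEW_SD, "{11111111-1111-1111-1111-111111111111}"),
    # Unrelated user change (the page's sample object): only the 'Value Added' half is present.
    make_5136(CORR_B, "CN=Sergey,CN=Builtin,DC=contoso,DC=local", "user", "userAccountControl",
              VALUE_ADDED, "512", "{4FE80A66-5F93-4F73-B215-68678058E613}"),
]


def run(xml_events=SAMPLE_EVENTS):
    """Parse, pair and flag; returns (all change records, flagged change records)."""
    changes = pair_changes(parse_5136(x) for x in xml_events)
    return changes, flag_changes(changes)


if __name__ == "__main__":
    for c in run()[1]:
        print(f'{c["subject"]} changed {c["attribute"]} on {c["dn"]}: {c["old"]!r} -> {c["new"]!r}')
```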
5137(S): A directory service object was created.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is created.
This event only generates if the parent object has a particular entry in its SACL: the “Create” action, auditing for specific classes or objects. An example is the “Create Computer objects” action auditing for the organizational unit.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5137</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T18:36:26.048167500Z" />
<EventRecordID>410737</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3156" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{4EAD68FF-7229-42A4-8C73-AAB57169858B}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">cn=Win2000,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{41D5F7AF-64A2-4985-9A4B-70DAAFC7CCE6}</Data>
<Data Name="ObjectClass">computer</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory domain, where new object is created.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
DN [Type = UnicodeString]: distinguished name of the object that was created.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Delete the hyphens: b54ab3a61b552646b8ee2b36b3ee6672
Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
Class [Type = UnicodeString]: class of the object that was created. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field open the Active Directory Schema snap-in (see how to enable this snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active Directory Schema\Classes. Or use this document: https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from the current subcategory with the same Correlation ID, for example “5136: A directory service object was modified.” and “5139: A directory service object was moved.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor creation of Active Directory objects with specific classes, monitor the Class field for the specific class name. For example, we recommend that you monitor all new group policy object creations: the groupPolicyContainer class.
You must set correct auditing access lists (SACLs) for specific classes within the Active Directory container to get 5137. There is no reason to audit all creation events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only (user, computer, group, etc.).
5138(S): A directory service object was undeleted.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5138</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-02T04:34:20.611082300Z" />
<EventRecordID>229336</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="544" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{3E2B5ECF-4C35-4C3F-8D82-B8D6F477D846}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3be49</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="OldObjectDN">CN=Andrei\\0ADEL:53511188-bc98-4995-9d78-2d40143c9711,CN=Deleted Objects,DC=contoso,DC=local</Data>
<Data Name="NewObjectDN">CN=Andrei,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{53511188-BC98-4995-9D78-2D40143C9711}</Data>
<Data Name="ObjectClass">user</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: name of account that requested that the object be undeleted or
restored.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory domain, where the object was undeleted.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
Old DN [Type = UnicodeString]: the old distinguished name of the undeleted object. It will point to the Active Directory Recycle Bin container if the object was restored from it.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
New DN [Type = UnicodeString]: the new distinguished name of the undeleted object. The Active Directory container to which the object was restored.
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other object
properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it keeps that
value for life.
Event Viewer automatically resolves the GUID field to the real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Delete the hyphens: b54ab3a61b552646b8ee2b36b3ee6672
Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
Class [Type = UnicodeString]: class of the object that was undeleted. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field open the Active Directory Schema snap-in (see how to enable this snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active Directory Schema\Classes. Or use this document: https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from the current subcategory with the same Correlation ID, for example “5137: A directory service object was created.” and “5139: A directory service object was moved.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor undelete operations (restoration) of Active Directory objects with specific classes, monitor the Class field for the specific class name.
It may be a good idea to monitor all undelete events, because the operation is not performed very often. Confirm that there is a reason for the object to be undeleted.
5139(S): A directory service object was moved.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is moved.
This event only generates if the destination object has a particular entry in its SACL: the “Create” action, auditing for specific classes or objects. An example is the “Create Computer objects” action, auditing for the organizational unit.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5139</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T06:26:07.019116600Z" />
<EventRecordID>409532</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="600" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{67A42C05-A70D-4348-AF19-E883CB1FCA9C}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35867</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="OldObjectDN">CN=NewUser,CN=Builtin,DC=contoso,DC=local</Data>
<Data Name="NewObjectDN">CN=NewUser,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{06713960-9CC3-4B5D-A594-35883A04F934}</Data>
<Data Name="ObjectClass">user</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “move object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory domain, where the object was moved.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
Old DN [Type = UnicodeString]: the old distinguished name of the moved object.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
New DN [Type = UnicodeString]: the new distinguished name of the moved object. The Active Directory container to which the object was moved.
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Delete the hyphens: b54ab3a61b552646b8ee2b36b3ee6672
Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
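The GUID byte-reordering procedure above (repeated in the 5136, 5137, 5138 and 5139 descriptions), as an added example that is not part of the Microsoft documentation: it carries the page's a6b34ab5-551b-4626-b8ee-2b36b3ee6672 GUID through each step, cross-checks the result against the standard library's little-endian encoding, and recovers the display GUID from an escaped filter value. The ldapsearch_argv helper is an assumption (OpenLDAP's ldapsearch instead of LDP.exe, with the page's placeholder base DN).

```python
"""objectGUID <-> LDAP filter value, following the page's procedure.

Added example, not Microsoft's code.  guid_to_filter_bytes() performs the
documented steps literally and cross-checks the result against the standard
library; ldapsearch_argv() assumes OpenLDAP's ldapsearch (not LDP.exe) and
uses the page's placeholder base DN.
"""
import re
import uuid

# Accepts the display form with or without braces, e.g. {4FE80A66-5F93-4F73-B215-68678058E613}
GUID_RE = re.compile(r"^\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?$")


def _invert_bytes(hexsection):
    """'a6b34ab5' -> 'b54ab3a6': reverse the byte order of one hex section."""
    return "".join(hexsection[i:i + 2] for i in range(len(hexsection) - 2, -1, -2))


def guid_to_filter_bytes(guid_text):
    """Steps from the page: invert the first three sections, keep the last two,
    drop the hyphens, then prefix every byte with a backslash (RFC 4515 escaping)."""
    m = GUID_RE.match(guid_text.strip())
    if not m:
        raise ValueError(f"not a GUID: {guid_text!r}")
    p = m.group(1).lower().split("-")                       # the five sections
    raw = _invert_bytes(p[0]) + _invert_bytes(p[1]) + _invert_bytes(p[2]) + p[3] + p[4]
    # The byte order produced this way is exactly the little-endian encoding
    # Windows stores in objectGUID, so the standard library must agree.
    assert raw == uuid.UUID(m.group(1)).bytes_le.hex()
    return "".join("\\" + raw[i:i + 2] for i in range(0, len(raw), 2))


def build_filter(guid_text):
    """The filter shown on the page, with the escaped objectGUID substituted in."""
    return f"(&(objectClass=*)(objectGUID={guid_to_filter_bytes(guid_text)}))"


def filter_bytes_to_guid(escaped):
    """Reverse direction, e.g. to compare a filter value with an event's ObjectGUID field."""
    raw = bytes.fromhex(escaped.replace("\\", ""))
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def ldapsearch_argv(guid_text, base_dn="CN=Schema,CN=Configuration,DC=XXX,DC=XXX",
                    uri="ldap://DC01.contoso.local"):
    """argv for an equivalent OpenLDAP ldapsearch (subtree scope, objectGUID attribute).
    Assumed tool; the URI and base DN are placeholders for the environment being queried."""
    return ["ldapsearch", "-H", uri, "-b", base_dn, "-s", "sub", build_filter(guid_text), "objectGUID"]


if __name__ == "__main__":
    print(build_filter("a6b34ab5-551b-4626-b8ee-2b36b3ee6672"))
    print(filter_bytes_to_guid(r"\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72"))
```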
Class [Type = UnicodeString]: class of the object that was moved. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field open the Active Directory Schema snap-in (see how to enable this snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active Directory Schema\Classes. Or use this document: https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from the current subcategory with the same Correlation ID, for example “5137: A directory service object was created.” and “5141: A directory service object was deleted.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor movement of Active Directory objects with specific classes, monitor the Class field for the specific class name.
You must set correct auditing access lists (SACLs) for specific classes within the Active Directory container to get 5139. There is no reason to audit all movement events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only (user, computer, group, etc.) to these locations.
5141(S): A directory service object was deleted.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is deleted.
This event only generates if the deleted object has a particular entry in its SACL: the “Delete” action, auditing for specific objects.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5141</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T18:48:06.792762900Z" />
<EventRecordID>411118</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{C8A9000C-C618-4EE9-87FF-F852C0564F18}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">CN=WIN2003,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{CA15B875-AFB1-4E5A-86B2-96E61DE09110}</Data>
<Data Name="ObjectClass">computer</Data>
<Data Name="TreeDelete">%%14679</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of the Active Directory domain where the object was deleted.
Type [Type = UnicodeString]: has the “Active Directory Domain Services” value for this event.
Object:
DN [Type = UnicodeString]: distinguished name of the object that was deleted.
Note The LDAP API references an LDAP object by its distinguished name (DN) . A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object
created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID ) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object. For a deleted object the GUID resolves to the object's new location in the Deleted Objects container, for example: OU=My\0ADEL:cc94c0d7-dd53-4061-9791-e53478dbbc3b,CN=Deleted Objects,DC=contoso,DC=local.
To translate this GUID, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Two caveats for a 5141 event: a subtree search only returns objects under its base DN, so root the search at the naming context that holds the object (for objects in the domain partition, DC=XXX,DC=XXX); and because the object has already been deleted it is a tombstone under CN=Deleted Objects, which LDP.exe only returns when the “Return deleted objects” control (Options > Controls, predefined control) is enabled and the tombstone lifetime has not yet expired.
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
Reverse the byte order within each of these 3 sections: b54ab3a6-1b55-2646
Append the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Remove the hyphens: b54ab3a61b552646b8ee2b36b3ee6672
Prefix each byte with a backslash: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
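The byte reordering above (the same procedure is given for event 5139) is mechanical, so here it is as an added Python example that is not part of the original documentation. The first three GUID fields are stored little-endian in the raw objectGUID attribute, which is what the "reverse the bytes of the first three sections" step reproduces; the standard library's bytes_le encoding does the same thing. The example also reverses the conversion so a raw objectGUID from an LDAP result can be matched back against the GUID in an event. The inputs are the GUID from the worked example and the objectGUID from the 5141 sample event; nothing else is assumed.

```python
import re
import uuid


def guid_to_ldap_bytes(guid_text: str) -> str:
    """Return the backslash-escaped objectGUID byte string for an LDAP filter.

    Active Directory stores objectGUID as 16 raw bytes in which the first three
    GUID fields (Data1, Data2, Data3) are little-endian; uuid.UUID(...).bytes_le
    applies exactly that byte order. Braces and hyphens in the input, as Event
    Viewer shows them, are accepted.
    """
    raw = uuid.UUID(guid_text.strip()).bytes_le
    return "".join(f"\\{b:02x}" for b in raw)


def guid_to_ldap_filter(guid_text: str) -> str:
    """Build the full search filter used in the LDP.exe procedure above."""
    return f"(&(objectClass=*)(objectGUID={guid_to_ldap_bytes(guid_text)}))"


def ldap_bytes_to_guid(escaped: str) -> str:
    """Inverse: turn a \\xx-escaped objectGUID value (or a whole filter that
    contains one) back into the hyphenated form shown in the event."""
    hex_pairs = re.findall(r"\\([0-9a-fA-F]{2})", escaped)
    if len(hex_pairs) != 16:
        raise ValueError("objectGUID must be exactly 16 escaped bytes")
    return str(uuid.UUID(bytes_le=bytes(int(h, 16) for h in hex_pairs)))


if __name__ == "__main__":
    # GUID from the worked example in the text, and the objectGUID
    # from the 5141 sample event above.
    for g in ("a6b34ab5-551b-4626-b8ee-2b36b3ee6672",
              "{CA15B875-AFB1-4E5A-86B2-96E61DE09110}"):
        f = guid_to_ldap_filter(g)
        print(g, "->", f)
        assert ldap_bytes_to_guid(f) == str(uuid.UUID(g))
```

The round trip is the check worth keeping: if the filter you typed into LDP.exe decodes back to the GUID in the event, the byte order was applied correctly.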
Class [Type = UnicodeString]: class of the object that was deleted. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field, open the Active Directory Schema snap-in (see how to enable this snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active Directory Schema\Classes. Or use this document: https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Tree Delete [Type = UnicodeString]:
Yes – a “Delete Subtree” operation was performed. This happens, for example, if the “Use Delete Subtree server control” check box was selected during the delete operation in the Active Directory Users and Computers management console.
No – the delete operation was performed without the “Delete Subtree” server control.
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This value (the OpCorrelationID field in the Event XML) allows you to correlate all the modification events that comprise the operation. Look for other events from the current subcategory with the same Correlation ID, for example “5137: A directory service object was created.” and “5139: A directory service object was moved.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor deletion of Active Directory objects with specific classes, monitor for the Class field with the specific class name. For example, we recommend that you monitor for group policy object deletions: the groupPolicyContainer class.
If you need to monitor deletion of specific Active Directory objects, monitor for the DN field with the specific object name. For example, if you have critical Active Directory objects which should not be deleted, monitor for their deletion. As the sample event shows, the DN field carries the object's distinguished name before deletion (CN=WIN2003,CN=Users,...), not its tombstone name under CN=Deleted Objects, so match on the original DN.
Audit Directory Service Replication
12/18/2019
Applies to
Windows 10
Windows Server 2016
Audit Directory Service Replication determines whether the operating system generates audit events when
replication between two domain controllers begins and ends.
Event volume : Medium on domain controllers.
Events List:
4932(S): Synchronization of a replica of an Active Directory naming context has begun.
4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
4932(S): Synchronization of a replica of an Active Directory naming context has begun.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4932</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14082</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-02T02:06:03.814642100Z" />
<EventRecordID>413689</EventRecordID>
<Correlation />
<Execution ProcessID="524" ThreadID="276" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="Options">2147483733</Data>
<Data Name="SessionID">48</Data>
<Data Name="StartUSN">20869</Data>
</EventData>
</Event>
Note The Directory Replication Agent (DRA) handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN) . A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Note Active Directory replication does not depend on time to determine what changes need to be propagated.
It relies instead on the use of update sequence numbers (USNs) that are assigned by a counter that is local
to each domain controller. Because these USN counters are local, it is easy to ensure that they are reliable and
never "run backward" (that is, decrease in value). The trade-off is that it is meaningless to compare a USN
assigned on one domain controller to a USN assigned on a different domain controller. The replication system
is designed with this restriction in mind.
4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4933</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14082</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-01T20:58:28.854735700Z" />
<EventRecordID>413644</EventRecordID>
<Correlation />
<Execution ProcessID="524" ThreadID="2288" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="Options">2147483733</Data>
<Data Name="SessionID">40</Data>
<Data Name="EndUSN">20869</Data>
<Data Name="StatusCode">1722</Data>
</EventData>
</Event>
Note The Directory Replication Agent (DRA) handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN) . A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Note Active Directory replication does not depend on time to determine what changes need to be propagated.
It relies instead on the use of update sequence numbers (USNs) that are assigned by a counter that is local
to each domain controller. Because these USN counters are local, it is easy to ensure that they are reliable and
never "run backward" (that is, decrease in value). The trade-off is that it is meaningless to compare a USN
assigned on one domain controller to a USN assigned on a different domain controller. The replication system
is designed with this restriction in mind.
Status Code [Type = UInt32]: if there are no issues or errors, the status code will be “0”. If an error happened, you will receive a Failure event and the Status Code will not be equal to “0”. The sample event above carries 1722, which is RPC_S_SERVER_UNAVAILABLE (“The RPC server is unavailable”). You can check error code meanings here: https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx
Audit Account Lockout
Applies to
Windows 10
Windows Server 2016
Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an
account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer
because the account is locked out.
Account lockout events are essential for understanding user activity and detecting potential attacks.
Event volume : Low.
This subcategory records failed logon attempts made while the account was already locked out.
Events List:
4625(F): An account failed to log on.
4625(F): An account failed to log on.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Account Lockout and Audit Logon
Event Description:
This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.
It generates on the computer where the logon attempt was made; for example, if the logon attempt was made on the user’s workstation, then the event will be logged on this workstation.
This event generates on domain controllers, member servers, and workstations.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
<EventRecordID>229977</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3240" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="FailureReason">%%2307</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DC01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1bc</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that reported information about logon
failure.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon Type [Type = UInt32]: the type of logon which was performed. “Table 11. Windows Logon Types” contains
the list of possible values for this field.
Logon Type    Logon Title    Description
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that was specified in the logon attempt.
Account Domain [Type = UnicodeString]: domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Failure Information:
Failure Reason [Type = UnicodeString]: textual explanation of the Status field value. For this event it typically has the “Account locked out” value.
Status [Type = HexInt32]: the reason why the logon failed. For this event it typically has the “0xC0000234” value. The most common status codes are listed in “Table 12. Windows logon status codes”, for example:
0xC00000DC – Indicates the SAM server was in the wrong state to perform the desired operation.
0xC0000133 – Clocks between the DC and the other computer are too far out of sync.
0xC000015B – The user has not been granted the requested logon type (also known as a logon right) at this machine.
0xC0000192 – An attempt was made to log on, but the Netlogon service was not started.
0xC0000413 – Logon failure: the machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID .
Caller Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
Workstation Name [Type = UnicodeString]: machine name from which logon attempt was performed.
Source Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was
performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source port which was used for the logon attempt from the remote machine.
0 for interactive logons.
Detailed Authentication Information:
Logon Process [Type = UnicodeString]: the name of the trusted logon process that was used for the logon
attempt. See event “4611: A trusted logon process has been registered with the Local Security Authority”
description for more information.
Authentication Package [Type = UnicodeString]: The name of the authentication package which was used
for the logon authentication process. Default packages loaded on LSA startup are located in
“HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded at
runtime. When a new package is loaded a “4610: An authentication package has been loaded by the Local
Security Authority” (typically for NTLM) or “4622: A security package has been loaded by the Local Security
Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with
the package name. The most common authentication packages are:
NTLM – NTLM-family Authentication
Kerberos – Kerberos authentication.
Negotiate – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate
selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the
calling application did not provide sufficient information to use Kerberos.
Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transited services. Transited services are populated if the logon was the result of an S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos protocol that allows an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx
Package Name (NTLM only) [Type = UnicodeString]: The name of the LAN Manager sub-package (NTLM-
family protocol name) that was used during the logon attempt. Possible values are:
“NTLM V1”
“NTLM V2”
“LM”
Only populated if “Authentication Package” = “NTLM” .
Key Length [Type = UInt32]: the length of NTLM Session Security key. Typically it has 128 bit or 56 bit
length. This parameter is always 0 if “Authentication Package” = “Kerberos” , because it is not applicable
for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using Negotiate
authentication package.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name ” for the process reported in this event, monitor all events with
“Process Name ” not equal to your defined value.
You can monitor to see if “Process Name ” is not in a standard folder (for example, not in System32 or
Program Files ) or is in a restricted folder (for example, Temporar y Internet Files ).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz ” or
“cain.exe ”), check for these substrings in “Process Name .”
If Subject\Account Name is a name of service account or user account, it may be useful to investigate
whether that account is allowed (or expected) to request logon for Account For Which Logon
Failed\Security ID .
To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon Type
4-Batch or 5-Service is used by a member of a domain administrative group), monitor Logon Type in this
event.
If you have a high-value domain or local account for which you need to monitor every lockout, monitor all
4625 events with the “Subject\Security ID” that corresponds to the account.
We recommend monitoring all 4625 events for local accounts, because these accounts typically should not
be locked out. This is especially relevant for critical servers, administrative workstations, and other high value
assets.
We recommend monitoring all 4625 events for service accounts, because these accounts should not be
locked out or prevented from functioning. This is especially relevant for critical servers, administrative
workstations, and other high value assets.
If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
If the “Account For Which Logon Failed \Security ID” should never be used to log on from the
specific Network Information\Workstation Name .
If a specific account, such as a service account, should only be used from your internal IP address list
(or some other list of IP addresses). In this case, you can monitor for Network Information\Source
Network Address and compare the network address with your list of IP addresses.
If a particular version of NTLM is always used in your organization. In this case, you can use this event
to monitor Package Name (NTLM only) , for example, to find events where Package Name
(NTLM only) does not equal NTLM V2 .
If NTLM is not used in your organization, or should not be used by a specific account (Account For Which Logon Failed\Security ID). In this case, monitor for all events where Authentication Package is NTLM.
If the Authentication Package is NTLM. In this case, monitor for Key Length not equal to 128,
because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
If Logon Process is not from a trusted logon processes list.
Monitor for all events with the following field values:
Failure Information\Status or Failure Information\Sub Status = 0xC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”.
Failure Information\Status or Failure Information\Sub Status = 0xC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. This is typically not a security issue but it can be an infrastructure or availability issue.
Failure Information\Status or Failure Information\Sub Status = 0xC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”.
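The recommendations above are a rule set, so here they are as an added Python example (not part of the original documentation) that runs them over exported Event XML. It flattens the EventData of a 4625 event, normalizes the Status and Sub Status codes, and flags the conditions listed: the status codes from the table plus the lockout code 0xC0000234, a process outside the standard folders or matching a restricted substring, NTLM other than NTLM V2 or with a key length other than 128, and an administrative account using Logon Type 4 or 5. The first sample reproduces the fields of the 4625 event shown earlier on this page; the second is constructed to trigger the NTLM, process and logon-type rules. The folder allowlist, the restricted substrings and the administrative account name are assumptions standing in for your own policy.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Status / Sub Status codes singled out in the recommendations above, plus the
# "account locked out" code (0xC0000234) that the sample event carries.
STATUS_OF_INTEREST = {
    "0xC0000234": "account locked out",
    "0xC000015B": "user has not been granted the requested logon type at this machine",
    "0xC0000192": "Netlogon service was not started (availability, not security)",
    "0xC0000413": "target machine is protected by an authentication firewall",
}
# Assumed local policy (not from the page): trusted process folders, substrings
# never expected in a process name, administrative accounts, and the logon
# types (4 = Batch, 5 = Service) an administrative account should never use.
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")
ADMIN_ACCOUNTS = {"dadmin"}
ADMIN_FORBIDDEN_LOGON_TYPES = {"4", "5"}


def make_event(event_id: int, data: dict) -> str:
    """Build a minimal Security-channel event in the Event XML layout shown above."""
    body = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><Channel>Security</Channel>'
            '<Computer>DC01.contoso.local</Computer></System>'
            f'<EventData>{body}</EventData></Event>')


def event_data(xml_text: str) -> dict:
    """Flatten <EventData><Data Name="..."> elements into a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}


def norm_status(code: str) -> str:
    """0xc0000234 -> 0xC0000234 so codes compare regardless of case."""
    return "0x" + code[2:].upper() if code.lower().startswith("0x") else code


def check_4625(xml_text: str) -> list:
    """Return the recommendation hits for one 4625 event (empty list = nothing to flag)."""
    d = event_data(xml_text)
    findings = []
    for field in ("Status", "SubStatus"):
        code = norm_status(d.get(field, "0x0"))
        if code in STATUS_OF_INTEREST:
            findings.append(f"{field} {code}: {STATUS_OF_INTEREST[code]}")
    # Exported XML sometimes doubles the backslashes; fold them before matching.
    proc = d.get("ProcessName", "").replace("\\\\", "\\").lower()
    if proc and proc != "-" and not proc.startswith(STANDARD_FOLDERS):
        findings.append(f"process outside standard folders: {proc}")
    if any(s in proc for s in RESTRICTED_SUBSTRINGS):
        findings.append(f"restricted substring in process name: {proc}")
    if d.get("AuthenticationPackageName") == "NTLM":
        if d.get("LmPackageName") != "NTLM V2":
            findings.append(f"NTLM sub-package is {d.get('LmPackageName')}, not NTLM V2")
        if d.get("KeyLength") != "128":
            findings.append(f"NTLM key length {d.get('KeyLength')}, not 128")
    if (d.get("TargetUserName", "").lower() in ADMIN_ACCOUNTS
            and d.get("LogonType") in ADMIN_FORBIDDEN_LOGON_TYPES):
        findings.append(f"administrative account used logon type {d['LogonType']}")
    return findings


# Sample 1: the fields of the 4625 event shown above (lockout, interactive logon via winlogon).
PAGE_SAMPLE = make_event(4625, {
    "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC01$", "SubjectDomainName": "CONTOSO",
    "TargetUserSid": "S-1-0-0", "TargetUserName": "Auditor", "TargetDomainName": "CONTOSO",
    "Status": "0xc0000234", "FailureReason": "%%2307", "SubStatus": "0x0", "LogonType": "2",
    "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate",
    "WorkstationName": "DC01", "LmPackageName": "-", "KeyLength": "0", "ProcessId": "0x1bc",
    "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "IpAddress": "127.0.0.1", "IpPort": "0",
})
# Sample 2: a constructed event (not from the page) that trips the NTLM, process and logon-type rules.
CONSTRUCTED_NTLM = make_event(4625, {
    "SubjectUserSid": "S-1-0-0", "SubjectUserName": "-", "SubjectDomainName": "-",
    "TargetUserSid": "S-1-0-0", "TargetUserName": "dadmin", "TargetDomainName": "CONTOSO",
    "Status": "0xC000006D", "FailureReason": "%%2313", "SubStatus": "0xC000006A", "LogonType": "4",
    "LogonProcessName": "Advapi", "AuthenticationPackageName": "NTLM",
    "WorkstationName": "WS01", "LmPackageName": "NTLM V1", "KeyLength": "56", "ProcessId": "0x7d0",
    "ProcessName": "C:\\Users\\Public\\cain.exe", "IpAddress": "10.0.0.25", "IpPort": "49211",
})

if __name__ == "__main__":
    for name, ev in (("page sample", PAGE_SAMPLE), ("constructed NTLM", CONSTRUCTED_NTLM)):
        print(name, "->", check_4625(ev) or "nothing to flag")
```

Run against real exports, feed the XML of each 4625 event (for example from Event Viewer's "Save Selected Events" or an XML-producing collector) to check_4625 and forward any event that returns a non-empty list; the lockout hit on the page sample is expected, the five hits on the constructed sample are the conditions the recommendations say to alert on.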
Audit User/Device Claims
12/18/2019
Applies to
Windows 10
Windows Server 2016
Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token.
Events in this subcategory are generated on the computer on which a logon session is created. For an interactive
logon, the security audit event is generated on the computer that the user logged on to.
For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the
computer hosting the resource.
Important: the Audit Logon subcategory must also be enabled in order to get events from this subcategory.
Event volume :
Low on a client computer.
Medium on a domain controller or network servers.
Events List:
4626(S): User/Device claims information.
4626(S): User/Device claims information.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User/Device Claims
Event Description:
This event generates for new account logons and contains user/device claims which were associated with a new logon session.
This event does not generate if the user/device doesn’t have claims.
For computer account logons you will also see device claims listed in the “User Claims” field.
You will typically get “4624: An account was successfully logged on” and after it a 4626 event with the same information in the Subject, Logon Type and New Logon sections.
This event generates on the computer to which the logon was performed (target computer). For example, for Interactive logons it will be the same computer.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4626</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12553</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T00:12:02.243396300Z" />
<EventRecordID>232648</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x136f7b</Data>
<Data Name="LogonType">3</Data>
<Data Name="EventIdx">1</Data>
<Data Name="EventCountTotal">1</Data>
<Data Name="UserClaims">ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "dadmin" ad://ext/Department:88d16a8edaa8c66b
<%%1818> : "IT"</Data>
<Data Name="DeviceClaims">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that reported information about claims.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon Type [Type = UInt32]: the type of logon which was performed. The table below contains the list of possible
values for this field:
Logon Type | Logon Title | Description
New Logon:
Security ID [Type = SID]: SID of account for which logon was performed. Event Viewer automatically tries to
resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account for which logon was performed.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Event in sequence [Type = UInt32]: if there is not enough space in one event for all claims, this field shows “1 of N” and additional events are generated. Typically this field has the value “1 of 1”.
User Claims [Type = UnicodeString]: list of user claims for the new logon session. This field contains user claims if a user account was logged on, and device claims if a computer account was logged on. Here is an example of how to parse an entry in this field:
ad://ext/cn:88d2b96fdb2b4c49 <String> : “dadmin”
cn – claim display name.
88d2b96fdb2b4c49 – unique claim ID.
<String> - claim type.
“dadmin” – claim value.
Device Claims [Type = UnicodeString]: list of device claims for the new logon session. For user accounts this field typically has the value “-”. For computer accounts this field has the device claims listed.
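The claim syntax above, as an added Python example that is not code from the Microsoft documentation: a parser for the User Claims and Device Claims fields that also reassembles “1 of N” events by Logon ID, so a partial set of parts is never reported as the complete claim list. SAMPLE_EVENTS is constructed from the 4626 event shown above plus two invented multi-part events; the mapping of the raw %%1818 parameter string to the String type follows the resolved form shown in the field description. Real exported XML escapes the angle brackets around the claim type, which the sample builder also does.

```python
"""Parse the User Claims / Device Claims fields of event 4626 and reassemble
"1 of N" events by Logon ID. Added example, not Microsoft's code; SAMPLE_EVENTS
is constructed from the event shown above plus invented multi-part events.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Raw XML carries parameter strings; %%1818 renders as <String> in Event Viewer,
# matching the resolved example in the field description above.
CLAIM_TYPES = {"%%1818": "String"}
# One claim: ad://ext/<display name>:<claim id> <type> : "<value>"
CLAIM_RE = re.compile(r'ad://ext/(?P<name>[^:\s]+):(?P<id>[0-9A-Fa-f]+)\s*'
                      r'<(?P<type>[^>]+)>\s*:\s*"(?P<value>[^"]*)"')


def event_data(xml_text):
    """Flatten <EventData> into a dict and add the EventID."""
    root = ET.fromstring(xml_text)
    data = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        data[d.get("Name")] = (d.text or "").strip()
    return data


def parse_claims(field):
    """Return [{name, id, type, value}, ...]; "-" or empty means no claims."""
    if field.strip() in ("", "-"):
        return []
    return [{"name": m["name"], "id": m["id"],
             "type": CLAIM_TYPES.get(m["type"], m["type"]), "value": m["value"]}
            for m in CLAIM_RE.finditer(field)]


def merge_claim_events(events):
    """Group 4626 parts by Target Logon ID and return claims only for sessions
    whose EventIdx / EventCountTotal parts have all been seen."""
    parts, totals = defaultdict(dict), {}
    for ev in events:
        if ev.get("EventID") != "4626":
            continue
        lid = ev["TargetLogonId"]
        parts[lid][int(ev["EventIdx"])] = (parse_claims(ev["UserClaims"])
                                           + parse_claims(ev["DeviceClaims"]))
        totals[lid] = int(ev["EventCountTotal"])
    return {lid: [c for i in sorted(idx) for c in idx[i]]
            for lid, idx in parts.items() if len(idx) == totals[lid]}


def _event(logon_id, idx, total, user_claims):
    """Build a 4626-shaped XML string (constructed test data). Exported XML
    escapes the angle brackets around the claim type, as done here."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4626</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">{logon_id}</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="EventIdx">{idx}</Data>
    <Data Name="EventCountTotal">{total}</Data>
    <Data Name="UserClaims">{escape(user_claims)}</Data>
    <Data Name="DeviceClaims">-</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    # the event shown above: one part, two String claims
    _event("0x136f7b", 1, 1, 'ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "dadmin" '
                             'ad://ext/Department:88d16a8edaa8c66b <%%1818> : "IT"'),
    # invented "1 of 2" / "2 of 2" pair for a second logon session
    _event("0x200001", 1, 2, 'ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "jdoe"'),
    _event("0x200001", 2, 2, 'ad://ext/Department:88d16a8edaa8c66b <%%1818> : "Finance"'),
    # invented incomplete set: only "1 of 2" was collected, so it must be left out
    _event("0x300001", 1, 2, 'ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "partial"'),
]


def claims_by_logon(xml_events=SAMPLE_EVENTS):
    return merge_claim_events(event_data(x) for x in xml_events)


if __name__ == "__main__":
    for lid, claims in claims_by_logon().items():
        print(lid, [(c["name"], c["type"], c["value"]) for c in claims])
```

Running the block prints the claims for the two complete sessions only; the session whose second part was never collected is withheld rather than reported with half its claims.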
Applies to
Windows 10
Windows Server 2016
Audit Group Membership enables you to audit group memberships when they are enumerated on the client
computer.
This policy allows you to audit the group membership information in the user's logon token. Events in this
subcategory are generated on the computer on which a logon session is created.
For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a
network logon, such as accessing a shared folder on the network, the security audit event is generated on the
computer hosting the resource.
You must also enable the Audit Logon subcategory.
Multiple events are generated if the group membership information cannot fit in a single security audit event
Event volume :
Low on a client computer.
Medium on a domain controller or network servers.
Events List:
4627(S): Group membership information.
4627(S): Group membership information.
5/31/2019 • 5 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Group Membership
Event Description:
This event generates with “4624(S): An account was successfully logged on” and shows the list of groups that the
logged-on account belongs to.
You must also enable the Success audit for Audit Logon subcategory to get this event.
Multiple events are generated if the group membership information cannot fit in a single security audit event.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4627</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12554</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T03:51:25.843673000Z" />
<EventRecordID>3081</EventRecordID>
<Correlation ActivityID="{913FBE70-1CE6-0000-67BF-3F91E61CD101}" />
<Execution ProcessID="736" ThreadID="808" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x569860</Data>
<Data Name="LogonType">3</Data>
<Data Name="EventIdx">1</Data>
<Data Name="EventCountTotal">1</Data>
<Data Name="GroupMembership">%{S-1-5-21-1377283216-344919071-3415362939-513} %{S-1-1-0} %{S-1-5-32-544} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-1377283216-344919071-3415362939-512} %{S-1-5-21-1377283216-344919071-3415362939-572} %{S-1-5-64-10} %{S-1-16-12288}</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that reported information about the successful logon.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
Logon Type [Type = UInt32]: the type of logon which was performed. The table below contains the list of possible
values for this field:
Logon Type | Logon Title | Description
New Logon:
Security ID [Type = SID]: SID of account for which logon was performed. Event Viewer automatically tries to
resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account for which logon was performed.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
Event in sequence [Type = UInt32]: if there is not enough space in one event for all groups, this field shows “1 of N” and additional events are generated. Typically this field has the value “1 of 1”.
Group Membership [Type = UnicodeString]: the list of SIDs of the groups that the logged-on account is a member of. Event Viewer automatically tries to resolve the SIDs and show the group names. If a SID cannot be resolved, you will see the raw SID in the event.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this action is reported by the NULL SID account, so we recommend reporting all events with “Subject\Security ID” not equal to “NULL SID”.
If you need to track that a member of a specific group logged on to a computer, check the “Group
Membership ” field.
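Both recommendations above, as an added Python example that is not code from the Microsoft documentation: decode the Group Membership field, name the SIDs, report a Subject SID other than NULL SID, and report logons by members of watched groups. SAMPLE_4627 is constructed from the event shown above; the SID names are the Windows well-known SIDs and domain relative IDs (which this page does not list), and WATCHED_GROUPS is an assumed watch list.

```python
"""Decode the Group Membership field of event 4627 and apply the two
recommendations above. Added example, not Microsoft's code; SAMPLE_4627 is
constructed from the event shown above, WATCHED_GROUPS is an assumed policy.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NULL_SID = "S-1-0-0"

# Well-known SIDs that appear in the sample event.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-15": "This Organization",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-64-10": "NTLM Authentication",
    "S-1-16-12288": "High Mandatory Level",
}
# Relative IDs that are the same in every AD domain (S-1-5-21-<domain>-<RID>).
DOMAIN_RIDS = {"512": "Domain Admins", "513": "Domain Users", "518": "Schema Admins",
               "519": "Enterprise Admins", "572": "Denied RODC Password Replication Group"}
# Assumed watch list: logons by members of these groups are reported.
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                  "BUILTIN\\Administrators"}


def event_data(xml_text):
    """Flatten <EventData> into a dict and add the EventID."""
    root = ET.fromstring(xml_text)
    data = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        data[d.get("Name")] = (d.text or "").strip()
    return data


def parse_group_sids(field):
    """'%{S-1-...} %{S-1-...}' -> ['S-1-...', ...]; tolerates line-wrapped text."""
    return re.findall(r"%\{\s*([^}]+?)\s*\}", field.replace("\n", ""))


def resolve_sid(sid):
    """Name a well-known SID or a domain SID with a well-known RID; otherwise
    return the raw SID, as Event Viewer does when it cannot resolve one."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return DOMAIN_RIDS.get(parts[-1], sid)
    return sid


def analyze_4627(ev, watched=WATCHED_GROUPS):
    """Return the logon session, its group names and any alerts for one 4627."""
    groups = [resolve_sid(s) for s in parse_group_sids(ev["GroupMembership"])]
    alerts = []
    if ev["SubjectUserSid"] != NULL_SID:
        alerts.append(f"Subject SID is {ev['SubjectUserSid']}, not NULL SID")
    hits = sorted(watched.intersection(groups))
    if hits:
        alerts.append("member of watched group(s): " + ", ".join(hits))
    return {"logon_id": ev["TargetLogonId"],
            "account": f"{ev['TargetDomainName']}\\{ev['TargetUserName']}",
            "logon_type": int(ev["LogonType"]), "groups": groups, "alerts": alerts}


# Constructed from the 4627 event shown above (System element trimmed).
SAMPLE_4627 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4627</EventID><Computer>WIN-GG82ULGC9GO.contoso.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x569860</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="EventIdx">1</Data>
    <Data Name="EventCountTotal">1</Data>
    <Data Name="GroupMembership">%{S-1-5-21-1377283216-344919071-3415362939-513} %{S-1-1-0}
      %{S-1-5-32-544} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15}
      %{S-1-5-21-1377283216-344919071-3415362939-512}
      %{S-1-5-21-1377283216-344919071-3415362939-572} %{S-1-5-64-10} %{S-1-16-12288}</Data>
  </EventData>
</Event>"""


def analyze_sample():
    return analyze_4627(event_data(SAMPLE_4627))


if __name__ == "__main__":
    result = analyze_sample()
    print(result["account"], result["logon_id"], result["groups"])
    print("\n".join(result["alerts"]))
```

Because 4627 shares its Logon ID with the 4624 it accompanies, the returned logon_id is the key for joining the group list to the logon itself.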
Audit IPsec Extended Mode
12/30/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and
Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used
for IPsec Extended Mode troubleshooting.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations.
Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations.
4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem
persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
4979(S): IPsec Main Mode and Extended Mode security associations were established.
4980(S): IPsec Main Mode and Extended Mode security associations were established.
4981(S): IPsec Main Mode and Extended Mode security associations were established.
4982(S): IPsec Main Mode and Extended Mode security associations were established.
4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has
been deleted.
4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has
been deleted.
Audit IPsec Main Mode
12/23/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and
Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for
IPsec Main Mode troubleshooting.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations.
Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations.
Applies to
Windows 10
Windows Server 2016
Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and
Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for
IPsec Quick Mode troubleshooting.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations.
Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations.
4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem
persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
5451(S): An IPsec Quick Mode security association was established.
5452(S): An IPsec Quick Mode security association ended.
Audit Logoff
1/2/2020 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Logoff determines whether the operating system generates audit events when logon sessions are
terminated.
These events occur on the computer that was accessed. In the case of an interactive logon, these events are
generated on the computer that was logged on to.
There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down)
do not generate an audit record.
Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not
100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this
case, a logoff event is not generated.
Event volume : High.
This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the
computer that was accessed. For an interactive logoff the security audit event is generated on the computer that
the user account logged on to.
Events List:
4634(S): An account was logged off.
4647(S): User initiated logoff.
4634(S): An account was logged off.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Logoff
Event Description:
This event shows that a logon session was terminated and no longer exists.
The main difference between “4647: User initiated logoff.” and the 4634 event is that 4647 is generated when the logoff procedure was initiated by a specific account using the logoff function, while 4634 shows that the session was terminated and no longer exists.
4647 is more typical for Interactive and RemoteInteractive logon types when the user was logged off using standard methods. You will typically see both 4647 and 4634 events when the logoff procedure was initiated by the user.
It may be positively correlated with a “4624: An account was successfully logged on.” event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4634</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-09T02:27:57.877205900Z" />
<EventRecordID>230019</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="832" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-90-1</Data>
<Data Name="TargetUserName">DWM-1</Data>
<Data Name="TargetDomainName">Window Manager</Data>
<Data Name="TargetLogonId">0x1a0992</Data>
<Data Name="LogonType">2</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that was logged off.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon Type [Type = UInt32]: the type of logon which was used. The table below contains the list of possible
values for this field:
Logon Type | Logon Title | Description
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If a particular Logon Type should not be used by a particular account (for example if Logon Type 4-Batch or
5-Service is used by a member of a domain administrative group), monitor this event for such actions.
4647(S): User initiated logoff.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Logoff
Event Description:
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
The main difference from the “4634(S): An account was logged off.” event is that 4647 is generated when the logoff procedure was initiated by a specific account using the logoff function, while 4634 shows that the session was terminated and no longer exists.
4647 is more typical for Interactive and RemoteInteractive logon types when the user was logged off using standard methods. You will typically see both 4647 and 4634 events when the logoff procedure was initiated by the user.
It may be positively correlated with a “4624: An account was successfully logged on.” event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4647</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-09T03:08:39.126890800Z" />
<EventRecordID>230200</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3864" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x29b379</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “logoff” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Audit Logon
1/6/2020 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Logon determines whether the operating system generates audit events when a user attempts to log on
to a computer.
These events are related to the creation of logon sessions and occur on the computer that was accessed. For an
interactive logon, events are generated on the computer that was logged on to. For a network logon, such as
accessing a share, events are generated on the computer that hosts the resource that was accessed.
The following events are recorded:
Logon success and failure.
Logon attempts by using explicit credentials. This event is generated when a process attempts to log on
an account by explicitly specifying that account's credentials. This most commonly occurs in batch
configurations such as scheduled tasks, or when using the RunAs command.
Security identifiers (SIDs) are filtered.
Logon events are essential to tracking user activity and detecting potential attacks.
Event volume :
Low on a client computer.
Medium on domain controllers or network servers.
Events List:
4624(S): An account was successfully logged on.
4625(F): An account failed to log on.
4648(S): A logon was attempted using explicit credentials.
4675(S): SIDs were filtered.
4624(S): An account was successfully logged on.
2/7/2020 • 14 minutes to read
Applies to
Windows 10
Windows Server 2016
Event XML:
<?xml version="1.0"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T00:24:35.079785200Z"/>
<EventRecordID>211</EventRecordID>
<Correlation ActivityID="{00D66690-1CDF-0000-AC66-D600DF1CD101}"/>
<Execution ProcessID="716" ThreadID="760"/>
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO</Computer>
<Security/>
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-500</Data>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">WIN-GG82ULGC9GO</Data>
<Data Name="TargetLogonId">0x8dcdc</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">WIN-GG82ULGC9GO</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x44c</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that reported
information about successful logon.
Account Domain [Type = UnicodeString]: subject’s domain or computer
name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or
ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer
or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate
this event with recent events that might contain the same Logon ID, for
example, “4672(S): Special privileges assigned to new logon.”
Logon Information [Version 2]:
Logon Type [Version 0, 1, 2] [Type = UInt32]: the type of logon which was
performed. The table below contains the list of possible values for this field.
Logon types and descriptions
Logon Type | Logon Title | Description
Account Name [Type = UnicodeString]: the name of the account for which
logon was performed.
Account Domain [Type = UnicodeString]: subject’s domain or computer
name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or
ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer
or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate
this event with recent events that might contain the same Logon ID, for
example, “4672(S): Special privileges assigned to new logon.”
Linked Logon ID [Version 2] [Type = HexInt64]: A hexadecimal value of the
paired logon session. If there is no other logon session associated with this
logon session, then the value is “0x0 ”.
Network Account Name [Version 2] [Type = UnicodeString]: User name that
will be used for outbound (network) connections. Valid only for
NewCredentials logon type.
If not NewCredentials logon, then this will be a "-" string.
Network Account Domain [Version 2] [Type = UnicodeString]: Domain for
the user that will be used for outbound (network) connections. Valid only for
NewCredentials logon type.
If not NewCredentials logon, then this will be a "-" string.
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested”, on a domain controller.
It also can be used for correlation between a 4624 event and several other
events (on the same computer) that can contain the same Logon GUID ,
“4648(S): A logon was attempted using explicit credentials” and “4964(S):
Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as
“{00000000-0000-0000-0000-000000000000}”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that
attempted the logon. Process ID (PID) is a number used by the operating
system to uniquely identify an active process. To see the PID for a specific
process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the
values in Task Manager.
You can also correlate this process ID with a process ID in other events, for
example, “4688: A new process has been created” Process Information\New
Process ID .
Process Name [Type = UnicodeString]: full path and the name of the
executable for the process.
Network Information:
Workstation Name [Type = UnicodeString]: machine name from which logon
attempt was performed.
Source Network Address [Type = UnicodeString]: IP address of machine
from which logon attempt was performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source port which was used for the logon attempt from the remote machine.
0 for interactive logons.
Detailed Authentication Information:
Logon Process [Type = UnicodeString]: the name of the trusted logon process
that was used for the logon. See event “4611: A trusted logon process has been
registered with the Local Security Authority” description for more information.
Authentication Package [Type = UnicodeString]: The name of the
authentication package which was used for the logon authentication process.
Default packages loaded on LSA startup are located in
“HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other
packages can be loaded at runtime. When a new package is loaded a “4610: An
authentication package has been loaded by the Local Security Authority”
(typically for NTLM) or “4622: A security package has been loaded by the Local
Security Authority” (typically for Kerberos) event is logged to indicate that a
new package has been loaded along with the package name. The most
common authentication packages are:
NTLM – NTLM-family Authentication
Kerberos – Kerberos authentication.
Negotiate – the Negotiate security package selects between Kerberos
and NTLM protocols. Negotiate selects Kerberos unless it cannot be
used by one of the systems involved in the authentication or the calling
application did not provide sufficient information to use Kerberos.
Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transited services. Transited services are populated if the logon was a
result of a S4U (Service For User) logon process. S4U is a Microsoft extension
result of a S4U (Service For User) logon process. S4U is a Microsoft extension
to the Kerberos Protocol to allow an application service to obtain a Kerberos
service ticket on behalf of a user – most commonly done by a front-end
website to access an internal resource on behalf of a user. For more
information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx
Package Name (NTLM only) [Type = UnicodeString]: The name of the LAN
Manager sub-package (NTLM-family protocol name) that was used during
logon. Possible values are:
“NTLM V1”
“NTLM V2”
“LM”
Only populated if “Authentication Package” = “NTLM” .
Key Length [Type = UInt32]: the length of the NTLM Session Security key.
Typically it is 128 or 56 bits long. This parameter is always 0 if
“Authentication Package” = “Kerberos”, because it is not applicable to the
Kerberos protocol. This field also has the value “0” if Kerberos was negotiated
using the Negotiate authentication package.
Type of monitoring required / Recommendation
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “New Logon\Security ID” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “New Logon\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “New Logon\Security ID” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “New Logon\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “New Logon\Security ID” to see whether the account type is as expected.
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Account Lockout and Audit Logon
Event Description:
This event generates if an account logon
attempt failed when the account was already
locked out. It also generates for a logon
attempt after which the account was locked
out.
It generates on the computer where the logon
attempt was made; for example, if the logon
attempt was made on a user’s workstation,
the event is logged on that workstation.
This event generates on domain controllers,
member servers, and workstations.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
<EventRecordID>229977</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3240" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="FailureReason">%%2307</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DC01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1bc</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that reported information about logon
failure.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon Type [Type = UInt32]: the type of logon which was performed. “Table 11. Windows Logon Types” contains
the list of possible values for this field.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that was specified in the logon attempt.
Account Domain [Type = UnicodeString]: domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Failure Information:
Failure Reason [Type = UnicodeString]: textual explanation of the Status field value. For this event it typically
has the value “Account locked out”.
Status [Type = HexInt32]: the reason why the logon failed. For this event it typically has the value “0xC0000234”.
The most common status codes are listed in “Table 12. Windows logon status codes.”
0xC00000DC – Indicates the Sam Server was in the wrong state to perform the desired operation.
0xC0000133 – Clocks between DC and other computer too far out of sync.
0xC000015B – The user has not been granted the requested logon type (aka logon right) at this machine.
0xC0000413 – Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID .
Caller Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
Workstation Name [Type = UnicodeString]: machine name from which logon attempt was performed.
Source Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was
performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source port which was used for logon attempt from remote machine.
0 for interactive logons.
Detailed Authentication Information:
Logon Process [Type = UnicodeString]: the name of the trusted logon process that was used for the
logon attempt. See event “4611: A trusted logon process has been registered with the Local Security
Authority” description for more information.
Authentication Package [Type = UnicodeString]: The name of the authentication package which was
used for the logon authentication process. Default packages loaded on LSA startup are located in
“HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded at
runtime. When a new package is loaded a “4610: An authentication package has been loaded by the Local
Security Authority” (typically for NTLM) or “4622: A security package has been loaded by the Local Security
Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along
with the package name. The most common authentication packages are:
NTLM – NTLM-family Authentication
Kerberos – Kerberos authentication.
Negotiate – the Negotiate security package selects between Kerberos and NTLM protocols.
Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the
authentication or the calling application did not provide sufficient information to use Kerberos.
Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transmitted services. Transmitted
services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a
Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service
ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on
behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx
Package Name (NTLM only) [Type = UnicodeString]: The name of the LAN Manager sub-package
(NTLM-family protocol name) that was used during the logon attempt. Possible values are:
“NTLM V1”
“NTLM V2”
“LM”
Only populated if “Authentication Package” = “NTLM”.
Key Length [Type = UInt32]: the length of the NTLM Session Security key. Typically it is 128 or 56 bits
long. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not
applicable to the Kerberos protocol. This field also has the value “0” if Kerberos was negotiated using the
Negotiate authentication package.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If Subject\Account Name is the name of a service account or user account, it may be useful to investigate
whether that account is allowed (or expected) to request logon for Account For Which Logon
Failed\Security ID.
To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon
Type 4-Batch or 5-Service is used by a member of a domain administrative group), monitor Logon Type
in this event.
If you have a high-value domain or local account for which you need to monitor every lockout, monitor all
4625 events with the “Subject\Security ID” that corresponds to the account.
We recommend monitoring all 4625 events for local accounts, because these accounts typically should not
be locked out. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
We recommend monitoring all 4625 events for service accounts, because these accounts should not be
locked out or prevented from functioning. This is especially relevant for critical servers, administrative
workstations, and other high value assets.
If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
If the “Account For Which Logon Failed\Security ID” should never be used to log on from the
specific Network Information\Workstation Name.
If a specific account, such as a service account, should only be used from your internal IP address list
(or some other list of IP addresses). In this case, you can monitor for Network
Information\Source Network Address and compare the network address with your list of IP
addresses.
If a particular version of NTLM is always used in your organization. In this case, you can use this
event to monitor Package Name (NTLM only) , for example, to find events where Package Name
(NTLM only) does not equal NTLM V2 .
If NTLM is not used in your organization, or should not be used by a specific account (New
Logon\Security ID ). In this case, monitor for all events where Authentication Package is NTLM.
If the Authentication Package is NTLM. In this case, monitor for Key Length not equal to 128,
because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
If Logon Process is not from your trusted logon process list.
Monitor for all events with the fields and values in the following table:
Field / Value to monitor for
Failure Information\Status or Failure Information\Sub Status: 0xC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”.
Failure Information\Status or Failure Information\Sub Status: 0xC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. This is typically not a security issue but it can be an infrastructure or availability issue.
Failure Information\Status or Failure Information\Sub Status: 0xC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”.
4648(S): A logon was attempted using explicit credentials.
5/31/2019 • 8 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Logon
Event Description:
This event is generated when a process
attempts an account logon by explicitly
specifying that account’s credentials.
This most commonly occurs in batch-
type configurations such as scheduled
tasks, or when using the “RUNAS”
command.
It is also a routine event which
periodically occurs during normal
operating system activity.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4648</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T02:54:50.771459000Z" />
<EventRecordID>233200</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1116" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x31844</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TargetUserName">ladmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonGuid">{0887F1E4-39EA-D53C-804F-31D568A06274}</Data>
<Data Name="TargetServerName">localhost</Data>
<Data Name="TargetInfo">localhost</Data>
<Data Name="ProcessId">0x368</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="IpAddress">::1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the new logon session
with explicit credentials.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can
contain the same Logon GUID, the “4769(S, F): A Kerberos service ticket was requested” event on a domain
controller.
It also can be used for correlation between a 4648 event and several other events (on the same computer)
that can contain the same Logon GUID , “4624(S): An account was successfully logged on” and “4964(S):
Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID .
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was
performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Port [Type = UnicodeString]: source port which was used for logon attempt from remote machine.
0 for interactive logons.
Type of monitoring required / Recommendation
High-value accounts: You might have high value domain or local accounts for which you need to monitor each action. Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” or “Account Whose Credentials Were Used\Security ID” that correspond to the high value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” and “Account Whose Credentials Were Used\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” or “Account Whose Credentials Were Used\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” and “Account Whose Credentials Were Used\Security ID” for accounts that are outside the whitelist.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event.
Recommendation: Monitor for the “Subject\Account Domain” or “Account Whose Credentials Were Used\Security ID” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” or “Account Whose Credentials Were Used\Security ID” that you are concerned about. For example, you might monitor to ensure that “Account Whose Credentials Were Used\Security ID” is not used to log on to a certain computer.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” and “Account Whose Credentials Were Used\Security ID” for names that don’t comply with naming conventions.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If Subject\Security ID should not know or use credentials for Account Whose Credentials Were
Used\Account Name , monitor this event.
If credentials for Account Whose Credentials Were Used\Account Name should not be used from
Network Information\Network Address , monitor this event.
Check that Network Information\Network Address is from internal IP address list. For example, if you
know that a specific account (for example, a service account) should be used only from specific IP
addresses, you can monitor for all events where Network Information\Network Address is not one of
the allowed IP addresses.
4675(S): SIDs were filtered.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
This event generates when SIDs were filtered for a specific Active Directory trust.
See more information about SID filtering here: https://technet.microsoft.com/library/cc772633(v=ws.10).aspx.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Security ID:%1
Account Name:%2
Account Domain:%3
Trust Information:
Trust Direction:%4
Trust Attributes:%5
Trust Type:%6
TDO Domain SID:%7
Filtered SIDs:%8
Applies to
Windows 10
Windows Server 2016
Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection
(NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and
Unlock.
If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.
This subcategory generates events only if NAS or IAS role is installed on the server.
NAP events can be used to help understand the overall health of the network.
Event volume : Medium to High on servers that are running Network Policy Server (NPS).
Role-specific subcategories are outside the scope of this document.
Domain Controller: IF (General Success), IF (General Failure), IF (Stronger Success), IF (Stronger Failure). Comments: IF – if a server has the Network Policy Server (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory.
Applies to
Windows 10
Windows Server 2016
Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff
events.
These other logon or logoff events include:
A Remote Desktop session connects or disconnects.
A workstation is locked or unlocked.
A screen saver is invoked or dismissed.
A replay attack is detected. This event indicates that a Kerberos request was received twice with identical
information. This condition could also be caused by network misconfiguration.
A user is granted access to a wireless network. It can be either a user account or the computer account.
A user is granted access to a wired 802.1x network. It can be either a user account or the computer
account.
Logon events are essential to understanding user activity and detecting potential attacks.
Event volume : Low.
Events List:
4649(S): A replay attack was detected.
4778(S): A session was reconnected to a Window Station.
4779(S): A session was disconnected from a Window Station.
4800(S): The workstation was locked.
4801(S): The workstation was unlocked.
4802(S): The screen saver was invoked.
4803(S): The screen saver was dismissed.
5378(F): The requested credentials delegation was disallowed by policy.
5632(S): A request was made to authenticate to a wireless network.
5633(S): A request was made to authenticate to a wired network.
4649(S): A replay attack was detected.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
This event generates on domain controllers when a KRB_AP_ERR_REPEAT Kerberos response was sent to the client.
Domain controllers cache information from recently received tickets. If the server name, client name, time, and
microsecond fields from the Authenticator match recently seen entries in the cache, the domain controller returns
KRB_AP_ERR_REPEAT. You can read more about this in RFC 1510. One potential cause for this is a misconfigured
network device between the client and server that sends the same packet(s) repeatedly.
There is no example of this event in this document.
Subcategory: Audit Other Logon/Logoff Events
Event Schema:
A replay attack was detected.
Subject:
Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4
Account Name:%5
Account Domain:%6
Process Information:
Process ID:%12
Process Name:%13
Network Information:
Workstation Name:%10
Request Type:%7
Logon Process:%8
Authentication Package:%9
Transited Services:%11
This event indicates that a Kerberos replay attack was detected: a request was received twice with identical
information. This condition could be caused by network misconfiguration.
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a user reconnects
to an existing Terminal Services session, or
when a user switches to an existing desktop
using Fast User Switching.
This event also generates, for example, when a
user reconnects to a Hyper-V Enhanced Session
on a virtual host.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4778</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T23:05:29.743867200Z" />
<EventRecordID>237651</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="2212" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="AccountName">ladmin</Data>
<Data Name="AccountDomain">CONTOSO</Data>
<Data Name="LogonID">0x1e01f6</Data>
<Data Name="SessionName">RDP-Tcp\#6</Data>
<Data Name="ClientName">WIN81</Data>
<Data Name="ClientAddress">10.0.0.100</Data>
</EventData>
</Event>
Additional Information:
Client Name [Type = UnicodeString]: computer name from which the user was reconnected. Has
“Unknown” value for console session.
Client Address [Type = UnicodeString]: IP address of the computer from which the user was reconnected.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Has “LOCAL ” value for console session.
Type of monitoring required / Recommendation
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Account Name” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Account Name” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Account Name” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Account Name” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with
Session Name = Console.
If Remote Desktop Connections are not allowed for specific users (Subject\Account Name ) or disabled on
some computers, then monitor for Session Name = RDP-Tcp# (substring).
If a specific computer or device (Client Name or Client Address ) should never connect to this computer
(Computer ), monitor for any event with that Client Name or Client Address .
Check that Additional Information\Client Address is from internal IP addresses list.
4779(S): A session was disconnected from a Window Station.
5/31/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.
This event is also generated when a user disconnects from a virtual host Hyper-V Enhanced Session, for example.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4779</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T23:04:41.044489800Z" />
<EventRecordID>237646</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="AccountName">ladmin</Data>
<Data Name="AccountDomain">CONTOSO</Data>
<Data Name="LogonID">0x1e01f6</Data>
<Data Name="SessionName">RDP-Tcp\#3</Data>
<Data Name="ClientName">WIN81</Data>
<Data Name="ClientAddress">10.0.0.100</Data>
</EventData>
</Event>
Additional Information:
Client Name [Type = UnicodeString]: machine name from which the session was disconnected. Has “Unknown” value for console session.
Client Address [Type = UnicodeString]: IP address of the computer from which the session was disconnected.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Has “LOCAL” value for console session.
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Account Name” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Account Name” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Account Name” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. For example, you might have computers to which connections should not be made from certain accounts or addresses.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Account Name” that you are concerned about. If you have a target Computer: (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding Client Name or Client Address.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with Session Name = Console.
If Remote Desktop Connections are not allowed for specific users (Subject\Account Name) or disabled on some computers, then monitor for Session Name = RDP-Tcp# (substring).
To ensure that connections are made only from your internal IP address list, monitor the Additional Information\Client Address in this event.
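The session checks recommended above (Session Name = Console where Fast User Switching is disabled, the RDP-Tcp# substring for accounts that may not use Remote Desktop, Client Address against an internal address list, and the account naming convention) applied to 4778/4779 event XML in Python. This is an added example, not code from the Microsoft documentation; the policy values (which computers have Fast User Switching disabled, which accounts are denied RDP, the internal networks, the naming rule) and the sample events other than the page's own 4779 sample are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Assumed (hypothetical) site policy that the page's recommendations refer to.
FUS_DISABLED_COMPUTERS = {"DC01.contoso.local"}           # Fast User Switching disabled here
RDP_DENIED_ACCOUNTS = {"CONTOSO\\svc-backup"}             # accounts not allowed Remote Desktop
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # internal IP address list
NAMING_CONVENTION = re.compile(r"^[a-z]{2,}(?:admin)?$")  # hypothetical naming rule


def parse_event(xml_text):
    """Return (event_id, computer, {Data Name: value}) from Security event XML."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{NS}System")
    event_id = int(system.find(f"{NS}EventID").text)
    computer = system.find(f"{NS}Computer").text
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    return event_id, computer, data


def client_is_internal(client_address):
    """Classify Client Address using the forms the page lists: 'LOCAL' for the
    console session, ::1 / 127.0.0.1 for localhost, and ::ffff:IPv4 mapped addresses."""
    if client_address in ("LOCAL", "", "-"):
        return True
    addr = ipaddress.ip_address(client_address)
    if addr.is_loopback:
        return True
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # compare the embedded IPv4 address against the list
    return any(addr in net for net in INTERNAL_NETWORKS)


def check_session_event(xml_text):
    """Return the findings (strings) for one 4778 (reconnect) or 4779 (disconnect) event."""
    event_id, computer, d = parse_event(xml_text)
    if event_id not in (4778, 4779):
        return []
    account = f"{d['AccountDomain']}\\{d['AccountName']}"
    session = d["SessionName"]
    findings = []
    if session == "Console" and computer in FUS_DISABLED_COMPUTERS:
        findings.append(f"{account}: console session on {computer}, where Fast User Switching is disabled")
    if "RDP-Tcp#" in session and account in RDP_DENIED_ACCOUNTS:
        findings.append(f"{account}: Remote Desktop session {session}, but RDP is not allowed for this account")
    if not client_is_internal(d["ClientAddress"]):
        findings.append(f"{account}: client {d['ClientName']} ({d['ClientAddress']}) is outside the internal address list")
    if not NAMING_CONVENTION.match(d["AccountName"]):
        findings.append(f"{account}: account name does not follow the naming convention")
    return findings


def sample_event(event_id, computer, **fields):
    """Construct a minimal Security event in the page's XML layout (test data only)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>"
            f"<EventData>{data}</EventData></Event>")


SAMPLE_EVENTS = [
    # The page's own 4779 sample: RDP disconnect by ladmin from an internal address.
    sample_event(4779, "DC01.contoso.local", AccountName="ladmin", AccountDomain="CONTOSO",
                 LogonID="0x1e01f6", SessionName="RDP-Tcp#3", ClientName="WIN81",
                 ClientAddress="10.0.0.100"),
    # Constructed 4778 reconnect: RDP-denied account, external IPv4-mapped client, bad name.
    sample_event(4778, "DC01.contoso.local", AccountName="svc-backup", AccountDomain="CONTOSO",
                 LogonID="0x2a7c1", SessionName="RDP-Tcp#5", ClientName="LAPTOP7",
                 ClientAddress="::ffff:203.0.113.5"),
    # Constructed 4779 console switch on a computer where Fast User Switching is disabled.
    sample_event(4779, "DC01.contoso.local", AccountName="dadmin", AccountDomain="CONTOSO",
                 LogonID="0x759a9", SessionName="Console", ClientName="Unknown",
                 ClientAddress="LOCAL"),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for finding in check_session_event(event):
            print(finding)
```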
4800(S): The workstation was locked.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a workstation was locked.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4800</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T23:47:02.430644500Z" />
<EventRecordID>237655</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="2568" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x759a9</Data>
<Data Name="SessionId">3</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “lock workstation”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of locked session. You can see the list of current session IDs using “query session” command in command prompt. Example of output (see ID column):
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when a machine was locked, and which account was used to lock it.
4801(S): The workstation was unlocked.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a workstation was unlocked.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4801</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T23:47:05.886096400Z" />
<EventRecordID>237657</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="4540" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x759a9</Data>
<Data Name="SessionId">3</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “unlock workstation”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of unlocked session. You can see the list of current session IDs using “query session” command in command prompt. Example of output (see ID column):
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when a machine was unlocked, and which account was used to unlock it.
4802(S): The screen saver was invoked.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a screen saver was invoked.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4802</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-11T00:16:32.377883700Z" />
<EventRecordID>237662</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="1676" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x759a9</Data>
<Data Name="SessionId">3</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “invoke screensaver”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of a session for which screen saver was invoked. You can see the list of current session IDs using “query session” command in command prompt. Example of output (see ID column):
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when a screen saver was invoked on a machine, and which account invoked it.
4803(S): The screen saver was dismissed.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a screen saver was dismissed.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4803</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-11T00:19:09.576094500Z" />
<EventRecordID>237663</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x759a9</Data>
<Data Name="SessionId">3</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “dismiss screensaver”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of a session for which screen saver was dismissed. You can see the list of current session IDs using “query session” command in command prompt. Example of output (see ID column):
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when a screen saver was dismissed on a machine, and which account dismissed it.
5378(F): The requested credentials delegation was disallowed by policy.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event generates when a requested CredSSP credentials delegation was disallowed by the CredSSP delegation policy.
It typically occurs when CredSSP delegation for a WinRM double-hop session was not set up properly.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5378</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-11-11T03:23:48.502346900Z" />
<EventRecordID>1198733</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="4308" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x2b1e04</Data>
<Data Name="Package">CREDSSP</Data>
<Data Name="UserUPN">dadmin@contoso</Data>
<Data Name="TargetServer">WSMAN/dc01.contoso.local</Data>
<Data Name="CredType">%%8098</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested credentials delegation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Credential Delegation Information:
Security Package [Type = UnicodeString]: the name of Security Package which was used. Always CREDSSP for this event.
User's UPN [Type = UnicodeString]: UPN of the account for which delegation was requested.
Target Server [Type = UnicodeString]: SPN of the target service for which delegation was requested.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
Credential Type [Type = UnicodeString]: types of credentials which were presented for delegation:
Default credentials: The credentials obtained when the user first logs on to Windows.
Fresh credentials: The credentials that the user is prompted for when executing an application.
Saved credentials: The credentials that are saved using Credential Manager.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have defined CredSSP delegation policy, then this event will show you policy violations. We recommend collecting these events and investigating every policy violation.
This event can also be used for CredSSP delegation troubleshooting.
5632(S, F): A request was made to authenticate to a wireless network.
6/6/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event generates when an 802.1x authentication attempt was made for a wireless network.
It typically generates when a network adapter connects to a new wireless network.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5632</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-10T23:10:34.052054800Z" />
<EventRecordID>44113845</EventRecordID>
<Correlation />
<Execution ProcessID="712" ThreadID="4176" />
<Channel>Security</Channel>
<Computer>XXXXXXX.redmond.corp.microsoft.com</Computer>
<Security />
</System>
- <EventData>
<Data Name="SSID">Nokia</Data>
<Data Name="Identity">host/XXXXXXXX.redmond.corp.microsoft.com</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="PeerMac">18:64:72:F3:33:91</Data>
<Data Name="LocalMac">02:1A:C5:14:59:C9</Data>
<Data Name="IntfGuid">{2BB33827-6BB6-48DB-8DE6-DB9E0B9F9C9B}</Data>
<Data Name="ReasonCode">0x0</Data>
<Data Name="ReasonText">The operation was successful.</Data>
<Data Name="ErrorCode">0x0</Data>
<Data Name="EAPReasonCode">0x0</Data>
<Data Name="EapRootCauseString" />
<Data Name="EAPErrorCode">0x0</Data>
</EventData>
</Event>
Note User principal name (UPN) format is used to specify an Internet-style name, such as
UserName@Example.Microsoft.com.
Account Name [Type = UnicodeString]: the name of the account for which 802.1x authentication request
was made.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Network Information:
Name (SSID) [Type = UnicodeString]: SSID of the wireless network to which authentication request was sent.
Note A service set identifier (SSID) is a sequence of characters that uniquely names a wireless local area network (WLAN). An SSID is sometimes referred to as a "network name." This name allows stations to connect to the desired network when multiple independent networks operate in the same physical area.
Interface GUID [Type = GUID]: GUID of the network interface which was used for authentication request.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event generates when an 802.1x authentication attempt was made for a wired network.
It typically generates when a network adapter connects to a new wired network.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5633</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-11T01:26:59.679232500Z" />
<EventRecordID>1198715</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="2920" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="InterfaceName">Microsoft Hyper-V Network Adapter</Data>
<Data Name="Identity">-</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="ReasonCode">0x70003</Data>
<Data Name="ReasonText">The network does not support authentication</Data>
<Data Name="ErrorCode">0x0</Data>
</EventData>
</Event>
Note User principal name (UPN) format is used to specify an Internet-style name, such as
UserName@Example.Microsoft.com.
Account Name [Type = UnicodeString]: the name of the account for which 802.1x authentication request
was made.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Interface:
Name [Type = UnicodeString]: the name (description) of network interface which was used for authentication request. You can get the list of all available network adapters using “ipconfig /all” command. See “Description” row for every network adapter:
Additional Information:
Reason Code [Type = UnicodeString]: contains Reason Text (explanation of Reason Code) and Reason Code
for wired authentication results. See more information about reason codes for wired authentication here:
https://msdn.microsoft.com/library/windows/desktop/dd877212(v=vs.85).aspx,
https://technet.microsoft.com/library/cc727747(v=ws.10).aspx.
Error Code [Type = HexInt32]: unique EAP error code.
Applies to
Windows 10
Windows Server 2016
Audit Special Logon determines whether the operating system generates audit events under special sign on (or
log on) circumstances.
This subcategory allows you to audit events generated by special logons such as the following:
The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to
elevate a process to a higher level.
A logon by a member of a Special Group. Special Groups enable you to audit events generated when a
member of a certain group has logged on to your network. You can configure a list of group security
identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory
is enabled, an event is logged.
Event volume:
Low on a client computer.
Medium on domain controllers or network servers.
Events List:
4964(S): Special groups have been assigned to a new logon.
4672(S): Special privileges assigned to new logon.
4964(S): Special groups have been assigned to a new logon.
2/7/2020 • 5 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Special Logon
Event Description:
This event occurs when an account that is a member of any defined Special Group logs in.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4964</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12548</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-11T02:25:16.236443300Z" />
<EventRecordID>238923</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="5008" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0xd972e</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
<Data Name="TargetUserName">ladmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x139faf</Data>
<Data Name="TargetLogonGuid">{B03B6192-09AE-E77F-DD10-2DC430766040}</Data>
<Data Name="SidList">%{S-1-5-21-3457937927-2839227994-823803824-512}</Data>
</EventData>
</Event>
Note Special Groups is a new feature in Windows Vista and in Windows Server 2008. The Special Groups
feature lets the administrator find out when a member of a certain group logs on to the computer. The Special
Groups feature lets an administrator set a list of group security identifiers (SIDs) in the registry.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested logon for New Logon
account.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can
contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested” event on a domain
controller.
It also can be used for correlation between a 4964 event and several other events (on the same computer)
that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and
“4624(S): An account was successfully logged on.”
This parameter might not be captured in the event, and in that case appears as
“{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
New Logon:
Security ID [Type = SID]: SID of account that performed the logon. Event Viewer automatically tries to
resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Account Name [Type = UnicodeString]: the name of the account that performed the logon.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can
contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested” event on a domain
controller.
It also can be used for correlation between a 4964 event and several other events (on the same computer)
that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and
“4624(S): An account was successfully logged on.”
This parameter might not be captured in the event, and in that case appears as
“{00000000-0000-0000-0000-000000000000}”.
Special Groups Assigned [Type = UnicodeString]: the list of special group SIDs of which New
Logon\Security ID is a member.
4672(S): Special privileges assigned to new logon.
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4672</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12548</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-11T01:10:57.091809600Z" />
<EventRecordID>237692</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x671101</Data>
<Data Name="PrivilegeList">SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege
SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege
SeImpersonatePrivilege</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account to which special privileges were
assigned.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Privileges [Type = UnicodeString]: the list of sensitive privileges assigned to the new logon. The following table
contains the list of possible privileges for this event (columns: Privilege name, User right (Group Policy name),
Description):
SeAuditPrivilege
    User right (Group Policy name): Generate security audits
    Description: With this privilege, the user can add entries to the security log.
SeEnableDelegationPrivilege
    User right (Group Policy name): Enable computer and user accounts to be trusted for delegation
    Description: Required to mark user and computer accounts as trusted for delegation. With this privilege, the
    user can set the Trusted for Delegation setting on a user or computer object. The user or object that is
    granted this privilege must have write access to the account control flags on the user or computer object. A
    server process running on a computer (or under a user context) that is trusted for delegation can access
    resources on another computer using the delegated credentials of a client, as long as the account of the
    client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege
    User right (Group Policy name): Impersonate a client after authentication
    Description: With this privilege, the user can impersonate other accounts.
SeLoadDriverPrivilege
    User right (Group Policy name): Load and unload device drivers
    Description: Required to load or unload a device driver. With this privilege, the user can dynamically load
    and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play
    device drivers.
SeTakeOwnershipPrivilege
    User right (Group Policy name): Take ownership of files or other objects
    Description: Required to take ownership of an object without being granted discretionary access. This
    privilege allows the owner value to be set only to those values that the holder may legitimately assign as the
    owner of an object. With this privilege, the user can take ownership of any securable object in the system,
    including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege
    User right (Group Policy name): Act as part of the operating system
    Description: This privilege identifies its holder as part of the trusted computer base. This user right allows
    a process to impersonate any user without authentication. The process can therefore gain access to the same
    local resources as that user.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Monitor for this event where “Subject\Security ID” is not one of these well-known security principals:
LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “Subject\Security ID” is not an
administrative account that is expected to have the listed Privileges.
If you have a list of specific privileges which should never be granted, or granted only to a few accounts (for
example, SeDebugPrivilege), use this event to monitor for those “Privileges.”
If you are required to monitor any of the sensitive privileges in the Event Description for this event, search for
those specific privileges in the event.
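Added example (not Microsoft's code): a triage routine for the two Audit Special Logon events shown above, applying the 4672 recommendations and reporting every 4964 together with the special-group SIDs parsed from its SidList. The expected-administrator SIDs and the restricted-privilege list are constructed policy inputs; the two sample events are built from the values on this page with the System section shortened.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The well-known principals the recommendations exclude from monitoring.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LOCAL SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
}


def parse_event(xml_text: str) -> tuple[int, dict[str, str]]:
    """Return (EventID, {Data Name: value}) for one Security-channel event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data


def parse_sid_list(sid_list: str) -> list[str]:
    """Split the 4964 SidList value, e.g. '%{S-1-5-...-512}%{S-1-5-32-544}'."""
    return re.findall(r"%\{([^}]+)\}", sid_list)


def triage_special_logon(xml_text: str, expected_admins: set[str],
                         restricted_privs: set[str]) -> list[str]:
    """Return the findings for one event (an empty list means nothing to escalate)."""
    event_id, data = parse_event(xml_text)
    subject = data["SubjectUserSid"]
    account = f"{data['SubjectDomainName']}\\{data['SubjectUserName']}"
    findings: list[str] = []
    if event_id == 4672:
        privs = data["PrivilegeList"].split()  # whitespace-separated, may span lines
        if subject not in WELL_KNOWN_SIDS and subject not in expected_admins:
            findings.append(f"4672: unexpected account {account} ({subject}) "
                            f"received {len(privs)} sensitive privileges")
        hits = sorted(set(privs) & restricted_privs)
        if hits:
            findings.append(f"4672: restricted privilege(s) assigned to {account}: "
                            + ", ".join(hits))
    elif event_id == 4964:
        # Every 4964 is notable by definition: a Special Group member logged on.
        target = f"{data['TargetDomainName']}\\{data['TargetUserName']}"
        groups = parse_sid_list(data["SidList"])
        findings.append(f"4964: {target} (Logon ID {data['TargetLogonId']}) logged on "
                        f"as a member of special group(s) {', '.join(groups)}")
    return findings


# Built from the 4672 sample on this page (System section abbreviated).
SAMPLE_4672 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4672</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x671101</Data>
    <Data Name="PrivilegeList">SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege
SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege
SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege</Data>
  </EventData>
</Event>"""

# Built from the 4964 sample on this page (System section abbreviated).
SAMPLE_4964 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4964</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
    <Data Name="TargetUserName">ladmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x139faf</Data>
    <Data Name="SidList">%{S-1-5-21-3457937927-2839227994-823803824-512}</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    restricted = {"SeDebugPrivilege", "SeTcbPrivilege"}  # constructed policy
    for sample in (SAMPLE_4672, SAMPLE_4964):
        for finding in triage_special_logon(sample, set(), restricted):
            print(finding)
```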
Audit Application Generated
12/20/2019
Applies to
Windows 10
Windows Server 2016
Audit Application Generated generates events for actions related to Authorization Manager applications.
The Audit Application Generated subcategory is out of scope for this document, because Authorization Manager is
very rarely used and has been deprecated since Windows Server 2012.
Events List:
4665: An attempt was made to create an application client context.
4666: An application attempted an operation.
4667: An application client context was deleted.
4668: An application was initialized.
Audit Certification Services
1/3/2020
Applies to
Windows 10
Windows Server 2016
Audit Certification Services determines whether the operating system generates events when Active Directory
Certificate Services (AD CS) operations are performed.
Examples of AD CS operations include:
AD CS starts, shuts down, is backed up, or is restored.
Certificate revocation list (CRL)-related tasks are performed.
Certificates are requested, issued, or revoked.
Certificate manager settings for AD CS are changed.
The configuration and properties of the certification authority (CA) are changed.
AD CS templates are modified.
Certificates are imported.
A CA certificate is published to Active Directory Domain Services.
Security permissions for AD CS role services are modified.
Keys are archived, imported, or retrieved.
The OCSP Responder Service is started or stopped.
Monitoring these operational events is important to ensure that AD CS role services are functioning properly.
Event volume: Low to medium on servers that provide AD CS role services.
Role-specific subcategories are outside the scope of this document.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | IF | IF | IF | IF | IF – if a server has the Active Directory Certificate Services (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory.
Audit Detailed File Share
Applies to
Windows 10
Windows Server 2016
Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder.
The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting
only records one event for any connection established between a client and file share. Detailed File Share audit
events include detailed information about the permissions or other criteria used to grant or deny access.
There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all
shared files and folders on the system is audited.
Event volume :
High on file servers.
High on domain controllers because of SYSVOL network access required by Group Policy.
Low on member servers and workstations.
Events List:
5145(S, F): A network share object was checked to see whether client can be granted desired access.
5145(S, F): A network share object was checked to see whether client can be granted desired access.
8/10/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed File Share
Event Description:
This event generates every time a network share object (file or folder) was accessed.
Important: Failure events are generated only when access is denied at the file share level. No events are
generated if access was denied on the file system (NTFS) level.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5145</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12811</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
<EventRecordID>267092</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d34</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
<Data Name="IpPort">56926</Data>
<Data Name="ShareName">\\*\Documents</Data>
<Data Name="ShareLocalPath">\??\C:\Documents</Data>
<Data Name="RelativeTargetName">Bginfo.exe</Data>
<Data Name="AccessMask">0x100081</Data>
<Data Name="AccessList">%%1541 %%4416 %%4423</Data>
<Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested access to network share
object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Network Information:
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation. Always
“File” for this event.
The following table contains the list of the most common Object Types:
Source Address [Type = UnicodeString]: source IP address from which access was performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source TCP or UDP port which was used from remote or local machine
to request the access.
0 for local access attempts.
Share Information:
Share Name [Type = UnicodeString]: the name of accessed network share. The format is: \\*\SHARE_NAME.
Share Path [Type = UnicodeString]: the full system (NTFS) path for accessed share. The format is: \\??\PATH.
Can be empty, for example for Share Name : \\*\IPC$.
Relative Target Name [Type = UnicodeString]: relative name of the accessed target file or folder. This file
path is relative to the network share. If access was requested for the share itself, then this field appears as “\”.
Access Request Information:
Access Mask [Type = HexInt32]: the sum of hexadecimal values of requested access rights. See “Table 13.
File access codes.” for different hexadecimal values for access rights.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type.
Access: ReadData (or ListDirectory)
    Hexadecimal value, Schema value: 0x1, %%4416
    Description: ReadData - For a file object, the right to read the corresponding file data. For a directory
    object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list
    the contents of the directory.
Access: WriteData (or AddFile)
    Hexadecimal value, Schema value: 0x2, %%4417
    Description: WriteData - For a file object, the right to write data to the file. For a directory object, the
    right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file
    in the directory.
Access Check Results [Type = UnicodeString]: the list of access check results. The format of the result is:
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating
information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA
(BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the
table below.
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone),
SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
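Added example (not Microsoft's code): a parser for the SDDL notation described above, applied to the page's own descriptor example, to the 5145 Access Check Results value, and to the NewSD share descriptor of the 5143 sample further down, plus a check for ACEs that grant broad principals write-type rights. The abbreviation tables are the standard SDDL ones; the ACCOUNTS map covers only the abbreviations used on this page, and the "risky ACE" rule is a constructed policy.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "OBJECT_ACCESS_ALLOWED",
             "OD": "OBJECT_ACCESS_DENIED", "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM",
             "OU": "OBJECT_SYSTEM_AUDIT", "OL": "OBJECT_SYSTEM_ALARM"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS_AUDIT",
             "FA": "FAILED_ACCESS_AUDIT"}
# Two-letter rights codes and the access-mask bits they stand for (standard SDDL).
RIGHTS = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100,
          "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
# Account abbreviations used on this page (a subset of the full SDDL list).
ACCOUNTS = {"AN": "Anonymous", "WD": "Everyone", "SY": "LOCAL_SYSTEM", "AU": "Authenticated Users",
            "BA": "BUILTIN_ADMINISTRATORS", "BG": "BUILTIN_GUESTS", "DA": "DOMAIN_ADMINS"}
# Write-type file rights: WriteData, AppendData, WriteEA, DeleteChild, WriteAttributes,
# DELETE, WRITE_DAC, WRITE_OWNER (the Accesses the page recommends watching).
WRITE_MASK = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000


@dataclass
class Ace:
    ace_type: str
    flags: list[str]
    rights: int
    account: str


def _pairs(s: str) -> list[str]:
    """SDDL flag and rights strings are runs of two-letter codes: 'OICI' -> ['OI', 'CI']."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_ace(text: str) -> Ace:
    """'(A;OICI;FA;;;WD)' -> Ace('ACCESS_ALLOWED', [...], 0x1F01FF, 'Everyone')."""
    fields = text.strip("()").split(";")
    if len(fields) < 6:
        raise ValueError(f"malformed ACE: {text}")
    ace_type, flags, rights, _object_guid, _inherit_object_guid, sid = fields[:6]
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)          # numeric form, e.g. 0xf0007
    else:
        mask = 0
        for code in _pairs(rights):     # symbolic form, e.g. DCLCRPCRSDWDWO
            mask |= RIGHTS[code]
    return Ace(ACE_TYPES[ace_type], [ACE_FLAGS[f] for f in _pairs(flags)],
               mask, ACCOUNTS.get(sid, sid))


# O:owner G:group D:flags(ace)(ace)... S:flags(ace)...; every part is optional.
_SD = re.compile(r"(?:O:(?P<owner>[^:(]+?))?(?:G:(?P<group>[^:(]+?))?"
                 r"(?:D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*))?"
                 r"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^)]*\))*))?")


def parse_sddl(sddl: str) -> dict:
    """Split a security descriptor string into owner, group, DACL and SACL."""
    m = _SD.fullmatch(sddl.replace(" ", ""))
    if m is None:
        raise ValueError(f"malformed SDDL: {sddl}")

    def aces(part: str | None) -> list[Ace]:
        return [parse_ace(a) for a in re.findall(r"\([^)]*\)", part or "")]

    return {"owner": ACCOUNTS.get(m["owner"], m["owner"]),
            "group": ACCOUNTS.get(m["group"], m["group"]),
            "dacl_flags": _pairs(m["dflags"] or ""), "dacl": aces(m["dacl"]),
            "sacl_flags": _pairs(m["sflags"] or ""), "sacl": aces(m["sacl"])}


def parse_access_reason(text: str) -> list[tuple[str, str, Ace | None]]:
    """5145 Access Check Results, '%%4416: %%1801 D:(A;;FA;;;WD) ...', as
    (requested access code, reason code, deciding ACE or None) triples.
    The %%NNNN codes are message-table references that Event Viewer resolves."""
    pattern = r"(%%\d+):\s*(%%\d+)\s*(D:\([^)]*\))?"
    return [(access, reason, parse_sddl(sd)["dacl"][0] if sd else None)
            for access, reason, sd in re.findall(pattern, text)]


def risky_aces(sd: dict) -> list[Ace]:
    """Allow ACEs that grant a broad principal any write-type right (constructed rule)."""
    broad = {"Everyone", "Anonymous", "Authenticated Users"}
    return [a for a in sd["dacl"] if a.ace_type == "ACCESS_ALLOWED"
            and a.account in broad and a.rights & WRITE_MASK]


# Inputs taken from this page: the descriptor example, the 5145 Access Check
# Results value, and the NewSD value of the 5143 sample.
SD_EXAMPLE = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
              "(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)")
ACCESS_REASON = ("%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) "
                 "%%4423: %%1801 D:(A;;FA;;;WD)")
NEW_SD = ("O:BAG:DAD:(D;;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
          "(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)")
```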
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Monitor this event if the Network Information\Source Address is not from your internal IP range.
Monitor this event if the Network Information\Source Address should not be able to connect with the
specific computer (Computer:).
If you have critical files or folders on specific network shares, for which you need to monitor access attempts
(Success and Failure), monitor for specific Share Information\Share Name and Share
Information\Relative Target Name.
If you have domain or local accounts that should only be able to access a specific list of shared files or
folders, you can monitor for access attempts outside the allowed list.
We recommend that you monitor for these Access Request Information\Accesses rights (especially for
Failure):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
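Added example (not Microsoft's code): decoding the Access Mask of a 5145 event into the named rights and applying the recommendations above (source address outside the internal ranges, write-type accesses, Success versus Failure read from the Keywords value). The bit values are the standard Windows file access rights; the internal ranges and the second, Failure event are constructed, while the first event reuses the sample on this page.

```python
from __future__ import annotations

import ipaddress
import xml.etree.ElementTree as ET
from string import Template

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE_BIT = 0x0010000000000000  # set in <Keywords> on Audit Failure events

# Access-right bits (standard Windows file rights), named as the Accesses field prints them.
FILE_ACCESS_BITS = {
    0x1: "ReadData (or ListDirectory)",
    0x2: "WriteData (or AddFile)",
    0x4: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x8: "ReadEA",
    0x10: "WriteEA",
    0x20: "Execute/Traverse",
    0x40: "DeleteChild",
    0x80: "ReadAttributes",
    0x100: "WriteAttributes",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
# The rights the recommendations say to watch, especially on Failure.
WATCHED_ACCESSES = {"WriteData (or AddFile)", "WriteEA", "DeleteChild", "WriteAttributes",
                    "AppendData (or AddSubdirectory or CreatePipeInstance)",
                    "DELETE", "WRITE_DAC", "WRITE_OWNER"}


def decode_access_mask(mask: int) -> list[str]:
    """Split an Access Mask into the named rights it is the sum of."""
    names = [name for bit, name in FILE_ACCESS_BITS.items() if mask & bit]
    unknown = mask & ~sum(FILE_ACCESS_BITS)
    if unknown:
        names.append(f"unknown bits 0x{unknown:x}")
    return names


def triage_5145(xml_text: str, internal_nets: list[str]) -> list[str]:
    """Return the findings for one 5145 event according to the recommendations above."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    keywords = int(root.findtext("e:System/e:Keywords", namespaces=NS), 16)
    outcome = "Failure" if keywords & AUDIT_FAILURE_BIT else "Success"
    target = f"{data['ShareName']}\\{data['RelativeTargetName']}"
    findings: list[str] = []

    src = ipaddress.ip_address(data["IpAddress"])
    if isinstance(src, ipaddress.IPv6Address) and src.ipv4_mapped:
        src = src.ipv4_mapped  # "::ffff:10.0.0.5" -> 10.0.0.5, so IPv4 ranges apply
    if not any(src in ipaddress.ip_network(n) for n in internal_nets):
        findings.append(f"{outcome}: source {src} port {data['IpPort']} is outside the "
                        f"internal ranges ({target})")

    accesses = decode_access_mask(int(data["AccessMask"], 16))
    # AccessList holds one %%NNNN token per requested right, so the counts must agree.
    if len(accesses) != len(data.get("AccessList", "").split()):
        findings.append(f"{outcome}: AccessMask {data['AccessMask']} does not match "
                        f"AccessList ({target})")
    watched = sorted(set(accesses) & WATCHED_ACCESSES)
    if watched:
        findings.append(f"{outcome}: write-type access requested on {target}: "
                        + ", ".join(watched))
    return findings


# Event template with the fields this check reads (System section abbreviated).
EVENT_5145 = Template(r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5145</EventID><Keywords>$keywords</Keywords>
    <Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="IpAddress">$ip</Data>
    <Data Name="IpPort">$port</Data>
    <Data Name="ShareName">\\*\Documents</Data>
    <Data Name="ShareLocalPath">\??\C:\Documents</Data>
    <Data Name="RelativeTargetName">$target</Data>
    <Data Name="AccessMask">$mask</Data>
    <Data Name="AccessList">$access_list</Data>
  </EventData>
</Event>""")

# Values from the event sample above.
SAMPLE_READ = EVENT_5145.substitute(
    keywords="0x8020000000000000", ip="fe80::31ea:6c3c:f40d:1973", port="56926",
    target="Bginfo.exe", mask="0x100081", access_list="%%1541 %%4416 %%4423")
# Constructed: a denied WriteData + DELETE request from an address outside the ranges.
SAMPLE_WRITE_FAIL = EVENT_5145.substitute(
    keywords="0x8010000000000000", ip="203.0.113.7", port="51022",
    target="payroll.xlsx", mask="0x10002", access_list="%%4417 %%1537")
INTERNAL_RANGES = ["10.0.0.0/8", "127.0.0.0/8", "::1/128", "fe80::/10"]  # constructed
```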
Audit File Share
1/3/2020
Applies to
Windows 10
Windows Server 2016
Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access
attempts. Also, it shows failed SMB SPN checks.
There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all
shares on the system will be audited.
Combined with File System auditing, File Share auditing enables you to track what content was accessed, the
source (IP address and port) of the request, and the user account that was used for the access.
Event volume :
High on file servers.
High on domain controllers because of SYSVOL network access required by Group Policy.
Low on member servers and workstations.
Events List:
5140(S, F): A network share object was accessed.
5142(S): A network share object was added.
5143(S): A network share object was modified.
5144(S): A network share object was deleted.
5168(F): SPN check for SMB/SMB2 failed.
5140(S, F): A network share object was accessed.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates every time a network share object was accessed.
This event generates once per session, when the first access attempt was made.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5140</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:45:13.581231400Z" />
<EventRecordID>268495</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="772" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x541f35</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">10.0.0.100</Data>
<Data Name="IpPort">49212</Data>
<Data Name="ShareName">\\*\Documents</Data>
<Data Name="ShareLocalPath">\??\C:\Documents</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="AccessList">%%4416</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested access to network share
object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Network Information:
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation. Always
“File” for this event.
The following table contains the list of the most common Object Types:
Source Address [Type = UnicodeString]: source IP address from which access was performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source TCP or UDP port which was used from remote or local machine
to request the access.
0 for local access attempts.
Share Information:
Share Name [Type = UnicodeString]: the name of accessed network share. The format is: \\*\SHARE_NAME.
Share Path [Type = UnicodeString]: the full system (NTFS) path for accessed share. The format is: \\??\PATH.
Can be empty, for example for Share Name : \\*\IPC$.
Access Request Information:
Access Mask [Type = HexInt32]: the sum of hexadecimal values of requested access rights. See “Table 13.
File access codes.” for different hexadecimal values for access rights. Always has the value “0x1” for this event.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type. Always has the value “ReadData (or ListDirectory)” for this
event.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high-value computers for which you need to monitor all access to all shares or specific shares
(“Share Name”), monitor this event. For example, you could monitor share C$ on domain controllers.
Monitor this event if the Network Information\Source Address is not from your internal IP range.
Monitor this event if the Network Information\Source Address should not be able to connect with the
specific computer (Computer:).
If you need to monitor access attempts to local shares from a specific IP address (“Network
Information\Source Address”), use this event.
If you need to monitor for specific Access Types (for example, ReadData or WriteData), for all or specific
shares (“Share Name”), monitor this event for the “Access Type.”
5142(S): A network share object was added.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates every time a network share object was added.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5142</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:27:01.206646900Z" />
<EventRecordID>268462</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4304" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d12</Data>
<Data Name="ShareName">\\*\Documents</Data>
<Data Name="ShareLocalPath">C:\Documents</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “add network share
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Share Information:
Share Name [Type = UnicodeString]: the name of the added share object. The format is: \\*\SHARE_NAME.
Share Path [Type = UnicodeString]: the full system (NTFS) path for the added share object. The format is:
\\??\PATH.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high-value computers for which you need to monitor creation of new file shares, monitor this
event. For example, you could monitor domain controllers.
We recommend checking “Share Path”, because it should not point to system directories, such as
C:\Windows or C:\, or to critical local folders which contain private or high value information.
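Added example (not Microsoft's code): a check of a 5142 event's Share Path against the recommendation above, treating a drive root or anything under a sensitive directory as a finding and reporting any new share on a high-value computer. The sensitive-directory list, the high-value computer set and the second sample event are constructed; the first sample reuses the values on this page.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed policy: locations a new share must never expose. The page names system
# directories (C:\Windows, C:\) and high-value folders; D:\Finance is an invented example.
SENSITIVE_DIRS = [PureWindowsPath(p) for p in (r"C:\Windows", r"D:\Finance")]


def _lower_parts(path: PureWindowsPath) -> tuple[str, ...]:
    return tuple(part.lower() for part in path.parts)  # NTFS names are case-insensitive


def classify_share_path(raw: str,
                        sensitive_dirs: list[PureWindowsPath] = SENSITIVE_DIRS) -> str | None:
    r"""Return why the Share Path is risky, or None when it is not.

    Accepts both forms seen on this page: the NT form "\??\C:\Documents" (5140/5145)
    and the plain "C:\Documents" (5142/5143)."""
    path = PureWindowsPath(raw[4:] if raw.startswith("\\??\\") else raw)
    if path.parent == path:              # a drive root such as C:\ is its own parent
        return f"{path} is a drive root"
    for sensitive in sensitive_dirs:
        prefix = _lower_parts(sensitive)
        if _lower_parts(path)[:len(prefix)] == prefix:
            return f"{path} is inside {sensitive}"
    return None


def triage_5142(xml_text: str, high_value_computers: set[str]) -> list[str]:
    """Apply the recommendations above to one 5142 event; return the findings."""
    root = ET.fromstring(xml_text)
    computer = root.findtext("e:System/e:Computer", namespaces=NS) or ""
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    who = f"{data['SubjectDomainName']}\\{data['SubjectUserName']}"
    share = data["ShareName"]
    findings: list[str] = []
    if computer.lower() in {c.lower() for c in high_value_computers}:
        findings.append(f"new share {share} created on high-value computer {computer} by {who}")
    reason = classify_share_path(data["ShareLocalPath"])
    if reason:
        findings.append(f"new share {share} on {computer} by {who}: {reason}")
    return findings


# Built from the 5142 sample on this page (System section abbreviated).
SAMPLE_5142 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5142</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x38d12</Data>
    <Data Name="ShareName">\\*\Documents</Data>
    <Data Name="ShareLocalPath">C:\Documents</Data>
  </EventData>
</Event>"""

# Constructed: a share exposing a system directory, created on an invented file server.
SAMPLE_5142_SYSTEM = SAMPLE_5142.replace("DC01.contoso.local", "FS01.contoso.local") \
    .replace(r"\\*\Documents", r"\\*\sys32") \
    .replace(r"C:\Documents", r"\??\C:\Windows\System32")
```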
5143(S): A network share object was modified.
8/10/2019
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5143</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:42:56.743298600Z" />
<EventRecordID>268483</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d12</Data>
<Data Name="ObjectType">Directory</Data>
<Data Name="ShareName">\\*\Documents</Data>
<Data Name="ShareLocalPath">C:\Documents</Data>
<Data Name="OldRemark">N/A</Data>
<Data Name="NewRemark">N/A</Data>
<Data Name="OldMaxUsers">0xffffffff</Data>
<Data Name="NewMaxUsers">0xffffffff</Data>
<Data Name="OldShareFlags">0x800</Data>
<Data Name="NewShareFlags">0x800</Data>
<Data Name="OldSD">O:S-1-5-21-3457937927-2839227994-823803824-1104G:DAD:(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)
</Data>
<Data Name="NewSD">O:BAG:DAD:(D;;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICI;FA;;;WD)
(A;OICI;FA;;;BA)</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “modify network share
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Share Information:
Object Type [Type = UnicodeString]: The type of an object that was modified. Always “Directory” for this
event.
The following table contains the list of the most common Object Types:
Share Name [Type = UnicodeString]: the name of the modified share object. The format is:
\\*\SHARE_NAME
Share Path [Type = UnicodeString]: the full system (NTFS) path for the modified share object. The format is:
\\??\PATH. Can be empty, for example for Share Name: \\*\IPC$.
Old Remark [Type = UnicodeString]: the old value of the network share “Comments:” field. Has the “N/A” value if
it is not set.
New Remark [Type = UnicodeString]: the new value of the network share “Comments:” field. Has the “N/A” value
if it is not set.
Old MaxUsers [Type = HexInt32]: old hexadecimal value of the “Limit the number of simultaneous users
to:” field. Has the “0xFFFFFFFF” value if the number of connections is unlimited.
New MaxUsers [Type = HexInt32]: new hexadecimal value of the “Limit the number of simultaneous users
to:” field. Has the “0xFFFFFFFF” value if the number of connections is unlimited.
Old ShareFlags [Type = HexInt32]: old hexadecimal value of the “Offline Settings” caching settings window
flags.
New ShareFlags [Type = HexInt32]: new hexadecimal value of the “Offline Settings” caching settings
window flags.
Old SD [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for network
share security descriptor.
New SD [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for network
share security descriptor.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating
information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA
(BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the
table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone),
SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high-value computers for which you need to monitor all modifications to all shares or specific shares
(“Share Name ”), monitor this event. For example, you could monitor all changes to the SYSVOL share on
domain controllers.
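The SDDL grammar above is what you need to read the Old SD and New SD fields of a 5143 record. The Python below is an added example, not Microsoft's code and not part of the original documentation: it splits an SDDL string into owner, group, DACL and SACL entries using the entry format just described, then diffs the two descriptors from the sample event above. The sample record is a constructed copy of that event, the well-known SID abbreviations it expands are the few listed in the text, and the "Everyone has full access" check is this example's own choice of what to flag.

```python
"""Parse the SDDL strings carried by 5143 (Old SD / New SD) and report what
changed.  Added example, not part of the original documentation; the record
below is a constructed copy of the 5143 sample shown above."""
import re
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
ACE_RE = re.compile(r"\(([^)]*)\)")
# A few of the reserved SID abbreviations listed above; anything else is shown raw.
WELL_KNOWN = {"BA": "BUILTIN\\Administrators", "BG": "BUILTIN\\Guests", "WD": "Everyone",
              "SY": "LOCAL_SYSTEM", "AN": "Anonymous", "DA": "Domain Admins"}

# Constructed sample: Old SD / New SD are the values from the page's 5143 record.
SAMPLE_5143 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5143</EventID><Computer>DC01.contoso.local</Computer></System>
<EventData>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="ShareName">\\\\*\\Documents</Data>
<Data Name="OldSD">O:S-1-5-21-3457937927-2839227994-823803824-1104G:DAD:(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)</Data>
<Data Name="NewSD">O:BAG:DAD:(D;;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)</Data>
</EventData></Event>"""

# The SDDL example string from the text above, used to exercise the SACL branch.
DOC_EXAMPLE = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
               "(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)")


def parse_sddl(sddl):
    """Split 'O:...G:...D:flags(ace)(ace)S:flags(ace)' into its parts.
    Each ACE becomes a tuple (ace_type, ace_flags, rights, object_guid,
    inherit_object_guid, account_sid), following the entry format above."""
    out = {"owner": None, "group": None,
           "dacl_flags": "", "dacl": [], "sacl_flags": "", "sacl": []}
    tokens = re.split(r"([OGDS]):", sddl)      # ['', 'O', 'BA', 'G', 'SY', 'D', '(..)', ...]
    for marker, body in zip(tokens[1::2], tokens[2::2]):
        if marker == "O":
            out["owner"] = body
        elif marker == "G":
            out["group"] = body
        else:
            key = "dacl" if marker == "D" else "sacl"
            paren = body.find("(")
            out[key + "_flags"] = body if paren < 0 else body[:paren]   # P / AI / AR
            out[key] = [tuple(ace.split(";")) for ace in ACE_RE.findall(body)]
    return out


def describe_ace(ace):
    """Human-readable form of one ACE tuple."""
    ace_type, flags, rights, _obj, _inh, sid = ace[:6]
    kind = {"A": "allow", "D": "deny", "AU": "audit"}.get(ace_type, ace_type)
    who = WELL_KNOWN.get(sid, sid)
    return f"{kind} {rights} to {who}" + (f" [{flags}]" if flags else "")


def diff_descriptors(old_sddl, new_sddl):
    """Compare two descriptors: owner change plus DACL entries added/removed."""
    old, new = parse_sddl(old_sddl), parse_sddl(new_sddl)
    old_set, new_set = set(old["dacl"]), set(new["dacl"])
    return {
        "owner_changed": old["owner"] != new["owner"],
        "added": [describe_ace(a) for a in new["dacl"] if a not in old_set],
        "removed": [describe_ace(a) for a in old["dacl"] if a not in new_set],
        # Everyone (WD) with FA on a share is the kind of result worth a second look.
        "everyone_full_access": any(a[0] == "A" and a[2] == "FA" and a[5] == "WD"
                                    for a in new["dacl"]),
    }


def review_5143(xml_text):
    """Pull Old SD / New SD out of a 5143 record and diff them."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVENT_NS}Data")}
    report = diff_descriptors(data["OldSD"], data["NewSD"])
    report["share"] = data["ShareName"]
    report["changed_by"] = data["SubjectUserName"]
    return report


if __name__ == "__main__":
    for key, value in review_5143(SAMPLE_5143).items():
        print(f"{key}: {value}")
```

On the sample record the diff reports that the owner changed from the user's SID to BUILTIN\Administrators, that one deny ACE for that SID was added, that nothing was removed, and that Everyone still holds full access; the last point is why the page suggests watching 5143 on SYSVOL and similar shares.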
5144(S): A network share object was deleted.
6/6/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates every time a network share object is deleted.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5144</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:17:14.820551800Z" />
<EventRecordID>268368</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4656" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d12</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">C:\\Documents</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete network share
object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Share Information:
Share Name [Type = UnicodeString]: the name of the deleted share object. The format is: \\*\SHARE_NAME
Share Path [Type = UnicodeString]: the full system (NTFS) path for the deleted share object. The format is:
\\??\PATH.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical network shares for which you need to monitor all changes (especially, the deletion of that
share), monitor for specific “Share Information\Share Name”.
If you have high-value computers for which you need to monitor all changes (especially, deletion of file
shares), monitor for all 5144 events on these computers. For example, you could monitor file shares on
domain controllers.
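The 5142, 5143 and 5144 recommendations above (a share path that should not point at system directories or the drive root, changes to critical shares such as SYSVOL, deletions on high-value computers) can be applied mechanically to the event XML. The following Python is an added example, not part of the original documentation; the high-value host list, the critical share list, the FS01 host and the four sample records are constructed for the demonstration.

```python
"""Apply the share-audit recommendations above to 5142/5143/5144 records.
Added example, not part of the original documentation; the host list, the
critical-share list and the sample records are constructed for the demo."""
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Assumptions (not stated on the page): which hosts are high-value and which
# shares are critical enough that any change or deletion should be flagged.
HIGH_VALUE_HOSTS = {"dc01.contoso.local"}
CRITICAL_SHARES = {"\\\\*\\sysvol", "\\\\*\\netlogon"}
# 5142 guidance: a share path should not point at system directories such as C:\Windows.
SYSTEM_DIRECTORIES = ("c:\\windows",)


def make_event(event_id, computer, fields):
    """Build a minimal record in the page's XML layout (constructed sample)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData>{rows}</EventData></Event>')


SAMPLE_EVENTS = [
    # 5142: new share exposing a system directory (path check should fire)
    make_event(5142, "FS01.contoso.local", {"SubjectUserName": "dadmin",
               "ShareName": "\\\\*\\Tools", "ShareLocalPath": "C:\\Windows\\System32"}),
    # 5143: SYSVOL modified on a domain controller (critical-share check should fire)
    make_event(5143, "DC01.contoso.local", {"SubjectUserName": "dadmin",
               "ShareName": "\\\\*\\SYSVOL", "ShareLocalPath": "C:\\Windows\\SYSVOL\\sysvol"}),
    # 5144: the page's Documents share deleted on DC01 (high-value host check should fire)
    make_event(5144, "DC01.contoso.local", {"SubjectUserName": "dadmin",
               "ShareName": "\\\\*\\Documents", "ShareLocalPath": "C:\\Documents"}),
    # 5142: an ordinary share on an ordinary file server (nothing to flag)
    make_event(5142, "FS01.contoso.local", {"SubjectUserName": "dadmin",
               "ShareName": "\\\\*\\Public", "ShareLocalPath": "D:\\Public"}),
]


def parse_event(xml_text):
    """Return EventID, Computer and every EventData field as one flat dict."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{EVENT_NS}System")
    ev = {"id": int(system.find(f"{EVENT_NS}EventID").text),
          "computer": system.find(f"{EVENT_NS}Computer").text}
    ev.update((d.get("Name"), d.text or "") for d in root.iter(f"{EVENT_NS}Data"))
    return ev


def share_path_is_sensitive(path):
    """True if the share path is a drive root (C:\\) or lies under a system directory."""
    p = path.rstrip("\\").lower()
    if not p:                                  # IPC$ and similar carry no path
        return False
    if len(p) == 2 and p[1] == ":":            # 'c:' is what C:\ becomes after rstrip
        return True
    return any(p == d or p.startswith(d + "\\") for d in SYSTEM_DIRECTORIES)


def review_share_event(xml_text):
    """Return the list of findings for one 5142/5143/5144 record (empty if none)."""
    ev = parse_event(xml_text)
    share, path = ev.get("ShareName", ""), ev.get("ShareLocalPath", "")
    host, who = ev["computer"].lower(), ev.get("SubjectUserName", "?")
    findings = []
    if ev["id"] == 5142:
        if share_path_is_sensitive(path):
            findings.append(f"new share {share} exposes system path {path} (by {who})")
        if host in HIGH_VALUE_HOSTS:
            findings.append(f"new share {share} created on high-value host {ev['computer']}")
    elif ev["id"] == 5143 and share.lower() in CRITICAL_SHARES:
        findings.append(f"critical share {share} modified by {who} on {ev['computer']}")
    elif ev["id"] == 5144:
        if share.lower() in CRITICAL_SHARES:
            findings.append(f"critical share {share} deleted by {who}")
        if host in HIGH_VALUE_HOSTS:
            findings.append(f"share {share} deleted on high-value host {ev['computer']}")
    return findings


def review_all(events=SAMPLE_EVENTS):
    """Findings per record, in input order."""
    return [review_share_event(e) for e in events]


if __name__ == "__main__":
    for findings in review_all():
        print(findings or "- no findings -")
```

Note that SYSVOL itself lives under C:\Windows, so the 5142 path rule would flag a legitimate SYSVOL re-creation on a domain controller; that is the kind of expected exception a monitoring policy has to list explicitly rather than silently drop.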
5168(F): SPN check for SMB/SMB2 failed.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates when the SMB SPN check fails. It often happens because the client used the NTLMv1 or LM
protocol while the “Microsoft Network Server: Server SPN target name validation level” group policy is set to
“Require from client” on the server side. The SPN is only sent to the server when NTLMv2 or Kerberos is used,
and only then can it be validated.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5168</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T17:53:40.294859800Z" />
<EventRecordID>268946</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="80" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0xd0cd4</Data>
<Data Name="SpnName">N/A</Data>
<Data Name="ErrorCode">0xc0000022</Data>
<Data Name="ServerNames">CONTOSO;contoso.local;DC01.contoso.local;DC01;LocalHost;</Data>
<Data Name="ConfiguredNames">N/A</Data>
<Data Name="IpAddresses">127.0.0.1;::1;10.0.0.10;;fe80::31ea:6c3c:f40d:1973;;fe80::5efe:10.0.0.10;</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account for which the SPN check failed.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
SPN:
SPN Name [Type = UnicodeString]: SPN which was used to access the server. If SPN was not provided, then the
value will be “N/A”.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must have
its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use
for authentication. For example, an SPN always includes the name of the host computer on which the service
instance is running, so a service instance might register an SPN for each name or alias of its host.
Error Code [Type = HexInt32]: hexadecimal error code, for example “0xC0000022” = STATUS_ACCESS_DENIED.
You can find description for all SMB error codes here: https://msdn.microsoft.com/library/ee441884.aspx.
Server Information:
Server Names [Type = UnicodeString]: information about possible server names to use to access the target
server (NETBIOS, DNS, localhost, etc.).
Configured Names [Type = UnicodeString]: information about the names which were provided for
validation. If no information was provided the value will be “N/A”.
IP Addresses [Type = UnicodeString]: information about possible IP addresses to use to access the target
server (IPv4, IPv6).
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
We recommend monitoring for any 5168 event, because it can be a sign of a configuration issue or a malicious
authentication attempt.
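A 5168 record carries enough to tell an NTLMv1/LM client from a target-name problem, which is the first question a triage step asks. The Python below is an added example, not part of the original page: it parses the semicolon-separated Server Names and IP Addresses fields, maps the one error code the page spells out, and classifies the record. The first sample is a constructed copy of the record above; the second, with its service account and the name it presents, is invented, and the rule that a configured name missing from Server Names indicates a target-name mismatch is this example's assumption, not something the page states.

```python
"""Triage 5168 (SPN check for SMB/SMB2 failed) records.  Added example, not
part of the original page; the first record is a constructed copy of the
sample above, the second is invented to show the name-mismatch path."""
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
# The one NTSTATUS value the page spells out; anything else is reported as hex.
SMB_ERRORS = {0xC0000022: "STATUS_ACCESS_DENIED"}


def make_event(fields):
    """Build a minimal 5168 record in the page's XML layout (constructed sample)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>5168</EventID><Computer>DC01.contoso.local</Computer></System>'
            f'<EventData>{rows}</EventData></Event>')


SAMPLE_NO_SPN = make_event({
    "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0xd0cd4",
    "SpnName": "N/A", "ErrorCode": "0xc0000022",
    "ServerNames": "CONTOSO;contoso.local;DC01.contoso.local;DC01;LocalHost;",
    "ConfiguredNames": "N/A",
    "IpAddresses": "127.0.0.1;::1;10.0.0.10;;fe80::31ea:6c3c:f40d:1973;;fe80::5efe:10.0.0.10;",
})
# Constructed: a client that did send an SPN, but for a name this server does not own.
SAMPLE_MISMATCH = make_event({
    "SubjectUserName": "svc-backup", "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0x1a2b3",
    "SpnName": "cifs/files.contoso.local", "ErrorCode": "0xc0000022",
    "ServerNames": "CONTOSO;contoso.local;DC01.contoso.local;DC01;LocalHost;",
    "ConfiguredNames": "files.contoso.local;",
    "IpAddresses": "10.0.0.10;",
})


def split_list(field):
    """ServerNames/IpAddresses are ';'-separated and may contain empty items."""
    return [item for item in field.split(";") if item]


def triage_5168(xml_text):
    """Classify one 5168 record and return the fields a responder wants first."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVENT_NS}Data")}
    server_names = split_list(data.get("ServerNames", ""))
    configured = ([] if data.get("ConfiguredNames", "N/A") == "N/A"
                  else split_list(data["ConfiguredNames"]))
    code = int(data.get("ErrorCode", "0x0"), 16)
    # Page: an SPN is only sent with NTLMv2 or Kerberos, so "N/A" points at an
    # NTLMv1/LM client hitting "Require from client".
    spn_supplied = data.get("SpnName", "N/A") != "N/A"
    # Assumption (not stated on the page): a name offered for validation that is
    # not one of the server's own names is what a target-name mismatch looks like.
    known = {s.lower() for s in server_names}
    unmatched = [n for n in configured if n.lower() not in known]
    if not spn_supplied:
        cause = "no SPN sent: client likely used NTLMv1 or LM"
    elif unmatched:
        cause = "target name mismatch: " + ", ".join(unmatched)
    else:
        cause = "SPN supplied and name known; check the error code"
    return {
        "subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "spn_supplied": spn_supplied,
        "error": SMB_ERRORS.get(code, hex(code)),
        "server_names": server_names,
        "ip_addresses": split_list(data.get("IpAddresses", "")),
        "unmatched_names": unmatched,
        "likely_cause": cause,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_NO_SPN, SAMPLE_MISMATCH):
        print(triage_5168(sample))
```

Both outcomes deserve a ticket: the first points at a client that still negotiates NTLMv1/LM and should be fixed or isolated, the second at a client addressing the server by a name it does not hold, which is either a DNS/alias configuration problem or the authentication attempt the page warns about.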
Audit File System
1/2/2020 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit File System determines whether the operating system generates audit events when users attempt to
access file system objects.
Audit events are generated only for objects that have configured system access control lists (SACLs), and only
if the type of access requested (such as Write, Read, or Modify) and the account making the request match the
settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file
system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time
any user unsuccessfully attempts to access a file system object that has a matching SACL.
These events are essential for tracking activity for file objects that are sensitive or valuable and require extra
monitoring.
Event volume: Varies, depending on how file system SACLs are configured.
No audit events are generated for the default file system SACLs.
This subcategory allows you to audit user attempts to access file system objects, file system object deletion
and permissions change operations and hard link creation actions.
Only one event, “4658: The handle to an object was closed,” depends on the Audit Handle Manipulation
subcategory (Success auditing must be enabled). All other events generate without any additional
configuration.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate SACLs for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess SACLs. Otherwise the auditing log will be overloaded with useless information. Failure events can show you unsuccessful attempts to access specific file system objects. Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them.
Member Server | IF | IF | IF | IF |
Workstation | IF | IF | IF | IF |
Events List:
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4660(S): An object was deleted.
4663(S): An attempt was made to access an object.
4664(S): An attempt was made to create a hard link.
4985(S): The state of a transaction has changed.
5051(-): A file was virtualized.
4670(S): Permissions on an object were changed.
4656(S, F): A handle to an object was requested.
5/31/2019 • 16 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that specific access was requested for an object. The object could be a file system, kernel, or
registry object, or a file system object on removable storage or a device.
If access was declined, a Failure event is generated.
This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights.
This event shows that access was requested, and the results of the request, but it doesn’t show that the operation
was performed. To see that the operation was performed, check “4663(S): An attempt was made to access an
object.”
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<EventRecordID>274057</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:
(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:
(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some
objects, the field does not apply and “-“ is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was requested.
Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the
PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID. These
access rights depend on Object Type. The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.
Access | Hexadecimal Value, Schema Value | Description
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) (For registry objects, this is “Set key value.”) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this
varies, depending on the object. For kernel objects, this field does not apply.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used during
the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that
case appears as “-”. See the full list of user privileges in the table below:
Privilege Name | User Right Group Policy Name | Description
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific
Object Types.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical object for which you need to monitor any access attempt, monitor
all 4656 events.
If Object Name is a sensitive or critical object for which you need to monitor specific access attempts (for
example, only write actions), monitor for all 4656 events with the corresponding Access Request
Information\Accesses values.
If you need to monitor files and folders with specific Resource Attribute values, monitor for all 4656 events
with specific Resource Attributes field values.
For file system objects, we recommend that you monitor these Access Request Information\Accesses
rights (especially for Failure events):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
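The Accesses list, the Access Mask and the Process Name checks above combine into one review step for a 4656 record. The Python below is an added example, not part of the original documentation: it decodes the hexadecimal Access Mask into right names, cross-checks it against the %% access-schema tokens in the Accesses field, and applies the Process Name and write-rights recommendations. The first record is a constructed copy of the sample above; the second, with a process in a user's Downloads folder, is invented. The rights table is extended beyond the two rows shown on the page with the standard Windows file access rights and their schema tokens, and the Keywords bit used to tell Success from Failure is the one that differs between the Failure sample above and the Success samples elsewhere on the page.

```python
"""Decode the Access Mask / Accesses fields of a 4656 record and apply the
monitoring recommendations above.  Added example, not part of the original
documentation; the first record is a constructed copy of the sample shown
above, the second is invented to exercise the process-name checks."""
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# File-system access rights, bit -> (name, access-schema token).  The page's table
# shows the first two rows; the rest are the standard Windows file access rights
# and the schema tokens the sample record above uses.
FILE_RIGHTS = {
    0x1: ("ReadData (or ListDirectory)", "%%4416"),
    0x2: ("WriteData (or AddFile)", "%%4417"),
    0x4: ("AppendData (or AddSubdirectory or CreatePipeInstance)", "%%4418"),
    0x8: ("ReadEA", "%%4419"),
    0x10: ("WriteEA", "%%4420"),
    0x20: ("Execute/Traverse", "%%4421"),
    0x40: ("DeleteChild", "%%4422"),
    0x80: ("ReadAttributes", "%%4423"),
    0x100: ("WriteAttributes", "%%4424"),
    0x10000: ("DELETE", "%%1537"),
    0x20000: ("READ_CONTROL", "%%1538"),
    0x40000: ("WRITE_DAC", "%%1539"),
    0x80000: ("WRITE_OWNER", "%%1540"),
    0x100000: ("SYNCHRONIZE", "%%1541"),
}
SCHEMA_TO_NAME = {token: name for name, token in FILE_RIGHTS.values()}
# Rights the page says to watch on file system objects, especially in Failure events.
WATCHED_RIGHTS = {"WriteData (or AddFile)", "AppendData (or AddSubdirectory or CreatePipeInstance)",
                  "WriteEA", "DeleteChild", "WriteAttributes", "DELETE", "WRITE_DAC", "WRITE_OWNER"}
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")
AUDIT_FAILURE_KEYWORD = 0x0010000000000000      # Keywords bit set in the Failure sample above


def make_event(keywords, fields):
    """Build a minimal 4656 record in the page's XML layout (constructed sample)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>4656</EventID><Keywords>{keywords}</Keywords>'
            f'<Computer>DC01.contoso.local</Computer></System>'
            f'<EventData>{rows}</EventData></Event>')


SAMPLE_FAILURE = make_event("0x8010000000000000", {
    "SubjectUserName": "dadmin", "ObjectType": "File",
    "ObjectName": "C:\\Documents\\HBI Data.txt", "AccessMask": "0x12019f",
    "AccessList": "%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424",
    "ProcessName": "C:\\Windows\\System32\\notepad.exe",
})
SAMPLE_ODD_PROCESS = make_event("0x8020000000000000", {
    "SubjectUserName": "dadmin", "ObjectType": "File",
    "ObjectName": "C:\\Documents\\HBI Data.txt", "AccessMask": "0x20000",
    "AccessList": "%%1538", "ProcessName": "C:\\Users\\dadmin\\Downloads\\mimikatz.exe",
})


def decode_access_mask(mask):
    """Expand a hexadecimal access mask into right names, lowest bit first."""
    return [name for bit, (name, _) in sorted(FILE_RIGHTS.items()) if mask & bit]


def review_4656(xml_text):
    """Decode one 4656 record and list what the page's recommendations would flag."""
    root = ET.fromstring(xml_text)
    keywords = int(root.find(f"{EVENT_NS}System/{EVENT_NS}Keywords").text, 16)
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVENT_NS}Data")}
    rights = decode_access_mask(int(data["AccessMask"], 16))
    listed = [SCHEMA_TO_NAME.get(tok, tok) for tok in data["AccessList"].split()]
    proc = data["ProcessName"].lower()
    findings = []
    if sorted(listed) != sorted(rights):       # both fields describe the same request
        findings.append("Accesses list and Access Mask disagree")
    watched = sorted(WATCHED_RIGHTS.intersection(rights))
    if watched:
        findings.append("write-class rights requested: " + ", ".join(watched))
    if not proc.startswith(STANDARD_FOLDERS):
        findings.append(f"process outside standard folders: {data['ProcessName']}")
    if any(r in proc for r in RESTRICTED_FOLDERS):
        findings.append(f"process in restricted folder: {data['ProcessName']}")
    hits = [s for s in RESTRICTED_SUBSTRINGS if s in proc]
    if hits:
        findings.append("restricted substring in process name: " + ", ".join(hits))
    return {
        "object": data["ObjectName"],
        "outcome": "failure" if keywords & AUDIT_FAILURE_KEYWORD else "success",
        "rights": rights,
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_FAILURE, SAMPLE_ODD_PROCESS):
        print(review_4656(sample))
```

On the page's record the mask 0x12019f decodes to exactly the nine rights listed in Accesses, four of them write-class, and the request was denied (a Failure event), which is the combination the last recommendation above singles out.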
4658(S): The handle to an object was closed.
5/31/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Handle Manipulation, Audit Kernel Object, Audit Registry, and Audit
Removable Storage
Event Description:
This event generates when the handle to an object is closed. The object could be a file system, kernel, or
registry object, or a file system object on removable storage or a device.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.
Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it
might not have any security relevance.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4658</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
<EventRecordID>276724</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5056" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x18a8</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “close object’s handle”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested that the handle be closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it.
This event can be used to track all actions or operations related to a specific object handle.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
4660(S): An object was deleted.
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit
Kernel Object, and Audit Registry
Event Description:
This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
This event generates only if “Delete” auditing is set in the object’s SACL.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object” with DELETE access to track object deletion.
The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4660</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
<EventRecordID>270188</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3060" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x1678</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that deleted the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an object was requested.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Security Monitoring Recommendations
For 4660(S): An object was deleted.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object.” events with DELETE access to track object deletion actions.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the kernel objects level.
4663(S): An attempt was made to access an object.
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System,
Audit Kernel Object, Audit Registry,
and Audit Removable Storage
Event Description:
This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if the object’s SACL has the required ACE for the specific access right that was used.
The main difference from “4656: A handle to an object was requested.” is that 4663 shows that the access right was actually used, not just requested, and 4663 doesn’t have Failure events.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
<EventRecordID>273866</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x1bc</Data>
<Data Name="AccessList">%%4417 %%4418</Data>
<Data Name="AccessMask">0x6</Data>
<Data Name="ProcessId">0x458</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to access an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can be used for correlation with other events, for example with Handle ID field in “4656(S, F): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some objects, the field does not apply and “-” is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that accessed the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were used by Subject\Security ID. These access rights depend on Object Type. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary.
Access | Hex Value, Schema Value | Description
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) (For registry objects, this is “Set key value.”) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical file system objects for which you need to monitor all access attempts, monitor this event for Object Name.
If you have critical file system objects for which you need to monitor certain access attempts (for example, write actions), monitor this event for Object Name in relation to Access Request Information\Accesses.
If you have file system objects with specific attributes, for which you need to monitor access attempts, monitor this event for Resource Attributes.
If Object Name is a sensitive or critical registry key for which you need to monitor specific access attempts (for example, only write actions), monitor for all 4663 events with the corresponding Access Request Information\Accesses.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
For file system objects, we recommend that you monitor for these Access Request Information\Accesses rights:
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
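The 4656 and 4663 monitoring recommendations above (critical Object Name, write-type Accesses, and the Process Name folder and substring checks), worked through as an added Python example; this is not Microsoft's code or a Microsoft Defender feature. It parses Security events in the Event XML form shown on this page, decodes the recommended write-type rights from Access Mask (the bit values other than 0x1 and 0x2 are the standard Windows access-mask constants, an assumption beyond the page's table), and applies the folder and substring checks to Process Name; the sample events and policy lists are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the Windows Security event schema, as in the Event XML on this page.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Write-type rights this page recommends monitoring for file system objects.
# Assumption: the bit values are the standard Windows ACCESS_MASK constants;
# the page's own table shows only 0x1 (ReadData) and 0x2 (WriteData).
WRITE_RIGHTS = {
    0x00002: "WriteData (or AddFile)",
    0x00004: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x00010: "WriteEA",
    0x00040: "DeleteChild",
    0x00100: "WriteAttributes",
    0x10000: "DELETE",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

# Policy inputs, all constructed for this example (compared case-insensitively).
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")
CRITICAL_OBJECTS = {"c:\\documents\\hbi data.txt"}


def parse_security_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Security event in Event XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return event_id, data


def decode_write_rights(access_mask_hex):
    """Names of the monitored write-type rights present in a hex Access Mask such as '0x6'."""
    mask = int(access_mask_hex, 16)
    return [name for bit, name in WRITE_RIGHTS.items() if mask & bit]


def check_object_access(xml_text, critical_objects=CRITICAL_OBJECTS):
    """Apply the page's 4656/4663 recommendations to one event; return a list of findings."""
    event_id, d = parse_security_event(xml_text)
    if event_id not in (4656, 4663):
        return []  # handle close (4658), delete (4660) and others are out of scope here
    findings = []
    obj = d.get("ObjectName", "")
    rights = decode_write_rights(d.get("AccessMask", "0x0"))
    if obj.lower() in critical_objects and rights:
        findings.append(f"{event_id}: write-type access to critical object {obj}: {', '.join(rights)}")
    proc = d.get("ProcessName", "")
    p = proc.lower()
    if not p.startswith(STANDARD_FOLDERS):
        findings.append(f"{event_id}: process outside standard folders: {proc}")
    if any(folder in p for folder in RESTRICTED_FOLDERS):
        findings.append(f"{event_id}: process in restricted folder: {proc}")
    hits = [s for s in RESTRICTED_SUBSTRINGS if s in p]
    if hits:
        findings.append(f"{event_id}: restricted substring(s) {hits} in process name: {proc}")
    return findings


# Sample 1 (constructed from the page's 4663 example): notepad.exe used WriteData and
# AppendData (Access Mask 0x6) on the critical file, running from a standard folder.
SAMPLE_4663 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
    <Data Name="AccessList">%%4417 %%4418</Data>
    <Data Name="AccessMask">0x6</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
  </EventData>
</Event>"""

# Sample 2 (constructed): a 4656 request for DELETE (0x10000) plus ReadAttributes (0x80)
# on the same file, from a process in a restricted folder with a restricted name.
SAMPLE_4656 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4656</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
    <Data Name="AccessMask">0x10080</Data>
    <Data Name="ProcessName">C:\\Users\\dadmin\\Temporary Internet Files\\cain.exe</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_4663, SAMPLE_4656):
        for finding in check_object_access(sample):
            print(finding)
```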
4664(S): An attempt was made to create a hard link.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File System
Event Description:
This event generates when an NTFS hard link
was successfully created.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4664</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-21T23:50:26.871375900Z" />
<EventRecordID>276680</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="2624" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x43659</Data>
<Data Name="FileName">C:\\notepad.exe</Data>
<Data Name="LinkName">C:\\Docs\\My.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made an attempt to create the hard link. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to create the hard
link.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Link Information:
File Name [Type = UnicodeString]: the name of the file or folder that the new hard link refers to.
Link Name [Type = UnicodeString]: full path of the new hard link file.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
4985(S): The state of a transaction has changed.
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Non Sensitive Privilege Use, Audit Other Privilege Use Events, and Audit Sensitive Privilege Use
Event Description:
This is an informational event from the file system Transaction Manager.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4985</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-19T00:00:40.099093300Z" />
<EventRecordID>274277</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TransactionId">{17EF5E21-5E2C-11E5-810F-00155D987005}</Data>
<Data Name="NewState">52</Data>
<Data Name="ResourceManager">{5F5ED427-FCCA-11E3-BD73-B54AB417B853}</Data>
<Data Name="ProcessId">0x370</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that changed the state of the transaction.
Account Domain [Type = UnicodeString]: domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Transaction Information:
RM Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an object was requested.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
New State [Type = UInt32]: identifier of the new state of the transaction.
Resource Manager [Type = GUID]: unique GUID identifier of the Resource Manager that is associated with this transaction.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the state of the transaction was changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Applies to
Windows 10
Windows Server 2016
This event should be generated when a file was virtualized using LUAFV.
This event occurs very rarely during standard LUAFV file virtualization.
There is no example of this event in this document.
Subcategory: Audit File System
Event Schema:
A file was virtualized.
Subject:
Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4
Object:
File Name:%5
Virtual File Name:%6
Process Information:
Process ID:%7
Process Name:%8
4670(S): Permissions on an object were changed.
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Registry, Audit Authentication Policy Change, and Audit Authorization Policy Change
Event Description:
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
This event does not generate if the SACL (Auditing ACL) was changed.
Before this event can generate, certain ACEs might need to be set in the object’s SACL. For example, for a file system object, it generates only if “Change Permissions” and/or “Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC” and/or “Write Owner” are set in the object’s SACL.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4670</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
<EventRecordID>269529</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x43659</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\netcat-1.11</Data>
<Data Name="HandleId">0x3f0</Data>
<Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-
3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)
(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="ProcessId">0xdb0</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\dllhost.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change object’s
permissions” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which permissions were changed. For example, for a file, the path would be included. For Token objects, this field typically equals “-”.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the permissions were changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Permissions Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language
(SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL)
value for the object.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating
information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED: inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED: inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ: child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn't apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone),
SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
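The two descriptor fields of a 4670 event are plain SDDL strings, so the practical question when triaging the event is what actually changed between "Original Security Descriptor" and "New Security Descriptor". The Python below is an added example (it is not part of this page and not a Microsoft tool) that parses both strings with the grammar just described and reports an owner change, DACL entries added or removed, and audit entries dropped from the SACL. ORIGINAL is the page's own example descriptor; NEW, the WELL_KNOWN alias table and the BROAD_PRINCIPALS set that decides which added Allow ACEs are flagged as ALERT are constructed for the example. Rights are compared as written (the alias FA and its hexadecimal form are not unified), and conditional ACEs, which carry extra fields, are rejected rather than misparsed.

```python
"""Parse the SDDL strings of a 4670 event and report what changed between the
Original and New Security Descriptor. Added example; not code from the page."""
import re
from dataclasses import dataclass

# SID aliases that appear on this page; the full list is in the SDDL documentation linked above.
WELL_KNOWN = {"BA": "BUILTIN_ADMINISTRATORS", "WD": "Everyone", "SY": "LOCAL_SYSTEM",
              "AN": "Anonymous", "BG": "BUILTIN_GUESTS", "BU": "BUILTIN_USERS",
              "AU": "Authenticated Users"}
# Principals for which a newly granted Allow ACE is reported as ALERT (chosen for this example).
BROAD_PRINCIPALS = {"WD", "AN", "BG", "BU", "AU"}


@dataclass(frozen=True)
class Ace:
    """One (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid) entry."""
    ace_type: str
    ace_flags: str
    rights: str
    object_guid: str
    inherit_object_guid: str
    account_sid: str


def describe(sid):
    return WELL_KNOWN.get(sid, sid)


def parse_acl(section):
    """'PAI(A;;FA;;;WD)(D;;FA;;;AN)' -> ('PAI', [Ace, Ace]); flags are the text before the first ACE."""
    flags = section.split("(", 1)[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", section):
        fields = body.split(";")
        if len(fields) != 6:  # conditional ACEs carry extra fields and are not handled here
            raise ValueError(f"unsupported ACE: ({body})")
        aces.append(Ace(*fields))
    return flags, aces


def parse_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into its four components; D and S become (flags, [Ace, ...])."""
    desc = {"O": "", "G": "", "D": ("", []), "S": ("", [])}
    # A section marker is one of O/G/D/S followed by ':'; nothing inside an ACE contains ':'.
    for chunk in filter(None, re.split(r"(?=[OGDS]:)", sddl)):
        key, value = chunk[0], chunk[2:]
        desc[key] = parse_acl(value) if key in "DS" else value
    return desc


def diff_descriptors(old_sddl, new_sddl):
    """Return human-readable findings; entries starting with 'ALERT' deserve a look."""
    old, new = parse_sddl(old_sddl), parse_sddl(new_sddl)
    findings = []
    if old["O"] != new["O"]:
        findings.append(f"ALERT: owner changed {describe(old['O'])} -> {describe(new['O'])}")
    old_flags, old_dacl = old["D"][0], set(old["D"][1])
    new_flags, new_dacl = new["D"][0], set(new["D"][1])
    if old_flags != new_flags:
        findings.append(f"info: DACL flags changed '{old_flags}' -> '{new_flags}'")
    for ace in sorted(new_dacl - old_dacl, key=str):
        broad = ace.ace_type in ("A", "OA") and ace.account_sid in BROAD_PRINCIPALS
        findings.append(f"{'ALERT' if broad else 'info'}: DACL ACE added: "
                        f"{ace.ace_type} {ace.rights} for {describe(ace.account_sid)}")
    for ace in sorted(old_dacl - new_dacl, key=str):
        findings.append(f"info: DACL ACE removed: {ace.ace_type} {ace.rights} "
                        f"for {describe(ace.account_sid)}")
    # An audit ACE disappearing from the SACL is how someone switches off auditing on the object.
    for ace in sorted(set(old["S"][1]) - set(new["S"][1]), key=str):
        findings.append(f"ALERT: SACL audit ACE removed: {ace.ace_flags} {ace.rights} "
                        f"for {describe(ace.account_sid)}")
    return findings


# ORIGINAL is the page's example descriptor; NEW is constructed: it grants Everyone full access
# and drops the audit entry.
ORIGINAL = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"
            "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)")
NEW = "O:BAG:SYD:PAI(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;FA;;;WD)S:"

if __name__ == "__main__":
    for line in diff_descriptors(ORIGINAL, NEW):
        print(line)
```

Feed it the two SDDL fields of a 4670 event. The diff works on sets, so a descriptor whose ACEs were only reordered produces no findings; keep in mind that ACE order does matter for access checks (a Deny placed after an Allow is evaluated differently), so order-only changes to a sensitive object's DACL still deserve a separate look.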
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined "Process Name" for the process reported in this event, monitor all events with
"Process Name" not equal to your defined value.
You can monitor to see if "Process Name" is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, "mimikatz" or
"cain.exe"), check for these substrings in "Process Name."
If you have critical registry objects for which you need to monitor all modifications (especially permissions
changes and owner changes), monitor for the specific Object\Object Name.
If you have high-value computers for which you need to monitor all changes for all or specific objects (for
example, file system or registry objects), monitor for all 4670 events on these computers. For example, you
could monitor the ntds.dit file on domain controllers.
Audit Filtering Platform Connection
1/3/2020
Applies to
Windows 10
Windows Server 2016
Audit Filtering Platform Connection determines whether the operating system generates audit events when
connections are allowed or blocked by the Windows Filtering Platform.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP
packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter
remote procedure calls (RPCs).
This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked
and allowed port bindings, blocked and allowed port listening actions, and applications that were blocked
from accepting incoming connections.
Event volume : High.
Events List:
5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the
network.
5150(-): The Windows Filtering Platform blocked a packet.
5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for
incoming connections.
5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for
incoming connections.
5156(S): The Windows Filtering Platform has permitted a connection.
5157(F): The Windows Filtering Platform has blocked a connection.
5158(S): The Windows Filtering Platform has permitted a bind to a local port.
5159(F): The Windows Filtering Platform has blocked a bind to a local port.
5031(F): The Windows Firewall Service blocked an
application from accepting incoming connections on
the network.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates when an application was blocked from accepting incoming connections on the network
by the Windows Filtering Platform.
If you don't have any firewall rules (Allow or Deny) in Windows Firewall for a specific application, you will
get this event from the Windows Filtering Platform layer, because by default this layer denies any incoming
connections.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5031</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T03:46:36.634473000Z" />
<EventRecordID>304373</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="2976" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="Profiles">Domain</Data>
<Data Name="Application">C:\documents\listener.exe</Data>
</EventData>
</Event>
5150(-): The Windows Filtering Platform blocked a packet.
Applies to
Windows 10
Windows Server 2016
This event is logged if the Windows Filtering Platform MAC filter blocked a packet.
There is no example of this event in this document.
Subcategory: Audit Filtering Platform Connection
Event Schema:
The Windows Filtering Platform has blocked a packet.
Network Information:
Direction:%1
Source Address:%2
Destination Address:%3
EtherType:%4
MediaType:%5
InterfaceType:%6
VlanTag:%7
Filter Information:
5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
Applies to
Windows 10
Windows Server 2016
This event is logged if a more restrictive Windows Filtering Platform MAC filter has blocked a packet.
There is no example of this event in this document.
Subcategory: Audit Filtering Platform Connection
Event Schema:
A more restrictive Windows Filtering Platform filter has blocked a packet.
Network Information:
Direction:%1
Source Address:%2
Destination Address:%3
EtherType:%4
MediaType:%5
InterfaceType:%6
VlanTag:%7
Filter Information:
5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for
incoming connections.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates every time the Windows Filtering Platform permits an application or service to listen
on a port.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5154</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T02:04:25.757462900Z" />
<EventRecordID>287929</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3968" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">4152</Data>
<Data Name="Application">\device\harddiskvolume2\documents\listener.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">4444</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14609</Data>
<Data Name="LayerRTID">40</Data>
</EventData>
</Event>
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID .
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
The logical disk is displayed in the format \device\harddiskvolume#. You can get all local volume numbers by
using the diskpart utility. The command to get volume numbers using diskpart is "list volume":
Network Information:
Source Address [Type = UnicodeString]: local IP address on which application requested to listen on the
port.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: source TCP/UDP port number on which the application requested to
listen.
Protocol [Type = UInt32]: protocol number. For example:
6 – TCP.
17 – UDP.
More information about possible values for this field:
https://technet.microsoft.com/library/cc959827.aspx.
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that allowed the application to listen on the
specific port. By default Windows Firewall does not prevent an application from listening on a port, and if
the application does not match any filter you will get the value 0 in this field.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show
filters. This command writes a filters.xml file; open it and search for the required filter ID
(<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer by ID, run the following command: netsh wfp show state. This command writes a
wfpstate.xml file; open it and search for the required layer ID (<layerId>), for example:
Security Monitoring Recommendations
For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for
incoming connections.
If you have a “whitelist” of applications that are associated with certain operating systems or server roles,
and that are expected to listen on specific ports, monitor this event for “Application Name” and other
relevant information.
If a certain application is allowed to listen only on specific port numbers, monitor this event for
"Application Name" and "Network Information\Source Port."
If a certain application is allowed to listen only on a specific IP address, monitor this event for “Application
Name” and “Network Information\Source Address .”
If a certain application is allowed to use only TCP or UDP protocols, monitor this event for “Application
Name” and the protocol number in “Network Information\Protocol .”
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application ” not equal to your defined application.
You can monitor to see if "Application" is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz ” or “cain.exe ”), check for these substrings in “Application .”
Typically this event has an informational purpose.
5155(F): The Windows Filtering Platform has blocked
an application or service from listening on a port for
incoming connections.
9/10/2019
Applies to
Windows 10
Windows Server 2016
By default Windows Firewall does not prevent an application from listening on a port. In other words,
Windows will not generate event 5155 by itself.
You can add your own filters using the WFP APIs to block listening and so reproduce this event:
https://msdn.microsoft.com/library/aa364046(v=vs.85).aspx.
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates every time the Windows Filtering Platform blocks an application or service from listening on a
port for incoming connections.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5155</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-04-18T03:49:08.507780900Z" />
<EventRecordID>42196</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="2788" />
<Channel>Security</Channel>
<Computer>NATHAN-AGENT2</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">2628</Data>
<Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">5555</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">84576</Data>
<Data Name="LayerName">%%14609</Data>
<Data Name="LayerRTID">40</Data>
</EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Application Information:
Process ID [Type = Pointer]: Hexadecimal Process ID (PID) of the process that was blocked from listening on
the port. The PID is a number used by the operating system to uniquely identify an active process. To see
the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID .
Application Name [Type = UnicodeString]: Full path and the name of the executable for the process.
The logical disk is displayed in the format \device\harddiskvolume#. You can get all local volume numbers by
using the diskpart utility. The command to get volume numbers using diskpart is "list volume":
Network Information:
Source Address [Type = UnicodeString]: The local IP address of the computer running the application.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: The port number used by the application.
Protocol [Type = UInt32]: the protocol number being used.
(Table of service names and protocol numbers; for example, 6 = TCP and 17 = UDP, as listed in the 5154
field description above.)
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that blocked the application from binding to the
port. By default Windows Firewall does not prevent an application from binding to a port, and if the
application does not match any filter you will get the value 0 in this field.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show
filters. This command writes a filters.xml file; open it and search for the required filter ID
(<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer by ID, run the following command: netsh wfp show state. This command writes a
wfpstate.xml file; open it and search for the required layer ID (<layerId>), for example:
Security Monitoring Recommendations
If you use Windows Filtering Platform APIs to block applications or services from listening on a port, you can
use this event for troubleshooting and monitoring.
5156(S): The Windows Filtering Platform has
permitted a connection.
10/23/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates when the Windows Filtering Platform has allowed a connection.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5156</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T05:24:22.622090200Z" />
<EventRecordID>308129</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3712" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">4556</Data>
<Data Name="Application">\device\harddiskvolume2\documents\listener.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.10</Data>
<Data Name="SourcePort">3333</Data>
<Data Name="DestAddress">10.0.0.100</Data>
<Data Name="DestPort">49278</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">70201</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
<Data Name="RemoteUserID">S-1-0-0</Data>
<Data Name="RemoteMachineID">S-1-0-0</Data>
</EventData>
</Event>
Network Information:
Direction [Type = UnicodeString]: direction of the allowed connection.
Inbound – for inbound connections.
Outbound – for outbound connections.
Source Address [Type = UnicodeString]: local IP address of the connection: the address from which an
outbound connection was initiated, or on which an inbound connection was received.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: local port number of the connection.
Destination Address [Type = UnicodeString]: IP address where the connection was received.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Destination Port [Type = UnicodeString]: port number where the connection was received.
Protocol [Type = UInt32]: number of the protocol which was used.
(Table of service names and protocol numbers; for example, 6 = TCP and 17 = UDP, as listed in the 5154
field description above.)
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that allowed the connection.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show
filters. This command writes a filters.xml file; open it and search for the required filter ID
(<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer by ID, run the following command: netsh wfp show state. This command writes a
wfpstate.xml file; open it and search for the required layer ID (<layerId>), for example:
Security Monitoring Recommendations
For 5156(S): The Windows Filtering Platform has permitted a connection.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application ” not equal to your defined application.
You can monitor to see if "Application" is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz ” or “cain.exe ”), check for these substrings in “Application .”
Check that “Source Address” is one of the addresses assigned to the computer.
If the computer or device should not have access to the Internet, or contains only applications that don’t
connect to the Internet, monitor for 5156 events where “Destination Address” is an IP address from the
Internet (not from private IP ranges).
If you know that the computer should never contact or be contacted by certain network IP addresses,
monitor for these addresses in “Destination Address .”
If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted
by, monitor for IP addresses in “Destination Address” that are not in the whitelist.
If you need to monitor all inbound connections to a specific local port, monitor for 5156 events with that
"Source Port."
Monitor for all connections with a "Protocol Number" that is not typical for this device or computer, for
example, anything other than 1, 6, or 17.
If the computer's communication with "Destination Address" should always use a specific "Destination
Port," monitor for any other "Destination Port."
5157(F): The Windows Filtering Platform has blocked
a connection.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates when the Windows Filtering Platform has blocked a connection.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5157</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T03:46:51.662750400Z" />
<EventRecordID>304390</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4520" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">4556</Data>
<Data Name="Application">\device\harddiskvolume2\documents\listener.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.10</Data>
<Data Name="SourcePort">3333</Data>
<Data Name="DestAddress">10.0.0.100</Data>
<Data Name="DestPort">49218</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">110398</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
<Data Name="RemoteUserID">S-1-0-0</Data>
<Data Name="RemoteMachineID">S-1-0-0</Data>
</EventData>
</Event>
Network Information:
Direction [Type = UnicodeString]: direction of the blocked connection.
Inbound – for inbound connections.
Outbound – for outbound connections.
Source Address [Type = UnicodeString]: local IP address on which the application received the connection.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: port number on which the application received the connection.
Destination Address [Type = UnicodeString]: IP address from which the connection was received or initiated.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Destination Port [Type = UnicodeString]: port number which was used from the remote machine to initiate
the connection.
Protocol [Type = UInt32]: number of the protocol which was used.
(Table of service names and protocol numbers; for example, 6 = TCP and 17 = UDP, as listed in the 5154
field description above.)
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that blocked the connection.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show
filters. This command writes a filters.xml file; open it and search for the required filter ID
(<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer by ID, run the following command: netsh wfp show state. This command writes a
wfpstate.xml file; open it and search for the required layer ID (<layerId>), for example:
Security Monitoring Recommendations
For 5157(F): The Windows Filtering Platform has blocked a connection.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application ” not equal to your defined application.
You can monitor to see if "Application" is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz ” or “cain.exe ”), check for these substrings in “Application .”
Check that “Source Address” is one of the addresses assigned to the computer.
If the computer or device should not have access to the Internet, or contains only applications that don't
connect to the Internet, monitor for 5157 events where “Destination Address” is an IP address from the
Internet (not from private IP ranges).
If you know that the computer should never contact or be contacted by certain network IP addresses,
monitor for these addresses in “Destination Address .”
If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted
by, monitor for IP addresses in “Destination Address” that are not in the whitelist.
If you need to monitor all inbound connections to a specific local port, monitor for 5157 events with that
"Source Port."
Monitor for all connections with a "Protocol Number" that is not typical for this device or computer, for
example, anything other than 1, 6, or 17.
If the computer's communication with "Destination Address" should always use a specific "Destination
Port," monitor for any other "Destination Port."
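The recommendations for 5154, 5156 and 5157 above are the same handful of checks applied to different fields: the Application path tests, an expected-listener list for 5154, and for 5156/5157 the private-versus-Internet destination, the unusual protocol number and the watched local port. The Python below is an added example (not code from this page and not a Microsoft tool) that runs those checks over events rendered in the XML shape shown on these pages. Everything in POLICY, the \device\harddiskvolume# style paths in it, the sample events (modelled on the page's 5154 and 5157 examples, plus one constructed outbound 5156) and the mapping of %%14592 to Inbound and %%14593 to Outbound are assumptions made for the example; "private IP ranges" is taken to mean RFC 1918, loopback, link-local and IPv6 ULA, which is narrower than some libraries' notion of private.

```python
"""Triage WFP connection audit events (5154 listen permitted, 5156 connection permitted,
5157 connection blocked) against the checks in the page's monitoring recommendations.
Added example; policy values and sample events are constructed, not taken from a real host."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Direction string-table codes; %%14592 appears in the page's examples. Both mappings are assumed here.
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}
# "Private IP ranges" as the recommendations use the term: RFC 1918, loopback, link-local and ULA.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]
# Constructed host policy (assumption). Application paths use the \device\harddiskvolume# form
# that the events carry, lower-cased.
POLICY = {
    "expected_listeners": {  # application -> allowed (protocol, port) pairs
        "\\device\\harddiskvolume2\\windows\\system32\\svchost.exe": {(6, 135), (17, 53)},
    },
    "standard_folders": ("\\windows\\system32\\", "\\program files\\"),
    "restricted_folders": ("\\temporary internet files\\", "\\appdata\\local\\temp\\"),
    "bad_substrings": ("mimikatz", "cain.exe"),
    "usual_protocols": {1, 6, 17},
    "watched_local_ports": {3333, 3389},
    "internet_allowed": False,
}


def parse_event(xml_text):
    """Return (EventID, {Data Name: text}) from a Security event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def is_internet(address):
    """True when the address is outside every range in PRIVATE_NETS."""
    addr = ipaddress.ip_address(address)
    return not any(addr in net for net in PRIVATE_NETS)


def check_application(app, policy):
    """The three Application checks that 5154, 5156 and 5157 share."""
    app_l, findings = app.lower(), []
    if any(s in app_l for s in policy["bad_substrings"]):
        findings.append(f"restricted substring in Application: {app}")
    if any(f in app_l for f in policy["restricted_folders"]):
        findings.append(f"Application runs from a restricted folder: {app}")
    elif not any(f in app_l for f in policy["standard_folders"]):
        findings.append(f"Application outside standard folders: {app}")
    return findings


def triage(xml_text, policy=POLICY):
    """Return (EventID, list of findings); an empty list means the event matched policy."""
    event_id, d = parse_event(xml_text)
    app, proto = d.get("Application", ""), int(d.get("Protocol", "0"))
    findings = check_application(app, policy)
    if event_id == 5154:
        port = int(d["SourcePort"])
        if (proto, port) not in policy["expected_listeners"].get(app.lower(), set()):
            findings.append(f"unexpected listener: {app} protocol {proto} port {port} "
                            f"on {d['SourceAddress']}")
    elif event_id in (5156, 5157):
        direction = DIRECTION.get(d.get("Direction", ""), d.get("Direction", ""))
        dest, dport = d["DestAddress"], d["DestPort"]
        if proto not in policy["usual_protocols"]:
            findings.append(f"unusual protocol {proto} with {dest}")
        if not policy["internet_allowed"] and is_internet(dest):
            findings.append(f"{direction} connection with Internet address {dest}:{dport}")
        if direction == "Inbound" and int(d["SourcePort"]) in policy["watched_local_ports"]:
            findings.append(f"inbound connection to watched local port {d['SourcePort']} from {dest}")
    return event_id, findings


def sample_event(event_id, **data):
    """Minimal event XML in the page's schema with only the fields triage() reads (constructed)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


# Samples modelled on the page's 5154 and 5157 examples, plus a constructed outbound 5156.
LISTEN_5154 = sample_event(5154, Application=r"\device\harddiskvolume2\documents\listener.exe",
                           SourceAddress="0.0.0.0", SourcePort=4444, Protocol=6)
BLOCKED_5157 = sample_event(5157, Application=r"\device\harddiskvolume2\documents\listener.exe",
                            Direction="%%14592", SourceAddress="10.0.0.10", SourcePort=3333,
                            DestAddress="10.0.0.100", DestPort=49218, Protocol=6)
ALLOWED_5156 = sample_event(5156, Application=r"\device\harddiskvolume2\windows\system32\svchost.exe",
                            Direction="%%14593", SourceAddress="10.0.0.10", SourcePort=49300,
                            DestAddress="203.0.113.5", DestPort=443, Protocol=6)

if __name__ == "__main__":
    for sample in (LISTEN_5154, BLOCKED_5157, ALLOWED_5156):
        event_id, findings = triage(sample)
        print(event_id, findings or "ok")
```

The checks are deliberately keyed on the exact strings the event carries (the \device\harddiskvolume# path, the decimal protocol number, the %%-coded direction), because that is what a collector forwards; map volume numbers to drive letters with diskpart's "list volume" output, as the field descriptions above suggest, only if you want to compare against a file-system allow list written with drive letters.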
5158(S): The Windows Filtering Platform has
permitted a bind to a local port.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates every time the Windows Filtering Platform permits an application or service to bind to a
local port.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5158</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T05:24:03.376171200Z" />
<EventRecordID>308122</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3712" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">4556</Data>
<Data Name="Application">\device\harddiskvolume2\documents\listener.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">3333</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14608</Data>
<Data Name="LayerRTID">36</Data>
</EventData>
</Event>
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID .
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
The logical disk is displayed in the format \device\harddiskvolume#. You can get all local volume numbers by
using the diskpart utility. The command to get volume numbers using diskpart is "list volume":
Network Information:
Source Address [Type = UnicodeString]: local IP address to which the application bound the port.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: port number which the application bound.
Protocol [Type = UInt32]: number of the protocol which was used.
(Table of service names and protocol numbers; for example, 6 = TCP and 17 = UDP, as listed in the 5154
field description above.)
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that allowed the application to bind the port. By
default Windows Firewall does not prevent an application from binding to a port, and if the application
does not match any filter you will get the value 0 in this field.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show
filters. This command writes a filters.xml file; open it and search for the required filter ID
(<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer by ID, run the following command: netsh wfp show state. This command writes a
wfpstate.xml file; open it and search for the required layer ID (<layerId>), for example:
5159(F): The Windows Filtering Platform has blocked a bind to a local port.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event is logged if the Windows Filtering Platform has blocked a bind to a local port.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5159</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-04-19T07:36:55.955388300Z" />
<EventRecordID>44097</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="6480" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">7924</Data>
<Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">5555</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">84614</Data>
<Data Name="LayerName">%%14608</Data>
<Data Name="LayerRTID">36</Data>
</EventData>
</Event>
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID .
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
The logical disk is displayed in the format \device\harddiskvolume#. You can get all local volume numbers by
using the diskpart utility. The command to get volume numbers using diskpart is "list volume":
Network Information:
Source Address [Type = UnicodeString]: the local IP address of the computer running the application.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: the port number used by the application.
Protocol [Type = UInt32]: the protocol number being used.
(Table of service names and protocol numbers; for example, 6 = TCP and 17 = UDP, as listed in the 5154
field description above.)
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique filter ID which blocks the application from binding to the port.
By default, Windows firewall won't prevent a port from binding by an application, and if this application
doesn’t match any filters, you will get value 0 in this field.
To find a specific Windows Filtering Platform filter by ID you need to execute the following command: netsh
wfp show filters. As a result of this command, a filters.xml file will be generated. You need to open this file
and find the specific substring with the required filter ID (<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer ID you need to execute the following command: netsh wfp show state. As a result of
this command, a wfpstate.xml file will be generated. You need to open this file and find the specific substring
with the required layer ID (<layerId>), for example:
Applies to
Windows 10
Windows Server 2016
Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when
packets are dropped by the Windows Filtering Platform.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP
packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter
remote procedure calls (RPCs).
A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to
computers on your network.
Event volume : High.
Events List:
5152(F): The Windows Filtering Platform blocked a packet.
5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
5152(F): The Windows Filtering Platform blocked a
packet.
5/31/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Packet Drop
Event Description:
This event generates when Windows Filtering Platform has blocked a network packet.
This event is generated for every received network packet.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5152</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12809</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T16:52:37.274367300Z" />
<EventRecordID>321323</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4456" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="ProcessId">4556</Data>
<Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.100</Data>
<Data Name="SourcePort">49278</Data>
<Data Name="DestAddress">10.0.0.10</Data>
<Data Name="DestPort">3333</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
</EventData>
</Event>
Network Information:
Direction [Type = UnicodeString]: direction of blocked connection.
Inbound – for inbound connections.
Outbound – for outbound connections.
Source Address [Type = UnicodeString]: local IP address on which application received the packet.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: port number on which application received the packet.
Destination Address [Type = UnicodeString]: IP address from which packet was received or initiated.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Destination Port [Type = UnicodeString]: port number which was used from remote machine to send the packet.
Protocol [Type = UInt32]: number of protocol which was used.
Service | Protocol Number
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique filter ID which blocked the packet.
To find a specific Windows Filtering Platform filter by ID you need to execute the following command: netsh
wfp show filters. As a result of this command, a filters.xml file will be generated. You need to open this file
and find the specific substring with the required filter ID (<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer ID you need to execute the following command: netsh wfp show state. As a result of
this command, a wfpstate.xml file will be generated. You need to open this file and find the specific substring
with the required layer ID (<layerId>), for example:
Security Monitoring Recommendations
For 5152(F): The Windows Filtering Platform blocked a packet.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Check that Source Address is one of the addresses assigned to the computer.
If the computer or device should not have access to the Internet, or contains only applications that don’t
connect to the Internet, monitor for 5152 events where Destination Address is an IP address from the
Internet (not from private IP ranges).
If you know that the computer should never contact or be contacted by certain network IP addresses,
monitor for these addresses in “Destination Address.”
If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted
by, monitor for IP addresses in “Destination Address” that are not in the whitelist.
If you need to monitor all inbound connections to a specific local port, monitor for 5152 events with that
“Source Port.”
Monitor for all connections with a “Protocol Number” that is not typical for this device or computer, for
example, anything other than 1, 6, or 17.
If the computer’s communication with “Destination Address” should always use a specific “Destination
Port,” monitor for any other “Destination Port.”
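The checks in the list above applied to one 5152 record, as an added Python example that is not part of the original documentation. It flattens the event XML into a dict and returns findings; the sample record is constructed from the 5152 XML shown earlier with the destination changed to a non-private address, and the mapping of the Direction resource ids %%14592/%%14593 to Inbound/Outbound is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the 5152 record shown earlier, with the destination changed to 203.0.113.7
# (a documentation range, used here as a stand-in for an Internet address).
SAMPLE_5152 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5152</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="ProcessId">4556</Data>
    <Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data>
    <Data Name="Direction">%%14592</Data>
    <Data Name="SourceAddress">10.0.0.100</Data>
    <Data Name="SourcePort">49278</Data>
    <Data Name="DestAddress">203.0.113.7</Data>
    <Data Name="DestPort">3333</Data>
    <Data Name="Protocol">6</Data>
    <Data Name="FilterRTID">0</Data>
    <Data Name="LayerName">%%14610</Data>
    <Data Name="LayerRTID">44</Data>
  </EventData>
</Event>"""

# "Private IP ranges" as the recommendation means them: RFC 1918, loopback and link-local.
# ipaddress.is_private would also treat documentation ranges as private, so the list is explicit.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]
WILDCARD_OR_LOCAL = {"0.0.0.0", "::", "127.0.0.1", "::1"}  # special values listed for Source Address
STANDARD_FOLDERS = ("\\windows\\system32\\", "\\program files")  # lower-case substrings of the device path
RESTRICTED_WORDS = ("mimikatz", "cain.exe")
TYPICAL_PROTOCOLS = {1, 6, 17}  # ICMP, TCP, UDP
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}  # assumed resource-id mapping


def parse_event(xml_text):
    """Flatten one Security event record: EventID plus every EventData <Data Name=...> value."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def direction(event):
    return DIRECTION.get(event.get("Direction"), event.get("Direction"))


def is_internet_address(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)


def review_5152(event, local_addresses, watched_local_ports=()):
    """Apply the 5152 monitoring recommendations; returns a list of findings (empty = nothing notable).
    local_addresses: the IP addresses assigned to the computer that logged the event."""
    findings = []
    app = event.get("Application", "").lower()
    if not any(folder in app for folder in STANDARD_FOLDERS):
        findings.append(f"application outside System32/Program Files: {app}")
    if any(word in app for word in RESTRICTED_WORDS):
        findings.append(f"restricted substring in application name: {app}")
    src = event.get("SourceAddress", "")
    if src not in WILDCARD_OR_LOCAL and src not in local_addresses:
        findings.append(f"source address not assigned to this computer: {src}")
    dst = event.get("DestAddress", "")
    if dst and dst not in WILDCARD_OR_LOCAL and is_internet_address(dst):
        findings.append(f"destination is an Internet address: {dst}")
    proto = int(event.get("Protocol", "0"))
    if proto not in TYPICAL_PROTOCOLS:
        findings.append(f"atypical protocol number: {proto}")
    if direction(event) == "Inbound" and event.get("SourcePort") in watched_local_ports:
        findings.append(f"blocked inbound packet on watched local port {event['SourcePort']}")
    return findings


if __name__ == "__main__":
    ev = parse_event(SAMPLE_5152)
    for line in review_5152(ev, local_addresses={"10.0.0.100"}, watched_local_ports={"49278"}):
        print(line)
```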
5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
This event is logged if a more restrictive Windows Filtering Platform filter has blocked a packet.
There is no example of this event in this document.
Subcategory: Audit Filtering Platform Packet Drop
Event Schema:
A more restrictive Windows Filtering Platform filter has blocked a packet.
Application Information:
Process ID:%1
Application Name:%2
Network Information:
Source Address:%3
Source Port:%4
Protocol:%5
Filter Information:
Applies to
Windows 10
Windows Server 2016
Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in Audit File
System, Audit Kernel Object, Audit Registry, Audit Removable Storage and Audit SAM subcategories, and shows
object’s handle duplication and close actions.
Event volume : High.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze. There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level.
Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze. There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level.
Events List:
4658(S): The handle to an object was closed.
4690(S): An attempt was made to duplicate a handle to an object.
4658(S): The handle to an object was closed. For a description of the event, see 4658(S): The handle to an
object was closed. in the Audit File System subcategory. This event doesn’t generate in the Audit Handle
Manipulation subcategory, but you can use this subcategory to enable it.
4690(S): An attempt was made to duplicate a handle to an object.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Handle Manipulation
Event Description:
This event generates if an attempt was made to duplicate a handle to an object.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4690</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12807</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T00:17:41.755998800Z" />
<EventRecordID>338632</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="1100" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="SourceHandleId">0x438</Data>
<Data Name="SourceProcessId">0x674</Data>
<Data Name="TargetHandleId">0xd9c</Data>
<Data Name="TargetProcessId">0x4</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to duplicate a
handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Source Handle Information:
Source Handle ID [Type = Pointer]: hexadecimal value of a handle which was duplicated. This field can help
you correlate this event with other events, for example “4663: An attempt was made to access an object” in
Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage or Audit SAM subcategories.
Source Process ID [Type = Pointer]: hexadecimal Process ID of the process which opened the Source
Handle ID before it was duplicated. Process ID (PID) is a number used by the operating system to uniquely
identify an active process. To see the PID for a specific process you can, for example, use Task Manager
(Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
New Handle Information:
Target Handle ID [Type = Pointer]: hexadecimal value of the new handle (the copy of Source Handle ID ).
This field can help you correlate this event with other events, for example “4663: An attempt was made to
access an object” in Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage or Audit
SAM subcategories.
Target Process ID [Type = Pointer]: hexadecimal Process ID of the process which opened the Target
Handle ID . Process ID (PID) is a number used by the operating system to uniquely identify an active
process. You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID field.
Applies to
Windows 10
Windows Server 2016
Audit Kernel Object determines whether the operating system generates audit events when users attempt to
access the system kernel, which includes mutexes and semaphores.
Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits
generated are usually useful only to developers.
Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options
are enabled.
The “Audit: Audit the access of global system objects” policy setting controls the default SACL of kernel objects.
Event volume : High.
Events List:
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4660(S): An object was deleted.
4663(S): An attempt was made to access an object.
4656(S, F): A handle to an object was requested.
5/31/2019 • 16 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that specific access was requested for an object. The object could be a file system, kernel, or
registry object, or a file system object on removable storage or a device.
If access was declined, a Failure event is generated.
This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights.
This event shows that access was requested, and the results of the request, but it doesn’t show that the operation
was performed. To see that the operation was performed, check “4663(S): An attempt was made to access an
object.”
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<EventRecordID>274057</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:
(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:
(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some
objects, the field does not apply and “-“ is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was requested.
Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the
PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID. These
access rights depend on Object Type. The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.
Access | Hexadecimal Value, Schema Value | Description
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) (For registry objects, this is “Set key value.”) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this
varies, depending on the object. For kernel objects, this field does not apply.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used during
the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that
case appears as “-”. See full list of user privileges in the table below:
Privilege Name | User Right Group Policy Name | Description
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific
Object Types.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical object for which you need to monitor any access attempt, monitor
all 4656 events.
If Object Name is a sensitive or critical object for which you need to monitor specific access attempts (for
example, only write actions), monitor for all 4656 events with the corresponding Access Request
Information\Accesses values.
If you need to monitor files and folders with specific Resource Attribute values, monitor for all 4656 events
with specific Resource Attributes field values.
For file system objects, we recommend that you monitor these Access Request Information\Accesses
rights (especially for Failure events):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
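As an added example (not from the original documentation), decoding the Access Mask and Accesses fields of the 4656 record shown earlier into right names, checking that the two fields agree, and picking out the rights listed above. Only the ReadData and WriteData rows appear on this page; the other bit values and %% ids are the standard Windows file access-right constants and are assumed here.

```python
# Access rights for file-system objects: mask bit, the %% resource id used in the Accesses field, name.
# Only the ReadData (0x1, %%4416) and WriteData (0x2, %%4417) rows come from the page; the other
# entries are the standard Windows file access-right constants and are assumed here.
FILE_ACCESS_BITS = [
    (0x1,      "%%4416", "ReadData"),          # or ListDirectory
    (0x2,      "%%4417", "WriteData"),         # or AddFile
    (0x4,      "%%4418", "AppendData"),        # or AddSubdirectory / CreatePipeInstance
    (0x8,      "%%4419", "ReadEA"),
    (0x10,     "%%4420", "WriteEA"),
    (0x20,     "%%4421", "Execute/Traverse"),
    (0x40,     "%%4422", "DeleteChild"),
    (0x80,     "%%4423", "ReadAttributes"),
    (0x100,    "%%4424", "WriteAttributes"),
    (0x10000,  "%%1537", "DELETE"),
    (0x20000,  "%%1538", "READ_CONTROL"),
    (0x40000,  "%%1539", "WRITE_DAC"),
    (0x80000,  "%%1540", "WRITE_OWNER"),
    (0x100000, "%%1541", "SYNCHRONIZE"),
]

# The rights the recommendations above single out for file-system objects (especially on Failure).
WATCHED_RIGHTS = {"WriteData", "AppendData", "WriteEA", "DeleteChild", "WriteAttributes",
                  "DELETE", "WRITE_DAC", "WRITE_OWNER"}


def decode_access_mask(mask):
    """Names of the rights set in an Access Mask (int or the event's '0x...' string).
    Bits without a table entry are reported as 'unknown 0x...' rather than silently dropped."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    names, covered = [], 0
    for bit, _rid, name in FILE_ACCESS_BITS:
        if mask & bit:
            names.append(name)
            covered |= bit
    leftover = mask & ~covered
    if leftover:
        names.append(f"unknown 0x{leftover:x}")
    return names


def decode_access_list(access_list):
    """Map the space-separated %% ids of the Accesses field to right names (unknown ids pass through)."""
    by_id = {rid: name for _bit, rid, name in FILE_ACCESS_BITS}
    return [by_id.get(rid, rid) for rid in access_list.split()]


def mask_matches_list(mask, access_list):
    """Both fields describe the same request; a mismatch means the decoding table is incomplete."""
    return set(decode_access_mask(mask)) == set(decode_access_list(access_list))


def watched_rights(names):
    """The subset of decoded rights worth alerting on for a sensitive Object Name."""
    return sorted(WATCHED_RIGHTS & set(names))


if __name__ == "__main__":
    # Values from the 4656 record shown earlier.
    mask = "0x12019f"
    accesses = "%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424"
    print(decode_access_mask(mask))
    print("consistent:", mask_matches_list(mask, accesses))
    print("watch:", watched_rights(decode_access_mask(mask)))
```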
4658(S): The handle to an object was closed.
5/31/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Handle Manipulation, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if Success auditing is enabled for Audit Handle Manipulation subcategory.
Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4658</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
<EventRecordID>276724</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5056" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x18a8</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “close object’s handle”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested that the handle be closed.
Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the
PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this event has little to no security relevance and is hard to parse or analyze. There is no
recommendation for this event, unless you know exactly what you need to monitor with it.
This event can be used to track all actions or operations related to a specific object handle.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
4660(S): An object was deleted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit
Kernel Object, and Audit Registry
Event Description:
This event generates when an object was
deleted. The object could be a file system,
kernel, or registry object.
This event generates only if “Delete" auditing is
set in object’s SACL.
This event doesn’t contain the name of the
deleted object (only the Handle ID ). It is better
to use “4663(S): An attempt was made to
access an object” with DELETE access to track
object deletion.
The advantage of this event is that it’s
generated only during real delete operations. In
contrast, “4663(S): An attempt was made to
access an object” also generates during other
actions, such as object renaming.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4660</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
<EventRecordID>270188</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3060" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x1678</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name . This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that deleted the object. Process ID (PID)
is a number used by the operating system to uniquely identify an active process. To see the PID for a specific
process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID .
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID , such as “4656(S, F): A handle to an object
was requested.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Security Monitoring Recommendations
For 4660(S): An object was deleted.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An
attempt was made to access an object.” events with DELETE access to track object deletion actions.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to
parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to
monitor at the Kernel objects level.
4663(S): An attempt was made to access an object.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System,
Audit Kernel Object, Audit Registry,
and Audit Removable Storage
Event Description:
This event indicates that a specific
operation was performed on an
object. The object could be a file
system, kernel, or registry object, or
a file system object on removable
storage or a device.
This event generates only if the object’s SACL has the ACE required for the specific access right that was used.
The main difference from “4656: A handle to an object was requested.” is that 4663 shows that an access right was actually used, not just requested, and 4663 doesn’t have Failure events.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
<EventRecordID>273866</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x1bc</Data>
<Data Name="AccessList">%%4417 %%4418</Data>
<Data Name="AccessMask">0x6</Data>
<Data Name="ProcessId">0x458</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to access an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name . This field can be used for
correlation with other events, for example with Handle ID field in “4656(S, F): A handle to an object was
requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some
objects, the field does not apply and “-” is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that accessed the object. Process ID (PID)
is a number used by the operating system to uniquely identify an active process. To see the PID for a specific
process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID .
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were used by Subject\Security ID . These
access rights depend on Object Type . The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.
ACCESS | HEX VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) (For registry objects, this is “Set key value.”) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical file system objects for which you need to monitor all access attempts, monitor this event
for Object Name .
If you have critical file system objects for which you need to monitor certain access attempts (for example,
write actions), monitor this event for Object Name in relation to Access Request Information\Accesses .
If you have file system objects with specific attributes, for which you need to monitor access attempts,
monitor this event for Resource Attributes .
If Object Name is a sensitive or critical registry key for which you need to monitor specific access attempts
(for example, only write actions), monitor for all 4663 events with the corresponding Access Request
Information\Accesses .
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
For file system objects, we recommend that you monitor for these Access Request Information\Accesses
rights:
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
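The following is an added example, not code from Microsoft or from this document. It applies the 4663 recommendations above (decode the Access Mask, flag the listed write and ownership rights, apply the Process Name checks) and the advice in the 4660 section that a deletion is best tracked through 4663 with DELETE access: it pairs each 4660 with the earlier 4663 that shares its Handle ID and Process ID, so the deleted object's name, which 4660 lacks, can be recovered. The access-right bit values are the standard Win32 file rights; the standard-folder list, restricted substrings, helper names (`event_data`, `analyze`, and so on) and the second and third sample events are assumptions made for the example, and the first sample event is built from the page's 4663 XML.

```python
# Added example: decode 4663 Access Mask values and resolve 4660 deletions to a name.
# Sample events are constructed from the page's examples; the FILE_* bit values are
# the standard Win32 file access rights.
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Standard Win32 file access-right bits, keyed by mask bit.
FILE_ACCESS_BITS = {
    0x1: "ReadData (or ListDirectory)", 0x2: "WriteData (or AddFile)",
    0x4: "AppendData (or AddSubdirectory or CreatePipeInstance)", 0x8: "ReadEA",
    0x10: "WriteEA", 0x20: "Execute/Traverse",
    0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# The rights the recommendations above say to watch for file system objects.
WATCHED_MASK = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
# Process Name checks: folder list and substrings are assumptions for this example.
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")

def sample_event(event_id, fields):
    """Build a minimal Security-channel event XML string (constructed test data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS}"><System><EventID>{event_id}</EventID>'
            f'<Channel>Security</Channel></System><EventData>{data}</EventData></Event>')

def event_data(xml_text):
    """Return the EventData fields of one event as a dict, plus its numeric EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.iter(f"{{{NS}}}Data")}
    fields["EventID"] = int(root.findtext(f".//{{{NS}}}EventID"))
    return fields

def decode_access_mask(mask):
    """Expand an Access Mask into the access-right names it contains, lowest bit first."""
    return [name for bit, name in sorted(FILE_ACCESS_BITS.items()) if mask & bit]

def watched_rights(mask):
    """Only the rights from the recommended monitoring list that are set in mask."""
    return [name for bit, name in sorted(FILE_ACCESS_BITS.items()) if mask & bit & WATCHED_MASK]

def process_name_findings(process_name):
    """Apply the Process Name rules: standard folder, restricted folder, restricted substrings."""
    p = process_name.lower()
    findings = []
    if not p.startswith(STANDARD_FOLDERS):
        findings.append("process outside standard folders")
    if "temporary internet files" in p:
        findings.append("process in restricted folder")
    if any(s in p for s in RESTRICTED_SUBSTRINGS):
        findings.append("restricted substring in process name")
    return findings

def correlate_deletions(events):
    """Pair each 4660 with the last 4663 sharing its Handle ID and Process ID; that
    4663 supplies the Object Name which 4660 itself does not carry."""
    names = {}
    resolved = []
    for ev in events:
        key = (ev["HandleId"].lower(), ev["ProcessId"].lower())
        if ev["EventID"] == 4663:
            names[key] = ev["ObjectName"]
        elif ev["EventID"] == 4660:
            resolved.append((ev["HandleId"], names.get(key)))
    return resolved

def analyze(xml_events):
    """Return (alerts, deletions) for a list of 4663/4660 event XML strings."""
    events = [event_data(x) for x in xml_events]
    alerts = []
    for ev in events:
        if ev["EventID"] != 4663:
            continue
        rights = watched_rights(int(ev["AccessMask"], 16))
        if rights:
            alerts.append(f"{ev['ObjectName']}: {', '.join(rights)} by {ev['ProcessName']}")
        alerts.extend(f"{ev['ProcessName']}: {f}" for f in process_name_findings(ev["ProcessName"]))
    return alerts, correlate_deletions(events)

FILE = "C:\\Documents\\HBI Data.txt"
NOTEPAD = "C:\\Windows\\System32\\notepad.exe"
SAMPLE_EVENTS = [
    # From the page's 4663 example: notepad.exe used WriteData|AppendData (0x6) on the file.
    sample_event(4663, {"ObjectType": "File", "ObjectName": FILE, "HandleId": "0x1bc",
                        "AccessMask": "0x6", "ProcessId": "0x458", "ProcessName": NOTEPAD}),
    # Constructed: a later handle used with DELETE (0x10000), then the 4660 for that handle.
    sample_event(4663, {"ObjectType": "File", "ObjectName": FILE, "HandleId": "0x1d4",
                        "AccessMask": "0x10000", "ProcessId": "0x458", "ProcessName": NOTEPAD}),
    sample_event(4660, {"ObjectServer": "Security", "HandleId": "0x1d4",
                        "ProcessId": "0x458", "ProcessName": NOTEPAD}),
]

if __name__ == "__main__":
    found_alerts, found_deletions = analyze(SAMPLE_EVENTS)
    for alert in found_alerts:
        print("ALERT", alert)
    for handle, name in found_deletions:
        print("DELETED", handle, name or "<unresolved>")
```

The correlation key includes the Process ID as well as the Handle ID because handle values are per-process and are reused once closed; in a real pipeline you would also bound the lookup by time and reset it on a 4658 (handle closed) for the same key.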
Audit Other Object Access Events
1/2/2020
Applies to
Windows 10
Windows Server 2016
Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and
indirect object access requests.
Event volume : Low.
Events List:
4671(-): An application attempted to access a blocked ordinal through the TBS.
4691(S): Indirect access to an object was requested.
5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets
associated with this attack will be discarded.
5149(F): The DoS attack has subsided and normal processing is being resumed.
4698(S): A scheduled task was created.
4699(S): A scheduled task was deleted.
4700(S): A scheduled task was enabled.
4701(S): A scheduled task was disabled.
4702(S): A scheduled task was updated.
5888(S): An object in the COM+ Catalog was modified.
5889(S): An object was deleted from the COM+ Catalog.
5890(S): An object was added to the COM+ Catalog.
4671(-): An application attempted to access a blocked ordinal through the TBS.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
Subcategory: Audit Other Object Access Events
4691(S): Indirect access to an object was requested.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event indicates that indirect access to
an object was requested.
These events are generated for ALPC
Ports access request actions.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4691</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T01:03:49.834912100Z" />
<EventRecordID>344382</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="2928" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36509</Data>
<Data Name="ObjectType">ALPC Port</Data>
<Data Name="ObjectName">\\Sessions\\2\\Windows\\DwmApiPort</Data>
<Data Name="AccessList">%%4464</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="ProcessId">0xe60</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested an access to the object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Type [Type = UnicodeString]: The type of an object for which access was requested.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: full path and name of the object for which access was requested.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID .
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID .
These access rights depend on Object Type . “Table 13. File access codes.” contains information about the
most common access rights for file system objects. For information about ALPC ports access rights, use
https://technet.microsoft.com/ or other informational resources.
Access Mask [Type = HexInt32]: hexadecimal mask for the operation that was requested or performed. See
“Table 13. File access codes.” for more information about file access rights. For information about ALPC ports
access rights, use https://technet.microsoft.com/ or other informational resources.
5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
Applies to
Windows 10
Windows Server 2016
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack starts
or was detected.
There is no example of this event in this document.
Subcategory: Audit Other Object Access Events
Event Schema:
The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with
this attack will be discarded.
Network Information:
Type:%1
5149(F): The DoS attack has subsided and normal processing is being resumed.
Applies to
Windows 10
Windows Server 2016
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack
ended.
There is no example of this event in this document.
Subcategory: Audit Other Object Access Events
Event Schema:
The DoS attack has subsided and normal processing is being resumed.
Network Information:
Type:%1
Packets Discarded:%2
4698(S): A scheduled task was created.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a new scheduled task is
created.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4698</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:03:06.944522200Z" />
<EventRecordID>344740</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="5048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-
22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals>
<Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId>
<LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec>
<Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create scheduled task”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: new scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in the Microsoft Task Scheduler tree starting from the “Task
Scheduler Library” node.
Task Content [Type = UnicodeString]: the XML content of the new task. For more information about the XML
format for scheduled tasks, see “XML Task Definition Format.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
We recommend monitoring all scheduled task creation events, especially on critical computers or devices.
Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions.
Monitor for new tasks located in the Task Scheduler Library root node, that is, where Task Name looks
like ‘\TASK_NAME’. Scheduled tasks that are created manually or by malware are often located in the Task
Scheduler Library root node.
In the new task, if the Task Content: XML contains <LogonType>Password</LogonType> value, trigger
an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in
Credential Manager in cleartext format, and can be extracted using Administrative privileges.
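The following is an added example, not code from Microsoft or from this document, showing how the two recommendations above can be checked against the Task Content field of a 4698 event (the same parsing applies to the 4699 through 4702 events, which carry the same XML). It flags a Task Name directly under the Task Scheduler Library root node and a principal whose LogonType is Password, and pulls out the fields an analyst looks at first (author, user, run level, hidden flag, commands). The first sample task is reduced from the page's 4698 XML; the second sample, the task name `\Updater`, and the helper names (`parse_task`, `summarize_task`, `task_findings`) are assumptions made for the example.

```python
# Added example: triage the Task Content XML carried by 4698 (and 4699 through 4702) events.
# PAGE_TASK is reduced from the page's 4698 sample; CONSTRUCTED_TASK is made up to show
# the two conditions the recommendations single out (root-node name, LogonType Password).
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

def parse_task(task_content):
    """Parse the task definition string. The event stores it with an XML declaration;
    drop that so a str parses regardless of the encoding the declaration names."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content).strip()
    return ET.fromstring(body)

def summarize_task(task_content):
    """Pull the fields an analyst looks at first out of the task XML."""
    task = parse_task(task_content)

    def text(tag):
        return task.findtext(f".//{{{TASK_NS}}}{tag}")

    return {
        "author": text("Author"),
        "user_id": text("UserId"),
        "logon_type": text("LogonType"),
        "run_level": text("RunLevel"),
        "hidden": text("Hidden"),
        "commands": [c.text for c in task.iter(f"{{{TASK_NS}}}Command")],
    }

def is_root_node_task(task_name):
    """True for a name of the form '\\NAME', i.e. directly under the Task Scheduler Library root."""
    return task_name.startswith("\\") and task_name.count("\\") == 1

def task_findings(task_name, task_content):
    """Apply the recommendations above; returns one string per condition met."""
    findings = []
    if is_root_node_task(task_name):
        findings.append(f"{task_name}: task registered in Task Scheduler Library root node")
    summary = summarize_task(task_content)
    if summary["logon_type"] == "Password":
        findings.append(f"{task_name}: LogonType=Password, password stored in Credential Manager")
    return findings

# Page's 4698 sample, reduced to the elements used here.
PAGE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2015-09-22T19:03:06.9258653</Date><Author>CONTOSO\\dadmin</Author></RegistrationInfo>
  <Triggers />
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel>
    <UserId>CONTOSO\\dadmin</UserId><LogonType>InteractiveToken</LogonType></Principal></Principals>
  <Settings><Enabled>true</Enabled><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Documents\\listener.exe</Command></Exec></Actions>
</Task>"""

# Constructed: a hidden root-node task whose principal logs on with a stored password.
CONSTRUCTED_TASK = PAGE_TASK.replace("InteractiveToken", "Password").replace("<Hidden>false", "<Hidden>true")

SAMPLES = [("\\Microsoft\\StartListener", PAGE_TASK), ("\\Updater", CONSTRUCTED_TASK)]

if __name__ == "__main__":
    for name, content in SAMPLES:
        print(name, summarize_task(content))
        for finding in task_findings(name, content):
            print("ALERT", finding)
```

In a SIEM the Task Content string is usually delivered already unescaped, as the page's XML shows it; if your collector leaves it XML-escaped inside the Data element, unescape it (for example with `html.unescape`) before calling `parse_task`.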
4699(S): A scheduled task was deleted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task was
deleted.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4699</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:13:30.044244500Z" />
<EventRecordID>344827</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="5048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\My</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-08-
25T13:56:10.5315552</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals>
<Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId>
<LogonType>Password</LogonType> </Principal> </Principals> <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec>
<Command>C:\\Windows\\notepad.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete scheduled task”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: deleted scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in the Microsoft Task Scheduler tree starting from the “Task
Scheduler Library” node.
Task Content [Type = UnicodeString]: the XML of the deleted task. For more information about the XML format
for scheduled tasks, see “XML Task Definition Format.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
We recommend monitoring all scheduled task deletion events, especially on critical computers or devices.
Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions.
However, this event does not often happen.
Monitor for deleted tasks located in the Task Scheduler Library root node, that is, where Task Name
looks like ‘\TASK_NAME’. Scheduled tasks that are created manually or by malware are often located in the
Task Scheduler Library root node. Deletion of such tasks can be a sign of malicious activity.
If a highly critical scheduled task exists on some computers, and it should never be deleted, monitor for
4699 events with the corresponding Task Name .
4700(S): A scheduled task was enabled.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is
enabled.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4700</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:32:47.606423000Z" />
<EventRecordID>344861</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="756" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\Microsoft\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><Date>2015-09-22T19:03:06.9258653</Date><Author>CONTOSO\dadmin</Author></RegistrationInfo>
<Triggers />
<Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel><UserId>CONTOSO\dadmin</UserId><LogonType>InteractiveToken</LogonType></Principal></Principals>
<Settings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries><AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority></Settings>
<Actions Context="Author"><Exec><Command>C:\Documents\listener.exe</Command></Exec></Actions>
</Task></Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “enable scheduled task”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: the name of the enabled scheduled task. The format of this value is “\task_path\task_name”, where task_path is a path in the Microsoft Task Scheduler tree starting from the “Task Scheduler Library” node.
Task Content [Type = UnicodeString]: the XML definition of the enabled task. See “XML Task Definition Format” for more about the XML format for scheduled tasks.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If a highly critical scheduled task exists on some computers and for some reason it should never be enabled, monitor for 4700 events with the corresponding Task Name.
4701(S): A scheduled task was disabled.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is disabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4701</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:32:45.844066600Z" />
<EventRecordID>344860</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4364" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\Microsoft\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><Date>2015-09-22T19:03:06.9258653</Date><Author>CONTOSO\dadmin</Author></RegistrationInfo>
<Triggers />
<Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel><UserId>CONTOSO\dadmin</UserId><LogonType>InteractiveToken</LogonType></Principal></Principals>
<Settings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries><AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand><Enabled>false</Enabled><Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority></Settings>
<Actions Context="Author"><Exec><Command>C:\Documents\listener.exe</Command></Exec></Actions>
</Task></Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “disable scheduled task” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: the name of the disabled scheduled task. The format of this value is “\task_path\task_name”, where task_path is a path in the Microsoft Task Scheduler tree starting from the “Task Scheduler Library” node.
Task Content [Type = UnicodeString]: the XML definition of the disabled task. See “XML Task Definition Format” for more about the XML format for scheduled tasks.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If a highly critical scheduled task exists on some computers and it should never be disabled, monitor for 4701 events with the corresponding Task Name.
4702(S): A scheduled task was updated.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is updated or changed.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4702</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T03:00:59.343820000Z" />
<EventRecordID>344863</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="596" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\Microsoft\StartListener</Data>
<Data Name="TaskContentNew"><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><Date>2015-09-22T19:03:06.9258653</Date><Author>CONTOSO\dadmin</Author></RegistrationInfo>
<Triggers />
<Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel><UserId>CONTOSO\dadmin</UserId><LogonType>InteractiveToken</LogonType></Principal></Principals>
<Settings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries><AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority></Settings>
<Actions Context="Author"><Exec><Command>C:\Documents\listener.exe</Command></Exec></Actions>
</Task></Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change/update
scheduled task” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value
of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: the name of the updated scheduled task. The format of this value is “\task_path\task_name”, where task_path is a path in the Microsoft Task Scheduler tree starting from the “Task Scheduler Library” node.
Task New Content [Type = UnicodeString]: the new XML definition of the updated task. See “XML Task Definition Format” for more about the XML format for scheduled tasks.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Monitor for updated scheduled tasks located in the Task Scheduler Library root node, that is, where Task Name looks like ‘\TASK_NAME’. Scheduled tasks that are created manually or by malware are often located in the Task Scheduler Library root node.
If the Task New Content XML of the updated task contains the value <LogonType>Password</LogonType>, trigger an alert. In this case the password of the account that will run the scheduled task is saved in Credential Manager in cleartext format and can be extracted by anyone with administrative privileges on that computer, so the task exposes that account’s credentials.
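As an added example that is not part of the original documentation, the following PowerShell applies the recommendations for 4699, 4700, 4701 and 4702 above to event XML: it flags deletions, tasks in the Task Scheduler Library root node, task definitions whose LogonType is Password, and any event touching a task on a watch list. The watch list, the function name and the sample event (adapted from the 4702 example above, with the task moved to the root and re-registered with a stored password) are assumptions made for this example; the commented Get-WinEvent line shows how to feed live Security log events through the same function.

```powershell
# Added example, not from the Windows documentation: triage scheduled-task audit events
# 4698-4702 using the recommendations on this page. Names below are hypothetical.

# Hypothetical watch list of tasks that must never be deleted, disabled or changed.
$CriticalTasks = @('\Microsoft\Windows\Defrag\ScheduledDefrag', '\Corp\BackupAgent')

function Get-TaskEventFinding {
    param([Parameter(Mandatory)][xml]$EventXml)

    $ns = [System.Xml.XmlNamespaceManager]::new($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # Collect the EventData <Data Name="..."> fields into a hashtable.
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $id       = [int]$EventXml.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
    $taskName = $data['TaskName']
    # 4702 carries the new definition in TaskContentNew; 4698-4701 use TaskContent.
    $taskXml  = if ($data.ContainsKey('TaskContentNew')) { $data['TaskContentNew'] } else { $data['TaskContent'] }

    $reasons = @()
    if ($id -eq 4699) { $reasons += 'scheduled task deleted' }
    # Root-node task: a single leading backslash and no further path component.
    if ($taskName -match '^\\[^\\]+$') { $reasons += 'task lives in the Task Scheduler Library root' }
    if ($CriticalTasks -contains $taskName) { $reasons += 'task is on the critical watch list' }

    if ($taskXml) {
        # The task definition is itself XML (XML Task Definition Format) stored as text in the event.
        # Drop the declaration: its encoding attribute is meaningless once the text is in memory.
        $task = [xml]($taskXml -replace '^\s*<\?xml[^>]*\?>', '')
        $tns  = [System.Xml.XmlNamespaceManager]::new($task.NameTable)
        $tns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
        $logon = $task.SelectSingleNode('//t:Principals/t:Principal/t:LogonType', $tns)
        if ($logon -and $logon.InnerText -eq 'Password') {
            $userNode = $task.SelectSingleNode('//t:Principals/t:Principal/t:UserId', $tns)
            $user = if ($userNode) { $userNode.InnerText } else { '<unknown>' }
            $reasons += "LogonType=Password: credentials for $user are stored for this task"
        }
    }

    if ($reasons.Count -eq 0) { return }   # nothing to report for this event
    [pscustomobject]@{
        EventID  = $id
        Subject  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId  = $data['SubjectLogonId']
        TaskName = $taskName
        Reasons  = $reasons -join '; '
    }
}

# Constructed sample (adapted from the 4702 example on this page, not a real capture).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4702</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x364eb</Data>
    <Data Name="TaskName">\StartListener</Data>
    <Data Name="TaskContentNew"><![CDATA[<?xml version="1.0" encoding="UTF-16"?><Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Principals><Principal id="Author"><UserId>CONTOSO\svc_listener</UserId><LogonType>Password</LogonType></Principal></Principals><Actions Context="Author"><Exec><Command>C:\Documents\listener.exe</Command></Exec></Actions></Task>]]></Data>
  </EventData>
</Event>
'@
Get-TaskEventFinding -EventXml ([xml]$sample) | Format-List

# Live Security log (elevated prompt; Audit Other Object Access Events must be enabled):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698,4699,4700,4701,4702} |
#     ForEach-Object { Get-TaskEventFinding -EventXml ([xml]$_.ToXml()) } | Format-Table -AutoSize
```

The sample produces one finding with three reasons (root-node task, LogonType=Password for CONTOSO\svc_listener, and nothing else), which is the combination the recommendations above say to alert on. In a real event the embedded task XML arrives entity-escaped inside the Data element; InnerText decodes it, so the same function works on live events without change.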
5888(S): An object in the COM+ Catalog was modified.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates when an object in the COM+ Catalog is modified.
Although this event is categorized under Audit System Integrity (Task 12290), it is generated only when this subcategory, Audit Other Object Access Events, is enabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5888</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T20:37:22.400120200Z" />
<EventRecordID>344994</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1352" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectUserDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">222443</Data>
<Data Name="ObjectCollectionName">Applications</Data>
<Data Name="ObjectIdentifyingProperties">ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}</Data>
<Data Name="ModifiedObjectProperties">Name = 'COMApp' -> 'COMApp-New' cCOL_SecurityDescriptor = '<Opaque>' -> '<Opaque>'</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “modify/change object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
COM+ Catalog Collection [Type = UnicodeString]: the name of the COM+ collection in which the object was modified. Possible collection values include the following:
Collection                      Description
PublisherProperties             Contains an object for each publisher property for the parent SubscriptionsForComponent collection.
SubscriberProperties            Contains an object for each subscriber property for the parent SubscriptionsForComponent collection.
TransientPublisherProperties    Contains an object for each publisher property for the parent TransientSubscriptions collection.
TransientSubscriberProperties   Contains an object for each subscriber property for the parent TransientSubscriptions collection.
UsersInPartitionRole            Contains an object for each user in the partition role to which the collection is related.
UsersInRole                     Contains an object for each user in the role to which the collection is related.
Object Name [Type = UnicodeString]: object-specific fields with the names and identifiers of the modified object. The fields depend on the COM+ Catalog Collection value; for example, if COM+ Catalog Collection = Applications, you can find:
ID - A GUID representing the application. This property is returned when the Key property method is called on an object of this collection.
AppPartitionID - A GUID representing the application partition ID.
Note: GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
Object Properties Modified [Type = UnicodeString]: the list of the object’s (Object Name) properties that were modified.
The items have the following format: Property_Name = ‘OLD_VALUE’ -> ‘NEW_VALUE’
Check the description of the specific COM+ Catalog Collection for the list of the object’s properties and their descriptions.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a specific COM+ object for which you need to monitor all modifications, monitor all 5888 events with the corresponding Object Name.
5889(S): An object was deleted from the COM+ Catalog.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates when an object in the COM+ Catalog is deleted.
Although this event is categorized under Audit System Integrity (Task 12290), it is generated only when this subcategory, Audit Other Object Access Events, is enabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5889</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T20:44:42.948569400Z" />
<EventRecordID>344998</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4756" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectUserDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">222443</Data>
<Data Name="ObjectCollectionName">Applications</Data>
<Data Name="ObjectIdentifyingProperties">ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}</Data>
<Data Name="ObjectProperties">Name = COMApp-New ApplicationProxyServerName = ProcessType = 2 CommandLine = ServiceName = <null>
RunAsUserType = 1 Identity = Interactive User Description = IsSystem = N Authentication = 4 ShutdownAfter = 3 RunForever = N
Password = ******** Activation = Local Changeable = Y Deleteable = Y CreatedBy = AccessChecksLevel = 1
ApplicationAccessChecksEnabled = 1 cCOL_SecurityDescriptor = <Opaque> ImpersonationLevel = 3 AuthenticationCapability = 64
CRMEnabled = 0 3GigSupportEnabled = 0 QueuingEnabled = 0 QueueListenerEnabled = N EventsEnabled = 1 ProcessFlags = 0
ThreadMax = 0 ApplicationProxy = 0 CRMLogFile = DumpEnabled = 0 DumpOnException = 0 DumpOnFailfast = 0 MaxDumpCount = 5
DumpPath = %systemroot%\system32\com\dmp IsEnabled = 1 AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}
ConcurrentApps = 1 RecycleLifetimeLimit = 0 RecycleCallLimit = 0 RecycleActivationLimit = 0 RecycleMemoryLimit = 0
RecycleExpirationTimeout = 15 QCListenerMaxThreads = 0 QCAuthenticateMsgs = 0 ApplicationDirectory = SRPTrustLevel = 262144
SRPEnabled = 0 SoapActivated = 0 SoapVRoot = SoapMailTo = SoapBaseUrl = Replicable = 1</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
COM+ Catalog Collection [Type = UnicodeString]: the name of the COM+ collection from which the COM+ object was deleted. Possible collection values include the following:
Collection                      Description
PublisherProperties             Contains an object for each publisher property for the parent SubscriptionsForComponent collection.
SubscriberProperties            Contains an object for each subscriber property for the parent SubscriptionsForComponent collection.
TransientPublisherProperties    Contains an object for each publisher property for the parent TransientSubscriptions collection.
TransientSubscriberProperties   Contains an object for each subscriber property for the parent TransientSubscriptions collection.
UsersInPartitionRole            Contains an object for each user in the partition role to which the collection is related.
UsersInRole                     Contains an object for each user in the role to which the collection is related.
Object Name [Type = UnicodeString]: object-specific fields with the names and identifiers of the deleted object. The fields depend on the COM+ Catalog Collection value; for example, if COM+ Catalog Collection = Applications, you can find:
ID - A GUID representing the application. This property is returned when the Key property method is called on an object of this collection.
AppPartitionID - A GUID representing the application partition ID.
Note: GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
Object Details [Type = UnicodeString]: the list of the deleted object’s (Object Name) properties.
The items have the following format: Property_Name = VALUE
Check the description of the specific COM+ Catalog Collection for the list of the object’s properties and their descriptions.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a specific COM+ object for which you need to monitor all modifications (especially delete operations), monitor all 5889 events with the corresponding Object Name.
5890(S): An object was added to the COM+ Catalog.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates when a new object is added to the COM+ Catalog.
Although this event is categorized under Audit System Integrity (Task 12290), it is generated only when this subcategory, Audit Other Object Access Events, is enabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5890</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T19:45:04.239886800Z" />
<EventRecordID>344980</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="2856" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectUserDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">222443</Data>
<Data Name="ObjectCollectionName">Roles</Data>
<Data Name="ObjectIdentifyingProperties">ApplId = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} Name =
CreatorOwner</Data>
<Data Name="ObjectProperties">Description =</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “add object” operation.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
COM+ Catalog Collection [Type = UnicodeString]: the name of the COM+ collection to which the new object was added. Possible collection values include the following:
Collection                      Description
PublisherProperties             Contains an object for each publisher property for the parent SubscriptionsForComponent collection.
SubscriberProperties            Contains an object for each subscriber property for the parent SubscriptionsForComponent collection.
TransientPublisherProperties    Contains an object for each publisher property for the parent TransientSubscriptions collection.
TransientSubscriberProperties   Contains an object for each subscriber property for the parent TransientSubscriptions collection.
UsersInPartitionRole            Contains an object for each user in the partition role to which the collection is related.
UsersInRole                     Contains an object for each user in the role to which the collection is related.
Object Name [Type = UnicodeString]: object-specific fields with the names and identifiers of the new object. The fields depend on the COM+ Catalog Collection value; for example, if COM+ Catalog Collection = Applications, you can find:
ID - A GUID representing the application. This property is returned when the Key property method is called on an object of this collection.
AppPartitionID - A GUID representing the application partition ID.
Note: GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
Object Details [Type = UnicodeString]: the list of the new object’s (Object Name) properties.
The items have the following format: Property_Name = VALUE
Check the description of the specific COM+ Catalog Collection for the list of the object’s properties and their descriptions.
Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor the creation of new COM+ objects within a specific COM+ collection, monitor all 5890 events with the corresponding COM+ Catalog Collection field value.
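As an added example that is not part of the original documentation, the following PowerShell turns the free-text Object fields of 5888, 5889 and 5890 into structured records and applies the recommendations above: it alerts when the modified, deleted or added object belongs to a watched COM+ application or collection and, for 5888, when a property that governs identity or access control changed. The watch lists, the choice of which property names count as sensitive (the names themselves appear in the 5889 example above), the function names and the sample event are assumptions made for this example.

```powershell
# Added example, not from the Windows documentation: structure the Object fields of
# COM+ Catalog events 5888/5889/5890 and decide which ones deserve an alert.

$WatchedAppIds      = @('{1D34B2DC-0E43-4040-BA7B-2F1C181FD86A}')        # hypothetical: application IDs to watch
$WatchedCollections = @('Roles', 'UsersInRole', 'UsersInPartitionRole')  # hypothetical: role membership changes
# Property names from the 5889 sample whose change alters who runs the application or who may call it.
$SensitiveProps = @('cCOL_SecurityDescriptor', 'Identity', 'RunAsUserType', 'Authentication',
                    'ImpersonationLevel', 'AccessChecksLevel', 'ApplicationAccessChecksEnabled', 'CommandLine')

function ConvertFrom-ComPlusPropertyList {
    # "Name = VALUE Name2 = VALUE2 ..." (Object Details and the identifying properties) into an
    # ordered dictionary. Values may be empty, so the end of a value is found by looking ahead
    # for the next "Name = " token instead of relying on a delimiter.
    param([string]$Text)
    $props = [ordered]@{}
    foreach ($m in [regex]::Matches($Text, '(\w+) = (.*?)(?=\w+ = |$)')) {
        $props[$m.Groups[1].Value] = $m.Groups[2].Value.Trim()
    }
    return $props
}

function ConvertFrom-ComPlusModifiedProperties {
    # "Name = 'OLD' -> 'NEW' Name2 = 'OLD' -> 'NEW'" (5888 Object Properties Modified) into change records.
    param([string]$Text)
    foreach ($m in [regex]::Matches($Text, "(\w+) = '(.*?)' -> '(.*?)'")) {
        [pscustomobject]@{ Property = $m.Groups[1].Value; Old = $m.Groups[2].Value; New = $m.Groups[3].Value }
    }
}

function Get-ComPlusCatalogFinding {
    param([Parameter(Mandatory)][xml]$EventXml)
    $ns = [System.Xml.XmlNamespaceManager]::new($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    $id         = [int]$EventXml.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
    $collection = $data['ObjectCollectionName']
    $key        = ConvertFrom-ComPlusPropertyList $data['ObjectIdentifyingProperties']
    # Applications objects are keyed by ID; objects that live under an application (e.g. Roles) carry ApplId.
    $appId   = if ($key.Contains('ID')) { $key['ID'] } elseif ($key.Contains('ApplId')) { $key['ApplId'] } else { $null }
    $watched = ($appId -and $WatchedAppIds -contains $appId) -or ($WatchedCollections -contains $collection)

    $reasons = @()
    switch ($id) {
        5888 {
            if ($watched) { $reasons += 'watched object modified' }
            foreach ($c in (ConvertFrom-ComPlusModifiedProperties $data['ModifiedObjectProperties'])) {
                # The security descriptor is logged as <Opaque>, so the event only tells us that it changed.
                if ($SensitiveProps -contains $c.Property) { $reasons += "$($c.Property): '$($c.Old)' -> '$($c.New)'" }
            }
        }
        5889 { if ($watched) { $reasons += 'watched object deleted' } }
        5890 { if ($watched) { $reasons += 'object added to watched application or collection' } }
    }
    if ($reasons.Count -eq 0) { return }
    [pscustomobject]@{
        EventID    = $id
        Subject    = '{0}\{1}' -f $data['SubjectUserDomainName'], $data['SubjectUserName']
        Collection = $collection
        Key        = ($key.Keys | ForEach-Object { "$_=$($key[$_])" }) -join ' '
        Reasons    = $reasons -join '; '
    }
}

# Constructed sample, taken from the 5888 example on this page (XML text is entity-escaped as it
# would be in an exported event; InnerText decodes it).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5888</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectUserDomainName">CONTOSO</Data>
    <Data Name="ObjectCollectionName">Applications</Data>
    <Data Name="ObjectIdentifyingProperties">ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}</Data>
    <Data Name="ModifiedObjectProperties">Name = 'COMApp' -> 'COMApp-New' cCOL_SecurityDescriptor = '&lt;Opaque&gt;' -> '&lt;Opaque&gt;'</Data>
  </EventData>
</Event>
'@
Get-ComPlusCatalogFinding -EventXml ([xml]$sample) | Format-List

# Live Security log (elevated prompt; Audit Other Object Access Events must be enabled):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5888,5889,5890} |
#     ForEach-Object { Get-ComPlusCatalogFinding -EventXml ([xml]$_.ToXml()) } | Format-Table -AutoSize
```

For the sample, the finding reports the watched application and the cCOL_SecurityDescriptor change; the Name change is recorded in the event but is not alerted on, since renaming an application does not by itself change who can run or call it. The lookahead-based parser is what makes the 5889 Object Details usable: several of its properties in the example above (ApplicationProxyServerName, CommandLine, CreatedBy) have empty values, which a simple split on spaces or on "=" would misassign to the neighbouring property.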
Audit Registry
12/23/2019
Applies to
Windows 10
Windows Server 2016
Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only
for objects that have system access control lists (SACLs) specified, and only if the type of access requested,
such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a
registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time
any user unsuccessfully attempts to access a registry object that has a matching SACL.
Event volume: Low to Medium, depending on how registry SACLs are configured.
Computer Type       General Success   General Failure   Stronger Success   Stronger Failure
Domain Controller   IF                IF                IF                 IF
Member Server       IF                IF                IF                 IF
Workstation         IF                IF                IF                 IF
(IF = enable if needed.)
Comments: We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate SACLs for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess SACLs. Otherwise the auditing log will be overloaded with useless information.
Failure events can show you unsuccessful attempts to access specific registry objects.
Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them.
Events List:
4663(S): An attempt was made to access an object.
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4660(S): An object was deleted.
4657(S): A registry value was modified.
5039(-): A registry key was virtualized.
4670(S): Permissions on an object were changed.
4663(S): An attempt was made to access an object.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights.
The main difference from the “4656: A handle to an object was requested.” event is that 4663 shows that the access right was used instead of just requested, and 4663 doesn’t have Failure events.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
    <EventRecordID>273866</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
    <Data Name="HandleId">0x1bc</Data>
    <Data Name="AccessList">%%4417 %%4418</Data>
    <Data Name="AccessMask">0x6</Data>
    <Data Name="ProcessId">0x458</Data>
    <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
    <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory
domain controller, and stored in a security database. Each time a user logs on, the system retrieves the
SID for that user from the database and places it in the access token for that user. The system uses the
SID in the access token to identify the user in all subsequent interactions with Windows security. When a
SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify
another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to access an
object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON,
the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent
events that might contain the same Logon ID, for example, “4624: An account was successfully logged
on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can be used for correlation with other events, for example with the Handle ID field in “4656(S, F): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some objects, the field does not apply and “-” is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that accessed the object. Process
ID (PID) is a number used by the operating system to uniquely identify an active process. To see the
PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID .
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were used by Subject\Security ID. These access rights depend on Object Type. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary.
Access | Hex Value, Schema Value | Description
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table.
Security Monitoring Recommendations
For 4663(S): An attempt was made to access an object.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to
parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to
monitor at the Kernel objects level.
For other types of objects, the following recommendations apply.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical file system objects for which you need to monitor all access attempts, monitor this event for Object Name.
If you have critical file system objects for which you need to monitor certain access attempts (for example, write actions), monitor this event for Object Name in relation to Access Request Information\Accesses.
If you have file system objects with specific attributes, for which you need to monitor access attempts, monitor this event for Resource Attributes.
If Object Name is a sensitive or critical registry key for which you need to monitor specific access attempts (for example, only write actions), monitor for all 4663 events with the corresponding Access Request Information\Accesses.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
For file system objects, we recommend that you monitor for these Access Request Information\Accesses rights:
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
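The recommendations above can be turned into detection logic. The following is an added example, not Microsoft's code and not part of the original page: it parses a 4663 record (the sample XML from this page, where AccessList %%4417 %%4418 and AccessMask 0x6 both denote WriteData and AppendData), expands the Access Mask into the named file access rights, and applies the Process Name and write-access rules listed above. Because the Access Mask field is the same in 4656, the decoder also handles that event's sample value 0x12019f. The access-right bit values are the standard Win32 file ACCESS_MASK bits rather than values taken from the page; the standard and restricted folder lists and the second, suspicious event are constructed assumptions for illustration.

```python
"""Decode and triage Windows Security event 4663 records (added example, not Microsoft's code)."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File-object bits of AccessMask (standard Win32 ACCESS_MASK values, not from the page),
# named the way the Accesses field names them.
FILE_ACCESS_BITS = {
    0x1: "ReadData (or ListDirectory)",
    0x2: "WriteData (or AddFile)",
    0x4: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x8: "ReadEA",
    0x10: "WriteEA",
    0x20: "Execute/Traverse",
    0x40: "DeleteChild",
    0x80: "ReadAttributes",
    0x100: "WriteAttributes",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}

# The write-type rights the page recommends monitoring on file system objects.
WRITE_RIGHTS = {0x2, 0x4, 0x10, 0x40, 0x100, 0x10000, 0x40000, 0x80000}

# Assumed folder policy for the "standard" / "restricted" Process Name checks.
STANDARD_FOLDERS = (r"C:\Windows\System32", r"C:\Program Files", r"C:\Program Files (x86)")
RESTRICTED_FOLDERS = {"temporary internet files"}
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")


def decode_access_mask(mask: int) -> list:
    """Expand an AccessMask into the named rights it contains, lowest bit first."""
    return [name for bit, name in sorted(FILE_ACCESS_BITS.items()) if mask & bit]


def parse_event(xml_text: str) -> dict:
    """Flatten one Security-channel event into a dict of EventID plus the EventData fields."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.find("e:EventData", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def triage_4663(event: dict, watched_objects, expected_process=None) -> list:
    """Apply the page's 4663 monitoring recommendations; returns a list of findings."""
    findings = []
    if event["EventID"] != 4663:
        return findings
    mask = int(event["AccessMask"], 16)
    obj, proc = event["ObjectName"], event["ProcessName"]
    proc_path = PureWindowsPath(proc)

    # Watched file object touched with a write-type right.
    if event["ObjectType"] == "File" and obj.lower() in {w.lower() for w in watched_objects}:
        writes = [FILE_ACCESS_BITS[b] for b in sorted(WRITE_RIGHTS) if mask & b]
        if writes:
            findings.append(f"write-type access to {obj}: {', '.join(writes)}")

    # Process Name differs from the value you expect for this object.
    if expected_process and proc.lower() != expected_process.lower():
        findings.append(f"unexpected process {proc} (expected {expected_process})")

    # Process Name outside the standard folders, or inside a restricted one.
    parents = {str(p).lower() for p in proc_path.parents}
    if not any(f.lower() in parents for f in STANDARD_FOLDERS):
        findings.append(f"process not in a standard folder: {proc}")
    if any(part.lower() in RESTRICTED_FOLDERS for part in proc_path.parts):
        findings.append(f"process in a restricted folder: {proc}")

    # Restricted substrings in the executable name.
    if any(s in proc_path.name.lower() for s in RESTRICTED_SUBSTRINGS):
        findings.append(f"restricted name in process: {proc_path.name}")
    return findings


# Trimmed copy of the 4663 sample XML from the page (notepad.exe writing HBI Data.txt).
SAMPLE_4663 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4663</EventID><Computer>DC01.contoso.local</Computer></System>
 <EventData>
  <Data Name="SubjectUserName">dadmin</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
  <Data Name="HandleId">0x1bc</Data>
  <Data Name="AccessList">%%4417 %%4418</Data>
  <Data Name="AccessMask">0x6</Data>
  <Data Name="ProcessId">0x458</Data>
  <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
 </EventData>
</Event>"""

# Constructed variant: same object, but written by a process under Temporary Internet Files.
SUSPICIOUS_4663 = SAMPLE_4663.replace(
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\dadmin\AppData\Local\Microsoft\Windows\Temporary Internet Files\mimikatz.exe",
)

if __name__ == "__main__":
    for xml_text in (SAMPLE_4663, SUSPICIOUS_4663):
        ev = parse_event(xml_text)
        print(ev["ProcessName"], decode_access_mask(int(ev["AccessMask"], 16)))
        for finding in triage_4663(ev, watched_objects=[r"C:\Documents\HBI Data.txt"]):
            print("  finding:", finding)
```

On the page's own sample the only finding is the write-type access to the watched file, because notepad.exe sits under System32; the constructed variant additionally trips the standard-folder, restricted-folder and restricted-substring rules. The Access Mask decoding is the reliable part to key on: the AccessList field carries resource-string IDs (%%4417 and so on) that need message-table resolution, whereas the mask is just bits.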
4656(S, F): A handle to an object was requested.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that specific access was requested for an object. The object could be a file system, kernel,
or registry object, or a file system object on removable storage or a device.
If access was declined, a Failure event is generated.
This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights.
This event shows that access was requested, and the results of the request, but it doesn’t show that the
operation was performed. To see that the operation was performed, check “4663(S): An attempt was made to
access an object.”
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4656</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
    <EventRecordID>274057</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
    <Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
    <Data Name="AccessMask">0x12019f</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="RestrictedSidCount">0</Data>
    <Data Name="ProcessId">0x1074</Data>
    <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
    <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory
domain controller, and stored in a security database. Each time a user logs on, the system retrieves the
SID for that user from the database and places it in the access token for that user. The system uses the SID
in the access token to identify the user in all subsequent interactions with Windows security. When a SID
has been used as the unique identifier for a user or group, it cannot ever be used again to identify
another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent
events that might contain the same Logon ID, for example, “4624: An account was successfully logged
on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some objects, the field does not apply and “-” is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID .
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this
event with other events that might contain the same Transaction ID , such as “4660(S): An object was
deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-
0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID .
These access rights depend on Object Type . The following table contains information about the most
common access rights for file system objects. Access rights for registry objects are often similar to file
system objects, but the table contains a few notes about how they vary.
Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this
varies, depending on the object. For kernel objects, this field does not apply.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For
more information, see the preceding table.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used
during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event,
and in that case appears as “-”. See full list of user privileges in the table below:
Privilege Name | User Right Group Policy Name | Description
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.