6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 operating system

  • Windows Server operating system

  • Windows Server 2019 operating system

  • Windows Server 2022 operating system

  • Windows 11 operating system

  • Windows Server 2025 operating system

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.2.1.1: In Windows, audit settings associated with group SID strings are ignored by the client.

<2> Section 2.2.1.2: In Windows, this subcategory also audits the following events:

  • Startup and shutdown of the Windows Firewall.

  • Security policy processing by the Windows Firewall.

<3> Section 2.2.1.2:  User/Device Claims audit subcategory is not implemented in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<4> Section 2.2.1.2:  PNP Activity is not implemented in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<5> Section 2.2.1.2:  Group Membership is not implemented in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<6> Section 2.2.1.3.2: If any subcategory in the Per-User Advanced Audit Policy section is defined for a given user or group in Windows, the value Include Failure (0x4) is used as default for all the rest of the audit subcategories that are not defined for that user after all the applicable policies are processed. The Include Failure setting will cause a Failure Audit to be generated even if not specified by the system advanced audit policy.

<7> Section 3.2.5: In Windows 7 and Windows Server 2008 R2, individual Audit ACEs from different GPOs are not merged into a single SACL; instead the final value of the FileGlobalSacl, as well as the RegistryGlobalSacl ADM variables, come from the GPO with the highest precedence (as described in [MS-GPOL]) where the setting is defined.

<8> Section 5.2.1: In Windows, the value of MaxNoGPOListChangesInterval is 0x3c0 (960 minutes) for the advanced audit policy client-side extension.