From 6a10d9c4aadc7f0405928478abc7e357cc16effc Mon Sep 17 00:00:00 2001 From: Hiroyuki Ito <102932563+hirit1@users.noreply.github.com> Date: Fri, 8 Apr 2022 18:19:52 +0900 Subject: [PATCH 1/3] does not exist the policy I would like to delete it because it is a description of a policy that does not exist. --- .../wdsc-device-security.md | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index 547b17ac29..4a34381192 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md 
@@ -78,17 +78,3 @@ If you don't want users to see the recommendation to update TPM firmware, you ca 5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). -## Disable Memory integrity switch -If you don't want users to be able to change the Hypervisor Control Integrity (HVCI), or memory integrity, setting on their computers, you can disable the **Memory integrity** switch. -> [!IMPORTANT] -> You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. - -1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**. - -3. Expand the tree to **Windows components** > **Windows Security** > **Device security**. - -4. Open the **Disable Memory integrity switch** setting and set it to **Enabled**. Select **OK**. - -5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). From 28ec7f0381a5ae4fd12082700c57b42eab4c1745 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Fri, 8 Apr 2022 15:08:53 +0530 Subject: [PATCH 2/3] changes as per 5916892 --- .../auditing/monitor-the-use-of-removable-storage-devices.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index ac76e18a1a..2e7159f3d2 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md 
@@ -56,9 +56,14 @@ After you configure the settings to monitor removable storage devices, use the f 4. In Server Manager, click **Tools**, and then click **Event Viewer**. 5. Expand **Windows Logs**, and then click **Security**. 6. Look for event 4663, which logs successful attempts to write to or read from a removable storage device. Failures will log event 4656. Both events include **Task Category = Removable Storage device**. + + For more information, see [Audit Removable Storage](audit-removable-storage.md) Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted. + > [!NOTE] + > Even after configuring settings to monitor removable storage devices, some versions of Windows 10 may require registry key **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage\HotPlugSecureOpen** to be set to **1** to start logging the removable storage audit events. + > [!NOTE] > We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event. From 79224a7e657d3482503873a64fb37694035c90a1 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Wed, 20 Apr 2022 11:52:43 -0600 Subject: [PATCH 3/3] Update windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md --- .../auditing/monitor-the-use-of-removable-storage-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 2e7159f3d2..42a29f7d54 100644 
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -57,7 +57,7 @@ After you configure the settings to monitor removable storage devices, use the f 5. Expand **Windows Logs**, and then click **Security**. 6. Look for event 4663, which logs successful attempts to write to or read from a removable storage device. Failures will log event 4656. Both events include **Task Category = Removable Storage device**. - For more information, see [Audit Removable Storage](audit-removable-storage.md) + For more information, see [Audit Removable Storage](audit-removable-storage.md). Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted.
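Review bot: In [PATCH 1/3], the hunk at `@@ -78,17 +78,3 @@` of wdsc-device-security.md removes the "Disable Memory integrity switch" section because the policy "does not exist", but the deleted IMPORTANT note says the setting is included in the ADMX/ADML templates for Windows 10, version 1803 or later, and the commit message cites nothing that resolves the conflict. Please record in the commit message which template version was checked and where the setting was found to be missing. This section is the documented way to stop users from changing the memory integrity setting, so if it is removed, say whether another control replaces it and check for inbound links to this heading before merging.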
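Review bot: In [PATCH 2/3], the added NOTE about `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage\HotPlugSecureOpen` is not specific enough to act on. "Some versions of Windows 10" does not say which versions. The text calls HotPlugSecureOpen a registry key that is "set to **1**", yet a key cannot hold data, so please say whether it is a value under `...\Control\Storage` and give its type. The note also does not say whether a restart or device reconnect is needed before events 4663 and 4656 are logged. Separately, the added "For more information, see [Audit Removable Storage](audit-removable-storage.md)" line is missing its closing period, and the subject "changes as per 5916892" does not describe the change for anyone without access to that reference.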
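Review bot: In [PATCH 3/3], the single changed line at `@@ -57,7 +57,7 @@` only adds the period that 2/3 left off the "For more information, see [Audit Removable Storage](audit-removable-storage.md)" sentence, so it should be squashed into 2/3 rather than kept as a separate commit. If it stays separate, replace the generated "Update windows/security/…" subject with one that says what changed, for example that it fixes the punctuation after the Audit Removable Storage link.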