diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 652a24f8e4..03a48da95f 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -300,6 +300,10 @@ If you disable or do not configure this setting, users can configure only basic > [!NOTE] > If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. +> [!NOTE] +> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern +> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. + Sample value for this node to enable this policy is: ```xml diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index b310cd06ca..637a86a151 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -156,7 +156,7 @@ This event generates when a logon session is created (on destination machine). I | `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | | `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | | `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | -| `12` | `CashedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. | +| `12` | `CachedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. | | `13` | `CachedUnlock` | Workstation logon. | - **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index 9cddee17c5..1c8fc2eacd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -63,10 +63,13 @@ Assigning read-only access rights requires adding the users to the "Security Rea Use the following steps to assign security roles: - For **read and write** access, assign users to the security administrator role by using the following command: + ```PowerShell Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" ``` + - For **read-only** access, assign users to the security reader role by using the following command: + ```PowerShell Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com" ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 8b78df80cd..c34fe0e526 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -51,7 +51,8 @@ Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request -``` + +```http GET /api/ips/{ip}/stats ``` @@ -75,7 +76,7 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats ``` @@ -84,7 +85,7 @@ GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats Here is an example of the response. -``` +```http HTTP/1.1 200 OK Content-type: application/json { diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index ef8a82a89f..05fd5e59e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -94,6 +94,7 @@ This action takes effect on devices with Windows 10, version 1703 or later, wher ![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png) The Action center shows the submission information: + ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) - **Submission time** - Shows when the action was submitted. @@ -118,13 +119,13 @@ You can roll back and remove a file from quarantine if you’ve determined that 1. Open an elevated command–line prompt on the device: - a. Go to **Start** and type _cmd_. + 1. Go to **Start** and type _cmd_. - b. Right–click **Command prompt** and select **Run as administrator**. + 1. Right–click **Command prompt** and select **Run as administrator**. 2. Enter the following command, and press **Enter**: - ```Powershell + ```powershell “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All ``` @@ -273,11 +274,14 @@ The details provided can help you investigate if there are indications of a pote If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps. 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications). + 1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. + 1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error. + 1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value: - ```Powershell + ```powershell Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection Name: AllowSampleCollection Type: DWORD @@ -287,6 +291,7 @@ If you encounter a problem when trying to submit a file, try each of the followi ``` 1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md). + 1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). ## Related topics