Merge pull request #4502 from MicrosoftDocs/master

Publish 1/5/2021 10:30 AM PT
2025-06-27 16:23:36 +00:00 · 2021-01-05 10:41:27 -08:00
parent ba863f2d84 3b6eebf618
commit d60144a6b4
5 changed files with 21 additions and 8 deletions
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@ -300,6 +300,10 @@ If you disable or do not configure this setting, users can configure only basic
 > [!NOTE]
 > If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.

+> [!NOTE] 
+> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern 
+> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN.
+
 Sample value for this node to enable this policy is:

 ```xml
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@ -156,7 +156,7 @@ This event generates when a logon session is created (on destination machine). I
 |  `9`       | `NewCredentials`    | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.                                                                                                                 |
 | `10`       | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop.                                                                                                                                                                                                                                      |
 | `11`       | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.                                                                                                                                                    |
-| `12`       | `CashedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing.                                                                                                                                                                                                                                                        |
+| `12`       | `CachedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing.                                                                                                                                                                                                                                                        |
 | `13`       | `CachedUnlock` | Workstation logon.                                                                                                                                                                                                                                                                                                             |

 -   **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.
--- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
@ -63,10 +63,13 @@ Assigning read-only access rights requires adding the users to the "Security Rea
 Use the following steps to assign security roles:

 - For **read and write** access, assign users to the security administrator role by using the following command:
+
  ```PowerShell
  Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
  ```
+  
 - For **read-only** access, assign users to the security reader role by using the following command:
+
  ```PowerShell
  Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"
  ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
@ -51,7 +51,8 @@ Delegated (work or school account) | Ip.Read.All |	'Read IP address profiles'
 >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)

 ## HTTP request
-```
+
+```http
 GET /api/ips/{ip}/stats
 ```

@ -75,7 +76,7 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no

 Here is an example of the request.

-```
+```http
 GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats
 ```

@ -84,7 +85,7 @@ GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats
 Here is an example of the response.


-```
+```http
 HTTP/1.1 200 OK
 Content-type: application/json
 {
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@ -94,6 +94,7 @@ This action takes effect on devices with Windows 10, version 1703 or later, wher
   ![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png)

   The Action center shows the submission information:
+   
   ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png)

   - **Submission time** - Shows when the action was submitted.
@ -118,13 +119,13 @@ You can roll back and remove a file from quarantine if you’ve determined that

 1. Open an elevated command–line prompt on the device:

-   a. Go to **Start** and type _cmd_.
+   1. Go to **Start** and type _cmd_.

-   b. Right–click **Command prompt** and select **Run as administrator**.
+   1. Right–click **Command prompt** and select **Run as administrator**.

 2. Enter the following command, and press **Enter**:

-   ```Powershell
+   ```powershell
   “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
   ```

@ -273,11 +274,14 @@ The details provided can help you investigate if there are indications of a pote
 If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.

 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
+
 1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
+
 1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
+
 1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:

-    ```Powershell
+    ```powershell
    Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
    Name: AllowSampleCollection
    Type: DWORD
@ -287,6 +291,7 @@ If you encounter a problem when trying to submit a file, try each of the followi
    ```

 1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).
+
 1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).

 ## Related topics