Merge pull request #2648 from MicrosoftDocs/master

Publish 4/29/2020 3:32 PM PST
Thomas Raya
2020-04-29 17:52:26 -05:00
committed by GitHub
3 changed files with 16 additions and 11 deletions

@ -24,7 +24,7 @@ For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Manage
A streamlined method of managing firmware from the cloud on Surface Pro 7,Surface Pro X and Surface Laptop 3 is now available via public preview. For more information,refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md).
> [!NOTE]
> SEMM is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md).
> SEMM is supported on Surface Pro X via the UEFI Manager only. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md).
#### Download and install Microsoft Surface UEFI Configurator
The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
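
Review bot: The replacement note ("SEMM is supported on Surface Pro X via the UEFI Manager only") sits directly above the "Download and install Microsoft Surface UEFI Configurator" section, which presents the Configurator as the tool for creating SEMM packages, so a Surface Pro X reader gets no signal that the Configurator steps that follow do not apply to that device. Suggest closing the note with a sentence that says so. While this paragraph is being touched, the unchanged line above the note is missing spaces after the commas in "Surface Pro 7,Surface Pro X" and "information,refer".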
@ -107,11 +107,11 @@ To enroll a Surface device in SEMM with a Surface UEFI configuration package, fo
3. Click **Finish** to complete the Surface UEFI configuration package installation and restart the Surface device when you are prompted to do so.
4. Surface UEFI will load the configuration file and determine that SEMM is not enabled on the device. Surface UEFI will then begin the SEMM enrollment process, as follows:
* Surface UEFI will verify that the SEMM configuration file contains a SEMM certificate.
* Surface UEFI will prompt you to enter to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8.
* Surface UEFI will prompt you to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8.
![SEMM enrollment requires last two characters of certificate thumbprint](images/surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint")
*Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint*
![SEMM enrollment requires last two characters of certificate thumbprint](images/surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint")
*Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint*
* Surface UEFI will store the SEMM certificate in firmware and apply the configuration settings that are specified in the Surface UEFI configuration file.
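
Review bot: Please confirm the indentation of the image line and the "Figure 8" caption under the thumbprint bullet. Both are removed and re-added with identical text, so the change there is whitespace only, and if they are not nested under the sub-bullet, the following "Surface UEFI will store the SEMM certificate" bullet will render as a separate list. The "to enter to enter" correction on the prompt line is fine as is.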

@ -139,10 +139,10 @@ The following tables show the availability of selected key features on Surface P
| Endpoint Configuration Manager | Yes | Yes | |
| Power on When AC Restore | Yes | Yes | |
| Surface Diagnostic Toolkit (SDT) for Business | Yes | Yes | |
| Surface Dock Firmware Update | Yes | Yes | |
| Surface Dock Firmware Update | Yes | No | |
| Asset Tag Utility | Yes | Yes | |
| Surface Enterprise management Mode (SEMM) | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. |
| Surface UEFI Configurator | Yes | | No option to disable hardware. on Surface Pro X at the firmware level. |
| Surface UEFI Configurator | Yes | No | No option to disable hardware. on Surface Pro X at the firmware level. |
| Surface UEFI Manager | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. |
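
Review bot: The updated "Surface UEFI Configurator" row keeps the comment "No option to disable hardware. on Surface Pro X at the firmware level." with a stray period after "hardware", and now that the Surface Pro X column reads "No" the comment no longer matches the cell: it describes a limitation of a tool the row says is unavailable. Suggest replacing the comment with a short statement that the Configurator is not supported on Surface Pro X, leaving the hardware-disable remark on the SEMM and UEFI Manager rows where the value is "Partial". The "Surface Dock Firmware Update" row changes from Yes to No with an empty comment cell; a brief reason there would help. The unchanged row "Surface Enterprise management Mode (SEMM)" also has a lowercase "management".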

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
ms.date:
---
# Monitor the use of removable storage devices
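
Review bot: The new "ms.date:" line in the front matter has no value, where the line it replaces had 04/19/2017. Set it to the date of this revision, or keep the previous date, rather than publish an empty metadata field.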
@ -28,7 +28,10 @@ If you configure this policy setting, an audit event is generated each time a us
Use the following procedures to monitor the use of removable storage devices and to verify that the devices are being monitored.
>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
> [!NOTE]
> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor.
**To configure settings to monitor removable storage devices**
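
Review bot: The last sentence of the added note, "This may require the device to restart to apply the new security descriptor", is ambiguous about what restarts: the removable storage device or the computer the policy was pushed to. Since this determines when auditing takes effect, name the one that is meant. In the same hunk, the "Your server might function differently" sentence loses its note marker and becomes body text, while the other notes in this file are converted to "> [!NOTE]"; use one treatment throughout. The link text "Security Descriptor" is capitalized in the first sentence and lowercase in the second.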
@ -46,7 +49,8 @@ After you configure the settings to monitor removable storage devices, use the f
1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window.
>**Note:**  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
> [!NOTE]
> If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
2. Type **gpupdate /force**, and press ENTER.
3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy.
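
Review bot: The converted "> [!NOTE]" block falls between steps 1 and 2 of the numbered procedure, so it must be indented to the level of the step 1 text. Otherwise the list is interrupted and "2. Type **gpupdate /force**" may restart numbering when rendered. Indentation is not visible in this view, so please check the rendered output.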
@ -56,7 +60,8 @@ After you configure the settings to monitor removable storage devices, use the f
Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted.
>**Note:**  We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event.
> [!NOTE]
> We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event.
### Related resource
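
Review bot: The converted note about file servers is a recommendation against a configuration ("We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device") and not supplementary information, so "> [!IMPORTANT]" fits better than "> [!NOTE]". The reason, that any access attempt generates an audit event, is already stated and can stay as written.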