From 12b713411d24bb0df9495cf532f6d0010c8d0914 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 13 Apr 2020 15:29:01 -0700 Subject: [PATCH 1/6] Update monitor-the-use-of-removable-storage-devices.md Removable storage note per CSS --- .../monitor-the-use-of-removable-storage-devices.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 18d2e3d8c2..870101a427 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: --- # Monitor the use of removable storage devices 
@@ -28,7 +28,9 @@ If you configure this policy setting, an audit event is generated each time a us Use the following procedures to monitor the use of removable storage devices and to verify that the devices are being monitored. ->**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. +Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. + +> [!NOTE] When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/en-us/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/en-us/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor. **To configure settings to monitor removable storage devices** From 61b0ffb053f509534fa61099a7b8ed8e69b2438d Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 13 Apr 2020 15:58:44 -0700 Subject: [PATCH 2/6] Update monitor-the-use-of-removable-storage-devices.md --- .../auditing/monitor-the-use-of-removable-storage-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 870101a427..1188b932e6 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md 
@@ -30,7 +30,7 @@ Use the following procedures to monitor the use of removable storage devices and Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. -> [!NOTE] When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/en-us/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/en-us/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor. +> [!NOTE] When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor. **To configure settings to monitor removable storage devices** 
From c5b2ef0657b7179036b7464c1d417dbb0b6ac907 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Apr 2020 14:59:38 -0700 Subject: [PATCH 3/6] Update monitor-the-use-of-removable-storage-devices.md fix note style --- .../auditing/monitor-the-use-of-removable-storage-devices.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 1188b932e6..ee4ffad617 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md 
@@ -30,7 +30,8 @@ Use the following procedures to monitor the use of removable storage devices and Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. -> [!NOTE] When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor. +> [!NOTE] +> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor. **To configure settings to monitor removable storage devices** From f88df254db72eef46d349f7ba102c925ba8caae1 Mon Sep 17 00:00:00 2001 
From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 29 Apr 2020 12:13:54 -0700 Subject: [PATCH 4/6] Updates to Pro X --- .../surface/enroll-and-configure-surface-devices-with-semm.md | 2 +- devices/surface/surface-pro-arm-app-management.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md index 0147596761..80367c8e53 100644 --- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md +++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md @@ -24,7 +24,7 @@ For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Manage A streamlined method of managing firmware from the cloud on Surface Pro 7,Surface Pro X and Surface Laptop 3 is now available via public preview. For more information,refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md). > [!NOTE] -> SEMM is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md). +> SEMM is supported on Surface Pro X via the UEFI Manager only. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md). #### Download and install Microsoft Surface UEFI Configurator The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center. diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md index f3d922c048..488eeca1a2 100644 --- a/devices/surface/surface-pro-arm-app-management.md +++ b/devices/surface/surface-pro-arm-app-management.md 
@@ -139,10 +139,10 @@ The following tables show the availability of selected key features on Surface P | Endpoint Configuration Manager | Yes | Yes | | | Power on When AC Restore | Yes | Yes | | | Surface Diagnostic Toolkit (SDT) for Business | Yes | Yes | | -| Surface Dock Firmware Update | Yes | Yes | | +| Surface Dock Firmware Update | Yes | No | | | Asset Tag Utility | Yes | Yes | | | Surface Enterprise management Mode (SEMM) | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. | -| Surface UEFI Configurator | Yes | | No option to disable hardware. on Surface Pro X at the firmware level. | +| Surface UEFI Configurator | Yes | No | No option to disable hardware. on Surface Pro X at the firmware level. | | Surface UEFI Manager | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. | From 9d82bfa6dca671e99de8826d753a05048d6fc425 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 29 Apr 2020 14:05:08 -0700 Subject: [PATCH 5/6] Applied [!NOTE] style --- .../monitor-the-use-of-removable-storage-devices.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index ee4ffad617..30ed1af8fc 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md 
@@ -49,7 +49,8 @@ After you configure the settings to monitor removable storage devices, use the f 1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window. - >**Note:**  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. + > [!NOTE] + > If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 2. Type **gpupdate /force**, and press ENTER. 3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy. @@ -59,7 +60,8 @@ After you configure the settings to monitor removable storage devices, use the f Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted. - >**Note:**  We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event. + > [!NOTE] + > We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event. ### Related resource From 89777310578af1b4a1e59a5fe39606e90a1f512d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 29 Apr 2020 14:17:20 -0700 Subject: [PATCH 6/6] Deleted duplicated text, indent content in a second-level list item --- .../enroll-and-configure-surface-devices-with-semm.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md index 80367c8e53..fd8f4626e5 100644 --- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md +++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md @@ -107,11 +107,11 @@ To enroll a Surface device in SEMM with a Surface UEFI configuration package, fo 3. Click **Finish** to complete the Surface UEFI configuration package installation and restart the Surface device when you are prompted to do so. 4. Surface UEFI will load the configuration file and determine that SEMM is not enabled on the device. Surface UEFI will then begin the SEMM enrollment process, as follows: * Surface UEFI will verify that the SEMM configuration file contains a SEMM certificate. - * Surface UEFI will prompt you to enter to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8. + * Surface UEFI will prompt you to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8. - ![SEMM enrollment requires last two characters of certificate thumbprint](images/surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint") - - *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint* + ![SEMM enrollment requires last two characters of certificate thumbprint](images/surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint") + + *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint* * Surface UEFI will store the SEMM certificate in firmware and apply the configuration settings that are specified in the Surface UEFI configuration file.
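Review bot: In [PATCH 1/6], the front-matter hunk replaces `ms.date: 04/19/2017` with an empty `ms.date:`, so the metadata key is committed without a value. Set it to the date of this revision, or keep the previous value, rather than leaving the key blank.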
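Review bot: In the second hunk of [PATCH 1/6], the added line puts `> [!NOTE]` and the note body on the same line, and its four links hardcode the `/en-us/` locale; both are only corrected later, in 2/6 and 3/6. Squashing those two follow-ups into this patch would let it stand on its own. On the same added line, the link text "Security Descriptor" points at a URL ending in `secauthz/audit-generation`, so confirm that is the intended target, and align the capitalization with "security descriptor" in the following sentence.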
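Review bot: In [PATCH 4/6], the rewritten note in enroll-and-configure-surface-devices-with-semm.md says SEMM "is supported on Surface Pro X via the UEFI Manager only", while the table changed in the same patch lists both SEMM and Surface UEFI Manager as "Partial" for Surface Pro X, with the remark "No option to disable hardware on Surface Pro X at the firmware level." Suggest wording the note as partial support and naming that limitation, so the two pages agree. The unchanged line just above the note also has missing spaces ("Surface Pro 7,Surface Pro X" and "information,refer") that could be fixed in the same edit.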
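Review bot: In the surface-pro-arm-app-management.md hunk of [PATCH 4/6], the added Surface UEFI Configurator row keeps the stray period in "No option to disable hardware. on Surface Pro X at the firmware level.", and that remark describes a limitation of a partly supported feature although the cell now reads "No". Either drop the remark or replace it with the reason the Configurator is unavailable. The Surface Dock Firmware Update row changes from "Yes" to "No" with an empty comment column; a short reason there would help readers. The unchanged row "Surface Enterprise management Mode (SEMM)" has a lowercase "management" that could be corrected while the table is being touched.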
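Review bot: In [PATCH 5/6], both remaining `>**Note:**` blocks are converted to `> [!NOTE]`, but 1/6 turned the "Your server might function differently" note in the same file into a plain paragraph instead; pick one treatment for the file and say in the commit message which was intended. The first converted note sits between steps 1 and 2 of the numbered verification procedure, so check the rendered page to confirm the two-line note keeps the list numbering continuous.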