mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 20:33:42 +00:00
final meta update
@ -11,6 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


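Review bot: `ms.date:08/25/2017` is missing the space after the colon. YAML only recognises `key: value`; `ms.date:08/25/2017` is parsed as one plain scalar, so the front matter gains a stray string instead of an `ms.date` field, and a strict front-matter validator will reject the file. Write it as `ms.date: 08/25/2017`, which is what the Evaluate Exploit Protection and Evaluate Network Protection hunks later in this commit already do. The same line, with the same missing space, is added in every front-matter hunk below through the Windows Defender Offline scan topic and in the Exploit Guard audit-mode, Customize and Evaluate Controlled Folder Access topics, so the fix applies to all of them, not just this file.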
@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Reference topics for management and configuration tools

@ -10,6 +10,9 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017

---

# Configure scanning options in Windows Defender AV

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Configure the cloud block timeout period

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Configure end-user interaction with Windows Defender Antivirus

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Prevent or allow users to locally modify Windows Defender AV policy settings

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Configure and validate network connections for Windows Defender Antivirus

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Configure the notifications that appear on endpoints

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Configure behavioral, heuristic, and real-time protection

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Configure Windows Defender Antivirus features

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Customize, initiate, and review the results of Windows Defender AV scans and remediation

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Deploy, manage, and report on Windows Defender Antivirus

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Deploy and enable Windows Defender Antivirus

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Detect and block Potentially Unwanted Applications

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Enable cloud-delivered protection in Windows Defender AV

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Evaluate Windows Defender Antivirus protection

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Manage event-based forced updates

@ -11,6 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Manage updates and scans for endpoints that are out of date

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Manage the schedule for when protection updates should be downloaded and applied

@ -11,6 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Manage the sources for Windows Defender Antivirus protection updates

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Manage Windows Defender Antivirus updates and apply baselines

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Manage updates for mobile devices and virtual machines (VMs)

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Prevent users from seeing or interacting with the Windows Defender AV user interface

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Report on Windows Defender Antivirus protection

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Review Windows Defender AV scan results

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Specify the cloud-delivered protection level

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Use Group Policy settings to configure and manage Windows Defender AV

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Use PowerShell cmdlets to configure and manage Windows Defender AV

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Windows Defender Antivirus in Windows 10 and Windows Server 2016

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Run and review the results of a Windows Defender Offline scan

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: iawilt
author: iaanw
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
---

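Review bot: this hunk only swaps the author fields (`ms.author: iawilt` / `author: iaanw` to `ms.author: macapara` / `author: mjcaparas`) and, unlike every other file touched by this commit, adds no `ms.date`. If the commit is a metadata pass, add `ms.date: 08/25/2017` here as well; the identical hunk in the next file has the same gap.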
@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: iawilt
author: iaanw
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
---

@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


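Review bot: the context line here is `localizationpriority: medium`, while every Windows Defender AV topic earlier in this commit uses `ms.localizationpriority: medium`. Those are two different keys, so one set of files is carrying a field the build does not read. The un-prefixed key appears in all the Exploit Guard topics below as well; since this commit is already touching each of those front-matter blocks, align the key across all of them in the same change.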
@ -20,8 +21,7 @@ ms.author: iawilt

**Applies to:**

- Windows 10 Insider Preview [!include[Prerelease information](prerelease.md)]

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]


@ -11,11 +11,22 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


# Use audit mode to evaluate Windows Defender Exploit Guard features

**Applies to:**

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators


You can enable each of the features of Windows Defender Explot Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.


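Review bot: typo in the added paragraph: `Windows Defender Explot Guard` should read `Windows Defender Exploit Guard`, matching the H1 of the same topic.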
@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Customize Attack Surface Reduction

@ -19,6 +20,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Customize Attack Surface Reduction

@ -19,6 +20,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

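Review bot: this is the second file in the commit whose context shows the H1 `# Customize Attack Surface Reduction`, and a third with the same H1 follows a few hunks further down. Three topics with an identical title collide in the table of contents and in search results; if they are distinct topics, give each its own H1 while the files are being touched.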
@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -22,6 +23,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Customize Attack Surface Reduction

@ -19,6 +20,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -22,6 +23,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---

# Customize Exploit Protection

@ -19,6 +20,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -22,6 +23,8 @@ ms.author: iawilt

- Windows 10 Insider Preview, build 16232 and later

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -21,6 +22,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -22,6 +23,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -22,6 +23,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -21,6 +22,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


@ -20,6 +21,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -30,8 +33,6 @@ ms.author: iawilt

- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management



@ -11,11 +11,28 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---


# Evaluate Controlled Folder Access

**Applies to:**

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators


**Manageability available with**

- Windows Defender Security Center app
- Group Policy
- PowerShell

Controlled Folder Access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md).


@ -11,12 +11,30 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---



# Evaluate Exploit Protection

**Applies to:**

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators


**Manageability available with**

- Windows Defender Security Center app
- Group Policy
- PowerShell


Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.


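Review bot: the added intro sentence has a stray word: `Exploit Protection applies helps protect devices from malware that use exploits` should be `Exploit Protection helps protect devices from malware that uses exploits`. Note also that this file writes `ms.date: 08/25/2017` with the space, which is the correct form that the earlier front-matter hunks in this commit should be brought in line with.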
@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---

# Evaluate Network Protection

@ -21,6 +22,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -30,7 +33,7 @@ ms.author: iawilt

- Group Policy
- PowerShell
- Configuration service providers for mobile device management


Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.

@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---


@ -22,6 +23,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -8,9 +8,12 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.date: 08/25/2017
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017

---


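Review bot: after this hunk the front matter contains `ms.date: 08/25/2017` twice, once directly after `ms.pagetype: security` and again after `ms.author: iawilt`. Duplicate mapping keys are an error in strict YAML and at best one of them silently wins; keep a single `ms.date` line. The blank line added between `ms.author: iawilt` and the closing `---` is also unnecessary and no other file in this commit has it.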
@ -21,68 +24,92 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windos Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.

**Manageability available with**
Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled.

- Group Policy
- PowerShell
- Configuration service providers for mobile device management
This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.

## Use custom views to review Windows Defender Exploit Guard features

You can create custom views in the Windows Event Viewer to only see events for specific features and settings.

The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](#), or you can copy the XML directly from this page.

### Import an existing XML custom view

1. Download the [Exploit Guard Evaluation Package](#) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views:
- Controlled Folder Access events custom view: *cfa-events.xml*
- Exploit Protection events custom view: *ep-events.xml*
- Attack Surface Reduction events custom view: *asr-events.xml*
- Network Protection events custom view: *np-events.xml*

1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.

3. On the left panel, under **Actions**, click **Import Custom View...**

![Animated GIF showing the import custom view option](images/events-import.gif)

4. Navigate to where you extracted XML file for the custom view you want and select it.

4. Click **Open**.

5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events).


### Copy the XML directly


1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.

3. On the left panel, under **Actions**, click **Create Custom View...**

![Animated GIF showing the create custom view option](images/events-create.gif)

4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.

5. Paste the XML code for the feature you want to filter events from into the XML section.

4. Click **OK**. Specify a name for your filter.

5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events).



## ASR


### XML for Attack Surface Reduction events

```xml
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel>
<EventId>1121,1122,5007</EventId>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>False</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Attack Surface Reduction view</Name>
<QueryList>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>
</QueryList>
```

## CFA
### XML for Controlled Folder Access events

```xml
<ViewerConfig><QueryConfig><QueryParams><Simple><Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel><EventId>1123,1124,5007</EventId><RelativeTimeInfo>0</RelativeTimeInfo><BySource>False</BySource></Simple></QueryParams><QueryNode><Name>Controlled Folder Access view</Name><QueryList><Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational"><Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select><Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select></Query></QueryList></QueryNode></QueryConfig></ViewerConfig>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
</Query>
</QueryList>
```

## EP
### XML for Exploit Protection events

```xml
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Security-Mitigations/KernelMode,Microsoft-Windows-Win32k/Concurrency,Microsoft-Windows-Win32k/Contention,Microsoft-Windows-Win32k/Messages,Microsoft-Windows-Win32k/Operational,Microsoft-Windows-Win32k/Power,Microsoft-Windows-Win32k/Render,Microsoft-Windows-Win32k/Tracing,Microsoft-Windows-Win32k/UIPI,System,Microsoft-Windows-Security-Mitigations/UserMode</Channel>
<EventId>1-24, 5, 260</EventId>
<Source>Microsoft-Windows-Security-Mitigations,Microsoft-Windows-WER-Diag,Microsoft-Windows-Win32k,Win32k</Source>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>True</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Exploit protection view</Name>
<QueryList>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Security-Mitigations/KernelMode">
<Select Path="Microsoft-Windows-Security-Mitigations/KernelMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Concurrency">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
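Review bot: the fenced XML in this hunk is not well-formed, which is the blocking issue. The Attack Surface Reduction block opens `<QueryList>` twice and, after `</ViewerConfig>`, closes a further `</QueryList>` that has no matching open tag; the Exploit Protection block also opens `<QueryList>` twice; and the Controlled Folder Access block is a complete single-line `<ViewerConfig>` followed by a bare `<QueryList>...</QueryList>` fragment that is not wrapped in anything. These look like the old bare `<QueryList>` views left in place when the `<ViewerConfig>` wrapper was pasted in. As written, Event Viewer's Import Custom View rejects the file and a reader who pastes the block into Edit query manually gets an XML parse error. Keep exactly one view per feature, in the shape `<Name>Attack Surface Reduction view</Name>` followed by a single `<QueryList>` and the `<Query Id="0" ...>` element, with one `</QueryList>` before `</QueryNode>` and nothing after `</ViewerConfig>`; drop the leftover fragment under CFA. Smaller points in the same hunk: `<EventId>1-24, 5, 260</EventId>` lists 5 although it is already inside 1-24; both `[Exploit Guard Evaluation Package](#)` links are placeholders that will ship as dead anchors; the two numbered procedures are numbered 1, 1, 3, 4, 4, 5 and 1, 3, 4, 5, 4, 5; and the added prose needs `Windos` changed to `Windows`, `appropraite` to `appropriate`, `day to day` to `day-to-day`, `allow you` to `allows you` (the subject is `Each`), and `where you extracted XML file` to `where you extracted the XML file`.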
@ -96,63 +123,62 @@ ms.author: iawilt
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Security-Mitigations/UserMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
<ResultsConfig>
<Columns>
<Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">255</Column>
<Column Name="Keywords" Type="System.String" Path="Event/System/Keywords">70</Column>
<Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">305</Column>
<Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name" Visible="">215</Column>
<Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID" Visible="">215</Column>
<Column Name="Task Category" Type="System.String" Path="Event/System/Task" Visible="">215</Column>
<Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column>
<Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column>
<Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column>
<Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column>
<Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column>
<Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column>
<Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column>
<Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column>
<Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column>
<Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column>
<Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column>
<Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column>
<Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column>
<Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column>
</Columns>
</ResultsConfig>
</ViewerConfig>
</QueryList>
```

## NP
### XML for Network Protection events

```xml
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel>
<EventId>1125,1126,5007</EventId>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>False</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Network Protection view</Name>
<QueryList>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>
</QueryList>

```



## List of all Windows Defender Exploit Guard events


All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.

Feature | Provider/source | Event ID | Description
-|-|:-:|-
Exploit Protection | Security-Mitigations | 1 | ACG audit
Exploit Protection | Security-Mitigations | 2 | ACG enforce
Exploit Protection | Security-Mitigations | 3 | Do not allow child processes audit
Exploit Protection | Security-Mitigations | 4 | Do not allow child processes block
Exploit Protection | Security-Mitigations | 5 | Block low integrity images audit
Exploit Protection | Security-Mitigations | 6 | Block low integrity images block
Exploit Protection | Security-Mitigations | 7 | Block remote images audit
Exploit Protection | Security-Mitigations | 8 | Block remote images block
Exploit Protection | Security-Mitigations | 9 | Disable win32k system calls audit
Exploit Protection | Security-Mitigations | 10 | Disable win32k system calls block
Exploit Protection | Security-Mitigations | 11 | Code integrity guard audit
Exploit Protection | Security-Mitigations | 12 | Code integrity guard block
Exploit Protection | Security-Mitigations | 13 | EAF audit
Exploit Protection | Security-Mitigations | 14 | EAF enforce
Exploit Protection | Security-Mitigations | 15 | EAF+ audit
Exploit Protection | Security-Mitigations | 16 | EAF+ enforce
Exploit Protection | Security-Mitigations | 17 | IAF audit
Exploit Protection | Security-Mitigations | 18 | IAF enforce
|
||||
Exploit Protection | Security-Mitigations | 19 | ROP StackPivot audit
|
||||
Exploit Protection | Security-Mitigations | 20 | ROP StackPivot enforce
|
||||
Exploit Protection | Security-Mitigations | 21 | ROP CallerCheck audit
|
||||
Exploit Protection | Security-Mitigations | 22 | ROP CallerCheck enforce
|
||||
Exploit Protection | Security-Mitigations | 23 | ROP SimExec audit
|
||||
Exploit Protection | Security-Mitigations | 24 | ROP SimExec enforce
|
||||
Exploit Protection | WER-Diagnostics | 5 | CFG Block
|
||||
Exploit Protection | Win32K | 260 | Untrusted Font
|
||||
Network Protection | Windows Defender | 5007 | Event when settings are changed
|
||||
Network Protection | Windows Defender | 1125 | Event when Network Protection fires in Audit-mode
|
||||
Network Protection | Windows Defender | 1126 | Event when Network Protection fires in Block-mode
|
||||
Controlled Folder Access | Windows Defender | 5007 | Event when settings are changed
|
||||
Controlled Folder Access | Windows Defender | 1124 | Audited Controlled Folder Access event
|
||||
Controlled Folder Access | Windows Defender | 1123 | Blocked Controlled Folder Access event
|
||||
Attack Surface Reduction | Windows Defender | 5007 | Event when settings are changed
|
||||
Attack Surface Reduction | Windows Defender | 1122 | Event when rule fires in Audit-mode
|
||||
Attack Surface Reduction | Windows Defender | 1121 | Event when rule fires in Block-mode
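Review bot: the custom-view XML in this file is not well-formed, so Event Viewer's Import Custom View will reject it rather than create the view. The view whose columns end above closes `</ViewerConfig>` and then has a stray `</QueryList>`, and the Network Protection view opens `<QueryList>` twice and again emits `</QueryList>` after `</ViewerConfig>`. Drop the duplicate `<QueryList>` and the trailing `</QueryList>` in each block so the nesting is `<QueryNode> ... <QueryList><Query ...> ... </Query></QueryList></QueryNode></QueryConfig> ... </ViewerConfig>`, which is the shape Event Viewer itself exports. The `## NP` heading is also the only place the feature is abbreviated; spelling it out as `## Network Protection` would match the `### XML for Network Protection events` subheading and the Feature column of the table.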
@ -10,6 +10,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---


@ -21,6 +22,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators
Binary file not shown.
After Width: | Height: | Size: 72 KiB |
Binary file not shown.
After Width: | Height: | Size: 1.6 MiB |
Binary file not shown.
After Width: | Height: | Size: 1.6 MiB |
@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---


@ -22,6 +23,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date:08/25/2017
---
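Review bot: `ms.date:08/25/2017` in this hunk has no space after the colon, so YAML does not read it as a key/value pair; depending on the parser the date is silently dropped or the whole front matter fails to load. The other hunks in this commit write `ms.date: 08/25/2017`, so use that form here. While this block is being touched, `localizationpriority: medium` lacks the `ms.` prefix that the final hunk uses (`ms.localizationpriority: medium`); aligning the key name across the files would keep the metadata consistent.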


@ -21,6 +22,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -1 +1,2 @@
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
> [!IMPORTANT]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
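Review bot: replacing the inline-styled `<span>` with a `> [!IMPORTANT]` alert is the right change, but the rewrite also drops the comma and the hyphen from the notice: `pre-released product, which may be substantially modified` becomes `prereleased product which may be substantially modified`. Keep the comma (the clause is explanatory, not restrictive) and settle on one spelling of pre-released/prereleased, since this file is now included into several topics and the wording is copied into each of them.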
@ -11,6 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---


@ -22,6 +23,8 @@ ms.author: iawilt

- Windows 10 Insider Preview

[!include[Prerelease information](prerelease.md)]

**Audience**

- Enterprise security administrators

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
