Merge branch 'master' into public

windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md

@@ -14,7 +14,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/22/2019
+ms.date: 04/26/2019
 ---
 
 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@@ -480,6 +480,8 @@ After you've decided where your protected apps can access enterprise data on you
         
         - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions.
 
+    - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information, see [Choose to set up Azure Rights Management with WIP](create-wip-policy-using-intune-azure.md#choose-to-set-up-azure-rights-management-with-wip).
+
 2. After you pick all of the settings you want to include, click **Summary**.
 
 ## Review your configuration choices in the Summary screen

windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 09/03/2018
+ms.date: 04/26/2019
 ---
 
 # Enable block at first sight
@@ -68,6 +68,23 @@ For more information about configuring Windows Defender Antivirus device restric
 
 For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus).
 
+### Enable block at first sight with SCCM
+
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**.
+1. Click **Home** > **Create Antimalware Policy**.
+1. Enter a name and a description, and add these settings:
+   - **Real time protection**
+   - **Advanced**
+   - **Cloud Protection Service**
+1. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
+   ![Enable real-time protection](images/defender/wdav-protection-settings-wdsc.png)
+1. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
+   ![Enable Advanced settings](images/defender/sccm-advanced-settings.png)
+1. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.
+   ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png)
+1. Click **OK** to create the policy.
+
+
 ### Confirm block at first sight is enabled with Group Policy
 
 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 12/19/2018
+ms.date: 04/26/2019
 ---
 
 # Customize attack surface reduction rules
@@ -35,7 +35,7 @@ This could potentially allow unsafe files to run and infect your devices.
 >[!WARNING]
 >Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
 > 
->If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules).
+>If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
 
 You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions.
 

windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md

@@ -11,14 +11,31 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
+ms.date: 04/26/2019
 ---
 
 # Enable attack surface reduction rules
 
 [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. 
 
+Each ASR rule contains three settings:
+
+* Not configured: Disable the ASR rule
+* Block: Enable the ASR rule
+* Audit: Evaluate how the ASR rule would impact your organization if enabled
+
 To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
 
+You can enable attack surface reduction rules by using any of the these methods:
+
+- [Microsoft Intune](#intune) 
+- [Mobile Device Management (MDM)](#mdm)
+- [System Center Configuration Manager (SCCM)](#sccm)
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)
+
+Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
+
 ## Exclude files and folders from ASR rules
 
 You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
@@ -26,7 +43,7 @@ You can exclude files and folders from being evaluated by most attack surface re
 >[!WARNING]
 >Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
 > 
->If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules).
+>If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
 
 >[!IMPORTANT]
 >File and folder exclusions do not apply to the following ASR rules:
@@ -36,31 +53,11 @@ You can exclude files and folders from being evaluated by most attack surface re
 
 You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to.
 
->[!IMPORTANT] 
->The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. 
-
 ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
 
 The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
 
-## Enable and audit attack surface reduction rules
+## Intune
-
-It's best to use an enterprise-level management platform like Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or third-party mobile device management (MDM) CSPs.
-
->[!WARNING]
->If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy or PowerShell settings on startup.
-
-For a complete list of ASR rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md).
-
-Each ASR rule contains three settings:
-
-* Not configured: Disable the ASR rule
-* Block: Enable the ASR rule
-* Audit: Evaluate how the ASR rule would impact your organization if enabled
-
-For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md).
-
-### Intune
 
 1. In Intune, select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
 
@@ -72,7 +69,7 @@ For further details on how audit mode works and when to use it, see [Audit Windo
 
 4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
 
-### SCCM
+## SCCM
 
 1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
 1. Click **Home** > **Create Exploit Guard Policy**.
@@ -81,7 +78,7 @@ For further details on how audit mode works and when to use it, see [Audit Windo
 1. Review the settings and click **Next** to create the policy.
 1. After the policy is created, click **Close**. 
 
-### Group Policy
+## Group Policy
 
 >[!WARNING]
 >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
@@ -102,7 +99,7 @@ For further details on how audit mode works and when to use it, see [Audit Windo
 
 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. 
  
-### PowerShell
+## PowerShell
 
 >[!WARNING]
 >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
@@ -153,7 +150,7 @@ For further details on how audit mode works and when to use it, see [Audit Windo
 	>[!IMPORTANT]
 	>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
 
-### MDM
+## MDM
 
 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.