From 0e4ce05d012416e2daf174d4cb461397a1f956b8 Mon Sep 17 00:00:00 2001
From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com>
Date: Fri, 6 Nov 2020 15:18:45 +0100
Subject: [PATCH] Update enable-exploit-protection.md
Audit of mitigations is not always available via PS but is with other management options
---
.../enable-exploit-protection.md | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
index 2d44c8da7d..373ad6ff74 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@@ -210,7 +210,7 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP
This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
-- | - | - | -
+-|-|-|-
Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available
Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available
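Review bot: The separator-row change from `-- | - | - | -` to `-|-|-|-` is unrelated to the audit footnote that the commit message describes, and the message does not mention it. Either drop it from this patch or state the reason in the message. If the goal is to fix table rendering, consider at least three hyphens per cell (`---|---|---|---`), which Markdown table parsers accept most consistently.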
@@ -225,20 +225,20 @@ Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreS
Disable extension points | App-level only | ExtensionPoint | Audit not available
Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
-Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available
-Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available
-Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available
-Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available
+Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\]
+Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\]
+Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\]
+Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\]
Validate handle usage | App-level only | StrictHandle | Audit not available
Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
-Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available
+Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\]
\[1\]: Use the following format to enable EAF modules for DLLs for a process:
```PowerShell
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
```
-
+\[2\]: Audit for this mitigation is not available via Powershell CmdLet.
## Customize the notification
See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
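Review bot: The new `\[2\]` footnote says only that audit is "not available via Powershell CmdLet", while the commit message says audit is available with other management options. The footnote should name or link those options, otherwise a reader of the five marked rows (EAF, IAF, SimExec, CallerCheck, StackPivot) still cannot tell where audit mode can be turned on. The cell text `Audit not available\[2\]` also still reads as a flat "not available" under the "Audit mode cmdlet" header; wording such as "Not available via PowerShell \[2\]" would make the limitation clear without the reader having to follow the footnote. Use "PowerShell cmdlets" in the footnote to match the capitalisation in the table header.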