From 617d5de8721a1770dc4f680f9a89a914c7086b51 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 28 Aug 2020 12:47:35 -0700 Subject: [PATCH 1/5] Update evaluate-exploit-protection.md --- .../evaluate-exploit-protection.md | 30 ++++++++----------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md index dabee673ee..1946579864 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 10/21/2019 +ms.date: 08/28/2020 ms.reviewer: manager: dansimp --- @@ -22,7 +22,7 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](emet-exploit-protection.md) are included in exploit protection. +[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.) This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur. @@ -72,12 +72,12 @@ Where: |Mitigation | Audit mode cmdlet | |---|---| - |Arbitrary code guard (ACG) | AuditDynamicCode | - |Block low integrity images | AuditImageLoad - |Block untrusted fonts | AuditFont, FontAuditOnly | - |Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned | - |Disable Win32k system calls | AuditSystemCall | - |Do not allow child processes | AuditChildProcess | + |Arbitrary code guard (ACG) | `AuditDynamicCode` | + |Block low integrity images | `AuditImageLoad` + |Block untrusted fonts | `AuditFont`, `FontAuditOnly` | + |Code integrity guard | `AuditMicrosoftSigned`, `AuditStoreSigned` | + |Disable Win32k system calls | `AuditSystemCall` | + |Do not allow child processes | `AuditChildProcess` | For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: @@ -100,13 +100,9 @@ To review which apps would have been blocked, open Event Viewer and filter for t |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit | |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit | -## Related topics +## See also -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) -* [Enable exploit protection](enable-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) -* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) -* [Enable network protection](enable-network-protection.md) -* [Enable controlled folder access](enable-controlled-folders.md) -* [Enable attack surface reduction](enable-attack-surface-reduction.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) From d3f280fd0b6f71a26843e12faf97aae7ee744d8b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 28 Aug 2020 13:01:43 -0700 Subject: [PATCH 2/5] Update exploit-protection.md --- .../exploit-protection.md | 116 +++++++++--------- 1 file changed, 57 insertions(+), 59 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index 49d1fcd691..b330f4798b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -36,10 +36,10 @@ When a mitigation is encountered on the device, a notification will be displayed You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled. -Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. +Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. In fact, you can convert and import existing your EMET configuration profiles into exploit protection. To learn more, see [Import, export, and deploy exploit protection configurations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml). > [!IMPORTANT] -> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. +> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). Consider replacing EMET with exploit protection in Windows 10. > [!WARNING] > Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network. @@ -61,34 +61,34 @@ DeviceEvents You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: -Provider/source | Event ID | Description --|-|- -Security-Mitigations | 1 | ACG audit -Security-Mitigations | 2 | ACG enforce -Security-Mitigations | 3 | Do not allow child processes audit -Security-Mitigations | 4 | Do not allow child processes block -Security-Mitigations | 5 | Block low integrity images audit -Security-Mitigations | 6 | Block low integrity images block -Security-Mitigations | 7 | Block remote images audit -Security-Mitigations | 8 | Block remote images block -Security-Mitigations | 9 | Disable win32k system calls audit -Security-Mitigations | 10 | Disable win32k system calls block -Security-Mitigations | 11 | Code integrity guard audit -Security-Mitigations | 12 | Code integrity guard block -Security-Mitigations | 13 | EAF audit -Security-Mitigations | 14 | EAF enforce -Security-Mitigations | 15 | EAF+ audit -Security-Mitigations | 16 | EAF+ enforce -Security-Mitigations | 17 | IAF audit -Security-Mitigations | 18 | IAF enforce -Security-Mitigations | 19 | ROP StackPivot audit -Security-Mitigations | 20 | ROP StackPivot enforce -Security-Mitigations | 21 | ROP CallerCheck audit -Security-Mitigations | 22 | ROP CallerCheck enforce -Security-Mitigations | 23 | ROP SimExec audit -Security-Mitigations | 24 | ROP SimExec enforce -WER-Diagnostics | 5 | CFG Block -Win32K | 260 | Untrusted Font +|Provider/source | Event ID | Description| +|---|---|---| +|Security-Mitigations | 1 | ACG audit | +|Security-Mitigations | 2 | ACG enforce | +|Security-Mitigations | 3 | Do not allow child processes audit | +|Security-Mitigations | 4 | Do not allow child processes block | +|Security-Mitigations | 5 | Block low integrity images audit | +|Security-Mitigations | 6 | Block low integrity images block | +|Security-Mitigations | 7 | Block remote images audit | +|Security-Mitigations | 8 | Block remote images block | +|Security-Mitigations | 9 | Disable win32k system calls audit | +|Security-Mitigations | 10 | Disable win32k system calls block | +|Security-Mitigations | 11 | Code integrity guard audit | +|Security-Mitigations | 12 | Code integrity guard block | +|Security-Mitigations | 13 | EAF audit | +|Security-Mitigations | 14 | EAF enforce | +|Security-Mitigations | 15 | EAF+ audit | +|Security-Mitigations | 16 | EAF+ enforce | +|Security-Mitigations | 17 | IAF audit | +|Security-Mitigations | 18 | IAF enforce | +|Security-Mitigations | 19 | ROP StackPivot audit | +|Security-Mitigations | 20 | ROP StackPivot enforce | +|Security-Mitigations | 21 | ROP CallerCheck audit | +|Security-Mitigations | 22 | ROP CallerCheck enforce | +|Security-Mitigations | 23 | ROP SimExec audit | +|Security-Mitigations | 24 | ROP SimExec enforce | +|WER-Diagnostics | 5 | CFG Block | +|Win32K | 260 | Untrusted Font | ## Mitigation comparison @@ -96,38 +96,36 @@ The mitigations available in EMET are included natively in Windows 10 (starting The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. -Mitigation | Available under Exploit protection | Available in EMET --|-|- -Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Memory Protection Check" -Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] -Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)] -Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] -Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] -Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +|Mitigation | Available under exploit protection | Available in EMET | +|---|---|---| +|Arbitrary code guard (ACG) | yes | yes
As "Memory Protection Check" | +|Block remote images | yes | yes
As "Load Library Check" | +|Block untrusted fonts | yes | yes | +|Data Execution Prevention (DEP) | yes | yes | +|Export address filtering (EAF) | yes | yes | +|Force randomization for images (Mandatory ASLR) | yes | yes | +|NullPage Security Mitigation | yes
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes | +|Randomize memory allocations (Bottom-Up ASLR) | yes | yes | +|Simulate execution (SimExec) | yes | yes | +|Validate API invocation (CallerCheck) | yes | yes | +|Validate exception chains (SEHOP) | yes | yes | +|Validate stack integrity (StackPivot) | yes | yes | +|Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | yes | +|Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes | +|Block low integrity images | yes | no | +|Code integrity guard | yes | no | +|Disable extension points | yes | no | +|Disable Win32k system calls | yes | no | +|Do not allow child processes | yes | no | +|Import address filtering (IAF) | yes | no | +|Validate handle usage | yes | no | +|Validate heap integrity | yes | no | +|Validate image dependency integrity | yes | no | > [!NOTE] -> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. -> -> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. +> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. -## Related articles +## See also - [Protect devices from exploits](exploit-protection.md) - [Evaluate exploit protection](evaluate-exploit-protection.md) From 14cacc4c14fd7328a18bdc75db93ef3b6d61b1ab Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 28 Aug 2020 13:03:55 -0700 Subject: [PATCH 3/5] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index aaf6321d69..72163a76f0 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -857,12 +857,12 @@ }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection", "redirect_document_id": true }, { "source_path": "windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-exploit-guard", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection", "redirect_document_id": true }, { From 287a6d7ddacab17a7ec8f4e0109a95246bf64328 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 28 Aug 2020 13:05:16 -0700 Subject: [PATCH 4/5] EMET link fixes --- .../customize-exploit-protection.md | 1 - .../enable-exploit-protection.md | 1 - .../import-export-exploit-protection-emet-xml.md | 10 +++++----- .../troubleshoot-exploit-protection-mitigations.md | 1 - 4 files changed, 5 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 55552af86b..644ad754c1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -252,7 +252,6 @@ For more information about customizing the notification when a rule is triggered ## See also * [Protect devices from exploits](exploit-protection.md) -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Enable exploit protection](enable-exploit-protection.md) * [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index c611445181..74c12b3f99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -242,7 +242,6 @@ See the [Windows Security](../windows-defender-security-center/windows-defender- ## Related topics -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md) * [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index 322278414a..0901c27e53 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md @@ -122,9 +122,9 @@ You can use Group Policy to deploy the configuration you've created to multiple 6. Select **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy). -## Related topics +## See also -* [Protect devices from exploits](exploit-protection.md) -* [Evaluate exploit protection](evaluate-exploit-protection.md) -* [Enable exploit protection](enable-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Protect devices from exploits](exploit-protection.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md index 24dcaab4dd..05cd741da3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md @@ -196,7 +196,6 @@ If you haven’t already, it's a good idea to download and use the [Windows Secu ## Related topics * [Protect devices from exploits](exploit-protection.md) -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Enable exploit protection](enable-exploit-protection.md) * [Configure and audit exploit protection mitigations](customize-exploit-protection.md) From b1d90941cf0b8ca760ea220adf1ab7b17dfa40a7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 28 Aug 2020 13:08:16 -0700 Subject: [PATCH 5/5] Update import-export-exploit-protection-emet-xml.md --- .../import-export-exploit-protection-emet-xml.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index 0901c27e53..3e4e0b9f14 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md @@ -64,7 +64,7 @@ When you've configured exploit protection to your desired state (including both Example command: - **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml** + `Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml` > [!IMPORTANT] > When you deploy the configuration using Group Policy, all devices that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. @@ -88,7 +88,7 @@ After importing, the settings will be instantly applied and can be reviewed in t Example command: - **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml** + `Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml` > [!IMPORTANT] > @@ -115,10 +115,10 @@ You can use Group Policy to deploy the configuration you've created to multiple 5. In the **Options:** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples: - * C:\MitigationSettings\Config.XML - * \\\Server\Share\Config.xml - * https://localhost:8080/Config.xml - * C:\ExploitConfigfile.xml + * `C:\MitigationSettings\Config.XML` + * `\\Server\Share\Config.xml` + * `https://localhost:8080/Config.xml` + * `C:\ExploitConfigfile.xml` 6. Select **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy).