deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into wip-mdm-update

Browse Source
This commit is contained in:
Justin Hall 2019-04-29 15:21:21 -07:00 committed by GitHub
commit 418b10b98c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: andreabichsel author: andreabichsel
ms.author: v-anbic ms.author: v-anbic
ms.date: 04/26/2019 ms.date: 04/29/2019
--- ---
# Enable block at first sight # Enable block at first sight
@ -77,7 +77,7 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev
- **Advanced** - **Advanced**
- **Cloud Protection Service** - **Cloud Protection Service**
1. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. 1. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
![Enable real-time protection](images/defender/wdav-protection-settings-wdsc.png) ![Enable real-time protection](images/defender/sccm-real-time-protection.png)
1. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. 1. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
![Enable Advanced settings](images/defender/sccm-advanced-settings.png) ![Enable Advanced settings](images/defender/sccm-advanced-settings.png)
1. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. 1. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.

57
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: andreabichsel author: andreabichsel
ms.author: v-anbic ms.author: v-anbic
ms.date: 04/26/2019 ms.date: 04/29/2019
--- ---
# Enable attack surface reduction rules # Enable attack surface reduction rules
@ -65,10 +65,37 @@ The following procedures for enabling ASR rules include instructions for how to
3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: 3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
*C:\folder*, *%ProgramFiles%\folder\file*, *path* *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path*
4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. 4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
## MDM
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules).
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
The values to enable, disable, or enable in audit mode are:
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
Example:
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
Value: c:\path|e:\path|c:\Whitelisted.exe
>[!NOTE]
>Be sure to enter OMA-URI values without spaces.
## SCCM ## SCCM
1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. 1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
@ -150,32 +177,6 @@ The following procedures for enabling ASR rules include instructions for how to
>[!IMPORTANT] >[!IMPORTANT]
>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
## MDM
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules).
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
The values to enable, disable, or enable in audit mode are:
- Disable = 0
- Block (enable ASR rule) = 1
- Audit = 2
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
Example:
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
Value: c:\path|e:\path|c:\Whitelisted.exe
>[!NOTE]
>Be sure to enter OMA-URI values without spaces.
## Related topics ## Related topics

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: andreabichsel author: andreabichsel
ms.author: v-anbic ms.author: v-anbic
ms.date: 04/22/2019 ms.date: 04/29/2019
--- ---
# Enable controlled folder access # Enable controlled folder access
@ -75,6 +75,8 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
1. Click **Home** > **Create Exploit Guard Policy**. 1. Click **Home** > **Create Exploit Guard Policy**.
1. Enter a name and a description, click **Controlled folder access**, and click **Next**. 1. Enter a name and a description, click **Controlled folder access**, and click **Next**.
1. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. 1. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
>[!NOTE]
>Wilcard is supported for applications, but not for folders. Subfolders are not protected.
1. Review the settings and click **Next** to create the policy. 1. Review the settings and click **Next** to create the policy.
1. After the policy is created, click **Close**. 1. After the policy is created, click **Close**.