added images

windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md

@@ -14,7 +14,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/05/2019
+ms.date: 04/22/2019
 ---
 
 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@@ -462,15 +462,6 @@ After you've decided where your protected apps can access enterprise data on you
 **To set your optional settings**
 1.	Choose to set any or all of the optional settings:
 
-    - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
-    
-        - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. 
-	
-        - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
-
-        >[!IMPORTANT]
-        >The **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box** option is only available for Configuration Manager versions 1610 and below.
-
     - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
 	
         - **Yes (recommended).** Turns on the feature and provides the additional protection.

windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md

@@ -60,7 +60,7 @@ Each ASR rule contains three settings:
 
 For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md).
 
-### Enable ASR rules in Intune
+### Intune
 
 1. In Intune, select *Device configuration* > *Profiles*. Choose an existing endpoint protection profile or create a new one. To create a new one, select *Create profile* and enter information for this profile. For *Profile type*, select *Endpoint protection*. If you've chosen an existing profile, select *Properties* and then select *Settings*.
 
@@ -72,11 +72,20 @@ For further details on how audit mode works and when to use it, see [Audit Windo
 
 4. Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one.
 
-### Enable ASR rules in SCCM
+### SCCM
 
-For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy).
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+   ![Windows Defender Exploit Guard](images/wdeg.png)
+1. Click **Home** > **Create Exploit Guard Policy**.
+   ![Create Exploit Guard Policy](images/create-exploit-guard-policy.md)
+1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
+   ![ASR rules](images/sccm-asr-rules.png)
+1. Choose which rules will block or audit actions and click **Next**.
+   ![ASR blocks](images/sccm-asr-blocks.png)
+1. Review the settings and click **Next** to create the policy.
+1. After the policy is created, click **Close**. 
 
-### Enable ASR rules with Group Policy
+### Group Policy
 
 >[!WARNING]
 >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
@@ -97,7 +106,7 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr
 
 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. 
  
-### Enable ASR rules with PowerShell
+### PowerShell
 
 >[!WARNING]
 >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
@@ -148,7 +157,7 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr
 	>[!IMPORTANT]
 	>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
 
-### Enable ASR rules with MDM CSPs
+### MDM
 
 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
 

windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 03/29/2019
+ms.date: 04/22/2019
 ---
 
 # Enable controlled folder access
@@ -24,11 +24,12 @@ ms.date: 03/29/2019
 
 You can enable controlled folder access by using any of the these methods:
 
-- Windows Security app
+- [Windows Security app](#windows-security-app)
-- Intune 
+- [Microsoft Intune](#intune) 
-- MDM
+- [Mobile Device Management (MDM)](#mdm)
-- Group Policy
+- [System Center Configuration Manager (SCCM)](#sccm)
-- PowerShell cmdlets
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)
 
  Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
 
@@ -67,6 +68,19 @@ You can enable controlled folder access by using any of the these methods:
 
 Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. 
 
+## SCCM
+
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+   ![Windows Defender Exploit Guard](images/wdeg.png)
+1. Click **Home** > **Create Exploit Guard Policy**.
+   ![Create Exploit Guard Policy](images/create-exploit-guard-policy.md)
+1. Enter a name and a description, click **Controlled folder access**, and click **Next**.
+   ![CFA](images/sccm-cfa.png)
+1. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
+   ![CFA block](images/sccm-cfa-block.png)
+1. Review the settings and click **Next** to create the policy.
+1. After the policy is created, click **Close**. 
+
 ## Group Policy
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 03/29/2019
+ms.date: 04/22/2019
 ---
 
 # Enable exploit protection
@@ -28,11 +28,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
 
 You can enable each mitigation separately by using any of the these methods:
 
-- Windows Security app
+- [Windows Security app](#windows-security-app)
-- Intune 
+- [Microsoft Intune](#intune) 
-- MDM
+- [Mobile Device Management (MDM)](#mdm)
-- Group Policy
+- [System Center Configuration Manager (SCCM)](#sccm)
-- PowerShell cmdlets
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)
 
 They are configured by default in Windows 10. 
 
@@ -124,6 +125,19 @@ CFG will be enabled for *miles.exe*.
 
 Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode.
 
+## SCCM
+
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+   ![Windows Defender Exploit Guard](images/wdeg.png)
+1. Click **Home** > **Create Exploit Guard Policy**.
+   ![Create Exploit Guard Policy](images/create-exploit-guard-policy.md)
+1. Enter a name and a description, click **Exploit protection**, and click **Next**.
+   ![EP](images/sccm-ep.png)
+1. Browse to the location of the exploit protection XML file and click **Next**.
+   ![ASR blocks](images/sccm-ep-xml.png)
+1. Review the settings and click **Next** to create the policy.
+1. After the policy is created, click **Close**. 
+
 ## Group Policy
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -231,15 +245,6 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu
 See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 
 
-
-
-
-
-
-
-
-
-
 ## Related topics
 
 - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)

windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/01/2019
+ms.date: 04/22/2019
 ---
 
 # Enable network protection
@@ -24,11 +24,11 @@ ms.date: 04/01/2019
 You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.  
 You can enable network protection by using any of the these methods:
 
-- Intune 
+- [Microsoft Intune](#intune) 
-- MDM
+- [Mobile Device Management (MDM)](#mdm)
-- Group Policy
+- [System Center Configuration Manager (SCCM)](#sccm)
-- PowerShell cmdlets
+- [Group Policy](#group-policy)
-- Registry
+- [PowerShell](#powershell)
 
 ## Intune
 
@@ -45,9 +45,22 @@ You can enable network protection by using any of the these methods:
 
 Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
 
+## SCCM
+
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+   ![Windows Defender Exploit Guard](images/wdeg.png)
+1. Click **Home** > **Create Exploit Guard Policy**.
+   ![Create Exploit Guard Policy](images/create-exploit-guard-policy.md)
+1. Enter a name and a description, click **Network protection**, and click **Next**.
+   ![ASR rules](images/sccm-np.png)
+1. Choose whether to block or audit access to suspicious domains and click **Next**.
+   ![ASR blocks](images/sccm-np-block.png)
+1. Review the settings and click **Next** to create the policy.
+1. After the policy is created, click **Close**. 
+
 ## Group Policy 
 
-You can use the following procedure to enable network protection on a standalone computer or for domain-joined computers.
+You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. 
 
 1.  On a standalone computer, click **Start**, type and then click **Edit group policy**.
 
@@ -93,9 +106,6 @@ Set-MpPreference -EnableNetworkProtection AuditMode
 
 Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
 
-## 
-
-Network protection can't be turned on using the Windows Security app, but you can enable it by 
 
 ## Related topics