mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 12:23:37 +00:00
fixing image links
This commit is contained in:
martyav
@ -78,7 +78,7 @@ You can use the Windows Security app or Group Policy to add and remove additiona
|
|||||||
|
|
||||||
Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app.
|
Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
|
> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
|
||||||
@ -109,7 +109,7 @@ An allowed application or service only has write access to a controlled folder a
|
|||||||
|
|
||||||
4. Click **Add an allowed app** and follow the prompts to add apps.
|
4. Click **Add an allowed app** and follow the prompts to add apps.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Use Group Policy to allow specific apps
|
### Use Group Policy to allow specific apps
|
||||||
|
|
||||||
@ -138,7 +138,7 @@ An allowed application or service only has write access to a controlled folder a
|
|||||||
|
|
||||||
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app.
|
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
|
> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
|
||||||
|
|||||||
@ -48,27 +48,27 @@ For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r
|
|||||||
|
|
||||||
Mitigation | Description | Can be applied to | Audit mode available
|
Mitigation | Description | Can be applied to | Audit mode available
|
||||||
-|-|-|-
|
-|-|-|-
|
||||||
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
|
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
|
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
|
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
|
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
|
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
|
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
|
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
|
> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
|
||||||
@ -76,10 +76,10 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
|
|||||||
>
|
>
|
||||||
> Enabled in **Program settings** | Enabled in **System settings** | Behavior
|
> Enabled in **Program settings** | Enabled in **System settings** | Behavior
|
||||||
> -|-|-
|
> -|-|-
|
||||||
> [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
|
> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
|
||||||
> [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
|
> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
|
||||||
> [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
|
> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
|
||||||
> [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option
|
> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
|
||||||
>
|
>
|
||||||
>
|
>
|
||||||
>
|
>
|
||||||
|
|||||||
@ -49,29 +49,29 @@ The table in this section indicates the availability and support of native mitig
|
|||||||
|
|
||||||
Mitigation | Available in Windows Defender | Available in EMET
|
Mitigation | Available in Windows Defender | Available in EMET
|
||||||
-|-|-
|
-|-|-
|
||||||
Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]<br />As "Memory Protection Check"
|
Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />As "Memory Protection Check"
|
||||||
Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]<br/>As "Load Library Check"
|
Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br/>As "Load Library Check"
|
||||||
Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Included natively in Windows 10<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)]
|
NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />Included natively in Windows 10<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process.
|
> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process.
|
||||||
|
|||||||
@ -127,7 +127,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
|
|||||||
* Block (enable ASR rule) = 1
|
* Block (enable ASR rule) = 1
|
||||||
* Audit = 2
|
* Audit = 2
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
|
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
|
||||||
|
|
||||||
|
|||||||
@ -60,11 +60,11 @@ For more information about disabling local list merging, see [Prevent or allow u
|
|||||||
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
|
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
|
||||||
1. Click **Device configuration** > **Profiles** > **Create profile**.
|
1. Click **Device configuration** > **Profiles** > **Create profile**.
|
||||||
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
|
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
|
||||||
|
|
||||||
1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
|
1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
|
||||||
1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
|
1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
|
> Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
|
||||||
@ -100,7 +100,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
|
|||||||
* **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
|
* **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
|
||||||
* **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
|
* **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
|
> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
|
||||||
|
|||||||
@ -73,10 +73,10 @@ If you add an app to the **Program settings** section and configure individual m
|
|||||||
|
|
||||||
Enabled in **Program settings** | Enabled in **System settings** | Behavior
|
Enabled in **Program settings** | Enabled in **System settings** | Behavior
|
||||||
-|-|-
|
-|-|-
|
||||||
[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
|
[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
|
||||||
[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
|
[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
|
||||||
[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
|
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
|
||||||
[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option
|
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
|
||||||
|
|
||||||
**Example 1**
|
**Example 1**
|
||||||
|
|
||||||
@ -117,10 +117,10 @@ CFG will be enabled for *miles.exe*.
|
|||||||
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
|
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
|
||||||
1. Click **Device configuration** > **Profiles** > **Create profile**.
|
1. Click **Device configuration** > **Profiles** > **Create profile**.
|
||||||
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
|
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
|
||||||
|
|
||||||
1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
|
1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
|
||||||
1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
|
1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
|
||||||
|
|
||||||
1. Click **OK** to save each open blade and click **Create**.
|
1. Click **OK** to save each open blade and click **Create**.
|
||||||
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
|
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
|
||||||
|
|
||||||
|
|||||||
@ -61,7 +61,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
|
|||||||
3. Double-click **Turn on Virtualization Based Security**.
|
3. Double-click **Turn on Virtualization Based Security**.
|
||||||
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
|
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
5. Click **Ok** to close the editor.
|
5. Click **Ok** to close the editor.
|
||||||
|
|
||||||
@ -191,16 +191,16 @@ The output of this command provides details of the available hardware-based secu
|
|||||||
|
|
||||||
This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.
|
This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.
|
||||||
|
|
||||||
| Value | Description |
|
Value | Description
|
||||||
|--------|-------------|
|
-|-
|
||||||
| **0.** | If present, no relevant properties exist on the device. |
|
**0.** | If present, no relevant properties exist on the device.
|
||||||
| **1.** | If present, hypervisor support is available. |
|
**1.** | If present, hypervisor support is available.
|
||||||
| **2.** | If present, Secure Boot is available. |
|
**2.** | If present, Secure Boot is available.
|
||||||
| **3.** | If present, DMA protection is available. |
|
**3.** | If present, DMA protection is available.
|
||||||
| **4.** | If present, Secure Memory Overwrite is available. |
|
**4.** | If present, Secure Memory Overwrite is available.
|
||||||
| **5.** | If present, NX protections are available. |
|
**5.** | If present, NX protections are available.
|
||||||
| **6.** | If present, SMM mitigations are available. |
|
**6.** | If present, SMM mitigations are available.
|
||||||
| **7.** | If present, Mode Based Execution Control is available. |
|
**7.** | If present, Mode Based Execution Control is available.
|
||||||
|
|
||||||
|
|
||||||
#### InstanceIdentifier
|
#### InstanceIdentifier
|
||||||
@ -211,38 +211,38 @@ A string that is unique to a particular device. Valid values are determined by W
|
|||||||
|
|
||||||
This field describes the required security properties to enable virtualization-based security.
|
This field describes the required security properties to enable virtualization-based security.
|
||||||
|
|
||||||
| Value | Description |
|
Value | Description
|
||||||
|--------|-------------|
|
-|-
|
||||||
| **0.** | Nothing is required. |
|
**0.** | Nothing is required.
|
||||||
| **1.** | If present, hypervisor support is needed. |
|
**1.** | If present, hypervisor support is needed.
|
||||||
| **2.** | If present, Secure Boot is needed. |
|
**2.** | If present, Secure Boot is needed.
|
||||||
| **3.** | If present, DMA protection is needed. |
|
**3.** | If present, DMA protection is needed.
|
||||||
| **4.** | If present, Secure Memory Overwrite is needed. |
|
**4.** | If present, Secure Memory Overwrite is needed.
|
||||||
| **5.** | If present, NX protections are needed. |
|
**5.** | If present, NX protections are needed.
|
||||||
| **6.** | If present, SMM mitigations are needed. |
|
**6.** | If present, SMM mitigations are needed.
|
||||||
| **7.** | If present, Mode Based Execution Control is needed. |
|
**7.** | If present, Mode Based Execution Control is needed.
|
||||||
|
|
||||||
#### SecurityServicesConfigured
|
#### SecurityServicesConfigured
|
||||||
|
|
||||||
This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
|
This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
|
||||||
|
|
||||||
| Value | Description |
|
Value | Description
|
||||||
|--------|-------------|
|
-|-
|
||||||
| **0.** | No services configured. |
|
**0.** | No services configured.
|
||||||
| **1.** | If present, Windows Defender Credential Guard is configured. |
|
**1.** | If present, Windows Defender Credential Guard is configured.
|
||||||
| **2.** | If present, HVCI is configured. |
|
**2.** | If present, HVCI is configured.
|
||||||
| **3.** | If present, System Guard Secure Launch is configured. |
|
**3.** | If present, System Guard Secure Launch is configured.
|
||||||
|
|
||||||
#### SecurityServicesRunning
|
#### SecurityServicesRunning
|
||||||
|
|
||||||
This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
|
This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
|
||||||
|
|
||||||
| Value | Description |
|
Value | Description
|
||||||
|--------|-------------|
|
-|-
|
||||||
| **0.** | No services running. |
|
**0.** | No services running.
|
||||||
| **1.** | If present, Windows Defender Credential Guard is running. |
|
**1.** | If present, Windows Defender Credential Guard is running.
|
||||||
| **2.** | If present, HVCI is running. |
|
**2.** | If present, HVCI is running.
|
||||||
| **3.** | If present, System Guard Secure Launch is running. |
|
**3.** | If present, System Guard Secure Launch is running.
|
||||||
|
|
||||||
#### Version
|
#### Version
|
||||||
|
|
||||||
@ -252,12 +252,11 @@ This field lists the version of this WMI class. The only valid value now is **1.
|
|||||||
|
|
||||||
This field indicates whether VBS is enabled and running.
|
This field indicates whether VBS is enabled and running.
|
||||||
|
|
||||||
| Value | Description |
|
Value | Description
|
||||||
|--------|-------------|
|
-|-
|
||||||
| **0.** | VBS is not enabled. |
|
**0.** | VBS is not enabled.
|
||||||
| **1.** | VBS is enabled but not running. |
|
**1.** | VBS is enabled but not running.
|
||||||
| **2.** | VBS is enabled and running. |
|
**2.** | VBS is enabled and running.
|
||||||
|
|
||||||
|
|
||||||
#### PSComputerName
|
#### PSComputerName
|
||||||
|
|
||||||
@ -265,8 +264,7 @@ This field lists the computer name. All valid values for computer name.
|
|||||||
|
|
||||||
Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
|
Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Troubleshooting
|
## Troubleshooting
|
||||||
|
|
||||||
|
|||||||
@ -51,7 +51,7 @@ You might want to do this to make sure it doesn't affect line-of-business apps o
|
|||||||
|
|
||||||
The network connection will be allowed and a test message will be displayed.
|
The network connection will be allowed and a test message will be displayed.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Review network protection events in Windows Event Viewer
|
## Review network protection events in Windows Event Viewer
|
||||||
|
|
||||||
|
|||||||
@ -50,33 +50,31 @@ You can also manually navigate to the event area that corresponds to the feature
|
|||||||
|
|
||||||
1. Type **event viewer** in the Start menu and open **Event Viewer**.
|
1. Type **event viewer** in the Start menu and open **Event Viewer**.
|
||||||
|
|
||||||
3. Click **Action** > **Import Custom View...**
|
1. Click **Action** > **Import Custom View...**
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
4. Navigate to where you extracted XML file for the custom view you want and select it.
|
1. Navigate to where you extracted XML file for the custom view you want and select it.
|
||||||
|
|
||||||
4. Click **Open**.
|
1. Click **Open**.
|
||||||
|
|
||||||
5. This will create a custom view that filters to only show the events related to that feature.
|
|
||||||
|
|
||||||
|
1. This will create a custom view that filters to only show the events related to that feature.
|
||||||
|
|
||||||
### Copy the XML directly
|
### Copy the XML directly
|
||||||
|
|
||||||
|
|
||||||
1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
|
1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
|
||||||
|
|
||||||
3. On the left panel, under **Actions**, click **Create Custom View...**
|
1. On the left panel, under **Actions**, click **Create Custom View...**
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
|
1. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
|
||||||
|
|
||||||
5. Paste the XML code for the feature you want to filter events from into the XML section.
|
1. Paste the XML code for the feature you want to filter events from into the XML section.
|
||||||
|
|
||||||
4. Click **OK**. Specify a name for your filter.
|
1. Click **OK**. Specify a name for your filter.
|
||||||
|
|
||||||
5. This will create a custom view that filters to only show the events related to that feature.
|
1. This will create a custom view that filters to only show the events related to that feature.
|
||||||
|
|
||||||
### XML for attack surface reduction rule events
|
### XML for attack surface reduction rule events
|
||||||
|
|
||||||
@ -133,7 +131,6 @@ You can also manually navigate to the event area that corresponds to the feature
|
|||||||
|
|
||||||
## List of attack surface reduction events
|
## List of attack surface reduction events
|
||||||
|
|
||||||
|
|
||||||
All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
|
All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
|
||||||
|
|
||||||
You can access these events in Windows Event viewer:
|
You can access these events in Windows Event viewer:
|
||||||
@ -142,7 +139,7 @@ You can access these events in Windows Event viewer:
|
|||||||
2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below.
|
2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below.
|
||||||
3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking.
|
3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Feature | Provider/source | Event ID | Description
|
Feature | Provider/source | Event ID | Description
|
||||||
:-|:-|:-:|:-
|
:-|:-|:-:|:-
|
||||||
|
|||||||
@ -98,29 +98,29 @@ The table in this section indicates the availability and support of native mitig
|
|||||||
|
|
||||||
Mitigation | Available under Exploit protection | Available in EMET
|
Mitigation | Available under Exploit protection | Available in EMET
|
||||||
-|-|-
|
-|-|-
|
||||||
Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]<br />As "Memory Protection Check"
|
Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />As "Memory Protection Check"
|
||||||
Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]<br/>As "Load Library Check"
|
Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]<br/>As "Load Library Check"
|
||||||
Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Included natively in Windows 10<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)]
|
NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]<br />Included natively in Windows 10<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)]
|
Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
|
||||||
Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
|
Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process.
|
> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process.
|
||||||
|
|||||||
@ -49,11 +49,11 @@ When you have configured exploit protection to your desired state (including bot
|
|||||||
|
|
||||||
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
|
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
|
3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
|
> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
|
||||||
@ -144,7 +144,7 @@ You can use Group Policy to deploy the configuration you've created to multiple
|
|||||||
|
|
||||||
3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
|
3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
|
4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user