diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index ab42d2eb12..fa3402a679 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 11/03/2020
+ms.date: 01/21/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -146,7 +146,7 @@ There is a known issue such that if you change the Exploit Protection settings f
ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
-1. In the Group Policy setting called, *Prohibit use of Internet Connection Sharing on your DNS domain network*, set it to **Disabled**.
+1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
2. Disable IpNat.sys from ICS load as follows:
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
@@ -159,6 +159,28 @@ ICS is enabled by default in Windows, and ICS must be enabled in order for Appli
5. Reboot the device.
+### Why doesn't the container fully load when device control policies are enabled?
+Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly.
+
+Policy: Allow installation of devices that match any of these device IDs
+- `SCSI\DiskMsft____Virtual_Disk____`
+- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
+- `VMS_VSF`
+- `root\Vpcivsp`
+- `root\VMBus`
+- `vms_mp`
+- `VMS_VSP`
+- `ROOT\VKRNLINTVSP`
+- `ROOT\VID`
+- `root\storvsp`
+- `vms_vsmp`
+- `VMS_PP`
+
+Policy: Allow installation of devices using drivers that match these device setup classes
+- `{71a27cdd-812a-11d0-bec7-08002be2092f}`
+
+
+
## See also
-[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)
\ No newline at end of file
+[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index c0c77ae782..cf10e80626 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -14,7 +14,7 @@ ms.author: deniseb
ms.reviewer: sugamar, jcedola
manager: dansimp
ms.custom: asr
-ms.date: 01/08/2021
+ms.date: 01/20/2021
---
# Use attack surface reduction rules to prevent malware infection
@@ -24,7 +24,7 @@ ms.date: 01/08/2021
**Applies to:**
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
## Why attack surface reduction rules are important
@@ -63,8 +63,10 @@ Warn mode helps your organization have attack surface reduction rules in place w
Warn mode is supported on devices running the following versions of Windows:
- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later
+
+Microsoft Defender Antivirus must be running with real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state).
-In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed
+In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed.
- Minimum platform release requirement: `4.18.2008.9`
- Minimum engine release requirement: `1.1.17400.5`
@@ -124,13 +126,9 @@ DeviceEvents
You can review the Windows event log to view events generated by attack surface reduction rules:
1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device.
-
2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer.
-
3. Under **Actions**, select **Import custom view...**.
-
4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md).
-
5. Select **OK**.
You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access:
@@ -463,9 +461,6 @@ GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
## See also
- [Attack surface reduction FAQ](attack-surface-reduction-faq.md)
-
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-
- [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
index 91a6dc887a..2ff87af1ae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@@ -46,13 +46,13 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
## Windows Security app
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Security**.
+1. Open the Windows Security app by selecting the shield icon in the task bar or by searching the start menu for **Security**.
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**.
+2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**.
3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - If the app you want to configure is already listed, click it and then click **Edit**.
- - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
+ - If the app you want to configure is already listed, select it, and then select **Edit**.
+ - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
@@ -60,12 +60,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
5. Repeat steps 3-4 for all the apps and mitigations you want to configure.
-6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
+6. Under the **System settings** section, find the mitigation you want to configure and then specify one of the following settings. Apps that aren't configured individually in the **Program settings** section use the settings that are configured here.
- **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
-7. Repeat step 6 for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+7. Repeat step 6 for all the system-level mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
@@ -80,7 +80,7 @@ If you add an app to the **Program settings** section and configure individual m
Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
-The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
+The result is that DEP is enabled only for *test.exe*. All other apps will not have DEP applied.
### Example 2: Josie configures Data Execution Prevention in system settings to be off by default
@@ -88,66 +88,84 @@ Josie adds the app *test.exe* to the **Program settings** section. In the option
Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
-The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.
+The result is that DEP is enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
+2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**.
3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - If the app you want to configure is already listed, click it and then click **Edit**.
- - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
+ - If the app you want to configure is already listed, select it, and then select **Edit**.
+ - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
-5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-2. Click **Device configuration** > **Profiles** > **Create profile**.
+2. Go to **Device configuration** > **Profiles** > **Create profile**.
+
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
+4. Select **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
-5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
+5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
-6. Click **OK** to save each open blade and click **Create**.
+ 
-7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
+6. Select **OK** to save each open blade, and then choose **Create**.
+
+7. Select the profile **Assignments** tab, assign the policy to **All Users & All Devices**, and then select **Save**.
## MDM
Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode.
+## Microsoft Endpoint Manager
+
+1. In Microsoft Endpoint Manager, go to **Endpoint Security** > **Attack surface reduction**.
+
+2. Select **Create Policy** > **Platform**, and for **Profile**, choose **Exploit Protection**. Then select **Create**.
+
+3. Specify a name and a description, and then choose **Next**.
+
+4. Select **Select XML File** and browse to the location of the exploit protection XML file. Select the file, and then choose **Next**.
+
+5. Configure **Scope tags** and **Assignments** if necessary.
+
+6. Under **Review + create**, review the configuration and then choose **Create**.
+
+
## Microsoft Endpoint Configuration Manager
-1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-2. Click **Home** > **Create Exploit Guard Policy**.
+2. Select **Home** > **Create Exploit Guard Policy**.
-3. Enter a name and a description, click **Exploit protection**, and click **Next**.
+3. Specify a name and a description, select **Exploit protection**, and then choose **Next**.
-4. Browse to the location of the exploit protection XML file and click **Next**.
+4. Browse to the location of the exploit protection XML file and select **Next**.
-5. Review the settings and click **Next** to create the policy.
+5. Review the settings, and then choose **Next** to create the policy.
-6. After the policy is created, click **Close**.
+6. After the policy is created, select **Close**.
## Group Policy
1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
-4. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
+4. Select **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard), and then choose **OK**.
## PowerShell
@@ -207,41 +225,41 @@ This table lists the individual **Mitigations** (and **Audits**, when available)
| Mitigation type | Applies to | Mitigation cmdlet parameter keyword | Audit mode cmdlet parameter |
| :-------------- | :--------- | :---------------------------------- | :-------------------------- |
-| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available |
-| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available |
-| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available |
-| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
-| Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available |
-| Validate heap integrity | System and app-level | TerminateOnError | Audit not available |
-| Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode |
-| Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad |
-| Block remote images | App-level only | BlockRemoteImages | Audit not available |
-| Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly |
-| Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned |
-| Disable extension points | App-level only | ExtensionPoint | Audit not available |
-| Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall |
-| Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess |
-| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] |
-| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] |
-| Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] |
-| Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] |
-| Validate handle usage | App-level only | StrictHandle | Audit not available |
-| Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available |
-| Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] |
+| Control flow guard (CFG) | System and app-level | `CFG`, `StrictCFG`, `SuppressExports` | Audit not available |
+| Data Execution Prevention (DEP) | System and app-level | `DEP`, `EmulateAtlThunks` | Audit not available |
+| Force randomization for images (Mandatory ASLR) | System and app-level | `ForceRelocateImages` | Audit not available |
+| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | `BottomUp`, `HighEntropy` | Audit not available
+| Validate exception chains (SEHOP) | System and app-level | `SEHOP`, `SEHOPTelemetry` | Audit not available |
+| Validate heap integrity | System and app-level | `TerminateOnError` | Audit not available |
+| Arbitrary code guard (ACG) | App-level only | `DynamicCode` | `AuditDynamicCode` |
+| Block low integrity images | App-level only | `BlockLowLabel` | `AuditImageLoad` |
+| Block remote images | App-level only | `BlockRemoteImages` | Audit not available |
+| Block untrusted fonts | App-level only | `DisableNonSystemFonts` | `AuditFont`, `FontAuditOnly` |
+| Code integrity guard | App-level only | `BlockNonMicrosoftSigned`, `AllowStoreSigned` | AuditMicrosoftSigned, AuditStoreSigned |
+| Disable extension points | App-level only | `ExtensionPoint` | Audit not available |
+| Disable Win32k system calls | App-level only | `DisableWin32kSystemCalls` | `AuditSystemCall` |
+| Do not allow child processes | App-level only | `DisallowChildProcessCreation` | `AuditChildProcess` |
+| Export address filtering (EAF) | App-level only | `EnableExportAddressFilterPlus`, `EnableExportAddressFilter` \[1\] | Audit not available\[2\] |
+| Import address filtering (IAF) | App-level only | `EnableImportAddressFilter` | Audit not available\[2\] |
+| Simulate execution (SimExec) | App-level only | `EnableRopSimExec` | Audit not available\[2\] |
+| Validate API invocation (CallerCheck) | App-level only | `EnableRopCallerCheck` | Audit not available\[2\] |
+| Validate handle usage | App-level only | `StrictHandle` | Audit not available |
+| Validate image dependency integrity | App-level only | `EnforceModuleDepencySigning` | Audit not available |
+| Validate stack integrity (StackPivot) | App-level only | `EnableRopStackPivot` | Audit not available\[2\] |
\[1\]: Use the following format to enable EAF modules for DLLs for a process:
```PowerShell
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
```
-\[2\]: Audit for this mitigation is not available via Powershell cmdlets.
+\[2\]: Audit for this mitigation is not available via PowerShell cmdlets.
## Customize the notification
-See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) article for more information about customizing the notification when a rule is triggered and blocks an app or file.
## See also
-* [Evaluate exploit protection](evaluate-exploit-protection.md)
-* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+- [Evaluate exploit protection](evaluate-exploit-protection.md)
+- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)