diff --git a/it-client b/it-client new file mode 160000 index 0000000000..61e0a21977 --- /dev/null +++ b/it-client @@ -0,0 +1 @@ +Subproject commit 61e0a21977430f3c0eef1c32e398999dc090c332 diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 101b9976ad..bc6a097de4 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/05/2019 +ms.date: 04/22/2019 --- # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager 
@@ -462,15 +462,6 @@ After you've decided where your protected apps can access enterprise data on you **To set your optional settings** 1. Choose to set any or all of the optional settings: - - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: - - - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. - - - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. - - >[!IMPORTANT] - >The **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box** option is only available for Configuration Manager versions 1610 and below. - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - **Yes (recommended).** Turns on the feature and provides the additional protection. 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png index e6c9769e68..5da4686e3f 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png and b/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png index 4b66070098..89c1eae2a8 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png and b/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png index 8d1815ddf9..b2fc9ee966 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png and b/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png index 495fdfdb95..8af8967001 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png and b/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png index c2c85c62d4..2d6cadb5c6 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png and b/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png index c52e7a4fdb..f3d12e7f2f 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png and b/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md index de556b2903..cd5b2e9c98 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md 
@@ -28,47 +28,40 @@ ms.topic: article -Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. +Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP for the integration to work. + + +## Onboarding non-Windows machines You'll need to take the following steps to onboard non-Windows machines: -1. Turn on third-party integration -2. Run a detection test +1. Select your preferred method of onboarding: -## Turn on third-party integration + - For macOS devices, you can choose to onboard through Windows Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac). + - For other non-Windows devices choose **Onboard non-Windows machines through third-party integration**. + + 1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed. -1. In the navigation pane, select **Settings** > **Onboarding**. Make sure the third-party solution is listed. + 2. In the **Partner Applications** tab, select the partner that supports your non-Windows devices. -2. Select **Linux, macOS, iOS and Android** as the operating system. + 3. Select **Open partner page** to open the partner's page. Follow the instructions provided on the page. -3. 
Turn on the third-party solution integration. + 4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it is aligned with the service that you require. -4. Click **Generate access token** button and then **Copy**. - -5. You’ll need to copy and paste the token to the third-party solution you’re using. The implementation may vary depending on the solution. - - ->[!WARNING] ->The access token has a limited validity period. If needed, regenerate the token close to the time you need to share it with the third-party solution. - -### Run detection test -Create an EICAR test file by saving the string displayed on the portal in an empty text file. Then, introduce the test file to a machine running the third-party antivirus solution. - -The file should trigger a detection and a corresponding alert on Windows Defender ATP. + +2. Run a detection test by following the instructions of the third-party solution. ## Offboard non-Windows machines -To effectively offboard the machine from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow. +1. Follow the third-party's documentation to disconnect the third-party solution from Windows Defender ATP. -1. Follow the third-party documentation to opt-out on the third-party service side. +2. Remove permissions for the third-party solution in your Azure AD tenant. + 1. Sign in to the [Azure portal](https://portal.azure.com). + 2. Select **Azure Active Directory > Enterprise Applications**. + 3. Select the application you'd like to offboard. + 4. Select the **Delete** button. -2. In the navigation pane, select **Settings** > **Onboarding**. - -3. 
Turn off the third-party solution integration. - ->[!WARNING] ->If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on machines. ## Related topics - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 73bc1915d3..7a4da07a33 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
@@ -60,23 +60,28 @@ Each ASR rule contains three settings: For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md). -### Enable ASR rules in Intune +### Intune -1. In Intune, select *Device configuration* > *Profiles*. Choose an existing endpoint protection profile or create a new one. To create a new one, select *Create profile* and enter information for this profile. For *Profile type*, select *Endpoint protection*. If you've chosen an existing profile, select *Properties* and then select *Settings*. +1. In Intune, select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**. -2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule. +2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule. -3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: - +3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: + *C:\folder*, *%ProgramFiles%\folder\file*, *path* -4. 
Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one. +4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. -### Enable ASR rules in SCCM +### SCCM -For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy). +1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. Click **Home** > **Create Exploit Guard Policy**. +1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. +1. Choose which rules will block or audit actions and click **Next**. +1. Review the settings and click **Next** to create the policy. +1. After the policy is created, click **Close**. -### Enable ASR rules with Group Policy +### Group Policy >[!WARNING] >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. @@ -97,7 +102,7 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. -### Enable ASR rules with PowerShell +### PowerShell >[!WARNING] >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. 
@@ -148,7 +153,7 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr >[!IMPORTANT] >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. -### Enable ASR rules with MDM CSPs +### MDM Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 4cc8d86d0a..7fe9b0d463 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 03/29/2019 +ms.date: 04/22/2019 --- # Enable controlled folder access 
@@ -20,28 +20,24 @@ ms.date: 03/29/2019 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. +[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019. You can enable controlled folder access by using any of the these methods: -- Windows Security app -- Intune -- MDM -- Group Policy -- PowerShell cmdlets +- [Windows Security app](#windows-security-app) +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [System Center Configuration Manager (SCCM)](#sccm) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) - Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. +[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine. ->[!NOTE] ->The Controlled folder access feature will display the state in the Windows Security app under **Virus & threat protection settings**. ->If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. ->If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. 
->See [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) for more details on how audit mode works. ->
->Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include: ->- Windows Defender Antivirus **Configure local administrator merge behavior for lists** ->- System Center Endpoint Protection **Allow users to add exclusions and overrides** ->For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). +Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include: +- Windows Defender Antivirus **Configure local administrator merge behavior for lists** +- System Center Endpoint Protection **Allow users to add exclusions and overrides** + +For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). ## Windows Security app 
@@ -51,6 +47,10 @@ You can enable controlled folder access by using any of the these methods: 3. Set the switch for **Controlled folder access** to **On**. +>[!NOTE] +>If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. +>If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. + ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. @@ -60,6 +60,8 @@ You can enable controlled folder access by using any of the these methods: 1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. 1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.  + >[!NOTE] + >Wilcard is supported for applications, but not for folders. Subfolders are not protected. 1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. 
@@ -67,6 +69,15 @@ You can enable controlled folder access by using any of the these methods: Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. +## SCCM + +1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. Click **Home** > **Create Exploit Guard Policy**. +1. Enter a name and a description, click **Controlled folder access**, and click **Next**. +1. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. +1. Review the settings and click **Next** to create the policy. +1. After the policy is created, click **Close**. + ## Group Policy 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 86f640ad6f..58cb4ad00c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 03/29/2019 +ms.date: 04/22/2019 --- # Enable exploit protection 
@@ -28,11 +28,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au You can enable each mitigation separately by using any of the these methods: -- Windows Security app -- Intune -- MDM -- Group Policy -- PowerShell cmdlets +- [Windows Security app](#windows-security-app) +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [System Center Configuration Manager (SCCM)](#sccm) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) They are configured by default in Windows 10. @@ -124,6 +125,15 @@ CFG will be enabled for *miles.exe*. Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode. +## SCCM + +1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. Click **Home** > **Create Exploit Guard Policy**. +1. Enter a name and a description, click **Exploit protection**, and click **Next**. +1. Browse to the location of the exploit protection XML file and click **Next**. +1. Review the settings and click **Next** to create the policy. +1. After the policy is created, click **Close**. + ## Group Policy 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
@@ -231,15 +241,6 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. - - - - - - - - - ## Related topics - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index b1e858ebcb..8df4d37da6 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/01/2019 +ms.date: 04/22/2019 --- # Enable network protection @@ -24,11 +24,11 @@ ms.date: 04/01/2019 You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. You can enable network protection by using any of the these methods: -- Intune -- MDM -- Group Policy -- PowerShell cmdlets -- Registry +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [System Center Configuration Manager (SCCM)](#sccm) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) ## Intune 
@@ -45,9 +45,18 @@ You can enable network protection by using any of the these methods: Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode. +## SCCM + +1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. Click **Home** > **Create Exploit Guard Policy**. +1. Enter a name and a description, click **Network protection**, and click **Next**. +1. Choose whether to block or audit access to suspicious domains and click **Next**. +1. Review the settings and click **Next** to create the policy. +1. After the policy is created, click **Close**. + ## Group Policy -You can use the following procedure to enable network protection on a standalone computer or for domain-joined computers. +You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. 1. On a standalone computer, click **Start**, type and then click **Edit group policy**. @@ -93,9 +102,6 @@ Set-MpPreference -EnableNetworkProtection AuditMode Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. -## - -Network protection can't be turned on using the Windows Security app, but you can enable it by ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png new file mode 100644 index 0000000000..1253d68613 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png differ 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png new file mode 100644 index 0000000000..00225ec18c Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png new file mode 100644 index 0000000000..dfb1cb201b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png new file mode 100644 index 0000000000..2868712541 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png new file mode 100644 index 0000000000..bd2e57d73f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png new file mode 100644 index 0000000000..d7a896332a Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png differ 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png new file mode 100644 index 0000000000..1d16250401 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png new file mode 100644 index 0000000000..0655fdad69 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png new file mode 100644 index 0000000000..a9f11a2e95 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png new file mode 100644 index 0000000000..312167da41 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png differ
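Review bot: The first entry of the patch adds `it-client` as a gitlink (`new file mode 160000`, `Subproject commit 61e0a21977430f3c0eef1c32e398999dc090c332`), and nothing else in the patch adds a `.gitmodules` entry or refers to that path. In a change that otherwise touches only documentation and images, this looks like a nested repository that was staged by accident. Drop it from the commit, or, if it is intended, add the submodule definition and explain in the description what the pinned commit is for.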
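Review bot: In configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md (hunk `@@ -28,47 +28,40 @@`), the new step 2, "Run a detection test by following the instructions of the third-party solution", drops the pass criterion the removed text had ("The file should trigger a detection and a corresponding alert on Windows Defender ATP"). Keep one sentence that says what the reader should see in Windows Defender Security Center when the test succeeds. The added intro sentence also tells readers they need to know the compatible Linux distros and macOS versions but gives neither a list nor a link; add one of the two.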
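Review bot: In enable-attack-surface-reduction.md (hunk `@@ -60,23 +60,28 @@`), the new `### SCCM` steps replace the sentence that pointed to "enabling ASR rules and setting exclusions in SCCM", and none of the six added steps mentions exclusions, so that guidance is lost. Add a step for exclusions or keep the link to "Create and deploy an Exploit Guard policy" after the list. Separately, shortening the headings (`### Enable ASR rules in Intune` to `### Intune`, and likewise for SCCM, Group Policy, PowerShell and MDM) changes the heading anchors, so check for links that still target the old ones.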
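Review bot: In enable-controlled-folders-exploit-guard.md (hunk `@@ -60,6 +60,8 @@`), the added note has a typo: "Wilcard is supported for applications" should read "Wildcards are supported for applications". The context step directly above the note reads **Windows Defender Exploit Guard** > **Network filtering** > **Enable**, which does not match a controlled folder access procedure and looks copied from the network protection topic; please confirm the blade name while this list is being edited.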
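Review bot: In enable-controlled-folders-exploit-guard.md (hunk `@@ -67,6 +69,15 @@`), step 4 of the new `## SCCM` section is missing a word: "Choose whether block or audit changes, allow other apps, or add other folders". Suggested wording: "Choose whether to block or audit changes, allow other apps, or add other folders, and click **Next**."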
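Review bot: In enable-exploit-protection.md (hunk `@@ -124,6 +125,15 @@`), step 4 of the new `## SCCM` section, "Browse to the location of the exploit protection XML file", assumes the reader already has that file, and nothing in the added section says how it is produced. Link to the topic that covers creating or exporting the XML, and say that the file should come from a configuration that has been reviewed, since it is deployed as policy to every targeted machine.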
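Review bot: In enable-network-protection.md (hunk `@@ -24,11 +24,11 @@`), the method list drops **Registry**, but no hunk in this patch removes a Registry section from the file. If that section still exists, it is no longer reachable from the list; if the method is being retired, remove the section in the same change. The context line above the list also still reads "any of the these methods", which can be fixed here.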
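Review bot: In enable-network-protection.md (hunk `@@ -45,9 +45,18 @@`), the rewritten Group Policy intro now names domain-joined computers first, but the context step 1 still begins "On a standalone computer" and reads "click **Start**, type and then click **Edit group policy**", which omits what to type. Reorder or split the steps to match the new intro and complete step 1.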
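Review bot: In enable-network-protection.md (hunk `@@ -93,9 +102,6 @@`), deleting the empty `##` heading and the unfinished sentence "Network protection can't be turned on using the Windows Security app, but you can enable it by" is right, but the fact that the Windows Security app cannot turn the feature on is lost with it. Keep that as a complete sentence near the method list. The context line in the same hunk has a typo, "Use `Disabled` insead of", which should read "instead".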