From 86f3a834c35e088aa706d6ff3ccfbb223ed2f82f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 2 Apr 2019 09:41:39 -0700 Subject: [PATCH] fixed table --- .../audit-windows-defender-exploit-guard.md | 20 ++----------------- .../evaluate-attack-surface-reduction.md | 3 ++- 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 5f21c349ae..4f416ca95d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/18/2018 +ms.date: 04/02/2019 --- 
@@ -41,28 +41,12 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs) Audit options | How to enable audit mode | How to view events - | - | - Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) -Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) +Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) -You can also use the a custom PowerShell script that enables the features in audit mode automatically: -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *Enable-ExploitGuardAuditMode.ps1* to an easily accessible location on the machine. - -1. Type **powershell** in the Start menu. - -2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. - -3. 
Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audit mode: - ```PowerShell - Set-ExecutionPolicy Bypass -Force - \Enable-ExploitGuardAuditMode.ps1 - ``` - - Replace \ with the folder path where you placed the file. - - A message should appear to indicate that audit mode was enabled. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index f54bdb311e..307b13fd20 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -47,7 +47,8 @@ You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the s ## Review attack surface reduction events in Windows Event Viewer -You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app: +To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. + | Event ID | Description | |----------|-------------|
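Review bot: The removed lines at the end of the `@@ -41,28 +41,12 @@` hunk in audit-windows-defender-exploit-guard.md delete the whole Enable-ExploitGuardAuditMode.ps1 procedure, including its `Set-ExecutionPolicy Bypass -Force` step, but the subject line only says "fixed table". Please split the removal into its own commit or state in the message why the script instructions are being dropped, so that readers who already followed them know whether the execution policy change should be reverted. In the table itself, only the attack surface reduction row is repointed to evaluate-attack-surface-reduction.md; the exploit protection row still links to exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer, so please confirm that anchor still resolves as well.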
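Review bot: The added sentence in the `@@ -47,7 +47,8 @@` hunk of evaluate-attack-surface-reduction.md ends with "The following table lists all network protection events", but it sits under the heading "Review attack surface reduction events in Windows Event Viewer". This looks pasted from the network protection page and should read "attack surface reduction events". The new wording also narrows the old "block (or audit)" to "apps that would have been blocked" with a single Event ID 1121. Since "would have been blocked" describes audit mode, please confirm that 1121 is the audit-mode ID in the table that follows and not the block-mode one, or name both IDs in the sentence.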