deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 06:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

fixed table

Browse Source
This commit is contained in:
Justin Hall 2019-04-02 09:41:39 -07:00
parent 14dc5c5d52
commit 86f3a834c3
2 changed files with 4 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 09/18/2018
ms.date: 04/02/2019
---
@ -41,28 +41,12 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs)
Audit options | How to enable audit mode | How to view events
- | - | -
Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer)
Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer)
Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer)
Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer)
Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
You can also use the a custom PowerShell script that enables the features in audit mode automatically:
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *Enable-ExploitGuardAuditMode.ps1* to an easily accessible location on the machine.
1. Type **powershell** in the Start menu.
2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
3. Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audit mode:
```PowerShell
Set-ExecutionPolicy Bypass -Force
<location>\Enable-ExploitGuardAuditMode.ps1
```
Replace \<location> with the folder path where you placed the file.
A message should appear to indicate that audit mode was enabled.
## Related topics

3
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
View File

@ -47,7 +47,8 @@ You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the s
## Review attack surface reduction events in Windows Event Viewer
You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app:
To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
| Event ID | Description |
|----------|-------------|