Fixed XML.

windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md

@@ -0,0 +1,217 @@
+---
+title: Deploy Exploit protection mitigations across your organization
+keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install
+description: Remove unwanted Exploit protection mitigations.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 01/31/18
+---
+
+
+
+# Troubleshoot Exploit protection mitigations
+
+
+**Applies to:**
+
+- Windows 10, version 1709
+
+
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- PowerShell
+
+
+When you create a set of Exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
+
+You can manually remove unwanted mitigations in Windows Defender Security Center, or you can use the following process to remove all mitigations and then import a baseline configuration file instead.
+
+1. Remove all process mitigations with this PowerShell script:
+
+    ```PowerShell
+    # Check if Admin-Privileges are available
+    function Test-IsAdmin {
+        ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
+    }
+
+    # Delete ExploitGuard ProcessMitigations for a given key in the registry. If no other settings exist under the specified key,
+    # the key is deleted as well
+    function Remove-ProcessMitigations([Object] $Key, [string] $Name) {
+        Try {
+            if ($Key.GetValue("MitigationOptions")) {
+                Write-Host "Removing MitigationOptions for:      " $Name
+                Remove-ItemProperty -Path $Key.PSPath -Name "MitigationOptions" -ErrorAction Stop;
+            }
+            if ($Key.GetValue("MitigationAuditOptions")) {
+                Write-Host "Removing MitigationAuditOptions for: " $Name
+                Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
+            }
+        
+            # Remove the FilterFullPath value if there is nothing else
+            if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) {
+                Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop;
+            }
+
+            # If the key is empty now, delete it
+            if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 0)) {
+                Write-Host "Removing empty Entry:                " $Name
+                Remove-Item -Path $Key.PSPath -ErrorAction Stop
+            }
+        }
+        Catch { 
+            Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" 
+        }
+    }
+
+    # Delete all ExploitGuard ProcessMitigations
+    function Remove-All-ProcessMitigations {
+        if (!(Test-IsAdmin)) {
+            throw "ERROR: No Administrator-Privileges detected!"; return 
+        }
+
+        Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
+            $MitigationItem = $_; 
+            $MitigationItemName = $MitigationItem.PSChildName
+
+            Try {
+                Remove-ProcessMitigations $MitigationItem $MitigationItemName
+
+                # "UseFilter" indicate full path filters may be present
+                if ($MitigationItem.GetValue("UseFilter")) {
+                    Get-ChildItem -Path $MitigationItem.PSPath | ForEach-Object {
+                        $FullPathItem = $_
+                        if ($FullPathItem.GetValue("FilterFullPath")) {
+                            $Name = $MitigationItemName + "-" + $FullPathItem.GetValue("FilterFullPath")
+                            Write-Host "Removing FullPathEntry:              " $Name
+                            Remove-ProcessMitigations $FullPathItem $Name
+                        }
+                
+                        # If there are no subkeys now, we can delete the "UseFilter" value
+                        if ($MitigationItem.SubKeyCount -eq 0) {
+                            Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
+                        }
+                    }
+                }
+                if (($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)) {
+                    Write-Host "Removing empty Entry:                " $MitigationItemName
+                    Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
+                }
+            }
+            Catch { 
+                Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" 
+            }
+        }
+    }
+
+    # Delete all ExploitGuard System-wide Mitigations
+    function Remove-All-SystemMitigations {
+
+        if (!(Test-IsAdmin)) { 
+            throw "ERROR: No Administrator-Privileges detected!"; return 
+        }
+    
+        $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
+
+        Try { 
+            if ($Kernel.GetValue("MitigationOptions")) 
+                { Write-Host "Removing System MitigationOptions"
+                    Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop;
+                }
+            if ($Kernel.GetValue("MitigationAuditOptions")) 
+                { Write-Host "Removing System MitigationAuditOptions"
+                    Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
+                }
+        } Catch {
+            Write-Host "ERROR:" $_.Exception.Message "- System"
+        }
+    }
+
+    Remove-All-ProcessMitigations
+    Remove-All-SystemMitigations
+    ```
+
+2.	Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations:
+
+    ```XML
+    <?xml version="1.0" encoding="UTF-8"?>
+	-<root>
+	    <SystemConfig/>
+	   -<AppConfig Executable="ExtExport.exe">
+		   <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+		</AppConfig>
+	   -<AppConfig Executable="ie4uinit.exe">
+		   <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+	    </AppConfig>
+	   -<AppConfig Executable="ieinstal.exe">
+		   <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+        </AppConfig>
+       -<AppConfig Executable="ielowutil.exe">
+	       <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+        </AppConfig>
+	   -<AppConfig Executable="ieUnatt.exe">
+	       <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+        </AppConfig>
+	   -<AppConfig Executable="iexplore.exe">
+	       <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+		</AppConfig>
+	   -<AppConfig Executable="mscorsvw.exe">
+		   <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
+        </AppConfig>
+       -<AppConfig Executable="msfeedssync.exe">
+           <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+        </AppConfig>
+       -<AppConfig Executable="mshta.exe">
+           <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+        </AppConfig>
+       -<AppConfig Executable="ngen.exe">
+           <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
+        </AppConfig>
+       -<AppConfig Executable="ngentask.exe">
+           <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
+        </AppConfig>
+       -<AppConfig Executable="PresentationHost.exe">
+           <DEP Enable="true" OverrideDEP="false" EmulateAtlThunks="false"/>
+           <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true" OverrideBottomUp="false" HighEntropy="true" BottomUp="true"/>
+           <SEHOP Enable="true" OverrideSEHOP="false" TelemetryOnly="false"/>
+           <Heap OverrideHeap="false" TerminateOnError="true"/>
+        </AppConfig>
+       -<AppConfig Executable="PrintDialog.exe">
+           <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
+        </AppConfig>
+        <AppConfig Executable="PrintIsolationHost.exe"/>
+       -<AppConfig Executable="runtimebroker.exe">
+	       <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
+		</AppConfig>
+		    <AppConfig Executable="splwow64.exe"/>
+        <AppConfig Executable="spoolsv.exe"/>
+        <AppConfig Executable="svchost.exe"/>
+       -<AppConfig Executable="SystemSettings.exe">
+           <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
+        </AppConfig>
+    </root>
+    ```
+
+If you haven’t already, it is a good idea to download and use the [Windows Security Baselines](windows-security-baselines.md) to complete your Exploit protection customization.
+
+## Related topics
+
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+- [Evaluate Exploit protection](evaluate-exploit-protection.md)
+- [Enable Exploit protection](enable-exploit-protection.md)
+- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
+- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)