Merge branch 'wdeg-cfa' into anbic-rs4

windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md

@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 12/01/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/04/2018
 ---
 
 
@@ -40,12 +40,15 @@ ms.date: 12/01/2017
 
 Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
 
-This topic describes how to enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). 
+This topic describes how to enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). You can choose to block, audit, or allow attempts by untrusted apps to:
+
+- Change or delete files in protected folders like the Documents folder
+- Write to the disk
 
 
 ## Enable and audit Controlled folder access
 
-You can enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
+You can enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the computer or device.
 
 For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
 
@@ -72,21 +75,21 @@ For further details on how audit mode works, and when you might want to use it,
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
-3.  In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4.  Click **Policies** then **Administrative templates**.
+3.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
 
 5.  Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
 
 6. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
-    - **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
-    - **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
-    - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
+    - **Disable (Default)** - The Controlled folder access feature won't work. All apps can make changes to files in protected folders, and no notifications will appear in the Windows event log.
+    - **Block** - Malicious and suspicious apps won't be allowed to make changes to files in protected folders or write to disk. A notification will appear in the Windows event log with ID 1123.
+    - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder or write to disk, the change will be allowed but will be recorded in the Windows event log with ID 1124. This allows you to assess the impact of this feature on your organization before deploying it.
+    - **Block disk modification only** - Malicious and suspicious apps won't be allowed to write to disk. A notification will appear in the Windows event log with ID 1123.
+    - **Audit disk modification only** - If a malicious or suspicious app attempts to write to disk, the change will be allowed but will be recorded in the Windows event log with ID 1124. This allows you to assess the impact of this feature on your organization before deploying it.
 
     ![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png)
 
 >[!IMPORTANT]
->To fully enable the Controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
+>To fully enable the Controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
 
 ### Use PowerShell to enable Controlled folder access
 
@@ -97,7 +100,7 @@ For further details on how audit mode works, and when you might want to use it,
     Set-MpPreference -EnableControlledFolderAccess Enabled
     ```
 
-You can enable the feauting in audit mode by specifying `AuditMode` instead of `Enabled`.
+You can enable the feature in audit mode by specifying `AuditMode` instead of `Enabled`. To block disk writes only, specify `BlockDiskModificationOnly`. To audit disk writes only, specify `AuditDiskModificationOnly`.
 
 Use `Disabled` to turn the feature off.