Merge branch 'master' into issue-3352

windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md

@@ -14,7 +14,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/05/2019
+ms.date: 04/22/2019
 ---
 
 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@@ -462,15 +462,6 @@ After you've decided where your protected apps can access enterprise data on you
 **To set your optional settings**
 1.	Choose to set any or all of the optional settings:
 
-    - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
-    
-        - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. 
-	
-        - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
-
-        >[!IMPORTANT]
-        >The **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box** option is only available for Configuration Manager versions 1610 and below.
-
     - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
 	
         - **Yes (recommended).** Turns on the feature and provides the additional protection.

windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md

@@ -60,23 +60,28 @@ Each ASR rule contains three settings:
 
 For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md).
 
-### Enable ASR rules in Intune
+### Intune
 
-1. In Intune, select *Device configuration* > *Profiles*. Choose an existing endpoint protection profile or create a new one. To create a new one, select *Create profile* and enter information for this profile. For *Profile type*, select *Endpoint protection*. If you've chosen an existing profile, select *Properties* and then select *Settings*.
+1. In Intune, select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
 
-2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule.
+2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
 
-3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
+3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
 	
+   *C:\folder*, *%ProgramFiles%\folder\file*, *path*	
 
+4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
 
-4. Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one.
+### SCCM
 
-### Enable ASR rules in SCCM
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. Click **Home** > **Create Exploit Guard Policy**.
+1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
+1. Choose which rules will block or audit actions and click **Next**.
+1. Review the settings and click **Next** to create the policy.
+1. After the policy is created, click **Close**. 
 
-For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy).
-
-### Enable ASR rules with Group Policy
+### Group Policy
 
 >[!WARNING]
 >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
@@ -97,7 +102,7 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr
 
 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. 
  
-### Enable ASR rules with PowerShell
+### PowerShell
 
 >[!WARNING]
 >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
@@ -148,7 +153,7 @@ For information about enabling ASR rules and setting exclusions in SCCM, see [Cr
 	>[!IMPORTANT]
 	>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
 
-### Enable ASR rules with MDM CSPs
+### MDM
 
 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
 

windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 03/29/2019
+ms.date: 04/22/2019
 ---
 
 # Enable controlled folder access
@@ -20,28 +20,24 @@ ms.date: 03/29/2019
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
+[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019.
 
 You can enable controlled folder access by using any of the these methods:
 
-- Windows Security app
-- Intune 
-- MDM
-- Group Policy
-- PowerShell cmdlets
+- [Windows Security app](#windows-security-app)
+- [Microsoft Intune](#intune) 
+- [Mobile Device Management (MDM)](#mdm)
+- [System Center Configuration Manager (SCCM)](#sccm)
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)
 
- Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
+[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
 
->[!NOTE]
->The Controlled folder access feature will display the state in the Windows Security app under **Virus & threat protection settings**.
->If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
->If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
->See [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) for more details on how audit mode works.
-><p>
->Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
->- Windows Defender Antivirus **Configure local administrator merge behavior for lists**
->- System Center Endpoint Protection **Allow users to add exclusions and overrides**
->For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
+Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
+- Windows Defender Antivirus **Configure local administrator merge behavior for lists**
+- System Center Endpoint Protection **Allow users to add exclusions and overrides**
+
+For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
 
 ## Windows Security app
 
@@ -51,6 +47,10 @@ You can enable controlled folder access by using any of the these methods:
 
 3. Set the switch for **Controlled folder access** to **On**.
 
+>[!NOTE]
+>If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
+>If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
+
 ## Intune
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
@@ -60,6 +60,8 @@ You can enable controlled folder access by using any of the these methods:
 1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. 
 1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. 
    ![Enable controlled folder access in Intune](images/enable-cfa-intune.png)
+   >[!NOTE]
+   >Wilcard is supported for applications, but not for folders. Subfolders are not protected. 
 1. Click **OK** to save each open blade and click **Create**. 
 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 
@@ -67,6 +69,15 @@ You can enable controlled folder access by using any of the these methods:
 
 Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. 
 
+## SCCM
+
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. Click **Home** > **Create Exploit Guard Policy**.
+1. Enter a name and a description, click **Controlled folder access**, and click **Next**.
+1. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
+1. Review the settings and click **Next** to create the policy.
+1. After the policy is created, click **Close**. 
+
 ## Group Policy
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 03/29/2019
+ms.date: 04/22/2019
 ---
 
 # Enable exploit protection
@@ -28,11 +28,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
 
 You can enable each mitigation separately by using any of the these methods:
 
-- Windows Security app
-- Intune 
-- MDM
-- Group Policy
-- PowerShell cmdlets
+- [Windows Security app](#windows-security-app)
+- [Microsoft Intune](#intune) 
+- [Mobile Device Management (MDM)](#mdm)
+- [System Center Configuration Manager (SCCM)](#sccm)
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)
 
 They are configured by default in Windows 10. 
 
@@ -124,6 +125,15 @@ CFG will be enabled for *miles.exe*.
 
 Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode.
 
+## SCCM
+
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. Click **Home** > **Create Exploit Guard Policy**.
+1. Enter a name and a description, click **Exploit protection**, and click **Next**.
+1. Browse to the location of the exploit protection XML file and click **Next**.
+1. Review the settings and click **Next** to create the policy.
+1. After the policy is created, click **Close**. 
+
 ## Group Policy
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -231,15 +241,6 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu
 See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 
 
-
-
-
-
-
-
-
-
-
 ## Related topics
 
 - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)

windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/01/2019
+ms.date: 04/22/2019
 ---
 
 # Enable network protection
@@ -24,11 +24,11 @@ ms.date: 04/01/2019
 You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.  
 You can enable network protection by using any of the these methods:
 
-- Intune 
-- MDM
-- Group Policy
-- PowerShell cmdlets
-- Registry
+- [Microsoft Intune](#intune) 
+- [Mobile Device Management (MDM)](#mdm)
+- [System Center Configuration Manager (SCCM)](#sccm)
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)
 
 ## Intune
 
@@ -45,9 +45,18 @@ You can enable network protection by using any of the these methods:
 
 Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
 
+## SCCM
+
+1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. Click **Home** > **Create Exploit Guard Policy**.
+1. Enter a name and a description, click **Network protection**, and click **Next**.
+1. Choose whether to block or audit access to suspicious domains and click **Next**.
+1. Review the settings and click **Next** to create the policy.
+1. After the policy is created, click **Close**. 
+
 ## Group Policy 
 
-You can use the following procedure to enable network protection on a standalone computer or for domain-joined computers.
+You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. 
 
 1.  On a standalone computer, click **Start**, type and then click **Edit group policy**.
 
@@ -93,9 +102,6 @@ Set-MpPreference -EnableNetworkProtection AuditMode
 
 Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
 
-## 
-
-Network protection can't be turned on using the Windows Security app, but you can enable it by 
 
 ## Related topics