mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 03:43:39 +00:00
initial commit
@ -0,0 +1,92 @@
|
||||
---
|
||||
title: Use Windows Defender Exploit Guard to protect your corporate network
|
||||
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
|
||||
keywords: emet, exploit guard, controlled folder access, network protection, exploit protection, attack surface reduction, hips, host intrusion prevention system
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
localizationpriority: medium
|
||||
author: iaanw
|
||||
msft.author: iawilt
|
||||
---
|
||||
|
||||
|
||||
|
||||
# Windows Defender Exploit Guard
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Insider Preview, build 16232 and later
|
||||
|
||||
**Audience**
|
||||
|
||||
- Enterprise security administrators
|
||||
|
||||
|
||||
**Manageability available with**
|
||||
|
||||
- Group Policy
|
||||
- PowerShell
|
||||
- Windows Management Instrumentation (WMI)
|
||||
- System Center Configuration Manager
|
||||
- Microsoft Intune
|
||||
- Windows Defender Security Center app
|
||||
|
||||
|
||||
Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software.
|
||||
|
||||
You can use Windows Defender EG to:
|
||||
|
||||
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [exploit protection](exploit-protection-exploit-guard.md)
|
||||
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [attack surface reduction rules](attack-surface-reduction-exploit.guard.md)
|
||||
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [network protection](network-protection-exploit-guard.md)
|
||||
- Protect files in key system folders from changes made by malicious and suspicious apps with [controlled folder access](controlled-folders-exploit-guard.md)
|
||||
|
||||
Evaluate Windows Defender EG with our evaluation and set-up guide, which provides a pre-built PowerShell script and testing tool so you can see the new features in action:
|
||||
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
|
||||
|
||||
You can also [enable audit mode](audit-mode-exploit-guard.md) for Windows Defender EG, which provides with reporting and event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
|
||||
|
||||
Windows Defender EG is a component of the new Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. Other components of Windows Defender Advanced Threat Protection include:
|
||||
- [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
|
||||
- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
|
||||
- [Windows Defender SmartScreen]
|
||||
- [Windows Defender Device Guard]
|
||||
- [Windows Defender Application Control]
|
||||
|
||||
Each of the features in Windows Defender EG have slightly different requirements:
|
||||
|
||||
Feature | Minimum Windows 10 Insider Preview build | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license
|
||||
-|-|-|-
|
||||
Exploit protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
|
||||
Attack surface reduction | 16232 | Must be enabled | Required
|
||||
Network protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
|
||||
Controlled folder access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
|
||||
|
||||
> [!NOTE]
|
||||
> Each feature's requirements are further described in the individual topics in this library.
|
||||
|
||||
The way in which the features can be managed, configured, and reported on also varies:
|
||||
|
||||
Feature | Configuration available with | Reporting available with
|
||||
-|-|-
|
||||
Exploit protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
|
||||
Attack surface reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
|
||||
Network protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
|
||||
Controlled folder access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
|
||||
|
||||
|
||||
## In this library
|
||||
|
||||
Topic | Description
|
||||
---|---
|
||||
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
|
||||
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit.guard.m) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as macro, script, PowerShell, USB, and Flash security policies and configuration.
|
||||
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors, and set up reporting for suspicious activity.
|
||||
[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (such as ransomware malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
|
||||
|
||||
|
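Review bot: Several link targets in this file look like they will not resolve. In the feature list, the attack surface reduction link points to `attack-surface-reduction-exploit.guard.md`, with a dot where every other file name in the hunk uses a hyphen. In the "In this library" table the first two targets are `exploit-protection-exploit-guard` (no extension) and `attack-surface-reduction-exploit.guard.m` (extension cut short). The entries `[Windows Defender SmartScreen]`, `[Windows Defender Device Guard]` and `[Windows Defender Application Control]` have brackets but no target. Suggest checking each target against the actual file name, using `.md` consistently, and either adding targets for the three bare entries or removing the brackets. Minor wording in the same hunk: "utlizing" should be "utilizing", and "which provides with reporting and event logs" is missing its object.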
@ -0,0 +1,176 @@
|
||||
---
|
||||
title: Use Windows Defender Exploit Guard to protect your corporate network
|
||||
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
|
||||
keywords: emet, exploit guard, controlled folder access, network protection, exploit protection, attack surface reduction, hips, host intrusion prevention system
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
localizationpriority: medium
|
||||
author: iaanw
|
||||
msft.author: iawilt
|
||||
---
|
||||
|
||||
|
||||
|
||||
# Protect important folders with Controlled Folder Access
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Insider Preview, build 16232 and later
|
||||
|
||||
**Audience**
|
||||
|
||||
- Enterprise security administrators
|
||||
|
||||
|
||||
**Manageability available with**
|
||||
|
||||
- Group Policy
|
||||
- PowerShell
|
||||
- Windows Management Instrumentation (WMI)
|
||||
- System Center Configuration Manager
|
||||
- Microsoft Intune
|
||||
- Windows Defender Security Center app
|
||||
|
||||
|
||||
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
|
||||
|
||||
|
||||
All apps (any executable file, including .exe, .scr, .dll files and others )are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
|
||||
|
||||
A notification will appear on the machine where the app attempted to make changes to a protected folder.
|
||||
|
||||
Controlled folder access monitors the changes that apps make to files in certain protected folders.
|
||||
If an app attempts to make a change to these files, and the app is blacklisted by the feature, you<6F>ll get a notification about the attempt.
|
||||
|
||||
The protected folders include common system folders, and you can additional folders. You can also allow or whitelist apps to give them access to the protected folders.
|
||||
|
||||
## Requirements
|
||||
|
||||
The following requirements must be met before controlled folder access will work:
|
||||
|
||||
Windows 10 version | Windows Defender Antivirus
|
||||
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
|
||||
|
||||
|
||||
**Use the Windows Defender Security app to enable controlled folder access:**
|
||||
|
||||
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
||||
|
||||
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
||||
|
||||

|
||||
|
||||
3. Set the switch for the feature to **On**
|
||||
|
||||

|
||||
|
||||
**Use Group Policy to enable controlled folder access:**
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
||||
|
||||
4. Click **Policies** then **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
|
||||
|
||||
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
|
||||
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
|
||||
- **Disable (Default)** - The controlled folder access feature will not work. All apps can make changes to files in protected folders.
|
||||
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
|
||||
|
||||
|
||||

|
||||
|
||||
>[!IMPORTANT]
|
||||
>To fully enable the controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
|
||||
|
||||
|
||||
|
||||
## Protect additional folders
|
||||
|
||||
Adding other folders to Controlled folder access can be handy, for example, if you don<6F>t store files in the default Windows libraries or you<6F>ve changed the location of the libraries away from the defaults.
|
||||
|
||||
Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
|
||||
|
||||
You can add additional folders to be protected, but you cannot remove the default folders in the default list.
|
||||
|
||||
|
||||
|
||||
Click Protected folders in the Controlled folder access area and enter the full path of the folder you want to monitor.
|
||||
|
||||
You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.
|
||||
|
||||
**Use the Windows Defender Security app to protect additional folders:**
|
||||
|
||||
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
||||
|
||||
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
||||
|
||||

|
||||
|
||||
3. Under the **Controlled folder access** section, click **Protected folders**
|
||||
|
||||
4. Click **Add a protected folder** and follow the prompts to add apps.
|
||||
|
||||

|
||||
|
||||
|
||||
**Use Group Policy to protect additional folders:**
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
||||
|
||||
4. Click **Policies** then **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
|
||||
|
||||
6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder as Value? Or Value Name?
|
||||
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Environment variables and wildcards are not supported.
|
||||
|
||||
## Allow specifc apps to make changes to controlled folders
|
||||
|
||||
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you<6F>re finding a particular app that you know and trust is being blocked by the controlled folder access feature.
|
||||
|
||||
|
||||
**Use the Windows Defender Security app to whitelist specific apps:**
|
||||
|
||||
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
||||
|
||||
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
||||
|
||||

|
||||
|
||||
3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
|
||||
|
||||
4. Click **Add an allowed app** and follow the prompts to add apps.
|
||||
|
||||

|
||||
|
||||
**Use Group Policy to whitelist specific apps:**
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
||||
|
||||
4. Click **Policies** then **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
|
||||
|
||||
6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?
|
||||
|
||||
|
||||
## Review event logs for controlled folder access
|
||||
|
||||
How do you see these event logs? Are they under specific codes/areas?
|
||||
|
||||
Also - is there any SCCM, Intune, or MDM functionality here? Can't see anything in the SCCM console.
|
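Review bot: Drafting questions are still in the body text and should be resolved before this is published. Step 6 of "Use Group Policy to protect additional folders" ends with "enter each folder as Value? Or Value Name?", step 6 of "Use Group Policy to whitelist specific apps" ends with "Do you have to enter fully qualified path, or will it apply to any .exe with that name?", and the "Review event logs for controlled folder access" section consists only of questions. The allowed-apps question matters most for administrators: whether an entry matches a full path or any executable with that name determines how broad the exception is, so the step should state the required format explicitly. The event log section should say where the events appear, since the **Audit Mode** option above tells readers to rely on the Windows event log to assess impact. Also in this hunk, step 4 of "Use the Windows Defender Security app to protect additional folders" says "follow the prompts to add apps" where folders are meant, and the heading "Allow specifc apps" should read "specific".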
@ -0,0 +1,176 @@
|
||||
---
|
||||
title: Use Windows Defender Exploit Guard to protect your corporate network
|
||||
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
|
||||
keywords: emet, exploit guard, controlled folder access, network protection, exploit protection, attack surface reduction, hips, host intrusion prevention system
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
localizationpriority: medium
|
||||
author: iaanw
|
||||
msft.author: iawilt
|
||||
---
|
||||
|
||||
|
||||
|
||||
# Protect important folders with Controlled Folder Access
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Insider Preview, build 16232 and later
|
||||
|
||||
**Audience**
|
||||
|
||||
- Enterprise security administrators
|
||||
|
||||
|
||||
**Manageability available with**
|
||||
|
||||
- Group Policy
|
||||
- PowerShell
|
||||
- Windows Management Instrumentation (WMI)
|
||||
- System Center Configuration Manager
|
||||
- Microsoft Intune
|
||||
- Windows Defender Security Center app
|
||||
|
||||
|
||||
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
|
||||
|
||||
|
||||
All apps (any executable file, including .exe, .scr, .dll files and others )are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
|
||||
|
||||
A notification will appear on the machine where the app attempted to make changes to a protected folder.
|
||||
|
||||
Controlled folder access monitors the changes that apps make to files in certain protected folders.
|
||||
If an app attempts to make a change to these files, and the app is blacklisted by the feature, you<6F>ll get a notification about the attempt.
|
||||
|
||||
The protected folders include common system folders, and you can additional folders. You can also allow or whitelist apps to give them access to the protected folders.
|
||||
|
||||
## Requirements
|
||||
|
||||
The following requirements must be met before controlled folder access will work:
|
||||
|
||||
Windows 10 version | Windows Defender Antivirus
|
||||
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
|
||||
|
||||
|
||||
**Use the Windows Defender Security app to enable controlled folder access:**
|
||||
|
||||
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
||||
|
||||
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
||||
|
||||

|
||||
|
||||
3. Set the switch for the feature to **On**
|
||||
|
||||

|
||||
|
||||
**Use Group Policy to enable controlled folder access:**
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
||||
|
||||
4. Click **Policies** then **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
|
||||
|
||||
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
|
||||
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
|
||||
- **Disable (Default)** - The controlled folder access feature will not work. All apps can make changes to files in protected folders.
|
||||
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
|
||||
|
||||
|
||||

|
||||
|
||||
>[!IMPORTANT]
|
||||
>To fully enable the controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
|
||||
|
||||
|
||||
|
||||
## Protect additional folders
|
||||
|
||||
Adding other folders to Controlled folder access can be handy, for example, if you don<6F>t store files in the default Windows libraries or you<6F>ve changed the location of the libraries away from the defaults.
|
||||
|
||||
Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
|
||||
|
||||
You can add additional folders to be protected, but you cannot remove the default folders in the default list.
|
||||
|
||||
|
||||
|
||||
Click Protected folders in the Controlled folder access area and enter the full path of the folder you want to monitor.
|
||||
|
||||
You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.
|
||||
|
||||
**Use the Windows Defender Security app to protect additional folders:**
|
||||
|
||||
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
||||
|
||||
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
||||
|
||||

|
||||
|
||||
3. Under the **Controlled folder access** section, click **Protected folders**
|
||||
|
||||
4. Click **Add a protected folder** and follow the prompts to add apps.
|
||||
|
||||

|
||||
|
||||
|
||||
**Use Group Policy to protect additional folders:**
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
||||
|
||||
4. Click **Policies** then **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
|
||||
|
||||
6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder as Value? Or Value Name?
|
||||
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Environment variables and wildcards are not supported.
|
||||
|
||||
## Allow specifc apps to make changes to controlled folders
|
||||
|
||||
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you<6F>re finding a particular app that you know and trust is being blocked by the controlled folder access feature.
|
||||
|
||||
|
||||
**Use the Windows Defender Security app to whitelist specific apps:**
|
||||
|
||||
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
||||
|
||||
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
||||
|
||||

|
||||
|
||||
3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
|
||||
|
||||
4. Click **Add an allowed app** and follow the prompts to add apps.
|
||||
|
||||

|
||||
|
||||
**Use Group Policy to whitelist specific apps:**
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration**.
|
||||
|
||||
4. Click **Policies** then **Administrative templates**.
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
|
||||
|
||||
6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?
|
||||
|
||||
|
||||
## Review event logs for controlled folder access
|
||||
|
||||
How do you see these event logs? Are they under specific codes/areas?
|
||||
|
||||
Also - is there any SCCM, Intune, or MDM functionality here? Can't see anything in the SCCM console.
|
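Review bot: The front matter does not match the page. `title:` and `description:` describe Windows Defender Exploit Guard as a whole ("Use Windows Defender Exploit Guard to protect your corporate network"), while the H1 is "Protect important folders with Controlled Folder Access"; suggest a title and description specific to controlled folder access. Further points in this hunk: each "Use Group Policy ..." list numbers its steps 1, 3, 4, 5, 6, so step 2 is either missing or the list needs renumbering; the Requirements table has a header row but no delimiter row, so it will likely render as plain text; and the apostrophes in "you<6F>ll", "don<6F>t", "you<6F>ve" and "you<6F>re" show as replacement characters, which suggests the file encoding should be checked. The intro also uses two descriptions of what gets blocked ("malicious or suspicious" and "blacklisted by the feature"); pick one. This hunk is line for line the same as the preceding 176-line hunk, so confirm that two copies of the topic are intended.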
Binary file not shown.
After Width: | Height: | Size: 78 KiB |
Binary file not shown.
After Width: | Height: | Size: 20 KiB |
Binary file not shown.
After Width: | Height: | Size: 23 KiB |
Binary file not shown.
After Width: | Height: | Size: 47 KiB |
Binary file not shown.
After Width: | Height: | Size: 261 KiB |
@ -0,0 +1,92 @@
|
||||
---
|
||||
title: Use Windows Defender Exploit Guard to protect your corporate network
|
||||
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
|
||||
keywords: emet, exploit guard, controlled folder access, network protection, exploit protection, attack surface reduction, hips, host intrusion prevention system
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
localizationpriority: medium
|
||||
author: iaanw
|
||||
msft.author: iawilt
|
||||
---
|
||||
|
||||
|
||||
|
||||
# Windows Defender Exploit Guard
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Insider Preview, build 16232 and later
|
||||
|
||||
**Audience**
|
||||
|
||||
- Enterprise security administrators
|
||||
|
||||
|
||||
**Manageability available with**
|
||||
|
||||
- Group Policy
|
||||
- PowerShell
|
||||
- Windows Management Instrumentation (WMI)
|
||||
- System Center Configuration Manager
|
||||
- Microsoft Intune
|
||||
- Windows Defender Security Center app
|
||||
|
||||
|
||||
Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software.
|
||||
|
||||
You can use Windows Defender EG to:
|
||||
|
||||
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [exploit protection](exploit-protection-exploit-guard.md)
|
||||
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [attack surface reduction rules](attack-surface-reduction-exploit.guard.md)
|
||||
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [network protection](network-protection-exploit-guard.md)
|
||||
- Protect files in key system folders from changes made by malicious and suspicious apps with [controlled folder access](controlled-folders-exploit-guard.md)
|
||||
|
||||
Evaluate Windows Defender EG with our evaluation and set-up guide, which provides a pre-built PowerShell script and testing tool so you can see the new features in action:
|
||||
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
|
||||
|
||||
You can also [enable audit mode](audit-mode-exploit-guard.md) for Windows Defender EG, which provides with reporting and event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
|
||||
|
||||
Windows Defender EG is a component of the new Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. Other components of Windows Defender Advanced Threat Protection include:
|
||||
- [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
|
||||
- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
|
||||
- [Windows Defender SmartScreen]
|
||||
- [Windows Defender Device Guard]
|
||||
- [Windows Defender Application Control]
|
||||
|
||||
Each of the features in Windows Defender EG have slightly different requirements:
|
||||
|
||||
Feature | Minimum Windows 10 Insider Preview build | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license
|
||||
-|-|-|-
|
||||
Exploit protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
|
||||
Attack surface reduction | 16232 | Must be enabled | Required
|
||||
Network protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
|
||||
Controlled folder access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
|
||||
|
||||
> [!NOTE]
|
||||
> Each feature's requirements are further described in the individual topics in this library.
|
||||
|
||||
The way in which the features can be managed, configured, and reported on also varies:
|
||||
|
||||
Feature | Configuration available with | Reporting available with
|
||||
-|-|-
|
||||
Exploit protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
|
||||
Attack surface reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
|
||||
Network protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
|
||||
Controlled folder access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
|
||||
|
||||
|
||||
## In this library
|
||||
|
||||
Topic | Description
|
||||
---|---
|
||||
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
|
||||
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit.guard.m) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as macro, script, PowerShell, USB, and Flash security policies and configuration.
|
||||
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors, and set up reporting for suspicious activity.
|
||||
[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (such as ransomware malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
|
||||
|
||||
|
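Review bot: Two link targets in the "In this library" table look broken: `exploit-protection-exploit-guard` has no `.md` extension, and `attack-surface-reduction-exploit.guard.m` is cut short and has a dot before `guard`, while the other two rows point at `...-exploit-guard.md` files. Confirm the real file names and make all four targets consistent so the index does not ship dead links. In the management table just above it, the bare `x` under "Reporting available with" for attack surface reduction, network protection and controlled folder access is ambiguous (not available, or not yet documented); spell the value out. The same goes for "not released" as the minimum build for network protection in the requirements table, which a reader cannot act on.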
@ -0,0 +1,92 @@
|
||||
---
|
||||
title: Use Windows Defender Exploit Guard to protect your corporate network
|
||||
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
|
||||
keywords: emet, exploit guard, controlled folder access, network protection, exploit protection, attack surface reduction, hips, host intrusion prevention system
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
localizationpriority: medium
|
||||
author: iaanw
|
||||
msft.author: iawilt
|
||||
---
|
||||
|
||||
|
||||
|
||||
# Windows Defender Exploit Guard
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Insider Preview, build 16232 and later
|
||||
|
||||
**Audience**
|
||||
|
||||
- Enterprise security administrators
|
||||
|
||||
|
||||
**Manageability available with**
|
||||
|
||||
- Group Policy
|
||||
- PowerShell
|
||||
- Windows Management Instrumentation (WMI)
|
||||
- System Center Configuration Manager
|
||||
- Microsoft Intune
|
||||
- Windows Defender Security Center app
|
||||
|
||||
|
||||
Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software.
|
||||
|
||||
You can use Windows Defender EG to:
|
||||
|
||||
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [exploit protection](exploit-protection-exploit-guard.md)
|
||||
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [attack surface reduction rules](attack-surface-reduction-exploit.guard.md)
|
||||
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [network protection](network-protection-exploit-guard.md)
|
||||
- Protect files in key system folders from changes made by malicious and suspicious apps with [controlled folder access](controlled-folders-exploit-guard.md)
|
||||
|
||||
Evaluate Windows Defender EG with our evaluation and set-up guide, which provides a pre-built PowerShell script and testing tool so you can see the new features in action:
|
||||
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
|
||||
|
||||
You can also [enable audit mode](audit-mode-exploit-guard.md) for Windows Defender EG, which provides with reporting and event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
|
||||
|
||||
Windows Defender EG is a component of the new Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. Other components of Windows Defender Advanced Threat Protection include:
|
||||
- [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
|
||||
- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
|
||||
- [Windows Defender SmartScreen]
|
||||
- [Windows Defender Device Guard]
|
||||
- [Windows Defender Application Control]
|
||||
|
||||
Each of the features in Windows Defender EG have slightly different requirements:
|
||||
|
||||
Feature | Minimum Windows 10 Insider Preview build | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license
|
||||
-|-|-|-
|
||||
Exploit protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
|
||||
Attack surface reduction | 16232 | Must be enabled | Required
|
||||
Network protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
|
||||
Controlled folder access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
|
||||
|
||||
> [!NOTE]
|
||||
> Each feature's requirements are further described in the individual topics in this library.
|
||||
|
||||
The way in which the features can be managed, configured, and reported on also varies:
|
||||
|
||||
Feature | Configuration available with | Reporting available with
|
||||
-|-|-
|
||||
Exploit protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
|
||||
Attack surface reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
|
||||
Network protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
|
||||
Controlled folder access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
|
||||
|
||||
|
||||
## In this library
|
||||
|
||||
Topic | Description
|
||||
---|---
|
||||
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
|
||||
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit.guard.m) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as macro, script, PowerShell, USB, and Flash security policies and configuration.
|
||||
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors, and set up reporting for suspicious activity.
|
||||
[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (such as ransomware malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
|
||||
|
||||
|
||||
|
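Review bot: The front matter declares `ms.pagetype: security` twice and uses `msft.author` where every other metadata key carries the `ms.` prefix; drop the duplicate and check the author key against what the docs build expects. In the list of other Windows Defender ATP components, `[Windows Defender SmartScreen]`, `[Windows Defender Device Guard]` and `[Windows Defender Application Control]` are bracketed but have no link target anywhere in this hunk, unlike the two entries above them; add targets or remove the brackets. Wording to fix before merge: "utlizing", "which provides with reporting" (the object is missing), "threat mitigation, preventing, protection, and analysis" and "Each of the features ... have". The intro list also links to `attack-surface-reduction-exploit.guard.md` with a dot before `guard`, where the sibling files use a hyphen.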