Merged PR 10553: fixing toc and asr topics

I created a new branch because atp-phase2-justinha was messed up.
This commit is contained in:
Justin Hall 2018-08-12 15:53:51 +00:00
commit 9476d98201
37 changed files with 689 additions and 584 deletions

View File

@ -1,12 +1,20 @@
# [Threat protection](index.md)
## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)
### [Get started](get-started.md) |
### [Overview](overview.md)
#### [Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md)
#### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
#### [Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)
#### [Auto investigation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md)
#### [Security posture]()
#### [Advanced hunting]()
#### [Management and APIs]()
#### [Microsoft threat protection]()
#### [Windows Defender Security Center](windows-defender-atp/use-windows-defender-advanced-threat-protection.md)
### [Get started](get-started.md)
#### [Minimum requirements](windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md)
#### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
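Review bot: four new entries in this hunk have empty link targets, `#### [Security posture]()`, `#### [Advanced hunting]()`, `#### [Management and APIs]()` and `#### [Microsoft threat protection]()`; an empty target renders as a link back to the TOC page itself, so either point them at placeholder topics or leave them out until the pages exist. The hunk also carries a stray trailing `|` on `### [Get started](get-started.md) |`, keeps `Get started` twice at the same level, and mixes backslash paths (`windows-defender-atp\licensing-...`) with forward-slash ones; normalise on forward slashes, which the other entries in this file already use.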
@ -20,9 +28,9 @@
##### [Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
##### [Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
##### [Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
##### [Next gen protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
##### [ASR controls](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
##### [Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
##### [Network firewall](windows-firewall\evaluating-windows-firewall-with-advanced-security-design-examples.md)
##### [Next gen protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
### [Onboard and configure machines to Windows Defender ATP](onboard.md)
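Review bot: `##### [Next gen protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)` appears twice in this hunk, and `ASR controls` and `Attack surface reduction` both link to `evaluate-attack-surface-reduction.md`, so the evaluation list would show the same page under two names; keep one entry for each. The `Next gen protection` label also differs from `Next generation protection` used elsewhere in this TOC.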
@ -45,19 +53,19 @@
####[Configure ASR](configure1.md)
####[Configure attack surface reduction](configure-attack-surface-reduction.md)
##### [Hardware-based isolation](windows-defender-application-guard/configure-wd-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control-deployment-guide.md)
##### [Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
##### [Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
##### [Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
##### [ASR controls](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
##### [Network firewall](windows-firewall\windows-firewall-with-advanced-security-deployment-guide.md)
##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
##### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
##### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
##### [Attack surface reduction controls](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
#### [Configure next generation protection](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
##### [Next generation protection in Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
##### [Next generation protection in Windows Server](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
##### [Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
###### [Use limited periodic scanning](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
##### [Deploy next generation protection](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
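Review bot: `####[Configure ASR](configure1.md)` and `####[Configure attack surface reduction](configure-attack-surface-reduction.md)` lack the space between the hashes and the bracket; CommonMark requires that space for a heading, so confirm the TOC parser still nests this entry at level 4. The retitled `Next generation protection in Windows Server` entry still points at `windows-defender-antivirus-on-windows-server-2016.md`, which works, but add a redirect if the file is later renamed to match the title.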
@ -144,62 +152,20 @@
### [Attack surface reduction](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
#### [Hardware-based isolation](windows-defender-application-guard\wd-app-guard-overview.md)
##### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
#### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Design](windows-defender-application-control/windows-defender-application-control-design-guide.md)
##### [Deploy](windows-defender-application-control/windows-defender-application-control-deployment-guide.md)
##### [AppLocker](windows-defender-application-control/applocker/applocker-overview.md)
#### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
##### [Compare with EMET](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
##### [Evaluate](windows-defender-exploit-guard\evaluate-exploit-protection.md)
##### [Enable](windows-defender-exploit-guard\enable-exploit-protection.md)
##### [Customize](windows-defender-exploit-guard\customize-exploit-protection.md)
###### [Import, export, and deploy](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
#### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
##### [Evaluate](windows-defender-exploit-guard\evaluate-network-protection.md)
##### [Enable](windows-defender-exploit-guard\enable-network-protection.md)
##### [Troubleshoot](windows-defender-exploit-guard\troubleshoot-np.md)
#### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
##### [Evaluate](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
##### [Enable](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
##### [Customize](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
#### [ASR controls](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
##### [Evaluate](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
##### [Enable](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
##### [Customize](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
##### [Troubleshoot](windows-defender-exploit-guard\troubleshoot-asr.md)
#### [Network firewall](windows-firewall\windows-firewall-with-advanced-security.md)
##### [Isolate Store Apps](windows-firewall\isolating-apps-on-your-network.md)
##### [Secure IPsec Connections](windows-firewall\securing-end-to-end-ipsec-connections-by-using-ikev2.md)
##### [PowerShell](windows-firewall\windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
##### [Design](windows-firewall\windows-firewall-with-advanced-security-design-guide.md)
##### [Deploy](windows-firewall\windows-firewall-with-advanced-security-deployment-guide.md)
### [Next gen protection](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
##### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
##### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
##### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
#### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
#### [Configure next gen protection features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
###### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
###### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
###### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
###### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
###### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
##### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
### [Endpoint detection and response - Tomer B.](edr.md)
### [Endpoint detection and response](edr.md)
####Alerts queue
##### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
##### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
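Review bot: the next-generation-protection subtree appears twice in this hunk at different depths (`### [Next gen protection]` with `####` children, then `#### [Configure next gen protection features]` with `#####` children), both pointing at the same `configure-windows-defender-antivirus-features.md` set of files; confirm only one copy survives in the merged TOC. `####Alerts queue` lacks the space after the hashes and has no link, and an author tag such as `Endpoint detection and response - Tomer B.` must not reach a published TOC, so the side that drops it is the one to keep.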
@ -387,6 +353,12 @@
#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
####Troubleshoot attack surface reduction
##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
#### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
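Review bot: `####Troubleshoot attack surface reduction` has no space after the hashes and no link target, unlike its siblings `#### [Troubleshoot Windows Defender ATP service issues]` and `#### [Troubleshoot next generation protection]`; add the space and either give it a landing page or keep it as a plain grouping node, consistently with the other unlinked nodes in this file.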
@ -981,4 +953,4 @@
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
## [Change history for Threat protection](change-history-for-threat-protection.md)
## [Change history for Threat protection](change-history-for-windows-defender-atp.md)
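Review bot: the change-history link moves from `change-history-for-threat-protection.md` to `change-history-for-windows-defender-atp.md`, and the old file is deleted in this PR; any page or external bookmark that still references the old filename will break, so add a redirect entry (or keep a stub) for the old path.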

View File

@ -1,81 +0,0 @@
---
title: Change history for threat protection (Windows 10)
description: This topic lists new and updated topics in the Windows 10 threat protection documentation for Windows 10 and Windows 10 Mobile.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 10/31/2017
---
# Change history for threat protection
This topic lists new and updated topics in the [Threat protection](index.md) documentation.
## February 2018
New or changed topic | Description
---------------------|------------
[Security Compliance Toolkit](security-compliance-toolkit-10.md) | Added Office 2016 Security Baseline.
[Audit security group management](auditing/audit-security-group-management.md)| Added recommendation to audit Failure events.
## January 2018
|New or changed topic |Description |
|---------------------|------------|
|[Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)|New topic. WDAC replaces cofigurable code integrity policies. |
## November 2017
|New or changed topic |Description |
|---------------------|------------|
| [How to enable virtualization-based protection of code integrity](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)| New. Explains how to enable HVCI. |
## October 2017
|New or changed topic |Description |
|---------------------|------------|
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md)|Added auto-recovery section.
|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md)|New topic for MAM using the Azure portal.|
| [TPM fundamentals](/windows/security/hardware-protection/tpm/tpm-fundamentals.md)<br>[BitLocker Group Policy settings](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md) | Explained the change to allow reducing the maximum PIN length from 6 characters to 4. |
| [Windows security baselines](windows-security-baselines.md) | New. Security baselines added for Windows 10, versions 1703 and 1709. |
| [Security Compliance Toolkit](security-compliance-toolkit-10.md) | New. Includes a link to tools for managing security baselines. |
| [Get support for security baselines](get-support-for-security-baselines.md) | New. Explains supported versions for security baselines and other support questions. |
## August 2017
|New or changed topic |Description |
|---------------------|------------|
| [BitLocker: Management recommendations for enterprises](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
| [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) | Revised description |
## July 2017
|New or changed topic |Description |
|---------------------|------------|
| [How Windows 10 uses the Trusted Platform Module](/windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
## June 2017
|New or changed topic |Description |
|---------------------|------------|
|[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](\windows\security\information-protection\windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
|[Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](\windows\security\information-protection\windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
|[Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](\windows\security\information-protection\windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](\windows\security\information-protection\windows-information-protection\enlightened-microsoft-apps-and-wip.md)|Updated to include newly enlightened and supported apps.|
|[Secure the Windows 10 boot process](/windows/security/hardware-protection/secure-the-windows-10-boot-process.md)| Updated from existing applicable and relevant Windows 8.1 content |
## May 2017
|New or changed topic |Description |
|---------------------|------------|
| [BitLocker Group Policy settings](/windows/security//information-protection/bitlocker/bitlocker-group-policy-settings.md) | Changed startup PIN minimun length from 4 to 6. |
| [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) | New security policy setting. |
## March 2017
|New or changed topic |Description |
|---------------------|------------|
|[How to collect Windows Information Protection (WIP) audit event logs](/windows/security//information-protection/windows-information-protection/collect-wip-audit-event-logs.md) |New |
|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](/windows/security//information-protection/windows-information-protection/mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
|[Limitations while using Windows Information Protection (WIP)](/windows/security//information-protection/windows-information-protection/limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703.|
|[Windows Defender SmartScreen overview](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)|New |
|[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)|New |
|[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)|New |
|[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Explains how mitigations in the Enhanced Mitigation Experience Toolkit (EMET) relate to those in Windows 10. |
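Review bot: deleting this file drops the whole change history for the non-ATP security topics it lists (BitLocker, Windows Information Protection, TPM, security baselines, SmartScreen, security policy settings, HVCI) without moving those entries anywhere; the replacement file added in this PR covers only Windows Defender ATP. Keep this history in a threat-protection change log or fold the entries into the new file before removing it.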

View File

@ -0,0 +1,19 @@
---
title: Change history for Windows Defender Advanced Threat Protection (Windows Defender ATP)
description: This topic lists new and updated topics in the WWindows Defender ATP content set.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/11/2018
---
# Change history for threat protection
This topic lists new and updated topics in the [Windows Defender ATP](windows-defender-atp/windows-defender-advanced-threat-protection.md) documentation.
## August 2018
New or changed topic | Description
---------------------|------------
[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Windows Defender ATP platform.
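Review bot: `description:` has a typo, `WWindows Defender ATP`; fix it before merge, since that string becomes the page's meta description. The H1 `# Change history for threat protection` also does not match the `title:` (`Change history for Windows Defender Advanced Threat Protection ...`); make them consistent. `author: brianlic-msft` and `ms.mktglfcycl: deploy` look copied from the deleted file; check that they are the intended values for this new topic.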

View File

@ -1,5 +1,5 @@
---
title: Prepare and install Windows Defender Application Guard (Windows 10)
title: Enable hardware-based isolation for Microsoft Edge (Windows 10)
description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise.
ms.prod: w10
ms.mktglfcycl: manage
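Review bot: the title changes to `Enable hardware-based isolation for Microsoft Edge`, but `description:` still reads `... how to install Application Guard in your enterprise`; update the description to match the new title so search snippets do not point readers at the old framing.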
@ -10,7 +10,38 @@ ms.author: justinha
ms.date: 10/19/2017
---
## Prepare to install Windows Defender Application Guard
# Enable hardware-based isolation for Microsoft Edge
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
## Review system requirements
>[!NOTE]
>Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
### Hardware requirements
Your environment needs the following hardware to run Windows Defender Application Guard.
|Hardware|Description|
|--------|-----------|
|64-bit CPU|A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).|
|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_<br><br>**-AND-**<br><br>One of the following virtualization extensions for VBS:<br><br>VT-x (Intel)<br><br>**-OR-**<br><br>AMD-V|
|Hardware memory|Microsoft requires a minimum of 8GB RAM|
|Hard disk|5 GB free space, solid state disk (SSD) recommended|
|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
### Software requirements
Your environment needs the following software to run Windows Defender Application Guard.
|Software|Description|
|--------|-----------|
|Operating system|Windows 10 Enterprise edition, version 1709 or higher<br>Windows 10 Professional edition, version 1803|
|Browser|Microsoft Edge and Internet Explorer|
|Management system<br> (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)<br><br>**-OR-**<br><br>[System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)<br><br>**-OR-**<br><br>[Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
## Prepare for Windows Defender Application Guard
Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
**Standalone mode**
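Review bot: `ms.date: 10/19/2017` is unchanged although this hunk adds a new H1, an Applies-to block and full hardware and software requirement tables; bump the date. The requirement tables duplicate what `reqs-wd-app-guard.md` provides (that page is still linked as `System requirements for Windows Defender Application Guard` from the Application Guard Related topics table in this PR), so the CPU, RAM and disk minimums now live in two places and will drift; keep one source and link to it. Note also that the table states Microsoft *requires* a minimum of 8GB RAM and 4 cores, while the FAQ in this PR says 8GB is *recommended* and shows registry values to run below it; align the wording. `**Standalone mode**` is bold text rather than a heading, unlike `## Prepare for Windows Defender Application Guard` just above it.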

View File

@ -36,11 +36,65 @@ Application Guard has been created to target several types of systems:
- **Personal devices.** These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
## In this section
## Frequently Asked Questions
| | |
|---|----------------------------|
|**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?|
|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. |
||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.|
||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.|
<br>
| | |
|---|----------------------------|
|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?|
|**A:** |In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.<br><br>In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.|
<br>
| | |
|---|----------------------------|
|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?|
|**A:** |Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.|
<br>
| | |
|---|----------------------------|
|**Q:** |Why don't employees see their Favorites in the Application Guard Edge session?|
|**A:** |To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.|
<br>
| | |
|---|----------------------------|
|**Q:** |Why arent employees able to see their Extensions in the Application Guard Edge session?|
|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.|
<br>
| | |
|---|----------------------------|
|**Q:** |How do I configure WDAG to work with my network proxy (IP-Literal Addresses)?|
|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher.|
<br>
| | |
|---|----------------------------|
|**Q:** |I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?|
|**A:** |This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and well work with you to enable the feature.|
<br>
| | |
|---|----------------------------|
|**Q:** |What is the WDAGUtilityAccount local account?|
|**A:** |This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.|
<br>
## Related topics
|Topic |Description |
|------|------------|
|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard.|
|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.|
|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.|
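Review bot: two apostrophes are missing in the added FAQ text, `Why arent employees` and `well work with you`. The Related topics table still lists `Prepare and install Windows Defender Application Guard` for `install-wd-app-guard.md`, which this same PR retitles to `Enable hardware-based isolation for Microsoft Edge`, and it links the FAQ page to itself (`faq-wd-app-guard.md`); update the first and drop the second. In the 4GB RAM answer, the `HKLM\software\Microsoft\Hvsi\SpecRequired*` values lower the hardware gate below the minimum documented on the install page; say explicitly that those overrides are for evaluation on under-spec machines and that the 8GB/4-core figures remain the supported configuration, so the answer is not read as a sanctioned production setting.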

View File

@ -1,8 +1,15 @@
# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
## [Overview](overview.md)
## [Overview](overview-attack-surface-reduction.md)
### [Attack surface reduction](overview-attack-surface-reduction.md)
#### [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
#### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md)
### [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
### [Endpoint detection and response](overview-endpoint-detection-response.md)
### [Auto investigation](../windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md)
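Review bot: `## [Overview](overview-attack-surface-reduction.md)` points the top-level Overview node at the attack surface reduction overview, the same file as its child `### [Attack surface reduction](overview-attack-surface-reduction.md)`; the line it replaces used `overview.md`, and the parent TOC in this PR still links `### [Overview](overview.md)`, so this looks like a mis-edit.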
@ -13,36 +20,8 @@
### [Windows Defender Security Center](use-windows-defender-advanced-threat-protection.md)
#### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
#### [View the Security operations dashboard - consdier moving to the relevant pillar](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
#### [Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md)
### [Attack surface reduction - Chris, Amitai, Justin](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
#### [Hardware based isolation](../windows-defender-application-guard//wd-app-guard-overview.md)
##### [Frequently Asked Questions - Windows Defender Application Guard](../windows-defender-application-guard//faq-wd-app-guard.md)
#### [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
#### [Exploit protection - Chris, Amitai, Andrea](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
##### [Comparison with Enhanced Mitigation Experience Toolkit](../windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md)
##### [Enable Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
##### [Customize Exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
###### [Import, export, and deploy Exploit protection configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
#### [Network Protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
##### [Enable Network Protection](../windows-defender-exploit-guard/enable-network-protection.md)
##### [Troubleshoot Network protection](../windows-defender-exploit-guard/troubleshoot-np.md)
#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
##### [Enable Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
##### [Customize Controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
##### [Enable Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
##### [Customize Attack surface reduction](../windows-defender-exploit-guard/customize-attack-surface-reduction.md)
##### [Troubleshoot Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md)
### [Next gen protection - Andrea, Chris, Amitai](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
### [Endpoint detection and response - Tomer B.](../edr.md)
####Alerts queue
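Review bot: `#### [View the Security operations dashboard - consdier moving to the relevant pillar]` carries an editorial note (with a typo) inside a TOC entry; remove it before publishing, along with the `- Chris, Amitai, Justin`, `- Chris, Amitai, Andrea`, `- Andrea, Chris, Amitai` and `- Tomer B.` owner tags on the removed side if any survive the merge. Several paths in this hunk have a doubled separator (`../windows-defender-application-guard//wd-app-guard-overview.md`, `//faq-wd-app-guard.md`); these usually resolve but fail link validation, so normalise them. `####Alerts queue` again lacks the space after the hashes.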
@ -193,16 +172,15 @@
### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
### [Evaluate Windows Defender ATP](../evaluate.md)
#### [Evaluate Attack surface reduction - ASR controls](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
#### [Evaluate Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
#### [Evaluate Network Protection](../windows-defender-exploit-guard/evaluate-network-protection.md)
#### [Evaluate Controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
### [Evaluate Windows Defender ATP](../evaluate-atp.md)
#### [Hardware-based isolation](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
#### [Application control](../windows-defender-application-control/audit-windows-defender-application-control-policies.md)
#### [Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
#### [Network Protection](../windows-defender-exploit-guard/evaluate-network-protection.md)
#### [Controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
#### [Attack surface reduction controls](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
#### [Evaluate Windows Defender Antivirus protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
#### [Evaluate Windows Defender Exploit Guard-rewrite](../windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md)
#### [Use auditing mode to evaluate Windows Defender Exploit Guard](../windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md)
#### [Testing scenarios using Windows Defender Application Guard in your business or organization](../windows-defender-application-guard//test-scenarios-wd-app-guard.md)
## [Onboard and configure machines to Windows Defender ATP](../onboard.md)
### [Onboard machines - need to revise this page](onboard-configure-windows-defender-advanced-threat-protection.md)
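Review bot: two `### [Evaluate Windows Defender ATP]` entries remain with different targets (`../evaluate.md` and `../evaluate-atp.md`); if the first is the old line it should be removed, otherwise the heading appears twice. Two link titles still contain work-in-progress notes that will ship as-is: `Evaluate Windows Defender Exploit Guard-rewrite` and `Onboard machines - need to revise this page`. The path `../windows-defender-application-guard//test-scenarios-wd-app-guard.md` also uses a doubled slash, while the entry for the same file a few lines above uses a single one; make them match.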
@ -223,14 +201,23 @@
##### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
###[Configure Attack surface reduction](../configure1.md)
#### [System requirements for Windows Defender Application Guard](../windows-defender-application-guard//reqs-wd-app-guard.md)
#### [Prepare and install Windows Defender Application Guard](../windows-defender-application-guard//install-wd-app-guard.md)
#### [Configure the Group Policy settings for Windows Defender Application Guard](../windows-defender-application-guard//configure-wd-app-guard.md)
###[Configure attack surface reduction](../configure-attack-surface-reduction.md)
#### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md)
##### [Group Policy settings](../windows-defender-application-guard/configure-wd-app-guard.md)
#### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
#### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)
#### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
#### [Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
##### [Customize attack surface reduction](../windows-defender-exploit-guard/customize-attack-surface-reduction.md)
#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
### [Configure Next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
### [Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
#### [Utilize Microsoft cloud-delivered protection](../windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
##### [Enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
##### [Specify the cloud-delivered protection level](../windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
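Review bot: both `###[Configure Attack surface reduction](../configure1.md)` and `###[Configure attack surface reduction](../configure-attack-surface-reduction.md)` lack the space between the hashes and the link, so neither renders as a heading; add the space on whichever line survives, and keep only one of them since they point at different files. The three Application Guard entries under the first heading use `//` in their paths (`../windows-defender-application-guard//reqs-wd-app-guard.md` and the two after it) while the replacement entries use a single slash, so the old lines look like leftovers. Likewise `Configure Next generation protection` and `Configure next generation protection` have the same target; keep one.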
@ -309,10 +296,8 @@
##Troubleshoot Windows Defender ATP
### [Review AV/NEXT GEN event logs and error codes to troubleshoot issues - Amitai, etc](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
## Troubleshoot sensor state
###Troubleshoot sensor state
### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
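Review bot: `##Troubleshoot Windows Defender ATP` and `###Troubleshoot sensor state` are missing the space after the hashes and will not render as headings, and the `## Troubleshoot sensor state` line duplicates the same heading at a different level; keep one, with the space. The antivirus entry still carries a reviewer assignment in its title (`- Amitai, etc`) that must come out before publishing. `fix-unhealhty-sensors-...` in the last two entries is misspelled; that is only acceptable if the file on disk really has that name.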
@ -322,6 +307,11 @@
### [Troubleshoot Windows Defender ATP service issues](troubleshoot-windows-defender-advanced-threat-protection.md)
#### [Check service health](service-status-windows-defender-advanced-threat-protection.md)
###Troubleshoot attack surface reduction
#### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md)
#### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md)
### [Troubleshoot next generation protection](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
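Review bot: `###Troubleshoot attack surface reduction` needs a space after the hashes to render as a heading. The two pages under it, `troubleshoot-np.md` and `troubleshoot-asr.md`, are also still listed under `##### [Troubleshoot Network protection]` and `##### [Troubleshoot Attack surface reduction rules]` at the top of this diff; confirm one of the two placements is the removed side, or the same topics will appear twice in the TOC.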

View File

@ -15,11 +15,19 @@ ms.date: 07/01/2018
# Overview of attack surface reduction
Andrea to make intro section
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Attack surface reduction capabilities in Windows Defender ATP helps protect the devices and applications in your organization from new and emerging threats.
| Capability | Description |
|------------|-------------|
| [Hardware-based isolation](../windows-defender-application-guard//wd-app-guard-overview.md) | protects and maintains the integrity of the system as it starts and while it's running, and validates system integrity through local and remote attestation. In addition, container isolation for Microsoft Edge helps protect host operating system from malicious wbsites. |
| [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. |
| [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) | Applies exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV) |
| [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) | Extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV. |
| [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV. |
| [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) | reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV. |
| [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Host-based, two-way network traffic filtering that blocks unauthorized network traffic flowing into or out of the local device. |
- Exploit protection can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV).
- Attack surface reduction rules can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV.
- Network protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV.
- Controlled folder access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV.
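Review bot: `Andrea to make intro section` is an author placeholder sitting between the heading and **Applies to**, and will ship as body text. In the table, the Hardware-based isolation row describes boot-time integrity and local and remote attestation but links to the Application Guard overview, which covers only the Microsoft Edge container; either link to the topic that covers measured boot and attestation or trim the description to what Application Guard does. Same row: `wbsites` should be `websites`, and the descriptions start inconsistently (`protects...`, `Moves...`, `reduce...`, `Helps...`); pick one form. The four bullets after the table, `- Exploit protection can apply...` through `- Controlled folder access helps...`, repeat the table rows almost word for word; if they are the old text they should go, otherwise the page says everything twice.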

View File

@ -11,41 +11,32 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 07/30/2018
ms.date: 08/08/2018
---
# Reduce attack surfaces with Windows Defender Exploit Guard
# Reduce attack surfaces
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Microsoft Office 365
- Microsoft Office 2016
- Microsoft Office 2013
- Microsoft Office 2010
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Supported in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
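Review bot: the rewrite removes Windows Server 2016 and the four Office versions from **Applies to** and drops `It is part of [Windows Defender Exploit Guard]`, while the file is still `attack-surface-reduction-exploit-guard.md` and the Testground tip and related-topics links elsewhere in this commit keep the Exploit Guard wording; say once on this page what the feature is now grouped under so the naming is not left implicit. Removing the Office versions also removes the only statement of which Office releases the Office rules cover, and the hunk below deletes the cross-reference `See the **Applies to** section at the start of this topic for a list of supported Office version`; keep the supported Office versions somewhere on the page.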
@ -66,32 +57,16 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua
## Requirements
Attack surface reduction requires Windows 10 Enterprise E5 and Windows Defender AV real-time protection.
Windows 10 version | Windows Defender Antivirus
- | -
Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled
Attack surface reduction requires Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
## Attack surface reduction rules
Windows 10, version 1803 has five new Attack surface reduction rules:
- Block executable files from running unless they meet a prevalence, age, or trusted list criteria
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
In addition, the following rule is available for beta testing:
- Block Office communication applications from creating child processes
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
Rule name | GUID
-|-
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
@ -102,12 +77,11 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block only Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version.
The rules apply to the following Office apps:
Supported Office apps:
- Microsoft Word
- Microsoft Excel
- Microsoft PowerPoint
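Review bot: deleting the `Windows 10, version 1803 has five new Attack surface reduction rules:` list removes the only place that said those five rules (the executable-prevalence rule, `c1db55ab...`, `9e6c4e1f...`, `d1e49aac...` and `b2b3f03d...`) need 1803, while **Requirements** still says only `Windows 10 version 1709 or later`; keep the 1803 qualifier against those rules, for example as a column in the GUID table. The rename to `Block only Office communication applications from creating child processes` should also be applied to the earlier sentence `- Block Office communication applications from creating child processes` under `the following rule is available for beta testing`, which still uses the old name. GUIDs in the table are upper case in the first rows and lower case from `c1db55ab` on; normalise to one case.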
@ -127,7 +101,7 @@ This rule blocks the following file types from being run or launched from an ema
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block Office applications from creating child processes
### Rule: Block all Office applications from creating child processes
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
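Review bot: renaming the heading to `### Rule: Block all Office applications from creating child processes` changes the generated anchor, so any existing link to `#rule-block-office-applications-from-creating-child-processes` will stop resolving; search the repo for the old anchor before merge. The body `This includes Word, Excel, PowerPoint, OneNote, and Access` does not say whether Outlook is in scope, which matters now that a separate rule exists for Office communication applications; state it explicitly.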
@ -215,7 +189,7 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Block Office communication applications from creating child processes (available for beta testing)
### Rule: Block only Office communication applications from creating child processes (available for beta testing)
Office communication apps will not be allowed to create child processes. This includes Outlook.
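Review bot: `only` in `Block only Office communication applications from creating child processes` is there to contrast with the `all Office applications` rule, but the description `Office communication apps will not be allowed to create child processes. This includes Outlook.` leaves open whether anything besides Outlook is covered; with a name that promises a narrow scope, list the covered apps exactly. Same anchor caveat as the earlier heading rename: update links to the old `#rule-block-office-communication-applications-...` anchor.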

View File

@ -1,6 +1,6 @@
---
title: Test how Windows Defender EG features work
description: Audit mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled
title: Test how Windows Defender ATP features work
description: Audit mode lets you use the event log to see how Windows Defender ATP would protect your devices if it were enabled
keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
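Review bot: the title and description now say Windows Defender ATP, but the `keywords:` line still leads with `exploit guard` and nothing in it mentions ATP; update it in the same change, otherwise search keeps routing this page under the old name.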
@ -11,35 +11,32 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
# Use audit mode to evaluate Windows Defender Exploit Guard features
# Use audit mode
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
You can enable each of the features of Windows Defender Exploit Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
You can enable attack surface reduction, eploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode.
You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
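Review bot: two typos in the new text: `eploit protection` should be `exploit protection`, and `greater deatils for each event` should be `greater detail for each event`. With the subject now plural (`how the features will work`), `to ensure it doesn't affect` should become `to ensure they don't affect`. The `servicer providers` to `service providers` fix is good.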
@ -76,10 +73,10 @@ You can also use the a custom PowerShell script that enables the features in aud
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
- [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Reduce attack surfaces with](attack-surface-reduction-exploit-guard.md)
- [Protect your network](network-protection-exploit-guard.md)
- [Protect important folders](controlled-folders-exploit-guard.md)
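Review bot: `- [Reduce attack surfaces with](attack-surface-reduction-exploit-guard.md)` has a dangling `with` left over from trimming `with Windows Defender Exploit Guard`; the link text should be `Reduce attack surfaces`, matching the heading that page now uses.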

View File

@ -1,5 +1,5 @@
---
title: Submit cab files related to Windows Defender EG problems
title: Submit cab files related to problems
description: Use the command-line tool to obtain .cab file that can be used to investigate ASR rule issues.
keywords: troubleshoot, error, fix, asr, windows defender eg, exploit guard, attack surface reduction
search.product: eADQiWindows 10XVcnh
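Review bot: `Submit cab files related to problems` no longer says which problems, while the description still scopes the page to ASR rule issues; something like `Submit cab files related to attack surface reduction problems` keeps the title searchable. `keywords:` also still lists `windows defender eg, exploit guard`, the name the rest of this commit removes.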
@ -11,17 +11,16 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
# Collect diagnostic data for Windows Defender Exploit Guard file submissions
# Collect diagnostic data for file submissions
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- IT administrators
@ -64,7 +63,7 @@ Before attempting this process, ensure you have met all required pre-requisites
## Related topics
- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md)
- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md)
- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
- [Troubleshoot ASR rules](troubleshoot-asr.md)
- [Troubleshoot Network protection](troubleshoot-np.md)

View File

@ -1,6 +1,6 @@
---
title: Help prevent ransomware and threats from encrypting and changing files
description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware encrypting your files.
description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware from encrypting your files.
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
@ -21,27 +21,24 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
@ -58,12 +55,9 @@ The protected folders include common system folders, and you can [add additional
As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled folder access would impact your organization if it were enabled.
## Requirements
Windows 10 version | Windows Defender Antivirus
-|-
Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled
Controlled folder access requires enabling [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
## Review Controlled folder access events in Windows Event Viewer
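Review bot: `As with other features of Windows Defender Exploit Guard, you can use [audit mode]...` is left unchanged in this hunk while the hunk above removes `It is part of [Windows Defender Exploit Guard]` from the intro; either keep that sentence and its link or reword the audit-mode sentence to match. `Controlled folder access requires enabling [Windows Defender AV real-time protection]` reads oddly; `requires [Windows Defender AV real-time protection] to be enabled` is clearer and matches the wording the ASR topic now uses.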

View File

@ -11,31 +11,29 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 07/30/2018
ms.date: 08/08/2018
---
# Customize Attack surface reduction
**Applies to:**
- Windows 10 Enterprise edition, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
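Review bot: **Applies to** here says `Windows 10 Enterprise edition, version 1709 and later` while the other topics in this commit say `Windows 10, version 1709 and later`; pick one wording. Dropping `Supported in Windows 10 Enterprise E5` from the intro is fine only because the main ASR topic keeps it under **Requirements**; a one-line pointer to that section would stop a reader who lands on the customize page first from missing the licensing requirement.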
@ -54,7 +52,7 @@ This could potentially allow unsafe files to run and infect your devices.
You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions.
Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.
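Review bot: replacing `Windows 10, version 1803 supports environment variables and wildcards` with `Attack surface reduction supports environment variables and wildcards` loses the version condition while **Applies to** still starts at version 1709; if wildcards are not honoured on 1709, keep `Starting with Windows 10, version 1803` in the sentence. The `/en-us/` removal from the link is fine.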
@ -64,7 +62,7 @@ Exclusions will only be applied to certain rules. Some rules will not honor the
Rule description | Rule honors exclusions | GUID
-|:-:|-
Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899
@ -76,7 +74,7 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block only Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
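Review bot: this table duplicates the rule-name and GUID list in attack-surface-reduction-exploit-guard.md, and both had to be edited by hand in this commit for the same rename; consider a shared include so the two cannot drift. Minor: GUIDs are upper case in the first rows and lower case from `9e6c4e1f...` on, as in the other topic.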
@ -110,7 +108,7 @@ Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add
### Use MDM CSPs to exclude files and folders
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
@ -122,7 +120,7 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md)
- [Enable Attack surface reduction](enable-attack-surface-reduction.md)
- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)

View File

@ -1,5 +1,5 @@
---
title: Add additional folders and apps to be protected by Windows 10
title: Add additional folders and apps to be protected
description: Add additional folders that should be protected by Controlled folder access, or whitelist apps that are incorrectly blocking changes to important files.
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable
search.product: eADQiWindows 10XVcnh
@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
@ -21,24 +21,23 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware.
This topic describes how to customize the following settings of the Controlled folder access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
@ -59,7 +58,7 @@ You can add additional folders to be protected, but you cannot remove the defaul
Adding other folders to Controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
You can also enter network shares and mapped drives. Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders.
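Review bot: same version-qualifier loss as in the ASR customize topic: `Environment variables and wildcards are supported` drops the `Windows 10, version 1803` condition while **Applies to** still starts at 1709. The wildcard link also points at the generic `windows-defender-antivirus-in-windows-10` overview rather than the `#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists` section of `configure-extension-file-exclusions-windows-defender-antivirus`, which is where the ASR topic sends readers, and this URL keeps the `/en-us/` segment the rest of the commit strips.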
@ -70,26 +69,22 @@ You can use the Windows Defender Security Center app or Group Policy to add and
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**:
3. Under the **Controlled folder access** section, click **Protected folders**
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png)
![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png)
### Use Group Policy to protect additional folders
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder.
> [!NOTE]
> Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
6. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder.
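Review bot: step 4 of the Security Center procedure says "follow the prompts to add apps", but this section adds protected folders, so it should read "to add folders". The step numbering is also off in both lists (2, 3, 4 in the Security Center steps; 1, 3, 5, 6 in the Group Policy steps) and the wildcard NOTE sits between two numbered steps, which splits the list on render; number the steps sequentially and either indent the note under the step it belongs to or move it after the list.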
### Use PowerShell to protect additional folders
@ -112,7 +107,7 @@ Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to ad
### Use MDM CSPs to protect additional folders
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
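Review bot: the GuardedFoldersList sentence still describes the CSP as used "to allow apps to make changes to protected folders", which is the wording used for GuardedFoldersAllowedApplications in the "allow specific apps" section further down; this section is about adding protected folders, so the sentence should say the CSP specifies additional folders to protect. The hunk only drops en-us from the URL and leaves the wrong description in place.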
@ -147,7 +142,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
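Review bot: the step numbering here runs 3, 5, 6 with no step 4; either the omitted step should be restored or the list renumbered while this hunk is touching it. The breadcrumb bolding change itself is fine.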
@ -162,7 +157,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
Add-MpPreference -ControlledFolderAccessAllowedApplications "<the app that should be allowed, including the path>"
```
For example, to add the executable *test.exe*, located in the folder *C:\apps*, the cmdlet would be as follows:
For example, to add the executable *test.exe* located in the folder *C:\apps*, the cmdlet would be as follows:
```PowerShell
Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
@ -181,7 +176,7 @@ Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to
### Use MDM CSPs to allow specific apps
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Customize the notification
@ -190,4 +185,4 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w
## Related topics
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
- [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Evaluate attack surface reduction](evaluate-windows-defender-exploit-guard.md)
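Review bot: the renamed entry "Evaluate attack surface reduction" still points at evaluate-windows-defender-exploit-guard.md, yet this PR links the same title (capitalized "Evaluate Attack surface reduction") to evaluate-attack-surface-reduction.md in the Enable Attack surface reduction topic, and links evaluate-windows-defender-exploit-guard.md as "Evaluate Windows Defender ATP" in other Related topics lists. Use one title per target file; since the other entries in this list are feature-specific, the ASR-specific evaluate page is probably the intended target here.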

View File

@ -11,33 +11,30 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
# Customize Exploit protection
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
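Review bot: the intro keeps "It is part of [Windows Defender Exploit Guard]" while the Enable Attack surface reduction and Enable Network protection hunks in this PR remove exactly that phrasing in favour of Windows Defender ATP; the same sentence also survives in the Enable Controlled folder access and Exploit protection hunks below. Decide whether the Exploit Guard umbrella name stays and apply it consistently across the touched topics.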
@ -299,7 +296,7 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 08/08/2018
---
@ -21,35 +21,25 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Enhanced Mitigation Experience Toolkit version 5.5 (latest version)
**Audience**
- Enterprise security administrators
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>[!IMPORTANT]
>If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10.
>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows Defender ATP.
>
>You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and its replacement in Windows 10: Windows Defender Exploit Guard.
In Windows 10, version 1709 (also known as the Fall Creators Update) we released [Windows Defender Exploit Guard](windows-defender-exploit-guard.md), which provides unparalleled mitigation of known and unknown threat attack vectors, including exploits.
This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and Exploit protection in Windows Defender ATP.
Windows Defender Exploit Guard is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
EMET is a stand-alone product that is available on earlier versions of Windows and provides some mitigation against older, known exploit techniques.
EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques.
After July 31, 2018, it will reach its end of life, which means it will not be supported and no additional development will be made on it.
After July 31, 2018, it will not be supported.
For more information about the individual features and mitigations available in Windows Defender Exploit Guard, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
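Review bot: the rewritten sentence "This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET)" carries over the "Enhance" typo from the old line; it should be "Enhanced", as in the Applies-to bullet. The IMPORTANT box now says EMET "reached end of life" while the body still reads "After July 31, 2018, it will not be supported" in the future tense; align the two sentences.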

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 07/30/2018
ms.date: 08/08/2018
---
@ -20,23 +20,22 @@ ms.date: 07/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
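Review bot: dropping "Supported in Windows 10 Enterprise E5" removes the only licensing statement in this topic and the new sentence gives no replacement. If the licensing requirement now lives in the Windows Defender ATP minimum-requirements topic, link to it from here; otherwise keep the E5 statement.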
@ -53,7 +52,7 @@ You can manually add the rules by using the GUIDs in the following table:
Rule description | GUID
-|-
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
@ -64,7 +63,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block only Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
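Review bot: the GUID column mixes upper case in the first rows and lower case from "Use advanced protection against ransomware" onward; normalize the case so values pasted into a policy look uniform. The two renamed rows ("Block all Office applications..." and "Block only Office communication applications...") now read as a deliberate contrasting pair, which is good, but make sure the linked Attack surface reduction topic uses the same rule names.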
@ -76,7 +75,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
6. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
- Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
@ -134,6 +133,6 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md)
- [Customize Attack surface reduction](customize-attack-surface-reduction.md)
- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
@ -21,21 +21,20 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
@ -58,7 +57,7 @@ For further details on how audit mode works, and when you might want to use it,
>Group Policy settings that disable local administrator list merging will override Controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through Controlled folder access. These policies include:
>- Windows Defender Antivirus **Configure local administrator merge behavior for lists**
>- System Center Endpoint Protection **Allow users to add exclusions and overrides**
>For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
>For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
### Use the Windows Defender Security app to enable Controlled folder access
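Review bot: inside the quoted note, the line ">For more information about disabling local list merging..." follows the last ">-" bullet with no blank quote line, so Markdown renders it as a continuation of the "Allow users to add exclusions and overrides" bullet instead of a new paragraph; insert a bare ">" line before it. The en-us removal in the URL is fine.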
@ -102,11 +101,11 @@ Use `Disabled` to turn the feature off.
### Use MDM CSPs to enable Controlled folder access
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
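Review bot: under "Use MDM CSPs to enable Controlled folder access", GuardedFoldersList is described as the CSP "to allow apps to make changes to protected folders"; that wording belongs to GuardedFoldersAllowedApplications, and GuardedFoldersList only carries the list of protected folders. Neither setting turns the feature on, so this section should point at the Defender policy that enables Controlled folder access (Defender/EnableControlledFolderAccess in the same Policy CSP area) and leave GuardedFoldersList to the customize topic.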
## Related topics
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
- [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md)
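Review bot: "Evaluate Windows Defender ATP" is not what evaluate-windows-defender-exploit-guard.md covers: the Customize Controlled folder access hunk above links the same file as "Evaluate attack surface reduction", and the file's own intro later in this PR still opens with "Windows Defender Exploit Guard is a new collection of tools and features". Use one link title that matches the target's heading.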

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
@ -21,26 +21,25 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit protection.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in Exploit protection.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
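Review bot: "Exploit protection applies helps protect devices from malware that use exploits" has a stray "applies" (and "malware that use" should be "malware that uses"); the same sentence appears in the Evaluate Exploit protection hunk below. Both lines are context in this diff, but since the PR already edits the surrounding paragraph it is worth fixing them here.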

View File

@ -20,23 +20,22 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
Network protection is a feature that helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).
@ -55,9 +54,9 @@ For background information on how audit mode works, and when you might want to u
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection**.
5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section you must specify one of the following:
6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following:
- **Block** - Users will not be able to access malicious IP addresses and domains
- **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains
- **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
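Review bot: in step 6 the three option bullets are inconsistently punctuated (only the Audit Mode bullet ends with a period) and the steps are numbered 3, 5, 6; minor, but since the hunk edits this step anyway, tidy the list.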
@ -89,10 +88,10 @@ Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
### Use MDM CSPs to enable or audit Network protection
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection.
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection.
## Related topics
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Protect your network](network-protection-exploit-guard.md)
- [Evaluate Network protection](evaluate-network-protection.md)
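Review bot: the hunk header context carries "Use `Disabled` insead of `AuditMode` or `Enabled`" with "insead" misspelled; that line is just outside the hunk but in the same topic, so please fix it in this PR. The CSP sentence and the shortened Related topics entry are fine.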

View File

@ -6,15 +6,14 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: justinha
author: brianlic-msft
ms.date: 04/19/2018
ms.date: 08/08/2018
---
# Enable virtualization-based protection of code integrity
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
Some applications, including device drivers, may be incompatible with HVCI.
@ -56,7 +55,7 @@ Set the following registry keys to enable HVCI. This provides exactly the same s
> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computers hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.<br>In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.<br>
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
#### For Windows 1607 and above
#### For Windows 10 version 1607 and later
Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
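Review bot: the new heading "For Windows 10 version 1607 and later" should follow the "Windows 10, version 1607" form used elsewhere in this file (for example the NOTE about properties 4, 5 and 6), i.e. with a comma after "Windows 10"; the same applies to the "1511 and earlier" heading in the next hunk. The context line above also reads "a given computers hardware", which needs the possessive apostrophe.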
@ -110,7 +109,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
> To enable **virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**.
#### For Windows 1511 and below
#### For Windows 10 version 1511 and earlier
Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
@ -177,8 +176,6 @@ This field helps to enumerate and report state on the relevant security properti
| **5.** | If present, NX protections are available. |
| **6.** | If present, SMM mitigations are available. |
> [!NOTE]
> 4, 5, and 6 were added as of Windows 10, version 1607.
#### InstanceIdentifier
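Review bot: deleting the NOTE "4, 5, and 6 were added as of Windows 10, version 1607" loses the only statement of which of the security properties 4, 5 and 6 a version 1511 machine can report, and this file still keeps a "version 1511 and earlier" section; the same note is removed again in the next hunk. Unless the 1511 section is going away too, keep the notes or fold the version into the table rows for 4, 5 and 6.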
@ -198,9 +195,6 @@ This field describes the required security properties to enable virtualization-b
| **5.** | If present, NX protections are needed. |
| **6.** | If present, SMM mitigations are needed. |
> [!NOTE]
> 4, 5, and 6 were added as of Windows 10, version 1607.
#### SecurityServicesConfigured
This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
@ -19,25 +19,24 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).
Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
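Review bot: the new "Windows Defender Advanced Threat Protection (Windows Defender ATP)" bullet lands after "PowerShell", i.e. under "Manageability available with", whereas the sibling topics in this PR add it under "Applies to:" next to Windows Server 2016. Move the bullet up into the Applies-to list; ATP is not a management channel in the sense of the other three entries.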
@ -179,14 +178,14 @@ Malware and other threats can attempt to obfuscate or hide their malicious code
- Random
- A scenario will be randomly chosen from this list
- AntiMalwareScanInterface
- This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script
- This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script
- OnAccess
- Potentially obfuscated scripts will be blocked when an attempt is made to access them
## Review Attack surface reduction events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
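Review bot: "see the events there were created" should be "that were created"; the sentence is repeated verbatim in the Controlled folder access, Exploit protection and Network protection evaluate hunks below, each of which is already being edited for the anchor change, so fix the typo in all four. Also confirm that event-views-exploit-guard.md has a heading that produces the #list-of-attack-surface-reduction-events anchor; the old anchor was #list-of-all-windows-defender-exploit-guard-events and the renamed title in the last hunk of this PR does not show the list heading.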

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
@ -19,24 +19,22 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
Controlled folder access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md).
It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps.
It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
This topic helps you evaluate Controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
@ -54,7 +52,7 @@ Use the **ExploitGuard CFA File Creator** tool to see how Controlled folder acce
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
You can enable Controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
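Review bot: "The tool is considered by Windows Defender ATP to be suspicious" attributes the block to ATP, but the blocking is done locally by Controlled folder access whether or not the machine is onboarded to ATP; "considered by Controlled folder access to be suspicious" is more accurate and matches the first sentence of the same paragraph.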
@ -83,7 +81,7 @@ You can enable Controlled folder access, run the tool, and see what the experien
## Review Controlled folder access events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
@ -133,5 +131,5 @@ See the main [Protect important folders with Controlled folder access](controlle
## Related topics
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode](audit-windows-defender-exploit-guard.md)

View File

@ -20,20 +20,19 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
@ -94,7 +93,7 @@ Lastly, we can disable the mitigation so that Internet Explorer works properly a
## Review Exploit protection events in Windows Event Viewer
You can now review the events that Exploit protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
You can now review the events that Exploit protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
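Review bot: the Exploit protection events link is retargeted at #list-of-attack-surface-reduction-events, but Exploit protection events are not attack surface reduction rule events; unless the renamed event-views topic lists EP, NP and CFA events under that one heading, this anchor will land readers in the wrong table. The same retarget is applied to the Network protection and Controlled folder access evaluate topics in this PR.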

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/09/2018
---
# Evaluate Network protection
@ -20,19 +20,18 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10 Enterprise edition, version 1709 or later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
@ -72,7 +71,7 @@ You will get a 403 Forbidden response in the browser, and you will see a notific
## Review Network protection events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.

View File

@ -25,9 +25,9 @@ ms.date: 05/30/2018
- Windows Server 2016
**Audience**
- Enterprise security administrators
Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software.
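Review bot: this file (evaluate-windows-defender-exploit-guard.md) is linked from two Related topics lists in this PR as "Evaluate Windows Defender ATP", but its intro still opens "Windows Defender Exploit Guard is a new collection of tools and features"; either rewrite the intro under the new naming or keep the old link text until the page is reworked.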

View File

@ -1,5 +1,5 @@
---
title: Import custom views to see Windows Defender Exploit Guard events
title: Import custom views to see attack surface reduction events
description: Use Windows Event Viewer to import individual views for each of the features.
keywords: event view, exploit guard, audit, review, events
search.product: eADQiWindows 10XVcnh
@ -12,38 +12,37 @@ ms.date: 04/16/2018
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
# View Windows Defender Exploit Guard events
# View attack surface reduction events
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windows Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled.
This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
You can also get detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) in the Windows Defender Security Center console, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
You can also get detailed reporting into events and blocks as part of Windows Defender Security Center, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
## Use custom views to review Windows Defender Exploit Guard features
## Use custom views to review attack surface reduction capabilities
You can create custom views in the Windows Event Viewer to only see events for specific features and settings.
You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings.
The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of all Windows Defender Exploit Guard events](#list-of-all-windows-defender-exploit-guard-events) section at the end of this topic for more details.
You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details.
### Import an existing XML custom view
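Review bot: the added line "You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of attack surface reduction events]..." still uses the old "Windows Defender EG feature" name while the heading and the sentence two lines above were renamed to "attack surface reduction capabilities"; rename it to match. The same sentence is a comma splice: use "capability; see the ..." or split it into two sentences.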
@ -143,10 +142,10 @@ You can also manually navigate to the event area that corresponds to the Windows
## List of all Windows Defender Exploit Guard events
## List of attack surface reduction events
All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
You can access these events in Windows Event viewer:
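Review bot: typo in the added line: "All attack surface reductiond events" should be "All attack surface reduction events".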

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/09/2018
---
@ -21,22 +21,7 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
@ -115,13 +100,109 @@ Security-Mitigations | 24 | ROP SimExec enforce
WER-Diagnostics | 5 | CFG Block
Win32K | 260 | Untrusted Font
## Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard
>[!IMPORTANT]
>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows Defender ATP.
>
>You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and Exploit protection in Windows Defender ATP.
Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques.
After July 31, 2018, it will not be supported.
For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
- [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
## Feature comparison
The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.
&nbsp; | Windows Defender Exploit Guard | EMET
-|:-:|:-:
Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)] <br />All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Windows 8.1; Windows 8; Windows 7<br />Cannot be installed on Windows 10, version 1709 and later
Installation requirements | [Windows Defender Security Center in Windows 10](../windows-defender-security-center/windows-defender-security-center.md) <br />(no additional installation required)<br />Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device
User interface | Modern interface integrated with the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training
Supportability | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)<sup id="ref1">[[1](#fn1)]</sup><br />[Part of the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]<br />Ends after July 31, 2018
Updates | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]<br />No planned updates or development
Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)] <br />All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))<br />[Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Limited set of mitigations
Attack surface reduction<sup id="ref2-1">[[2](#fn2)]</sup> | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)<br />[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Limited ruleset configuration only for modules (no processes)
Network protection<sup id="ref2-2">[[2](#fn2)]</sup> | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]<br />Not available
Controlled folder access<sup id="ref2-3">[[2](#fn2)]</sup> | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Helps protect important folders](controlled-folders-exploit-guard.md)<br/>[Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]<br />Not available
Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use Windows Defender Security Center app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Requires installation and use of EMET tool
Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Available
Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Requires use of EMET tool (EMET_CONF)
System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]<br />Not available
Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]<br />Not available
Reporting | [!include[Check mark yes](images/svg/check-yes.svg)] <br />With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md) <br />[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Limited Windows event log monitoring
Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]<br />Limited to EAF, EAF+, and anti-ROP mitigations
<span id="fn1"></span>([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx).
<span id="fn2"></span>([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus.
## Mitigation comparison
The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [Exploit protection feature](exploit-protection-exploit-guard.md).
The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection.
Mitigation | Available in Windows Defender Exploit Guard | Available in EMET
-|:-:|:-:
Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]<br />As "Memory Protection Check"
Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]<br/>As "Load Library Check"
Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Included natively in Windows 10<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)]
Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)]
Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)]
Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
>[!NOTE]
>The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process.
>
>See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
## In this section
Topic | Description
---|---
[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included in Exploit protection. This topic identifies those features and explains how the features have changed or evolved.
[Evaluate Exploit protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit protection mitigations can protect your network from malicious and suspicious behavior.
[Enable Exploit protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit protection in your network.
[Customize and configure Exploit protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps.
[Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit protection.
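Review bot: the appended "Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard" section duplicates the standalone EMET comparison topic that the new "In this section" table still links to ("[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)"), and "Related topics" links to exploit-protection-exploit-guard.md, which appears to be this same file (its intro "Exploit protection automatically applies a number of exploit mitigation techniques..." is in the previous hunk). Decide on one home for the comparison and drop the self-link. Within the added text: "Enhance Mitigation Experience Toolkit (EMET)" should be "Enhanced"; "This topic describes the differences" should be "This section describes" now that it is inlined; "which other EMET advanced settings are enabled by default" should be "while other EMET advanced settings"; the link text "Mitigation threats by using Windows 10 security features" should be "Mitigate threats by using Windows 10 security features" to match the other two occurrences; and "After July 31, 2018, it will not be supported" conflicts in tense with the IMPORTANT note above it, which states EMET already reached end of life on that date (the file's ms.date is 08/09/2018), so reword it as past tense. The section heading names "Windows Defender Exploit Guard" while the body below it says "Exploit protection in Windows Defender ATP"; pick one term for the heading and the table's column header.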

View File

@ -21,20 +21,21 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
@ -166,7 +167,7 @@ You can use Group Policy to deploy the configuration you've created to multiple
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit protection**.
5. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png)
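Review bot: the changed step keeps the numbering gap from the removed line: the step directly after "3. In the **Group Policy Management Editor** ..." is numbered "5."; since the two lines are adjacent in the context shown, renumber it to "4." while reformatting the bold segments.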
@ -182,7 +183,7 @@ You can use Group Policy to deploy the configuration you've created to multiple
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 02/20/2018
ms.date: 08/09/2018
---
@ -21,8 +21,9 @@ ms.date: 02/20/2018
**Applies to:**
- Windows 10, version 1709
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016.
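Review bot: the "Applies to" list here reads "Windows 10, version 1709" without the "and later" / "or higher" qualifier that every other topic in this change uses; since this change is normalizing those blocks, align it unless memory integrity is genuinely limited to version 1709.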

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/09/2018
---
@ -20,20 +20,19 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 or higher
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Supported in Windows 10 Enterprise, Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.

View File

@ -12,8 +12,8 @@ ms.date: 10/20/2017
# Requirements and deployment planning guidelines for virtualization-based protection of code integrity
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in Windows Defender Device Guard. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
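Review bot: the unchanged context line directly below the edited "Applies to" list has a typo, "take adavantage of all of the virtualization-based security (VBS) features"; since this file is being touched, fix it to "advantage" in the same change.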

View File

@ -18,10 +18,9 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 or higher
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- IT administrators

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/09/2018
---
@ -21,19 +21,18 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- PowerShell
When you create a set of Exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
@ -205,7 +204,7 @@ You can manually remove unwanted mitigations in Windows Defender Security Center
</root>
```
If you havent already, it's a good idea to download and use the [Windows Security Baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) to complete your Exploit protection customization.
If you havent already, it's a good idea to download and use the [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) to complete your Exploit protection customization.
## Related topics
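Review bot: the added line keeps the missing apostrophe from the removed one: "If you havent already" should be "If you haven't already". The line is being rewritten anyway to drop the en-us locale segment from the Windows Security Baselines URL, so fix the wording in the same edit.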

View File

@ -11,16 +11,16 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 08/09/2018
---
# Troubleshoot Network protection
**Applies to:**
- Windows 10, version 1709 or higher
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- IT administrators

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/08/2018
ms.date: 08/09/2018
---
@ -21,13 +21,12 @@ ms.date: 08/08/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
@ -52,13 +51,9 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work.
Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes:
- [Windows Defender Security Center](../windows-defender-atp/windows-defender-security-center-atp.md)
- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
- [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md)
Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies.
You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works.
You can use the Windows Defender Security Center to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works.
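Review bot: the rewritten line "as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies" carries over "preventing" from the removed line; the list should be parallel nouns, so use "prevention". The change also removes the four-item list of sibling technologies that the old sentence introduced with "which also includes:"; if that list was deliberately dropped, the rewritten sentence is fine, otherwise restore it or link to the suite overview.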
## Requirements
@ -91,9 +86,9 @@ The following table lists which features in Windows Defender EG require enabling
Topic | Description
---|---
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors.
[Protect devices from exploits](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Reduce attack surfaces](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.
[Protect your network](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors.
[Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
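Review bot: the added table row "[Protect devices from exploits](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit" keeps two wording defects from the removed row: the product name is "Enhanced Mitigation Experience Toolkit" (singular "Mitigation", matching the heading used elsewhere in this change), and the phrase needs an article, "in the now-retired Enhanced Mitigation Experience Toolkit (EMET)". Only the link text was changed in this hunk, so correcting the description here avoids a second touch of the same row.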

View File

@ -0,0 +1,109 @@
# [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
## [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md)
## [Securing IPsec](securing-end-to-end-ipsec-connections-by-using-ikev2.md)
## [PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
## [Design Guide](windows-firewall-with-advanced-security-design-guide.md)
### [Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
### [Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
#### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
#### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
#### [Require Encryption](require-encryption-when-accessing-sensitive-network-resources.md)
#### [Restrict Access](restrict-access-to-only-specified-users-or-devices.md)
### [Mapping Goals to a Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
#### [Basic Design](basic-firewall-policy-design.md)
#### [Domain Isolation Design](domain-isolation-policy-design.md)
#### [Server Isolation Design](server-isolation-policy-design.md)
#### [Certificate-based Isolation Design](certificate-based-isolation-policy-design.md)
### [Evaluating Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
#### [Basic Design Example](firewall-policy-design-example.md)
#### [Domain Isolation Design Example](domain-isolation-policy-design-example.md)
#### [Server Isolation Design Example](server-isolation-policy-design-example.md)
#### [Certificate-based Isolation Design Example](certificate-based-isolation-policy-design-example.md)
### [Designing a Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
#### [Gathering the Info You Need](gathering-the-information-you-need.md)
##### [Network](gathering-information-about-your-current-network-infrastructure.md)
##### [Active Directory](gathering-information-about-your-active-directory-deployment.md)
##### [Computers](gathering-information-about-your-devices.md)
##### [Other Relevant Information](gathering-other-relevant-information.md)
#### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md)
### [Planning Your Design](planning-your-windows-firewall-with-advanced-security-design.md)
#### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
#### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
##### [Exemption List](exemption-list.md)
##### [Isolated Domain](isolated-domain.md)
##### [Boundary Zone](boundary-zone.md)
##### [Encryption Zone](encryption-zone.md)
#### [Planning Server Isolation Zones](planning-server-isolation-zones.md)
#### [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
##### [Documenting the Zones](documenting-the-zones.md)
##### [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
###### [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
###### [Planning Network Access Groups](planning-network-access-groups.md)
###### [Planning the GPOs](planning-the-gpos.md)
####### [Firewall GPOs](firewall-gpos.md)
######## [GPO_DOMISO_Firewall](gpo-domiso-firewall.md)
####### [Isolated Domain GPOs](isolated-domain-gpos.md)
######## [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md)
######## [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md)
####### [Boundary Zone GPOs](boundary-zone-gpos.md)
######## [GPO_DOMISO_Boundary](gpo-domiso-boundary.md)
####### [Encryption Zone GPOs](encryption-zone-gpos.md)
######## [GPO_DOMISO_Encryption](gpo-domiso-encryption.md)
####### [Server Isolation GPOs](server-isolation-gpos.md)
###### [Planning GPO Deployment](planning-gpo-deployment.md)
### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
## [Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md)
### [Planning to Deploy](planning-to-deploy-windows-firewall-with-advanced-security.md)
### [Implementing Your Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md)
### [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
### [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md)
### [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)
### [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)
### [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)
### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
#### [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)
#### [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)
#### [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)
#### [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)
### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md)
#### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
#### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
### [Procedures Used in This Guide](procedures-used-in-this-guide.md)
#### [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)
#### [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)
#### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
#### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
#### [Configure Authentication Methods](configure-authentication-methods.md)
#### [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)
#### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
#### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)
#### [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
#### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)
#### [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)
#### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
#### [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
#### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
#### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
#### [Create a Group Policy Object](create-a-group-policy-object.md)
#### [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
#### [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
#### [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
#### [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
#### [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
#### [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
#### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
#### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
#### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
#### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
#### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
#### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
#### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
#### [Modify GPO Filters](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
#### [Open IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
#### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall.md)
#### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
#### [Open Windows Firewall](open-windows-firewall-with-advanced-security.md)
#### [Restrict Server Access](restrict-server-access-to-members-of-a-group-only.md)
#### [Enable Windows Firewall](turn-on-windows-firewall-and-configure-default-behavior.md)
#### [Verify Network Traffic](verify-that-network-traffic-is-authenticated.md)